Diffstat (limited to 'app')
-rw-r--r-- | app/assets/javascripts/work_items/components/item_title.vue | 6 | ||||
-rw-r--r-- | app/controllers/oauth/jira_dvcs/authorizations_controller.rb | 13 | ||||
-rw-r--r-- | app/finders/notes_finder.rb | 2 | ||||
-rw-r--r-- | app/models/ci/build.rb | 10 | ||||
-rw-r--r-- | app/models/integration.rb | 2 | ||||
-rw-r--r-- | app/models/integrations/datadog.rb | 1 | ||||
-rw-r--r-- | app/models/integrations/prometheus.rb | 31 | ||||
-rw-r--r-- | app/services/groups/transfer_service.rb | 2 | ||||
-rw-r--r-- | app/services/resource_access_tokens/create_service.rb | 2 |
9 files changed, 56 insertions, 13 deletions
diff --git a/app/assets/javascripts/work_items/components/item_title.vue b/app/assets/javascripts/work_items/components/item_title.vue
index 6aa3c54705c..1c0fed2dde9 100644
--- a/app/assets/javascripts/work_items/components/item_title.vue
+++ b/app/assets/javascripts/work_items/components/item_title.vue
@@ -29,6 +29,11 @@ export default {
 handleSubmit() {
 this.$refs.titleEl.blur();
 },
+ handlePaste(e) {
+ e.preventDefault();
+ const text = e.clipboardData.getData('text');
+ this.$refs.titleEl.innerText = text;
+ },
 },
 };
 </script>
@@ -48,6 +53,7 @@ export default {
 :contenteditable="!disabled"
 class="gl-px-4 gl-py-3 gl-ml-n4 gl-border gl-border-white gl-rounded-base gl-display-block"
 :class="{ 'gl-hover-border-gray-200 gl-pseudo-placeholder': !disabled }"
+ @paste="handlePaste"
 @blur="handleBlur"
 @keyup="handleInput"
 @keydown.enter.exact="handleSubmit"
diff --git a/app/controllers/oauth/jira_dvcs/authorizations_controller.rb b/app/controllers/oauth/jira_dvcs/authorizations_controller.rb
index 613999f4ca7..03921761f45 100644
--- a/app/controllers/oauth/jira_dvcs/authorizations_controller.rb
+++ b/app/controllers/oauth/jira_dvcs/authorizations_controller.rb
@@ -8,6 +8,8 @@ class Oauth::JiraDvcs::AuthorizationsController < ApplicationController
 skip_before_action :authenticate_user!
 skip_before_action :verify_authenticity_token
 
+ before_action :validate_redirect_uri, only: :new
+
 feature_category :integrations
 
 # 1. Rewire Jira OAuth initial request to our stablished OAuth authorization URL.
@@ -56,4 +58,15 @@ class Oauth::JiraDvcs::AuthorizationsController < ApplicationController
 def normalize_scope(scope)
 scope == 'repo' ? 'api' : scope
 end
+
+ def validate_redirect_uri
+ client = Doorkeeper::OAuth::Client.find(params[:client_id])
+ return render_404 unless client
+
+ return true if Doorkeeper::OAuth::Helpers::URIChecker.valid_for_authorization?(
+ params['redirect_uri'], client.redirect_uri
+ )
+
+ render_403
+ end
 end
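Review bot: `handlePaste` overwrites the whole title (`this.$refs.titleEl.innerText = text`) instead of inserting the clipboard text at the caret, so pasting into the middle of an existing title silently discards what was there, and a multi-line paste puts line breaks into a field whose Enter key submits. Consider collapsing newlines, e.g. `const text = e.clipboardData.getData('text').replace(/[\r\n]+/g, ' ');`, and inserting at the current selection (a Range-based insert or `document.execCommand('insertText', false, text)`) rather than replacing the node's content. Forcing the paste through `innerText` is the right call for a contenteditable node since it keeps clipboard HTML out of the DOM; record that intent with a comment such as `// Paste as plain text only: never let clipboard HTML reach the contenteditable title`. Note that `handleInput` is bound to `keyup` in the template hunk below, so a mouse-driven paste may not propagate the new value until the next keyup or blur — worth confirming in a spec.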
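Review bot: The new filter is scoped with `only: :new`, while the context lines above show this controller skipping `authenticate_user!` and `verify_authenticity_token` for every action; if the later steps of the flow (the numbered comment `# 1. Rewire ...` suggests there are more) also read or forward `params['redirect_uri']`, they remain unvalidated. Confirm no other action consumes `redirect_uri`, or widen the `only:` list to those actions. A comment on the filter would record its purpose for the next reader, e.g. `# Reject redirect_uri values not registered on the Doorkeeper application (open-redirect guard)`.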
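Review bot: `return true if ...` in `validate_redirect_uri` suggests the boolean matters, but a Rails before_action only halts on render/redirect, so the value is ignored; `return if Doorkeeper::OAuth::Helpers::URIChecker.valid_for_authorization?(...)` says what is meant. If `valid_for_authorization?` raises on a missing or malformed `redirect_uri` rather than returning false, the request would 500 instead of 403 — add specs with `redirect_uri` absent and with a non-URI string to pin the behaviour. Minor style: `params[:client_id]` and `params['redirect_uri']` mix symbol and string keys two lines apart.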
diff --git a/app/finders/notes_finder.rb b/app/finders/notes_finder.rb
index 7890502cf0e..c542ffbce7e 100644
--- a/app/finders/notes_finder.rb
+++ b/app/finders/notes_finder.rb
@@ -117,7 +117,7 @@ class NotesFinder
 when "snippet", "project_snippet"
 SnippetsFinder.new(@current_user, project: @project).execute # rubocop: disable CodeReuse/Finder
 when "personal_snippet"
- PersonalSnippet.all
+ SnippetsFinder.new(@current_user, only_personal: true).execute # rubocop: disable CodeReuse/Finder
 else
 raise "invalid target_type '#{noteable_type}'"
 end
diff --git a/app/models/ci/build.rb b/app/models/ci/build.rb
index f8b3777841d..1e70dd171ed 100644
--- a/app/models/ci/build.rb
+++ b/app/models/ci/build.rb
@@ -74,6 +74,7 @@ module Ci
 delegate :trigger_short_token, to: :trigger_request, allow_nil: true
 delegate :ensure_persistent_ref, to: :pipeline
 delegate :enable_debug_trace!, to: :metadata
+ delegate :debug_trace_enabled?, to: :metadata
 
 serialize :options # rubocop:disable Cop/ActiveRecordSerialize
 serialize :yaml_variables, Gitlab::Serializer::Ci::Variables # rubocop:disable Cop/ActiveRecordSerialize
@@ -1069,11 +1070,10 @@ module Ci
 end
 
 def debug_mode?
- # TODO: Have `debug_mode?` check against data on sent back from runner
- # to capture all the ways that variables can be set.
- # See (https://gitlab.com/gitlab-org/gitlab/-/issues/290955)
- variables['CI_DEBUG_TRACE']&.value&.casecmp('true') == 0 ||
- variables['CI_DEBUG_SERVICES']&.value&.casecmp('true') == 0
+ # perform the check on both sides in case the runner version is old
+ debug_trace_enabled? ||
+ Gitlab::Utils.to_boolean(variables['CI_DEBUG_SERVICES']&.value, default: false) ||
+ Gitlab::Utils.to_boolean(variables['CI_DEBUG_TRACE']&.value, default: false)
 end
 
 def drop_with_exit_code!(failure_reason, exit_code)
diff --git a/app/models/integration.rb b/app/models/integration.rb
index 8bef8b08c19..d3006f00ba1 100644
--- a/app/models/integration.rb
+++ b/app/models/integration.rb
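Review bot: Nothing records that `PersonalSnippet.all` was an authorization gap, so a future refactor could reintroduce the unscoped relation; a one-line comment on the new line would prevent that, e.g. `# Must go through SnippetsFinder so private personal snippets (and their notes) stay hidden from users who cannot read them`. The enclosing `case` and method start outside this hunk. With `@current_user` nil the finder presumably restricts to public snippets — worth an explicit spec for the anonymous path.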
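Review bot: `delegate :debug_trace_enabled?, to: :metadata` carries no `allow_nil:`, unlike `trigger_short_token` three lines up, so a build whose `metadata` association is nil would raise NoMethodError out of `debug_mode?` instead of falling through to the variable check. If metadata can be absent for older records, `delegate :debug_trace_enabled?, to: :metadata, allow_nil: true` keeps `debug_mode?` working, since nil is falsy in its `||` chain. Whether metadata is always present is not visible here — confirm before changing.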
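Review bot: `Gitlab::Utils.to_boolean(..., default: false)` is presumably broader than the old `casecmp('true') == 0` — if it accepts spellings such as `1`, `yes` or `on`, a job whose variable is set that way now counts as debug mode, which changes who may view its log; that errs toward masking, which is the safe direction, but the comment should say so. Suggest replacing `# perform the check on both sides in case the runner version is old` with `# Runner-reported flag first; fall back to the variables for runners too old to report it. Any truthy spelling counts, erring toward treating the job as debug.` The semantics of `to_boolean` are not visible in this hunk — verify against the helper.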
@@ -510,7 +510,7 @@ class Integration < ApplicationRecord
 end
 
 def api_field_names
- fields.reject { _1[:type] == 'password' }.pluck(:name)
+ fields.reject { _1[:type] == 'password' || _1[:name] == 'webhook' }.pluck(:name)
 end
 
 def form_fields
diff --git a/app/models/integrations/datadog.rb b/app/models/integrations/datadog.rb
index 80eecc14d0f..3b3c7d8f2cd 100644
--- a/app/models/integrations/datadog.rb
+++ b/app/models/integrations/datadog.rb
@@ -15,6 +15,7 @@ module Integrations
 TAG_KEY_VALUE_RE = %r{\A [\w-]+ : .*\S.* \z}x.freeze
 
 field :datadog_site,
+ exposes_secrets: true,
 placeholder: DEFAULT_DOMAIN,
 help: -> do
 ERB::Util.html_escape(
diff --git a/app/models/integrations/prometheus.rb b/app/models/integrations/prometheus.rb
index 142f466018b..2f0995e9ab0 100644
--- a/app/models/integrations/prometheus.rb
+++ b/app/models/integrations/prometheus.rb
@@ -3,6 +3,7 @@
 module Integrations
 class Prometheus < BaseMonitoring
 include PrometheusAdapter
+ include Gitlab::Utils::StrongMemoize
 
 field :manual_configuration,
 type: 'checkbox',
@@ -81,7 +82,7 @@ module Integrations
 allow_local_requests: allow_local_api_url?
 )
 
- if behind_iap?
+ if behind_iap? && iap_client
 # Adds the Authorization header
 options[:headers] = iap_client.apply({})
 end
@@ -106,6 +107,22 @@ module Integrations
 should_return_client?
 end
 
+ alias_method :google_iap_service_account_json_raw, :google_iap_service_account_json
+ private :google_iap_service_account_json_raw
+
+ MASKED_VALUE = '*' * 8
+
+ def google_iap_service_account_json
+ json = google_iap_service_account_json_raw
+ return json unless json.present?
+
+ Gitlab::Json.parse(json)
+ .then { |hash| hash.transform_values { MASKED_VALUE } }
+ .then { |hash| Gitlab::Json.generate(hash) }
+ rescue Gitlab::Json.parser_error
+ json
+ end
+
 private
 
 delegate :allow_local_requests_from_web_hooks_and_services?, to: :current_settings, private: true
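Review bot: The exclusion in `api_field_names` keys on the literal field name `'webhook'`, so any other URL-typed field that carries a token in its value still leaks through the API listing, and a renamed webhook field silently re-exposes it. The same commit introduces an `exposes_secrets: true` field attribute (datadog hunk below); if that key is carried on the field hashes seen here, rejecting on it is more robust than a name match: `fields.reject { _1[:type] == 'password' || _1[:name] == 'webhook' || _1[:exposes_secrets] }.pluck(:name)`. Whether `fields` exposes that key is not visible in this hunk — confirm against the field definition. A comment such as `# Webhook URLs routinely embed auth tokens; never expose them via the API` would document the intent either way.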
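Review bot: When `iap_client` is nil while `behind_iap?` is true (credentials failed to build), the request is now sent without an Authorization header to an endpoint the admin declared IAP-protected, so a misconfiguration degrades silently into an upstream 401/403 with nothing recorded about why. Surface it at this branch — an `elsif behind_iap?` arm that logs a warning with the integration id before falling through — so operators can tell a broken key from a broken Prometheus; the exact logger to use is not visible here. A comment on the condition, e.g. `# iap_client is nil when the service-account JSON is unusable; see iap_client`, would explain the guard. The enclosing method starts outside the hunk.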
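Review bot: The `rescue Gitlab::Json.parser_error` branch in the new `google_iap_service_account_json` returns the raw stored value, so a service-account blob that is not valid JSON (truncated, pasted with a stray character) is handed back unmasked through the very reader this commit exists to mask — any key material in it is still visible. Return the placeholder from the rescue instead: `rescue Gitlab::Json.parser_error` followed by `MASKED_VALUE`. Also confirm that a form round-trip cannot write the masked `********` values back over the real key; the writer is outside this hunk. Minor style: `MASKED_VALUE` is defined between methods, while constants conventionally sit at the top of the class.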
@@ -155,17 +172,21 @@ module Integrations
 end
 
 def clean_google_iap_service_account
- return unless google_iap_service_account_json
+ json = google_iap_service_account_json_raw
+ return unless json.present?
 
- google_iap_service_account_json
- .then { |json| Gitlab::Json.parse(json) }
- .except('token_credential_uri')
+ Gitlab::Json.parse(json).except('token_credential_uri')
+ rescue Gitlab::Json.parser_error
+ {}
 end
 
 def iap_client
 @iap_client ||= Google::Auth::Credentials
 .new(clean_google_iap_service_account, target_audience: google_iap_audience_client_id)
 .client
+ rescue StandardError
+ nil
 end
+ strong_memoize_attr :iap_client
 end
 end
diff --git a/app/services/groups/transfer_service.rb b/app/services/groups/transfer_service.rb
index 0a9705181ba..7e9fd9dad54 100644
--- a/app/services/groups/transfer_service.rb
+++ b/app/services/groups/transfer_service.rb
@@ -51,6 +51,7 @@ module Groups
 publish_event(old_root_ancestor_id)
 end
 
+ # Overridden in EE
 def ensure_allowed_transfer
 raise_transfer_error(:group_is_already_root) if group_is_already_root?
 raise_transfer_error(:same_parent_as_current) if same_parent?
@@ -208,6 +209,7 @@ module Groups
 raise TransferError, localized_error_messages[message]
 end
 
+ # Overridden in EE
 def localized_error_messages
 {
 database_not_supported: s_('TransferGroup|Database is not supported.'),
diff --git a/app/services/resource_access_tokens/create_service.rb b/app/services/resource_access_tokens/create_service.rb
index c6948536053..f6fe23b4555 100644
--- a/app/services/resource_access_tokens/create_service.rb
+++ b/app/services/resource_access_tokens/create_service.rb
@@ -125,7 +125,7 @@ module ResourceAccessTokens
 def do_not_allow_owner_access_level_for_project_bot?(access_level)
 resource.is_a?(Project) &&
- access_level == Gitlab::Access::OWNER &&
+ access_level.to_i == Gitlab::Access::OWNER &&
 !current_user.can?(:manage_owners, resource)
 end
 end |
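Review bot: `rescue StandardError` with a bare `nil` in `iap_client` swallows every failure of `Google::Auth::Credentials.new` — malformed key, wrong audience, unsupported key type — without a log line, and `strong_memoize_attr :iap_client` then pins that nil for the life of the instance, which also makes the `@iap_client ||=` memoization redundant. Narrow the rescue or at least capture and log it (`rescue StandardError => e` followed by a logger call, then `nil`), and drop `@iap_client ||=` in favour of the strong_memoize wrapper. `clean_google_iap_service_account` returning `{}` on a parse error feeds empty credentials into that constructor, which is presumably what trips the rescue; a comment stating the chain would help, e.g. `# Unparseable JSON yields {} so iap_client fails closed (nil) instead of raising`.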
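Review bot: `access_level.to_i` fixes the comparison here, but any other check on `access_level` in this service (outside the hunk) still sees the original value, and `to_i` maps a non-numeric string to 0 while `"50abc".to_i` is 50; normalising once where the value enters the service (`access_level = access_level.to_i`, or `Integer(access_level, exception: false)` to reject junk) keeps every guard consistent. Record the reason on the changed line, e.g. `# access_level may arrive as a String from params; compare numerically so "50" cannot bypass the owner check`. The trailing lines of the file appear cut off in this hunk.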