summaryrefslogtreecommitdiff
path: root/app
diff options
context:
space:
mode:
Diffstat (limited to 'app')
-rw-r--r--app/assets/javascripts/work_items/components/item_title.vue6
-rw-r--r--app/controllers/oauth/jira_dvcs/authorizations_controller.rb13
-rw-r--r--app/finders/notes_finder.rb2
-rw-r--r--app/models/ci/build.rb10
-rw-r--r--app/models/integration.rb2
-rw-r--r--app/models/integrations/datadog.rb1
-rw-r--r--app/models/integrations/prometheus.rb31
-rw-r--r--app/services/groups/transfer_service.rb2
-rw-r--r--app/services/resource_access_tokens/create_service.rb2
9 files changed, 56 insertions, 13 deletions
diff --git a/app/assets/javascripts/work_items/components/item_title.vue b/app/assets/javascripts/work_items/components/item_title.vue
index 6aa3c54705c..1c0fed2dde9 100644
--- a/app/assets/javascripts/work_items/components/item_title.vue
+++ b/app/assets/javascripts/work_items/components/item_title.vue
@@ -29,6 +29,11 @@ export default {
handleSubmit() {
this.$refs.titleEl.blur();
},
+ handlePaste(e) {
+ e.preventDefault();
+ const text = e.clipboardData.getData('text');
+ this.$refs.titleEl.innerText = text;
+ },
},
};
</script>
@@ -48,6 +53,7 @@ export default {
:contenteditable="!disabled"
class="gl-px-4 gl-py-3 gl-ml-n4 gl-border gl-border-white gl-rounded-base gl-display-block"
:class="{ 'gl-hover-border-gray-200 gl-pseudo-placeholder': !disabled }"
+ @paste="handlePaste"
@blur="handleBlur"
@keyup="handleInput"
@keydown.enter.exact="handleSubmit"
diff --git a/app/controllers/oauth/jira_dvcs/authorizations_controller.rb b/app/controllers/oauth/jira_dvcs/authorizations_controller.rb
index 613999f4ca7..03921761f45 100644
--- a/app/controllers/oauth/jira_dvcs/authorizations_controller.rb
+++ b/app/controllers/oauth/jira_dvcs/authorizations_controller.rb
@@ -8,6 +8,8 @@ class Oauth::JiraDvcs::AuthorizationsController < ApplicationController
skip_before_action :authenticate_user!
skip_before_action :verify_authenticity_token
+ before_action :validate_redirect_uri, only: :new
+
feature_category :integrations
# 1. Rewire Jira OAuth initial request to our stablished OAuth authorization URL.
@@ -56,4 +58,15 @@ class Oauth::JiraDvcs::AuthorizationsController < ApplicationController
def normalize_scope(scope)
scope == 'repo' ? 'api' : scope
end
+
+ def validate_redirect_uri
+ client = Doorkeeper::OAuth::Client.find(params[:client_id])
+ return render_404 unless client
+
+ return true if Doorkeeper::OAuth::Helpers::URIChecker.valid_for_authorization?(
+ params['redirect_uri'], client.redirect_uri
+ )
+
+ render_403
+ end
end
diff --git a/app/finders/notes_finder.rb b/app/finders/notes_finder.rb
index 7890502cf0e..c542ffbce7e 100644
--- a/app/finders/notes_finder.rb
+++ b/app/finders/notes_finder.rb
@@ -117,7 +117,7 @@ class NotesFinder
when "snippet", "project_snippet"
SnippetsFinder.new(@current_user, project: @project).execute # rubocop: disable CodeReuse/Finder
when "personal_snippet"
- PersonalSnippet.all
+ SnippetsFinder.new(@current_user, only_personal: true).execute # rubocop: disable CodeReuse/Finder
else
raise "invalid target_type '#{noteable_type}'"
end
diff --git a/app/models/ci/build.rb b/app/models/ci/build.rb
index f8b3777841d..1e70dd171ed 100644
--- a/app/models/ci/build.rb
+++ b/app/models/ci/build.rb
@@ -74,6 +74,7 @@ module Ci
delegate :trigger_short_token, to: :trigger_request, allow_nil: true
delegate :ensure_persistent_ref, to: :pipeline
delegate :enable_debug_trace!, to: :metadata
+ delegate :debug_trace_enabled?, to: :metadata
serialize :options # rubocop:disable Cop/ActiveRecordSerialize
serialize :yaml_variables, Gitlab::Serializer::Ci::Variables # rubocop:disable Cop/ActiveRecordSerialize
@@ -1069,11 +1070,10 @@ module Ci
end
def debug_mode?
- # TODO: Have `debug_mode?` check against data on sent back from runner
- # to capture all the ways that variables can be set.
- # See (https://gitlab.com/gitlab-org/gitlab/-/issues/290955)
- variables['CI_DEBUG_TRACE']&.value&.casecmp('true') == 0 ||
- variables['CI_DEBUG_SERVICES']&.value&.casecmp('true') == 0
+ # perform the check on both sides in case the runner version is old
+ debug_trace_enabled? ||
+ Gitlab::Utils.to_boolean(variables['CI_DEBUG_SERVICES']&.value, default: false) ||
+ Gitlab::Utils.to_boolean(variables['CI_DEBUG_TRACE']&.value, default: false)
end
def drop_with_exit_code!(failure_reason, exit_code)
diff --git a/app/models/integration.rb b/app/models/integration.rb
index 8bef8b08c19..d3006f00ba1 100644
--- a/app/models/integration.rb
+++ b/app/models/integration.rb
@@ -510,7 +510,7 @@ class Integration < ApplicationRecord
end
def api_field_names
- fields.reject { _1[:type] == 'password' }.pluck(:name)
+ fields.reject { _1[:type] == 'password' || _1[:name] == 'webhook' }.pluck(:name)
end
def form_fields
diff --git a/app/models/integrations/datadog.rb b/app/models/integrations/datadog.rb
index 80eecc14d0f..3b3c7d8f2cd 100644
--- a/app/models/integrations/datadog.rb
+++ b/app/models/integrations/datadog.rb
@@ -15,6 +15,7 @@ module Integrations
TAG_KEY_VALUE_RE = %r{\A [\w-]+ : .*\S.* \z}x.freeze
field :datadog_site,
+ exposes_secrets: true,
placeholder: DEFAULT_DOMAIN,
help: -> do
ERB::Util.html_escape(
diff --git a/app/models/integrations/prometheus.rb b/app/models/integrations/prometheus.rb
index 142f466018b..2f0995e9ab0 100644
--- a/app/models/integrations/prometheus.rb
+++ b/app/models/integrations/prometheus.rb
@@ -3,6 +3,7 @@
module Integrations
class Prometheus < BaseMonitoring
include PrometheusAdapter
+ include Gitlab::Utils::StrongMemoize
field :manual_configuration,
type: 'checkbox',
@@ -81,7 +82,7 @@ module Integrations
allow_local_requests: allow_local_api_url?
)
- if behind_iap?
+ if behind_iap? && iap_client
# Adds the Authorization header
options[:headers] = iap_client.apply({})
end
@@ -106,6 +107,22 @@ module Integrations
should_return_client?
end
+ alias_method :google_iap_service_account_json_raw, :google_iap_service_account_json
+ private :google_iap_service_account_json_raw
+
+ MASKED_VALUE = '*' * 8
+
+ def google_iap_service_account_json
+ json = google_iap_service_account_json_raw
+ return json unless json.present?
+
+ Gitlab::Json.parse(json)
+ .then { |hash| hash.transform_values { MASKED_VALUE } }
+ .then { |hash| Gitlab::Json.generate(hash) }
+ rescue Gitlab::Json.parser_error
+ json
+ end
+
private
delegate :allow_local_requests_from_web_hooks_and_services?, to: :current_settings, private: true
@@ -155,17 +172,21 @@ module Integrations
end
def clean_google_iap_service_account
- return unless google_iap_service_account_json
+ json = google_iap_service_account_json_raw
+ return unless json.present?
- google_iap_service_account_json
- .then { |json| Gitlab::Json.parse(json) }
- .except('token_credential_uri')
+ Gitlab::Json.parse(json).except('token_credential_uri')
+ rescue Gitlab::Json.parser_error
+ {}
end
def iap_client
@iap_client ||= Google::Auth::Credentials
.new(clean_google_iap_service_account, target_audience: google_iap_audience_client_id)
.client
+ rescue StandardError
+ nil
end
+ strong_memoize_attr :iap_client
end
end
diff --git a/app/services/groups/transfer_service.rb b/app/services/groups/transfer_service.rb
index 0a9705181ba..7e9fd9dad54 100644
--- a/app/services/groups/transfer_service.rb
+++ b/app/services/groups/transfer_service.rb
@@ -51,6 +51,7 @@ module Groups
publish_event(old_root_ancestor_id)
end
+ # Overridden in EE
def ensure_allowed_transfer
raise_transfer_error(:group_is_already_root) if group_is_already_root?
raise_transfer_error(:same_parent_as_current) if same_parent?
@@ -208,6 +209,7 @@ module Groups
raise TransferError, localized_error_messages[message]
end
+ # Overridden in EE
def localized_error_messages
{
database_not_supported: s_('TransferGroup|Database is not supported.'),
diff --git a/app/services/resource_access_tokens/create_service.rb b/app/services/resource_access_tokens/create_service.rb
index c6948536053..f6fe23b4555 100644
--- a/app/services/resource_access_tokens/create_service.rb
+++ b/app/services/resource_access_tokens/create_service.rb
@@ -125,7 +125,7 @@ module ResourceAccessTokens
def do_not_allow_owner_access_level_for_project_bot?(access_level)
resource.is_a?(Project) &&
- access_level == Gitlab::Access::OWNER &&
+ access_level.to_i == Gitlab::Access::OWNER &&
!current_user.can?(:manage_owners, resource)
end
end
View Lorry Controller Status