From ef77d7f75069ca5f71261d80bc9caea59168cba2 Mon Sep 17 00:00:00 2001
From: GitLab Bot
<p> & © Æ Ď
+<p> & © Æ Ď
¾ ℋ ⅆ
∲ ≧̸</p>
@@ -7344,11 +7344,11 @@ stripped in this way:
@@ -7356,12 +7356,12 @@ stripped in this way:
-` `
+` `
` `
-<p><code> </code>
+<p><code> </code>
<code> </code></p>
@@ -7832,11 +7832,11 @@ not part of a [left-flanking delimiter run]:
@@ -9790,7 +9790,7 @@ Other [Unicode whitespace] like non-breaking space doesn't work.
-[link](/url "title")
+[link](/url "title")
diff --git a/lib/api/repositories.rb b/lib/api/repositories.rb
index 70535496b12..6f8d34ea387 100644
--- a/lib/api/repositories.rb
+++ b/lib/api/repositories.rb
@@ -203,6 +203,10 @@ module API
render_api_error!("Target project id:#{params[:from_project_id]} is not a fork of project id:#{params[:id]}", 400)
end
+ unless can?(current_user, :read_code, target_project)
+ forbidden!("You don't have access to this fork's parent project")
+ end
+
cache_key = compare_cache_key(current_user, user_project, target_project, declared_params)
cache_action(cache_key, expires_in: 1.minute) do
diff --git a/lib/gitlab/unicode.rb b/lib/gitlab/unicode.rb
index b49c5647dab..f291ea1b4ee 100644
--- a/lib/gitlab/unicode.rb
+++ b/lib/gitlab/unicode.rb
@@ -9,6 +9,12 @@ module Gitlab
# https://idiosyncratic-ruby.com/41-proper-unicoding.html
BIDI_REGEXP = /\p{Bidi Control}/.freeze
+ # Regular expression for identifying space characters
+ #
+ # In web browsers space characters can be confused with simple
+ # spaces which may be misleading
+ SPACE_REGEXP = /\p{Space_Separator}/.freeze
+
class << self
# Warning message used to highlight bidi characters in the GUI
def bidi_warning
diff --git a/lib/rouge/formatters/html_gitlab.rb b/lib/rouge/formatters/html_gitlab.rb
index 436739bed12..a7e95a96b8b 100644
--- a/lib/rouge/formatters/html_gitlab.rb
+++ b/lib/rouge/formatters/html_gitlab.rb
@@ -25,7 +25,10 @@ module Rouge
yield %()
line.each do |token, value|
- yield highlight_unicode_control_characters(span(token, value.chomp! || value))
+ value = value.chomp! || value
+ value = replace_space_characters(value)
+
+ yield highlight_unicode_control_characters(span(token, value))
end
yield ellipsis if @ellipsis_indexes.include?(@line_number - 1) && @ellipsis_svg.present?
@@ -42,6 +45,10 @@ module Rouge
%(#{@ellipsis_svg})
end
+ def replace_space_characters(text)
+ text.gsub(Gitlab::Unicode::SPACE_REGEXP, ' ')
+ end
+
def highlight_unicode_control_characters(text)
text.gsub(Gitlab::Unicode::BIDI_REGEXP) do |char|
%(#{char})
diff --git a/spec/controllers/admin/hooks_controller_spec.rb b/spec/controllers/admin/hooks_controller_spec.rb
index 4101bd7f658..4e68ffdda2a 100644
--- a/spec/controllers/admin/hooks_controller_spec.rb
+++ b/spec/controllers/admin/hooks_controller_spec.rb
@@ -59,6 +59,7 @@ RSpec.describe Admin::HooksController do
enable_ssl_verification: false,
url_variables: [
{ key: 'token', value: 'some secret value' },
+ { key: 'baz', value: 'qux' },
{ key: 'foo', value: nil }
]
}
@@ -71,7 +72,7 @@ RSpec.describe Admin::HooksController do
expect(flash[:notice]).to include('was updated')
expect(hook).to have_attributes(hook_params.except(:url_variables))
expect(hook).to have_attributes(
- url_variables: { 'token' => 'some secret value', 'baz' => 'woo' }
+ url_variables: { 'token' => 'some secret value', 'baz' => 'qux' }
)
end
end
diff --git a/spec/controllers/projects/clusters_controller_spec.rb b/spec/controllers/projects/clusters_controller_spec.rb
index a4f7c92f5cd..c7d2b1fa3af 100644
--- a/spec/controllers/projects/clusters_controller_spec.rb
+++ b/spec/controllers/projects/clusters_controller_spec.rb
@@ -7,7 +7,7 @@ RSpec.describe Projects::ClustersController, feature_category: :kubernetes_manag
include GoogleApi::CloudPlatformHelpers
include KubernetesHelpers
- let_it_be(:project) { create(:project) }
+ let_it_be_with_reload(:project) { create(:project) }
let(:user) { create(:user) }
@@ -140,6 +140,27 @@ RSpec.describe Projects::ClustersController, feature_category: :kubernetes_manag
expect(response).to redirect_to(new_user_session_path)
end
end
+
+ context 'with a public project' do
+ before do
+ project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+ project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::ENABLED)
+ end
+
+ context 'with guest user' do
+ let(:prometheus_body) { nil }
+
+ before do
+ project.add_guest(user)
+ end
+
+ it 'returns 404' do
+ get :prometheus_proxy, params: prometheus_proxy_params
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+ end
+ end
end
end
diff --git a/spec/controllers/projects/environments/prometheus_api_controller_spec.rb b/spec/controllers/projects/environments/prometheus_api_controller_spec.rb
index 68d50cf19f0..6b0c164e432 100644
--- a/spec/controllers/projects/environments/prometheus_api_controller_spec.rb
+++ b/spec/controllers/projects/environments/prometheus_api_controller_spec.rb
@@ -4,7 +4,7 @@ require 'spec_helper'
RSpec.describe Projects::Environments::PrometheusApiController do
let_it_be(:user) { create(:user) }
- let_it_be(:project) { create(:project) }
+ let_it_be_with_reload(:project) { create(:project) }
let_it_be(:proxyable) { create(:environment, project: project) }
before do
@@ -70,6 +70,27 @@ RSpec.describe Projects::Environments::PrometheusApiController do
expect(response).to redirect_to(new_user_session_path)
end
end
+
+ context 'with a public project' do
+ before do
+ project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+ project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::ENABLED)
+ end
+
+ context 'with guest user' do
+ let(:prometheus_body) { nil }
+
+ before do
+ project.add_guest(user)
+ end
+
+ it 'returns 404' do
+ get :prometheus_proxy, params: prometheus_proxy_params
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+ end
+ end
end
end
end
diff --git a/spec/factories/project_hooks.rb b/spec/factories/project_hooks.rb
index 946b3925ee9..d84e287d765 100644
--- a/spec/factories/project_hooks.rb
+++ b/spec/factories/project_hooks.rb
@@ -7,7 +7,7 @@ FactoryBot.define do
project
trait :url_variables do
- url_variables { { 'abc' => 'supers3cret' } }
+ url_variables { { 'abc' => 'supers3cret', 'def' => 'foobar' } }
end
trait :token do
diff --git a/spec/helpers/hooks_helper_spec.rb b/spec/helpers/hooks_helper_spec.rb
index a6cfbfe86ca..d8fa64e099a 100644
--- a/spec/helpers/hooks_helper_spec.rb
+++ b/spec/helpers/hooks_helper_spec.rb
@@ -26,7 +26,7 @@ RSpec.describe HooksHelper do
it 'returns proper data' do
expect(subject).to match(
url: project_hook.url,
- url_variables: Gitlab::Json.dump([{ key: 'abc' }])
+ url_variables: Gitlab::Json.dump([{ key: 'abc' }, { key: 'def' }])
)
end
end
diff --git a/spec/lib/rouge/formatters/html_gitlab_spec.rb b/spec/lib/rouge/formatters/html_gitlab_spec.rb
index 79bfdb262c0..6fc1b395fc8 100644
--- a/spec/lib/rouge/formatters/html_gitlab_spec.rb
+++ b/spec/lib/rouge/formatters/html_gitlab_spec.rb
@@ -2,7 +2,7 @@
require 'spec_helper'
-RSpec.describe Rouge::Formatters::HTMLGitlab do
+RSpec.describe Rouge::Formatters::HTMLGitlab, feature_category: :source_code_management do
describe '#format' do
subject { described_class.format(tokens, **options) }
@@ -67,5 +67,24 @@ RSpec.describe Rouge::Formatters::HTMLGitlab do
is_expected.to include(%{}).exactly(4).times
end
end
+
+ context 'when space characters and zero-width spaces are used' do
+ let(:lang) { 'ruby' }
+ let(:tokens) { lexer.lex(code, continue: false) }
+
+ let(:code) do
+ <<~JS
+ def\u00a0\u1680\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007\u2008\u2009\u200a\u202f\u205f\u3000hello
+ JS
+ end
+
+ it 'replaces the space characters with spaces' do
+ is_expected.to eq(
+ "" \
+ "def hello" \
+ ""
+ )
+ end
+ end
end
end
diff --git a/spec/models/hooks/web_hook_spec.rb b/spec/models/hooks/web_hook_spec.rb
index 72958a54e10..ad5f01fe056 100644
--- a/spec/models/hooks/web_hook_spec.rb
+++ b/spec/models/hooks/web_hook_spec.rb
@@ -242,6 +242,22 @@ RSpec.describe WebHook, feature_category: :integrations do
expect(hook.url_variables).to eq({})
end
+ it 'resets url variables if url is changed and url variables are appended' do
+ hook.url = 'http://suspicious.example.com/{abc}/{foo}'
+ hook.url_variables = hook.url_variables.merge('foo' => 'bar')
+
+ expect(hook).not_to be_valid
+ expect(hook.url_variables).to eq({})
+ end
+
+ it 'resets url variables if url is changed and url variables are removed' do
+ hook.url = 'http://suspicious.example.com/{abc}'
+ hook.url_variables = hook.url_variables.except("def")
+
+ expect(hook).not_to be_valid
+ expect(hook.url_variables).to eq({})
+ end
+
it 'does not reset url variables if both url and url variables are changed' do
hook.url = 'http://example.com/{one}/{two}'
hook.url_variables = { 'one' => 'foo', 'two' => 'bar' }
@@ -249,6 +265,18 @@ RSpec.describe WebHook, feature_category: :integrations do
expect(hook).to be_valid
expect(hook.url_variables).to eq({ 'one' => 'foo', 'two' => 'bar' })
end
+
+ context 'without url variables' do
+ subject(:hook) { build_stubbed(:project_hook, project: project, url: 'http://example.com') }
+
+ it 'does not reset url variables' do
+ hook.url = 'http://example.com/{one}/{two}'
+ hook.url_variables = { 'one' => 'foo', 'two' => 'bar' }
+
+ expect(hook).to be_valid
+ expect(hook.url_variables).to eq({ 'one' => 'foo', 'two' => 'bar' })
+ end
+ end
end
it "only consider these branch filter strategies are valid" do
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index c29446c1f38..0c359b80fb5 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -697,6 +697,39 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
end
end
+ describe 'read_prometheus', feature_category: :metrics do
+ using RSpec::Parameterized::TableSyntax
+
+ before do
+ project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::ENABLED)
+ end
+
+ let(:policy) { :read_prometheus }
+
+ where(:project_visibility, :role, :allowed) do
+ :public | :anonymous | false
+ :public | :guest | false
+ :public | :reporter | true
+ :internal | :anonymous | false
+ :internal | :guest | false
+ :internal | :reporter | true
+ :private | :anonymous | false
+ :private | :guest | false
+ :private | :reporter | true
+ end
+
+ with_them do
+ let(:current_user) { public_send(role) }
+ let(:project) { public_send("#{project_visibility}_project") }
+
+ if params[:allowed]
+ it { is_expected.to be_allowed(policy) }
+ else
+ it { is_expected.not_to be_allowed(policy) }
+ end
+ end
+ end
+
describe 'update_max_artifacts_size' do
context 'when no user' do
let(:current_user) { anonymous }
@@ -972,7 +1005,7 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
let(:current_user) { guest }
it { is_expected.to be_allowed(:metrics_dashboard) }
- it { is_expected.to be_allowed(:read_prometheus) }
+ it { is_expected.to be_disallowed(:read_prometheus) }
it { is_expected.to be_allowed(:read_deployment) }
it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) }
it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) }
@@ -982,7 +1015,7 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
let(:current_user) { anonymous }
it { is_expected.to be_allowed(:metrics_dashboard) }
- it { is_expected.to be_allowed(:read_prometheus) }
+ it { is_expected.to be_disallowed(:read_prometheus) }
it { is_expected.to be_allowed(:read_deployment) }
it { is_expected.to be_disallowed(:read_metrics_user_starred_dashboard) }
it { is_expected.to be_disallowed(:create_metrics_user_starred_dashboard) }
@@ -1008,12 +1041,14 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
let(:current_user) { guest }
it { is_expected.to be_disallowed(:metrics_dashboard) }
+ it { is_expected.to be_disallowed(:read_prometheus) }
end
context 'with anonymous' do
let(:current_user) { anonymous }
it { is_expected.to be_disallowed(:metrics_dashboard) }
+ it { is_expected.to be_disallowed(:read_prometheus) }
end
end
@@ -1036,7 +1071,7 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
let(:current_user) { guest }
it { is_expected.to be_allowed(:metrics_dashboard) }
- it { is_expected.to be_allowed(:read_prometheus) }
+ it { is_expected.to be_disallowed(:read_prometheus) }
it { is_expected.to be_allowed(:read_deployment) }
it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) }
it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) }
@@ -1046,6 +1081,7 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
let(:current_user) { anonymous }
it { is_expected.to be_disallowed(:metrics_dashboard) }
+ it { is_expected.to be_disallowed(:read_prometheus) }
end
end
end
@@ -1068,12 +1104,14 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
let(:current_user) { guest }
it { is_expected.to be_disallowed(:metrics_dashboard) }
+ it { is_expected.to be_disallowed(:read_prometheus) }
end
context 'with anonymous' do
let(:current_user) { anonymous }
it { is_expected.to be_disallowed(:metrics_dashboard) }
+ it { is_expected.to be_disallowed(:read_prometheus) }
end
end
@@ -1092,12 +1130,14 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
let(:current_user) { guest }
it { is_expected.to be_disallowed(:metrics_dashboard) }
+ it { is_expected.to be_disallowed(:read_prometheus) }
end
context 'with anonymous' do
let(:current_user) { anonymous }
it { is_expected.to be_disallowed(:metrics_dashboard) }
+ it { is_expected.to be_disallowed(:read_prometheus) }
end
end
end
diff --git a/spec/requests/api/repositories_spec.rb b/spec/requests/api/repositories_spec.rb
index 555ba2bc978..be26fe24061 100644
--- a/spec/requests/api/repositories_spec.rb
+++ b/spec/requests/api/repositories_spec.rb
@@ -573,6 +573,22 @@ RSpec.describe API::Repositories, feature_category: :source_code_management do
context 'when authenticated', 'as a developer' do
it_behaves_like 'repository compare' do
let(:current_user) { user }
+
+ context 'when user does not have read access to the parent project' do
+ let_it_be(:group) { create(:group) }
+ let(:forked_project) { fork_project(project, current_user, repository: true, namespace: group) }
+
+ before do
+ forked_project.add_guest(current_user)
+ end
+
+ it 'returns 403 error' do
+ get api(route, current_user), params: { from: 'improve/awesome', to: 'feature', from_project_id: forked_project.id }
+
+ expect(response).to have_gitlab_http_status(:forbidden)
+ expect(json_response['message']).to eq("403 Forbidden - You don't have access to this fork's parent project")
+ end
+ end
end
end
diff --git a/spec/services/web_hook_service_spec.rb b/spec/services/web_hook_service_spec.rb
index 5736bf885be..b4250fcf04d 100644
--- a/spec/services/web_hook_service_spec.rb
+++ b/spec/services/web_hook_service_spec.rb
@@ -130,8 +130,8 @@ RSpec.describe WebHookService, :request_store, :clean_gitlab_redis_shared_state,
context 'there is userinfo' do
before do
project_hook.update!(
- url: 'http://{one}:{two}@example.com',
- url_variables: { 'one' => 'a', 'two' => 'b' }
+ url: 'http://{foo}:{bar}@example.com',
+ url_variables: { 'foo' => 'a', 'bar' => 'b' }
)
stub_full_request('http://example.com', method: :post)
end
--
cgit v1.2.1
From 22afa6177e5cdd2843502d425cb584135a35df60 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Wed, 29 Mar 2023 23:54:01 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@15-9-stable-ee
---
.../behaviors/markdown/render_observability.js | 45 ++++++++++------
app/assets/javascripts/pages/projects/project.js | 3 +-
app/assets/javascripts/repository/index.js | 7 +--
.../repository/utils/ref_switcher_utils.js | 27 ++++++----
app/controllers/concerns/confirm_email_warning.rb | 14 +++--
app/controllers/projects/blob_controller.rb | 10 ++++
app/controllers/projects/refs_controller.rb | 2 +-
app/controllers/projects/tree_controller.rb | 9 ++++
app/controllers/projects_controller.rb | 10 +++-
app/views/projects/tree/_tree_header.html.haml | 2 +-
lib/banzai/filter/inline_observability_filter.rb | 16 ++++--
lib/extracts_ref.rb | 14 ++++-
locale/gitlab.pot | 3 ++
.../concerns/confirm_email_warning_spec.rb | 34 +++++++++++-
spec/controllers/projects/blob_controller_spec.rb | 33 ++++++++++--
spec/controllers/projects/refs_controller_spec.rb | 2 +-
spec/controllers/projects/tree_controller_spec.rb | 37 ++++++++++---
spec/controllers/projects_controller_spec.rb | 63 ++++++++++++++++++++++
spec/features/admin/users/user_spec.rb | 30 +++++++++++
.../markdown/render_observability_spec.js | 12 ++++-
.../repository/utils/ref_switcher_utils_spec.js | 29 ++++++++--
.../filter/inline_observability_filter_spec.rb | 52 ++++++++++++++++++
22 files changed, 395 insertions(+), 59 deletions(-)
diff --git a/app/assets/javascripts/behaviors/markdown/render_observability.js b/app/assets/javascripts/behaviors/markdown/render_observability.js
index 704d85cf22e..d5d46c10efd 100644
--- a/app/assets/javascripts/behaviors/markdown/render_observability.js
+++ b/app/assets/javascripts/behaviors/markdown/render_observability.js
@@ -7,23 +7,36 @@ export function getFrameSrc(url) {
}
const mountVueComponent = (element) => {
- const url = [element.dataset.frameUrl];
+ const { frameUrl, observabilityUrl } = element.dataset;
- return new Vue({
- el: element,
- render(h) {
- return h('iframe', {
- style: {
- height: '366px',
- width: '768px',
- },
- attrs: {
- src: getFrameSrc(url),
- frameBorder: '0',
- },
- });
- },
- });
+ try {
+ if (
+ !observabilityUrl ||
+ !frameUrl ||
+ new URL(frameUrl)?.host !== new URL(observabilityUrl).host
+ )
+ return;
+
+ // eslint-disable-next-line no-new
+ new Vue({
+ el: element,
+ render(h) {
+ return h('iframe', {
+ style: {
+ height: '366px',
+ width: '768px',
+ },
+ attrs: {
+ src: getFrameSrc(frameUrl),
+ frameBorder: '0',
+ },
+ });
+ },
+ });
+ } catch (e) {
+ // eslint-disable-next-line no-console
+ console.error(e);
+ }
};
export default function renderObservability(elements) {
diff --git a/app/assets/javascripts/pages/projects/project.js b/app/assets/javascripts/pages/projects/project.js
index 5773737c41b..a4b3b83a855 100644
--- a/app/assets/javascripts/pages/projects/project.js
+++ b/app/assets/javascripts/pages/projects/project.js
@@ -110,9 +110,10 @@ export default class Project {
const urlParams = { [fieldName]: ref };
if (params.group === BRANCH_GROUP_NAME) {
urlParams.ref_type = BRANCH_REF_TYPE;
- } else {
+ } else if (params.group === TAG_GROUP_NAME) {
urlParams.ref_type = TAG_REF_TYPE;
}
+
link.href = mergeUrlParams(urlParams, linkTarget);
}
diff --git a/app/assets/javascripts/repository/index.js b/app/assets/javascripts/repository/index.js
index 494e270a66c..95e0c94527b 100644
--- a/app/assets/javascripts/repository/index.js
+++ b/app/assets/javascripts/repository/index.js
@@ -2,7 +2,7 @@ import { GlButton } from '@gitlab/ui';
import Vue from 'vue';
import Vuex from 'vuex';
import { parseBoolean } from '~/lib/utils/common_utils';
-import { escapeFileUrl, visitUrl } from '~/lib/utils/url_utility';
+import { joinPaths, escapeFileUrl, visitUrl } from '~/lib/utils/url_utility';
import { __ } from '~/locale';
import initWebIdeLink from '~/pages/projects/shared/web_ide_link';
import PerformancePlugin from '~/performance/vue_performance_plugin';
@@ -121,7 +121,7 @@ export default function setupVueRepositoryList() {
if (!refSwitcherEl) return false;
- const { projectId, projectRootPath } = refSwitcherEl.dataset;
+ const { projectId, projectRootPath, refType } = refSwitcherEl.dataset;
return new Vue({
el: refSwitcherEl,
@@ -129,7 +129,8 @@ export default function setupVueRepositoryList() {
return createElement(RefSelector, {
props: {
projectId,
- value: ref,
+ value: refType ? joinPaths('refs', refType, ref) : ref,
+ useSymbolicRefNames: true,
},
on: {
input(selectedRef) {
diff --git a/app/assets/javascripts/repository/utils/ref_switcher_utils.js b/app/assets/javascripts/repository/utils/ref_switcher_utils.js
index c62f7f709c4..bcad4a2c822 100644
--- a/app/assets/javascripts/repository/utils/ref_switcher_utils.js
+++ b/app/assets/javascripts/repository/utils/ref_switcher_utils.js
@@ -16,22 +16,29 @@ const getNamespaceTargetRegex = (ref) => new RegExp(`(/-/(blob|tree))/${ref}/(.*
* @param {string} selectedRef - The selected ref from the ref dropdown.
*/
export function generateRefDestinationPath(projectRootPath, ref, selectedRef) {
- const currentPath = window.location.pathname;
- const encodedHash = '%23';
+ const url = new URL(window.location.href);
+ const currentPath = url.pathname;
+ let refType = null;
let namespace = '/-/tree';
let target;
+ let actualRef = selectedRef;
+
+ const matches = selectedRef.match(/^refs\/(heads|tags)\/(.+)/);
+ if (matches) {
+ [, refType, actualRef] = matches;
+ }
+ if (refType) {
+ url.searchParams.set('ref_type', refType);
+ } else {
+ url.searchParams.delete('ref_type');
+ }
+
const NAMESPACE_TARGET_REGEX = getNamespaceTargetRegex(ref);
const match = NAMESPACE_TARGET_REGEX.exec(currentPath);
if (match) {
[, namespace, , target] = match;
}
+ url.pathname = joinPaths(projectRootPath, namespace, actualRef, target);
- const destinationPath = joinPaths(
- projectRootPath,
- namespace,
- encodeURI(selectedRef).replace(/#/g, encodedHash),
- target,
- );
-
- return `${destinationPath}${window.location.hash}`;
+ return url.toString();
}
diff --git a/app/controllers/concerns/confirm_email_warning.rb b/app/controllers/concerns/confirm_email_warning.rb
index ec5140bf223..2711c823275 100644
--- a/app/controllers/concerns/confirm_email_warning.rb
+++ b/app/controllers/concerns/confirm_email_warning.rb
@@ -1,6 +1,7 @@
# frozen_string_literal: true
module ConfirmEmailWarning
+ include Gitlab::Utils::StrongMemoize
extend ActiveSupport::Concern
included do
@@ -17,11 +18,9 @@ module ConfirmEmailWarning
return unless current_user
return if current_user.confirmed?
- email = current_user.unconfirmed_email || current_user.email
-
flash.now[:warning] = format(
confirm_warning_message,
- email: email,
+ email: email_to_display,
resend_link: view_context.link_to(_('Resend it'), user_confirmation_path(user: { email: email }), method: :post),
update_link: view_context.link_to(_('Update it'), profile_path)
).html_safe
@@ -29,7 +28,16 @@ module ConfirmEmailWarning
private
+ def email
+ current_user.unconfirmed_email || current_user.email
+ end
+ strong_memoize_attr :email
+
def confirm_warning_message
_("Please check your email (%{email}) to verify that you own this address and unlock the power of CI/CD. Didn't receive it? %{resend_link}. Wrong email address? %{update_link}.")
end
+
+ def email_to_display
+ html_escape(email)
+ end
end
diff --git a/app/controllers/projects/blob_controller.rb b/app/controllers/projects/blob_controller.rb
index 59cea00e26b..b71af82535a 100644
--- a/app/controllers/projects/blob_controller.rb
+++ b/app/controllers/projects/blob_controller.rb
@@ -31,6 +31,7 @@ class Projects::BlobController < Projects::ApplicationController
before_action :authorize_edit_tree!, only: [:new, :create, :update, :destroy]
before_action :commit, except: [:new, :create]
+ before_action :check_for_ambiguous_ref, only: [:show]
before_action :blob, except: [:new, :create]
before_action :require_branch_head, only: [:edit, :update]
before_action :editor_variables, except: [:show, :preview, :diff]
@@ -145,6 +146,15 @@ class Projects::BlobController < Projects::ApplicationController
end
end
+ def check_for_ambiguous_ref
+ @ref_type = ref_type
+
+ if @ref_type == ExtractsRef::BRANCH_REF_TYPE && ambiguous_ref?(@project, @ref)
+ branch = @project.repository.find_branch(@ref)
+ redirect_to project_blob_path(@project, File.join(branch.target, @path))
+ end
+ end
+
def commit
@commit ||= @repository.commit(@ref)
diff --git a/app/controllers/projects/refs_controller.rb b/app/controllers/projects/refs_controller.rb
index 4c2bd2a9d42..f55fc2242a4 100644
--- a/app/controllers/projects/refs_controller.rb
+++ b/app/controllers/projects/refs_controller.rb
@@ -22,7 +22,7 @@ class Projects::RefsController < Projects::ApplicationController
when "tree"
project_tree_path(@project, @id)
when "blob"
- project_blob_path(@project, @id)
+ project_blob_path(@project, @id, ref_type: ref_type)
when "graph"
project_network_path(@project, @id, ref_type: ref_type)
when "graphs"
diff --git a/app/controllers/projects/tree_controller.rb b/app/controllers/projects/tree_controller.rb
index 737a6290431..1f7912e15df 100644
--- a/app/controllers/projects/tree_controller.rb
+++ b/app/controllers/projects/tree_controller.rb
@@ -28,6 +28,15 @@ class Projects::TreeController < Projects::ApplicationController
def show
return render_404 unless @commit
+ @ref_type = ref_type
+ if @ref_type == BRANCH_REF_TYPE && ambiguous_ref?(@project, @ref)
+ branch = @project.repository.find_branch(@ref)
+ if branch
+ redirect_to project_tree_path(@project, branch.target)
+ return
+ end
+ end
+
if tree.entries.empty?
if @repository.blob_at(@commit.id, @path)
redirect_to project_blob_path(@project, File.join(@ref, @path))
diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index 71ad747b6b1..d71b782c62b 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -171,11 +171,19 @@ class ProjectsController < Projects::ApplicationController
flash.now[:alert] = _("Project '%{project_name}' queued for deletion.") % { project_name: @project.name }
end
+ if ambiguous_ref?(@project, @ref)
+ branch = @project.repository.find_branch(@ref)
+
+ # The files view would render a ref other than the default branch
+ # This redirect can be removed once the view is fixed
+ redirect_to(project_tree_path(@project, branch.target), alert: _("The default branch of this project clashes with another ref"))
+ return
+ end
+
respond_to do |format|
format.html do
@notification_setting = current_user.notification_settings_for(@project) if current_user
@project = @project.present(current_user: current_user)
-
render_landing_page
end
diff --git a/app/views/projects/tree/_tree_header.html.haml b/app/views/projects/tree/_tree_header.html.haml
index 6cd3c584f2a..d494d9cc36d 100644
--- a/app/views/projects/tree/_tree_header.html.haml
+++ b/app/views/projects/tree/_tree_header.html.haml
@@ -2,7 +2,7 @@
.tree-ref-container.gl-display-flex.gl-flex-wrap.gl-gap-2.mb-2.mb-md-0
.tree-ref-holder.gl-max-w-26
- #js-tree-ref-switcher{ data: { project_id: @project.id, project_root_path: project_path(@project) } }
+ #js-tree-ref-switcher{ data: { project_id: @project.id, ref_type: @ref_type.to_s, project_root_path: project_path(@project) } }
#js-repo-breadcrumb{ data: breadcrumb_data_attributes }
diff --git a/lib/banzai/filter/inline_observability_filter.rb b/lib/banzai/filter/inline_observability_filter.rb
index 334c04f2b59..50d4aac70cc 100644
--- a/lib/banzai/filter/inline_observability_filter.rb
+++ b/lib/banzai/filter/inline_observability_filter.rb
@@ -1,5 +1,7 @@
# frozen_string_literal: true
+require 'uri'
+
module Banzai
module Filter
class InlineObservabilityFilter < ::Banzai::Filter::InlineEmbedsFilter
@@ -15,7 +17,8 @@ module Banzai
doc.document.create_element(
'div',
class: 'js-render-observability',
- 'data-frame-url': url
+ 'data-frame-url': url,
+ 'data-observability-url': Gitlab::Observability.observability_url
)
end
@@ -28,8 +31,15 @@ module Banzai
# obtained from the target link
def element_to_embed(node)
url = node['href']
-
- create_element(url)
+ uri = URI.parse(url)
+ observability_uri = URI.parse(Gitlab::Observability.observability_url)
+
+ if uri.scheme == observability_uri.scheme &&
+ uri.port == observability_uri.port &&
+ uri.host.casecmp?(observability_uri.host) &&
+ uri.path.downcase.exclude?("auth/start")
+ create_element(url)
+ end
end
private
diff --git a/lib/extracts_ref.rb b/lib/extracts_ref.rb
index dba1aad639c..49c9772f760 100644
--- a/lib/extracts_ref.rb
+++ b/lib/extracts_ref.rb
@@ -5,7 +5,8 @@
# Can be extended for different types of repository object, e.g. Project or Snippet
module ExtractsRef
InvalidPathError = Class.new(StandardError)
-
+ BRANCH_REF_TYPE = 'heads'
+ TAG_REF_TYPE = 'tags'
# Given a string containing both a Git tree-ish, such as a branch or tag, and
# a filesystem path joined by forward slashes, attempts to separate the two.
#
@@ -91,7 +92,7 @@ module ExtractsRef
def ref_type
return unless params[:ref_type].present?
- params[:ref_type] == 'tags' ? 'tags' : 'heads'
+ params[:ref_type] == TAG_REF_TYPE ? TAG_REF_TYPE : BRANCH_REF_TYPE
end
private
@@ -154,4 +155,13 @@ module ExtractsRef
def repository_container
raise NotImplementedError
end
+
+ def ambiguous_ref?(project, ref)
+ return true if project.repository.ambiguous_ref?(ref)
+
+ return false unless ref&.starts_with?('refs/')
+
+ unprefixed_ref = ref.sub(%r{^refs/(heads|tags)/}, '')
+ project.repository.commit(unprefixed_ref).present?
+ end
end
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 88a17b7d697..695b567039e 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -42698,6 +42698,9 @@ msgstr ""
msgid "The default branch for this project has been changed. Please update your bookmarks."
msgstr ""
+msgid "The default branch of this project clashes with another ref"
+msgstr ""
+
msgid "The dependency list details information about the components used within your project."
msgstr ""
diff --git a/spec/controllers/concerns/confirm_email_warning_spec.rb b/spec/controllers/concerns/confirm_email_warning_spec.rb
index 334c156e1ae..b8a4b94aa66 100644
--- a/spec/controllers/concerns/confirm_email_warning_spec.rb
+++ b/spec/controllers/concerns/confirm_email_warning_spec.rb
@@ -2,7 +2,7 @@
require 'spec_helper'
-RSpec.describe ConfirmEmailWarning do
+RSpec.describe ConfirmEmailWarning, feature_category: :system_access do
before do
stub_feature_flags(soft_email_confirmation: true)
end
@@ -82,6 +82,38 @@ RSpec.describe ConfirmEmailWarning do
it { is_expected.to set_confirm_warning_for(user.email) }
end
end
+
+ context 'when user is being impersonated' do
+ let(:impersonator) { create(:admin) }
+
+ before do
+ allow(controller).to receive(:session).and_return({ impersonator_id: impersonator.id })
+
+ get :index
+ end
+
+ it { is_expected.to set_confirm_warning_for(user.email) }
+
+ context 'when impersonated user email has html in their email' do
+ let(:user) { create(:user, confirmed_at: nil, unconfirmed_email: "malicious@test.com