From 616d6dc767ba33148a11768f3d73504368897ee9 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Fri, 31 Mar 2023 03:53:49 +0000
Subject: Add latest changes from gitlab-org/gitlab@15-10-stable-ee

---
 Gemfile | 12 ++---
 Gemfile.checksum | 7 ++-
 Gemfile.lock | 15 ++++++-
 config/initializers/action_mailer_hooks.rb | 1 -
 config/initializers/mail_encoding_patch.rb | 18 +-------
 .../email/hook/validate_addresses_interceptor.rb | 32 -------------
 scripts/allowed_warnings.txt | 9 ++++
 .../hook/validate_addresses_interceptor_spec.rb | 52 ----------------------
 8 files changed, 33 insertions(+), 113 deletions(-)
 delete mode 100644 lib/gitlab/email/hook/validate_addresses_interceptor.rb
 delete mode 100644 spec/lib/gitlab/email/hook/validate_addresses_interceptor_spec.rb

diff --git a/Gemfile b/Gemfile
index 8cafe3b8909..15995b07e1f 100644
--- a/Gemfile
+++ b/Gemfile
@@ -546,7 +546,7 @@ gem 'lru_redux'
 
 # Locked as long as quoted-printable encoding issues are not resolved
 # Monkey-patched in `config/initializers/mail_encoding_patch.rb`
 # See https://gitlab.com/gitlab-org/gitlab/issues/197386
-gem 'mail', '= 2.7.1'
+gem 'mail', '= 2.8.1'
 gem 'mail-smtp_pool', '~> 0.1.0', path: 'vendor/gems/mail-smtp_pool', require: false
 gem 'microsoft_graph_mailer', '~> 0.1.0', path: 'vendor/gems/microsoft_graph_mailer'
@@ -593,12 +593,8 @@ gem 'app_store_connect'
 # For phone verification
 gem 'telesignenterprise', '~> 2.2'
 
-# Ruby 3 extracts net-protocol into a separate gem, while Ruby 2 has it built-in
-# This condition installs the gem only for Ruby 3 to avoid warnings on Ruby 2
-# Can be removed when support for Ruby 2 is dropped
-install_if -> { Gem::Version.new(RUBY_VERSION) >= Gem::Version.new("3.0.0") } do
-  # BufferedIO patch
-  gem 'net-protocol', '~> 0.1.3'
-end
+# BufferedIO patch
+# Updating this version will require updating scripts/allowed_warnings.txt
+gem 'net-protocol', '~> 0.1.3'
 
 gem 'duo_api', '~> 1.3'
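Review bot: The comment `# BufferedIO patch` above `gem 'net-protocol', '~> 0.1.3'` names the purpose but not the effect, and with the `install_if` guard gone the gem is now also loaded on Ruby 2.7 alongside the stdlib net/protocol, which is what the "already initialized constant" entries added to scripts/allowed_warnings.txt in this commit whitelist. A reader of the Gemfile cannot tell which copy of `Net::BufferedIO` is meant to win; presumably the gem's, but that depends on load order rather than on anything the Gemfile states. Suggest spelling it out, e.g. `# BufferedIO patch: on Ruby 2.7 the gem deliberately redefines the stdlib Net::BufferedIO constants (warnings whitelisted in scripts/allowed_warnings.txt)`. Naming the net-protocol fix this pin pulls in would also make the version reviewable when it moves.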
diff --git a/Gemfile.checksum b/Gemfile.checksum
index 23b5df88a71..910c53f7ae8 100644
--- a/Gemfile.checksum
+++ b/Gemfile.checksum
@@ -99,6 +99,8 @@
 {"name":"danger","version":"8.6.1","platform":"ruby","checksum":"d95eb58b41f68d3aaa9bbef697916b6b4d161a38819517c98562531be75cdfd8"},
 {"name":"danger-gitlab","version":"8.0.0","platform":"ruby","checksum":"497dd7d0f6513913de651019223d8058cf494df10acbd17de92b175dfa04a3a8"},
 {"name":"database_cleaner","version":"1.7.0","platform":"ruby","checksum":"bdf833c197afac7054015bcde2567c3834c366bbfe6a377c30151ca984b32016"},
+{"name":"date","version":"3.3.3","platform":"java","checksum":"584e0a582d1eb2207b4eaac089d8a43f2ca10bea02682f286099642f15c56cce"},
+{"name":"date","version":"3.3.3","platform":"ruby","checksum":"819792019d5712b748fb15f6dfaaedef14b0328723ef23583ea35f186774530f"},
 {"name":"dead_end","version":"3.1.1","platform":"ruby","checksum":"1011df7f7c0149be004e11cbbc37747760227c55305cd902fd3c06e1394b2f5b"},
 {"name":"debug_inspector","version":"1.1.0","platform":"ruby","checksum":"eaa5a2d0195e1d65fb4164e8e7e466cca2e7eb53bc5e608cf12b8bf02c3a8606"},
 {"name":"deckar01-task_list","version":"2.3.2","platform":"ruby","checksum":"5a19092548d24309d8b2c2704d64cdc08a4a615823c9a722f4142edec1de8805"},
@@ -340,7 +342,7 @@
 {"name":"lookbook","version":"1.5.3","platform":"ruby","checksum":"4a0ff475af85de0dcdf45a5541fbc40dd8f66669a559efe8297c1d7fee028b38"},
 {"name":"lru_redux","version":"1.1.0","platform":"ruby","checksum":"ee71d0ccab164c51de146c27b480a68b3631d5b4297b8ffe8eda1c72de87affb"},
 {"name":"lumberjack","version":"1.2.7","platform":"ruby","checksum":"a5c6aae6b4234f1420dbcd80b23e3bca0817bd239440dde097ebe3fa63c63b1f"},
-{"name":"mail","version":"2.7.1","platform":"ruby","checksum":"ec2a3d489f7510b90d8eaa3f6abaad7038cf1d663cdf8ee66d0214a0bdf99c03"},
+{"name":"mail","version":"2.8.1","platform":"ruby","checksum":"ec3b9fadcf2b3755c78785cb17bc9a0ca9ee9857108a64b6f5cfc9c0b5bfc9ad"},
 {"name":"marcel","version":"1.0.2","platform":"ruby","checksum":"a013b677ef46cbcb49fd5c59b3d35803d2ee04dd75d8bfdc43533fc5a31f7e4e"},
 {"name":"marginalia","version":"1.11.1","platform":"ruby","checksum":"cb63212ab63e42746e27595e912cb20408a1a28bcd0edde55d15b7c45fa289cf"},
 {"name":"memoist","version":"0.16.2","platform":"ruby","checksum":"a52c53a3f25b5875151670b2f3fd44388633486dc0f09f9a7150ead1e3bf3c45"},
@@ -371,10 +373,13 @@
 {"name":"nap","version":"1.1.0","platform":"ruby","checksum":"949691660f9d041d75be611bb2a8d2fd559c467537deac241f4097d9b5eea576"},
 {"name":"nenv","version":"0.3.0","platform":"ruby","checksum":"d9de6d8fb7072228463bf61843159419c969edb34b3cef51832b516ae7972765"},
 {"name":"net-http-persistent","version":"4.0.1","platform":"ruby","checksum":"2752f4cce05fd1c45e0537c6f3a98fa5a4899efd5f88e63c104ed5f05cbddef9"},
+{"name":"net-imap","version":"0.3.4","platform":"ruby","checksum":"a82a59e2a429433dc54cae5a8b2979ffe49da8c66085740811bfa337dc3729b5"},
 {"name":"net-ldap","version":"0.17.1","platform":"ruby","checksum":"52571b55f9157120833ac1667f2969ce0139251811d0a9b64657c1c135069cf9"},
 {"name":"net-ntp","version":"2.1.3","platform":"ruby","checksum":"5bc73f4102bde0d1872bd3b293608ae99d9f5007d744f21919c6a565eda9267d"},
+{"name":"net-pop","version":"0.1.2","platform":"ruby","checksum":"848b4e982013c15b2f0382792268763b748cce91c9e91e36b0f27ed26420dff3"},
 {"name":"net-protocol","version":"0.1.3","platform":"ruby","checksum":"ad43e2be965ede676683c047b2c3d76762aa49a764779d98312a10da04622c14"},
 {"name":"net-scp","version":"3.0.0","platform":"ruby","checksum":"8fc6c80365b95230c6bfc529dbea3893d2d81724855bfb01cbf385866e1c902c"},
+{"name":"net-smtp","version":"0.3.3","platform":"ruby","checksum":"3d51dcaa981b74aff2d89cbe89de4503bc2d682365ea5176366e950a0d68d5b0"},
 {"name":"net-ssh","version":"6.0.0","platform":"ruby","checksum":"6290ddcb232380cae79b772af924e12f57fe1dcd0f71254411dd21c04f7b13d0"},
 {"name":"netrc","version":"0.11.0","platform":"ruby","checksum":"de1ce33da8c99ab1d97871726cba75151113f117146becbe45aa85cb3dabee3f"},
 {"name":"nio4r","version":"2.5.8","platform":"java","checksum":"b2b1800f6bf7ce4b797ca8b639ad278a99c9c904fb087a91d944f38e4bd71401"},
diff --git a/Gemfile.lock b/Gemfile.lock
index 1f1f566be37..b624e390851 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -344,6 +344,7 @@ GEM
       danger
       gitlab (~> 4.2, >= 4.2.0)
     database_cleaner (1.7.0)
+    date (3.3.3)
     dead_end (3.1.1)
     debug_inspector (1.1.0)
     deckar01-task_list (2.3.2)
@@ -927,8 +928,11 @@ GEM
       zeitwerk (~> 2.5)
     lru_redux (1.1.0)
     lumberjack (1.2.7)
-    mail (2.7.1)
+    mail (2.8.1)
       mini_mime (>= 0.1.1)
+      net-imap
+      net-pop
+      net-smtp
     marcel (1.0.2)
     marginalia (1.11.1)
       actionpack (>= 5.2)
@@ -972,12 +976,19 @@ GEM
     nenv (0.3.0)
     net-http-persistent (4.0.1)
       connection_pool (~> 2.2)
+    net-imap (0.3.4)
+      date
+      net-protocol
     net-ldap (0.17.1)
     net-ntp (2.1.3)
+    net-pop (0.1.2)
+      net-protocol
     net-protocol (0.1.3)
       timeout
     net-scp (3.0.0)
       net-ssh (>= 2.6.5, < 7.0.0)
+    net-smtp (0.3.3)
+      net-protocol
     net-ssh (6.0.0)
     netrc (0.11.0)
     nio4r (2.5.8)
@@ -1790,7 +1801,7 @@ DEPENDENCIES
   loofah (~> 2.19.1)
   lookbook (~> 1.5, >= 1.5.3)
   lru_redux
-  mail (= 2.7.1)
+  mail (= 2.8.1)
   mail-smtp_pool (~> 0.1.0)!
   marginalia (~> 1.11.1)
   memory_profiler (~> 1.0)
diff --git a/config/initializers/action_mailer_hooks.rb b/config/initializers/action_mailer_hooks.rb
index fb09ed34bf6..46d5e387d9d 100644
--- a/config/initializers/action_mailer_hooks.rb
+++ b/config/initializers/action_mailer_hooks.rb
@@ -8,7 +8,6 @@ end
 
 ActionMailer::Base.register_interceptors(
   ::Gitlab::Email::Hook::AdditionalHeadersInterceptor,
   ::Gitlab::Email::Hook::EmailTemplateInterceptor,
-  ::Gitlab::Email::Hook::ValidateAddressesInterceptor,
   ::Gitlab::Email::Hook::DeliveryMetricsObserver
 )
diff --git a/config/initializers/mail_encoding_patch.rb b/config/initializers/mail_encoding_patch.rb
index f72d4814856..7447cd26dcd 100644
--- a/config/initializers/mail_encoding_patch.rb
+++ b/config/initializers/mail_encoding_patch.rb
@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-# Monkey patch mail 2.7.1 to fix quoted-printable issues with newlines
+# Monkey patch mail 2.8.1 to fix quoted-printable issues with newlines
 # The issues upstream invalidate SMIME signatures under some conditions
 # This was working properly in 2.6.6
 #
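Review bot: Dropping `::Gitlab::Email::Hook::ValidateAddressesInterceptor` from `register_interceptors` removes the only check on this page that stops delivery when an envelope-from or envelope-to address contains a backslash or a non-printable character, and nothing in the commit records why that is now safe. The deleted class's own comment ties the check to how mail 2.7.1's sendmail delivery method passed those addresses as command arguments, and the same commit bumps mail to 2.8.1, so presumably the newer gem no longer builds that command through a shell; that reasoning belongs next to the remaining interceptor list, e.g. `# Envelope address validation (ValidateAddressesInterceptor) was dropped with the mail 2.8.1 upgrade; re-check lib/mail/network/delivery_methods/sendmail.rb before downgrading.` Installations using the `sendmail` delivery method lose a layer of defense in depth here, so it is worth a sentence in the commit description as well.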
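Review bot: The header comment now reads `# Monkey patch mail 2.8.1 to fix quoted-printable issues with newlines`, but the second hunk of this file deletes the `Mail::Encodings::QuotedPrintable` override and leaves only the `Mail::Body#encoded` patch, so the first sentence no longer describes what the initializer still does. Narrow it to what remains, e.g. `# Monkey patch mail 2.8.1 (Mail::Body#encoded only) to fix quoted-printable issues with newlines`; the rest of the comment block continues outside the hunk. Stating which upstream issue is still open would also let a future reviewer decide when the remaining patch can go.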
@@ -8,22 +8,6 @@
 # See https://github.com/mikel/mail/issues/1190
 
 module Mail
-  module Encodings
-    # PATCH
-    # This reverts https://github.com/mikel/mail/pull/1113, which solves some
-    # encoding issues with binary attachments encoded in quoted-printable, but
-    # unfortunately breaks re-encoding of messages
-    class QuotedPrintable < SevenBit
-      def self.decode(str)
-        ::Mail::Utilities.to_lf str.gsub(/(?:=0D=0A|=0D|=0A)\r\n/, "\r\n").unpack1("M*")
-      end
-
-      def self.encode(str)
-        ::Mail::Utilities.to_crlf([::Mail::Utilities.to_lf(str)].pack("M"))
-      end
-    end
-  end
-
   class Body
     def encoded(transfer_encoding = nil, charset = nil)
       # PATCH
diff --git a/lib/gitlab/email/hook/validate_addresses_interceptor.rb b/lib/gitlab/email/hook/validate_addresses_interceptor.rb
deleted file mode 100644
index e63f047e63d..00000000000
--- a/lib/gitlab/email/hook/validate_addresses_interceptor.rb
+++ /dev/null
@@ -1,32 +0,0 @@
-# frozen_string_literal: true
-
-module Gitlab
-  module Email
-    module Hook
-      # Check for unsafe characters in the envelope-from and -to addresses.
-      # These are passed directly as arguments to sendmail and are liable to shell injection attacks:
-      # https://github.com/mikel/mail/blob/2.7.1/lib/mail/network/delivery_methods/sendmail.rb#L53-L58
-      class ValidateAddressesInterceptor
-        UNSAFE_CHARACTERS = /(\\|[^[:print:]])/.freeze
-
-        def self.delivering_email(message)
-          addresses = Array(message.smtp_envelope_from) + Array(message.smtp_envelope_to)
-
-          addresses.each do |address|
-            next unless address.match?(UNSAFE_CHARACTERS)
-
-            Gitlab::AuthLogger.info(
-              message: 'Skipping email with unsafe characters in address',
-              address: address,
-              subject: message.subject
-            )
-
-            message.perform_deliveries = false
-
-            break
-          end
-        end
-      end
-    end
-  end
-end
diff --git a/scripts/allowed_warnings.txt b/scripts/allowed_warnings.txt
index 19bd5d51a20..5310b806bbc 100644
--- a/scripts/allowed_warnings.txt
+++ b/scripts/allowed_warnings.txt
@@ -13,3 +13,12 @@ Type application/netcdf is already registered as a variant of application/netcdf
 
 # This warning is emitted by scripts/static-analysis.
 \*\*\*\* .+ had the following warning\(s\):
+
+# Ruby 3 extracts net-protocol into a separate gem, while Ruby 2 has it built-in.
+# This can be removed when support for Ruby 2 is dropped.
+2\.7\.0\/gems\/net-protocol-0\.1\.3\/lib\/net\/protocol\.rb:208: warning: already initialized constant Net::BufferedIO::BUFSIZE
+ruby\/2\.7\.0\/net\/protocol\.rb:206: warning: previous definition of BUFSIZE was here
+2\.7\.0\/gems\/net-protocol-0\.1\.3\/lib\/net\/protocol\.rb:504: warning: already initialized constant Net::NetPrivate::Socket
+ruby\/2\.7\.0\/net\/protocol\.rb:503: warning: previous definition of Socket was here
+2\.7\.0\/gems\/net-protocol-0\.1\.3\/lib\/net\/protocol\.rb:68: warning: already initialized constant Net::ProtocRetryError
+ruby\/2\.7\.0\/net\/protocol\.rb:66: warning: previous definition of ProtocRetryError was here
diff --git a/spec/lib/gitlab/email/hook/validate_addresses_interceptor_spec.rb b/spec/lib/gitlab/email/hook/validate_addresses_interceptor_spec.rb
deleted file mode 100644
index a3f0158db40..00000000000
--- a/spec/lib/gitlab/email/hook/validate_addresses_interceptor_spec.rb
+++ /dev/null
@@ -1,52 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-RSpec.describe Gitlab::Email::Hook::ValidateAddressesInterceptor do
-  describe 'UNSAFE_CHARACTERS' do
-    subject { described_class::UNSAFE_CHARACTERS }
-
-    it { is_expected.to match('\\') }
-    it { is_expected.to match("\x00") }
-    it { is_expected.to match("\x01") }
-    it { is_expected.not_to match('') }
-    it { is_expected.not_to match('user@example.com') }
-    it { is_expected.not_to match('foo-123+bar_456@example.com') }
-  end
-
-  describe '.delivering_email' do
-    let(:mail) do
-      ActionMailer::Base.mail(to: 'test@mail.com', from: 'info@mail.com', subject: 'title', body: 'hello')
-    end
-
-    let(:unsafe_email) { "evil+\x01$HOME@example.com" }
-
-    it 'sends emails to normal addresses' do
-      expect(Gitlab::AuthLogger).not_to receive(:info)
-      expect { mail.deliver_now }.to change(ActionMailer::Base.deliveries, :count)
-    end
-
-    [:from, :to, :cc, :bcc].each do |header|
-      it "does not send emails if the #{header.inspect} header contains unsafe characters" do
-        mail[header] = unsafe_email
-
-        expect(Gitlab::AuthLogger).to receive(:info).with(
-          message: 'Skipping email with unsafe characters in address',
-          address: unsafe_email,
-          subject: mail.subject
-        )
-
-        expect { mail.deliver_now }.not_to change(ActionMailer::Base.deliveries, :count)
-      end
-    end
-
-    [:reply_to].each do |header|
-      it "sends emails if the #{header.inspect} header contains unsafe characters" do
-        mail[header] = unsafe_email
-
-        expect(Gitlab::AuthLogger).not_to receive(:info)
-        expect { mail.deliver_now }.to change(ActionMailer::Base.deliveries, :count)
-      end
-    end
-  end
-end
-- 
cgit v1.2.1