From dfcf4cf5f1e87a29f0d9fcc5ff2bba47258893bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C5=82gorzata=20Ksionek?= Date: Thu, 18 Jul 2019 10:27:02 +0200 Subject: Add captcha if there are multiple failed login attempts Add method to store session ids by ip Add new specs for storing session ids Add cleaning up records after login Add retrieving anonymous sessions Add login recaptcha setting Add new setting to sessions controller Add conditions for showing captcha Add sessions controller specs Add admin settings specs for login protection Add new settings to api Add stub to devise spec Add new translation key Add cr remarks Rename class call Add cr remarks Change if-clause for consistency Add cr remarks Add code review remarks Refactor AnonymousSession class Add changelog entry Move AnonymousSession class to lib Move store unauthenticated sessions to sessions controller Move link to recaptcha info Regenerate text file Improve copy on the spam page Change action filter for storing anonymous sessions Fix rubocop offences Add code review remarks
--- config/initializers/warden.rb | 1 + 1 file changed, 1 insertion(+) (limited to 'config')
diff --git a/config/initializers/warden.rb b/config/initializers/warden.rb
index 1d2bb2bce0a..d8a4da8cdf9 100644
--- a/config/initializers/warden.rb
+++ b/config/initializers/warden.rb
@@ -19,6 +19,7 @@ Rails.application.configure do |config|
 Warden::Manager.after_authentication(scope: :user) do |user, auth, opts|
 ActiveSession.cleanup(user)
+ Gitlab::AnonymousSession.new(auth.request.remote_ip, session_id: auth.request.session.id).cleanup_session_per_ip_entries
 end
 Warden::Manager.after_set_user(scope: :user, only: :fetch) do |user, auth, opts|
-- cgit v1.2.1 From e0826b0cb522dc4a112f6617c6fb222f6e3f4ce2 Mon Sep 17 00:00:00 2001
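Review bot: The added after_authentication line keys the cleanup on `auth.request.remote_ip`, which Rails derives from `X-Forwarded-For` according to the application's trusted-proxy configuration, so the per-IP login bookkeeping is only as reliable as that configuration (a misconfigured proxy chain collapses every user into one bucket, a missing one lets a client pick the IP it is counted under); a comment making that dependency explicit would help, e.g. `# remote_ip honours X-Forwarded-For only from trusted proxies; the per-IP login counters depend on that being configured correctly`. The call also runs inside the Warden callback, so if `cleanup_session_per_ip_entries` raises (its backing store is not visible in this diff) an otherwise successful login fails; since this is housekeeping, consider rescuing and logging around it rather than letting the exception propagate. The `Rails.application.configure` block and the `after_set_user` hook continue outside the hunk.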
From: Thong Kuah Date: Fri, 19 Jul 2019 14:12:02 +1200 Subject: Override hostname when connecting via Kubeclient Kubeclient uses rest-client. We hack into to access the net/http object so that we can patch to connect to the resolved IP + set hostname_override. Add specs for discord. The discord integration also uses rest-client, so since we patched rest-client, spec that the DNS rebinding protection works
--- .../initializers/rest-client-hostname_override.rb | 49 ++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 config/initializers/rest-client-hostname_override.rb (limited to 'config')
diff --git a/config/initializers/rest-client-hostname_override.rb b/config/initializers/rest-client-hostname_override.rb new file mode 100644
index 00000000000..bc1b70bd73f
--- /dev/null
+++ b/config/initializers/rest-client-hostname_override.rb
@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+module RestClient
+ class Request
+ attr_accessor :hostname_override
+
+ module UrlBlocker
+ def transmit(uri, req, payload, &block)
+ begin
+ ip, hostname_override = Gitlab::UrlBlocker.validate!(uri, allow_local_network: allow_settings_local_requests?,
+ allow_localhost: allow_settings_local_requests?,
+ dns_rebind_protection: dns_rebind_protection?)
+
+ self.hostname_override = hostname_override
+ rescue Gitlab::UrlBlocker::BlockedUrlError => e
+ raise ArgumentError, "URL '#{uri}' is blocked: #{e.message}"
+ end
+
+ # Gitlab::UrlBlocker returns a Addressable::URI which we need to coerce
+ # to URI so that rest-client can use it to determine if it's a
+ # URI::HTTPS or not. It uses it to set `net.use_ssl` to true or not:
+ #
+ # https://github.com/rest-client/rest-client/blob/f450a0f086f1cd1049abbef2a2c66166a1a9ba71/lib/restclient/request.rb#L656
+ ip_as_uri = URI.parse(ip)
+ super(ip_as_uri, req, payload, &block)
+ end
+
+ def net_http_object(hostname, port)
+ super.tap do |http|
+ http.hostname_override = hostname_override if hostname_override
+ end
+ end
+
+ private
+
+ def dns_rebind_protection?
+ return false if Gitlab.http_proxy_env?
+
+ Gitlab::CurrentSettings.dns_rebinding_protection_enabled?
+ end
+
+ def allow_settings_local_requests?
+ Gitlab::CurrentSettings.allow_local_requests_from_hooks_and_services?
+ end
+ end
+
+ prepend UrlBlocker
+ end
+end
-- cgit v1.2.1 From d1de6fd4d867ee817a1979e05344e580d33c7759 Mon Sep 17 00:00:00 2001 From: Thong Kuah Date: Wed, 21 Aug 2019 11:59:58 +1200 Subject: Column was renamed in 12.2
--- config/initializers/rest-client-hostname_override.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config')
diff --git a/config/initializers/rest-client-hostname_override.rb b/config/initializers/rest-client-hostname_override.rb
index bc1b70bd73f..80b123ebe61 100644
--- a/config/initializers/rest-client-hostname_override.rb
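Review bot: The `raise ArgumentError, "URL '#{uri}' is blocked: #{e.message}"` line interpolates the whole URI, and if rest-client hands `transmit` the parsed URL with its userinfo still attached (it copies user/password into `@user`/`@password` but, as far as I recall, does not strip them from the URI object) a blocked request to `https://user:secret@host/` lands the credential in the exception message and in any log or error tracker that records it; build the message from a dup with user and password cleared, or report only scheme, host and port. The rebinding protection also depends on the `hostname_override` accessor set in `net_http_object` being honoured by a Net::HTTP patch that is not in this diff, for the Host header, SNI and certificate verification once the socket targets the resolved IP; please confirm that and say so in a comment above `net_http_object`, e.g. `# Connect to the validated IP, but keep the original hostname for Host/SNI/cert checks via the Net::HTTP hostname_override patch`. Redirects presumably re-enter `transmit` through a fresh Request and are re-validated; a one-line note stating that would save the next reader from checking rest-client.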
+++ b/config/initializers/rest-client-hostname_override.rb
@@ -40,7 +40,7 @@ module RestClient
 end
 def allow_settings_local_requests?
- Gitlab::CurrentSettings.allow_local_requests_from_hooks_and_services?
+ Gitlab::CurrentSettings.allow_local_requests_from_web_hooks_and_services?
 end
 end
-- cgit v1.2.1 From 41d52bbfe9725a93013ea6b072efcdc16e591b14 Mon Sep 17 00:00:00 2001 From: Jan Provaznik Date: Tue, 9 Jul 2019 20:51:42 +0200 Subject: Add direct upload support for personal snippets
--- config/routes/uploads.rb | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'config')
diff --git a/config/routes/uploads.rb b/config/routes/uploads.rb
index 920f8454ce2..096ef146e07 100644
--- a/config/routes/uploads.rb
+++ b/config/routes/uploads.rb
@@ -30,6 +30,10 @@ scope path: :uploads do
 to: 'uploads#create',
 constraints: { model: /personal_snippet|user/, id: /\d+/ },
 as: 'upload'
+
+ post ':model/authorize',
+ to: 'uploads#authorize',
+ constraints: { model: /personal_snippet|user/ }
 end
 # Redirect old note attachments path to new uploads path.
-- cgit v1.2.1 From ad05e488636ebe05b4985dbf3c7d912fd8d56f49 Mon Sep 17 00:00:00 2001 From: Brett Walker Date: Wed, 20 Feb 2019 17:51:55 -0600 Subject: Add support for using a Camo proxy server User images and videos will get proxied through the Camo server in order to keep malicious sites from collecting the IP address of users.
--- config/initializers/asset_proxy_settings.rb | 6 ++++++ config/initializers/fill_shards.rb | 4 +++- 2 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 config/initializers/asset_proxy_settings.rb (limited to 'config')
diff --git a/config/initializers/asset_proxy_settings.rb b/config/initializers/asset_proxy_settings.rb new file mode 100644
index 00000000000..92247aba1b8
--- /dev/null
+++ b/config/initializers/asset_proxy_settings.rb
@@ -0,0 +1,6 @@
+#
+# Asset proxy settings
+#
+ActiveSupport.on_load(:active_record) do
+ Banzai::Filter::AssetProxyFilter.initialize_settings
+end
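Review bot: The new `post ':model/authorize'` route has no `as:` name, unlike the `as: 'upload'` route directly above it, and it reaches `uploads#authorize` for any `personal_snippet`/`user` request without an `:id`, so every access decision has to live in the controller, which this diff does not show; please confirm that action verifies the request came from Workhorse and applies the same permission checks as `create` before it returns direct-upload credentials. Adding `as: 'upload_authorize'` would keep the route consistent with its sibling and give specs a helper to reference. The `scope path: :uploads` block starts outside the hunk.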
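Review bot: The header comment `# Asset proxy settings` does not say why `Banzai::Filter::AssetProxyFilter.initialize_settings` is deferred to `ActiveSupport.on_load(:active_record)` instead of running when the initializer file loads; presumably the filter reads persisted application settings, but nothing here shows that. A sentence such as `# Deferred until ActiveRecord has loaded because initialize_settings reads persisted application settings — confirm` would spare the next reader the guess and make the ordering dependency explicit.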
diff --git a/config/initializers/fill_shards.rb b/config/initializers/fill_shards.rb
index 18e067c8854..cad662e12f3 100644
--- a/config/initializers/fill_shards.rb
+++ b/config/initializers/fill_shards.rb
@@ -1,3 +1,5 @@
-if Shard.connected? && !Gitlab::Database.read_only?
+# The `table_exists?` check is needed because during our migration rollback testing,
+# `Shard.connected?` could be cached and return true even though the table doesn't exist
+if Shard.connected? && Shard.table_exists? && !Gitlab::Database.read_only?
 Shard.populate!
 end
-- cgit v1.2.1