Merge remote-tracking branch 'dev/16-0-stable-ee' into 16-0-stable-ee

35cbb0be · GitLab Release Tools Bot · 848f8d91 · b989ef13 · 35cbb0be · 35cbb0be
Commit 35cbb0be authored 1 year ago by GitLab Release Tools Bot
--- a/.rubocop_todo/rspec/missing_feature_category.yml
+++ b/.rubocop_todo/rspec/missing_feature_category.yml
@@ -5126,7 +5126,6 @@ RSpec/MissingFeatureCategory:
    - 'spec/policies/ci/bridge_policy_spec.rb'
    - 'spec/policies/ci/build_policy_spec.rb'
    - 'spec/policies/ci/pipeline_policy_spec.rb'
-    - 'spec/policies/ci/pipeline_schedule_policy_spec.rb'
    - 'spec/policies/ci/trigger_policy_spec.rb'
    - 'spec/policies/clusters/agent_policy_spec.rb'
    - 'spec/policies/clusters/agent_token_policy_spec.rb'

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,28 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
  
+## 16.0.8 (2023-08-01)
+
+### Fixed (1 change)
+
+- [Disable IAT verification by default](gitlab-org/security/gitlab@6d17a50539b8518da18bc68accc03b48d73173a0)
+
+### Security (13 changes)
+
+- [Prevent leaking emails of newly created users](gitlab-org/security/gitlab@b2872b398599cd7ee20c4119ae4c8e6ba2a6882d) ([merge request](gitlab-org/security/gitlab!3451))
+- [Added redirect to filtered params](gitlab-org/security/gitlab@49ffc2cc98af0e66305c8a653c74e0b92ee06ce8) ([merge request](gitlab-org/security/gitlab!3443))
+- [Relocate PlantUML config and disable SVG support](gitlab-org/security/gitlab@c6ded17a7d17ec8c3ed55cb94b8e6e524b6bbd5e) ([merge request](gitlab-org/security/gitlab!3440))
+- [Sanitize multiple hardlinks from import archives](gitlab-org/security/gitlab@9dabd8ebca50d8ea3781a0c4955a40cd07c453e7) ([merge request](gitlab-org/security/gitlab!3437))
+- [Validates project path availability](gitlab-org/security/gitlab@97e6ce4d15c8f4bcc7f60a560b789a023d391531) ([merge request](gitlab-org/security/gitlab!3428))
+- [Fix policy project assign](gitlab-org/security/gitlab@c1cca8ce8f24f6466563a50463e3254c5c423e97) ([merge request](gitlab-org/security/gitlab!3425))
+- [Fix pipeline schedule authorization for protected branch/tag](gitlab-org/security/gitlab@0c7017d993a33ef9fc693d4435505a4aea0141d1) ([merge request](gitlab-org/security/gitlab!3363))
+- [Mitigate autolink filter ReDOS](gitlab-org/security/gitlab@9072c630608a81645548b64b32d9f81bd258ba06) ([merge request](gitlab-org/security/gitlab!3432))
+- [Fix XSS vector in Web IDE](gitlab-org/security/gitlab@2832d1ae3b3e1bfc42bbeaeb29841a1e5fecac8a) ([merge request](gitlab-org/security/gitlab!3411))
+- [Mitigate project reference filter ReDOS](gitlab-org/security/gitlab@9c73619acaad3eb3605bf632f066bcee59b86566) ([merge request](gitlab-org/security/gitlab!3429))
+- [Add a stricter regex for the Harbor search param](gitlab-org/security/gitlab@c27e5e48a02d3411e84617b4fb7fd3f0fb49b618) ([merge request](gitlab-org/security/gitlab!3396))
+- [Update pipeline user to the last policy MR author](gitlab-org/security/gitlab@b1e9bcb33106ba7e279d5fd42c4f2c1727629f63) ([merge request](gitlab-org/security/gitlab!3393))
+- [Prohibit 40 character hex plus a hyphen if branch name is path](gitlab-org/security/gitlab@66c81ff6b50d0e53fc1f1b153439ad95614c9d09) ([merge request](gitlab-org/security/gitlab!3406))
+
 ## 16.0.7 (2023-07-04)
  
 ### Security (1 change)
--- a/GITALY_SERVER_VERSION
+++ b/GITALY_SERVER_VERSION
-16.0.7
\ No newline at end of file
+16.0.8
\ No newline at end of file
--- a/GITLAB_PAGES_VERSION
+++ b/GITLAB_PAGES_VERSION
-16.0.7
\ No newline at end of file
+16.0.8
\ No newline at end of file
--- a/VERSION
+++ b/VERSION
-16.0.7-ee
\ No newline at end of file
+16.0.8-ee
\ No newline at end of file
--- a/app/controllers/projects/pipeline_schedules_controller.rb
+++ b/app/controllers/projects/pipeline_schedules_controller.rb
@@ -21,7 +21,6 @@ def index
  end
  
  def new
-    @schedule = project.pipeline_schedules.new
  end
  
  def create
@@ -102,6 +101,15 @@ def schedule_params
        variables_attributes: [:id, :variable_type, :key, :secret_value, :_destroy])
  end
  
+  def new_schedule
+    # We need the `ref` here for `authorize_create_pipeline_schedule!`
+    @schedule ||= project.pipeline_schedules.new(ref: params.dig(:schedule, :ref))
+  end
+
+  def authorize_create_pipeline_schedule!
+    return access_denied! unless can?(current_user, :create_pipeline_schedule, new_schedule)
+  end
+
  def authorize_play_pipeline_schedule!
    return access_denied! unless can?(current_user, :play_pipeline_schedule, schedule)
  end

--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -584,6 +584,8 @@ def self.integration_association_name(name)
  validates :max_artifacts_size, numericality: { only_integer: true, greater_than: 0, allow_nil: true }
  validates :suggestion_commit_message, length: { maximum: MAX_SUGGESTIONS_TEMPLATE_LENGTH }
  
+  validate :path_availability, if: :path_changed?
+
  # Scopes
  scope :pending_delete, -> { where(pending_delete: true) }
  scope :without_deleted, -> { where(pending_delete: false) }
@@ -3180,6 +3182,15 @@ def frozen_outbound_job_token_scopes?
  end
  strong_memoize_attr :frozen_outbound_job_token_scopes?
  
+  def path_availability
+    base, _, host = path.partition('.')
+
+    return unless host == Gitlab.config.pages&.dig('host')
+    return unless ProjectSetting.where(pages_unique_domain: base).exists?
+
+    errors.add(:path, s_('Project|already in use'))
+  end
+
  private
  
  def pages_unique_domain_enabled?

--- a/app/models/project_setting.rb
+++ b/app/models/project_setting.rb
@@ -52,6 +52,8 @@ class ProjectSetting < ApplicationRecord
  
  validate :validates_mr_default_target_self
  
+  validate :pages_unique_domain_availability, if: :pages_unique_domain_changed?
+
  attribute :legacy_open_source_license_available, default: -> do
    Feature.enabled?(:legacy_open_source_license_available, type: :ops)
  end
@@ -102,6 +104,15 @@ def require_unique_domain?
    pages_unique_domain_enabled ||
      pages_unique_domain_in_database.present?
  end
+
+  def pages_unique_domain_availability
+    host = Gitlab.config.pages&.dig('host')
+
+    return if host.blank?
+    return unless Project.where(path: "#{pages_unique_domain}.#{host}").exists?
+
+    errors.add(:pages_unique_domain, s_('ProjectSetting|already in use'))
+  end
 end
  
 ProjectSetting.prepend_mod
--- a/app/policies/ci/pipeline_schedule_policy.rb
+++ b/app/policies/ci/pipeline_schedule_policy.rb
@@ -5,7 +5,18 @@ class PipelineSchedulePolicy < PipelinePolicy
    alias_method :pipeline_schedule, :subject
  
    condition(:protected_ref) do
-      ref_protected?(@user, @subject.project, @subject.project.repository.tag_exists?(@subject.ref), @subject.ref)
+      if full_ref?(@subject.ref)
+        is_tag = Gitlab::Git.tag_ref?(@subject.ref)
+        ref_name = Gitlab::Git.ref_name(@subject.ref)
+      else
+        # NOTE: this block should not be removed
+        # until the full ref validation is in place
+        # and all old refs are updated and validated
+        is_tag = @subject.project.repository.tag_exists?(@subject.ref)
+        ref_name = @subject.ref
+      end
+
+      ref_protected?(@user, @subject.project, is_tag, ref_name)
    end
  
    condition(:owner_of_schedule) do
@@ -31,6 +42,15 @@ class PipelineSchedulePolicy < PipelinePolicy
      enable :take_ownership_pipeline_schedule
    end
  
-    rule { protected_ref }.prevent :play_pipeline_schedule
+    rule { protected_ref }.policy do
+      prevent :play_pipeline_schedule
+      prevent :create_pipeline_schedule
+    end
+
+    private
+
+    def full_ref?(ref)
+      Gitlab::Git.tag_ref?(ref) || Gitlab::Git.branch_ref?(ref)
+    end
  end
 end
--- a/app/services/bulk_imports/archive_extraction_service.rb
+++ b/app/services/bulk_imports/archive_extraction_service.rb
@@ -49,11 +49,7 @@ def validate_tmpdir
    end
  
    def validate_symlink
-      raise(BulkImports::Error, 'Invalid file') if symlink?(filepath)
-    end
-
-    def symlink?(filepath)
-      File.lstat(filepath).symlink?
+      raise(BulkImports::Error, 'Invalid file') if Gitlab::Utils::FileInfo.linked?(filepath)
    end
  
    def extract_archive

--- a/app/services/bulk_imports/file_decompression_service.rb
+++ b/app/services/bulk_imports/file_decompression_service.rb
@@ -53,7 +53,7 @@ def validate_decompressed_file_size
    end
  
    def validate_symlink(filepath)
-      raise(ServiceError, 'Invalid file') if File.lstat(filepath).symlink?
+      raise(ServiceError, 'Invalid file') if Gitlab::Utils::FileInfo.linked?(filepath)
    end
  
    def decompress_file

--- a/config/application.rb
+++ b/config/application.rb
@@ -171,6 +171,7 @@ class Application < Rails::Application
    # - Any parameter containing `password`
    # - Any parameter containing `secret`
    # - Any parameter ending with `key`
+    # - Any parameter named `redirect`, filtered for security concerns of exposing sensitive information
    # - Two-factor tokens (:otp_attempt)
    # - Repo/Project Import URLs (:import_url)
    # - Build traces (:trace)
@@ -213,6 +214,7 @@ class Application < Rails::Application
      variables
      content
      sharedSecret
+      redirect
    )
  
    # Enable escaping HTML in JSON.

--- a/ee/app/graphql/mutations/security_policy/assign_security_policy_project.rb
+++ b/ee/app/graphql/mutations/security_policy/assign_security_policy_project.rb
@@ -30,6 +30,7 @@ def resolve(args)
  
        policy_project = find_policy_project(args[:security_policy_project_id])
        raise_resource_not_available_error! unless policy_project.present?
+        authorize!(policy_project)
  
        result = assign_project(project_or_group, policy_project)
        {

--- a/ee/app/models/ee/member.rb
+++ b/ee/app/models/ee/member.rb
@@ -171,7 +171,7 @@ def validate_email_verified
      return if group_saml_identity(root_ancestor: true).present?
      return if group.root_ancestor.scim_identities.for_user(user).exists?
  
-      errors.add(:user, email_not_verified)
+      errors.add(:user, _('is not verified.'))
    end
  
    def email_does_not_match_any_allowed_domains(email)
@@ -188,10 +188,6 @@ def matches_at_least_one_group_allowed_email_domain?(email)
      end
    end
  
-    def email_not_verified
-      _("email '%{email}' is not a verified email." % { email: user.email })
-    end
-
    def set_membership_activation
      self.state = ::Member::STATE_AWAITING unless has_capacity_left?
    end

--- a/ee/app/models/security/orchestration_policy_configuration.rb
+++ b/ee/app/models/security/orchestration_policy_configuration.rb
@@ -75,7 +75,7 @@ def policy_configuration_validation_errors(policy = policy_hash)
  
    def policy_last_updated_by
      strong_memoize(:policy_last_updated_by) do
-        policy_repo.last_commit_for_path(default_branch_or_main, POLICY_PATH)&.author
+        last_merge_request&.author
      end
    end
  
@@ -118,5 +118,9 @@ def policy_blob
        policy_repo.blob_data_at(default_branch_or_main, POLICY_PATH)
      end
    end
+
+    def last_merge_request
+      security_policy_management_project.merge_requests.merged.order_merged_at_desc.first
+    end
  end
 end
--- a/ee/spec/controllers/groups/group_members_controller_spec.rb
+++ b/ee/spec/controllers/groups/group_members_controller_spec.rb
@@ -173,7 +173,7 @@
            post :request_access, params: { group_id: group }
  
            expect(controller).to set_flash.to "Your request for access could not be processed: "\
-              "The member's email address email 'unverified@gitlab.com' is not a verified email."
+              "The member's email address is not verified."
            expect(response).to redirect_to(group_path(group))
            expect(group.requesters.exists?(user_id: requesting_user)).to be_falsey
            expect(group.users).not_to include requesting_user

--- a/ee/spec/graphql/mutations/security_policy/assign_security_policy_project_spec.rb
+++ b/ee/spec/graphql/mutations/security_policy/assign_security_policy_project_spec.rb
@@ -2,7 +2,7 @@
  
 require 'spec_helper'
  
-RSpec.describe Mutations::SecurityPolicy::AssignSecurityPolicyProject do
+RSpec.describe Mutations::SecurityPolicy::AssignSecurityPolicyProject, feature_category: :security_policy_management do
  let(:mutation) { described_class.new(object: nil, context: { current_user: current_user }, field: nil) }
  
  describe '#resolve' do
@@ -28,6 +28,10 @@
            container.add_owner(owner)
          end
  
+          before_all do
+            policy_project.add_owner(owner)
+          end
+
          it 'assigns the security policy project' do
            result = subject
  

--- a/ee/spec/models/security/orchestration_policy_configuration_spec.rb
+++ b/ee/spec/models/security/orchestration_policy_configuration_spec.rb
@@ -933,21 +933,22 @@
  end
  
  describe '#policy_last_updated_by' do
-    let(:commit) { create(:commit, author: security_policy_management_project.first_owner) }
+    let(:merged_merge_request) do
+      create(:merge_request, :merged, author: security_policy_management_project.first_owner)
+    end
  
    subject(:policy_last_updated_by) { security_orchestration_policy_configuration.policy_last_updated_by }
  
    before do
-      allow(security_policy_management_project).to receive(:repository).and_return(repository)
-      allow(repository).to receive(:last_commit_for_path).with(default_branch, Security::OrchestrationPolicyConfiguration::POLICY_PATH).and_return(commit)
+      allow(security_policy_management_project).to receive(:merge_requests).and_return(MergeRequest.where(id: merged_merge_request&.id))
    end
  
-    context 'when last commit to policy file exists' do
+    context 'when last merged merge request to policy file exists' do
      it { is_expected.to eq(security_policy_management_project.first_owner) }
    end
  
-    context 'when last commit to policy file does not exist' do
-      let(:commit) {}
+    context 'when last merge request to policy file does not exist' do
+      let(:merged_merge_request) {}
  
      it { is_expected.to be_nil }
    end

--- a/ee/spec/requests/api/graphql/mutations/security_policy/assign_security_policy_project_spec.rb
+++ b/ee/spec/requests/api/graphql/mutations/security_policy/assign_security_policy_project_spec.rb
@@ -40,6 +40,7 @@ def mutation_response
      context 'when user is an owner of the container' do
        before do
          container.add_owner(owner)
+          policy_project.add_owner(owner)
        end
  
        it 'assigns the security policy project', :aggregate_failures do

--- a/ee/spec/support/shared_examples/models/member_shared_examples.rb
+++ b/ee/spec/support/shared_examples/models/member_shared_examples.rb
@@ -72,7 +72,7 @@
      create(:allowed_email_domain, group: group, domain: 'acme.com')
    end
  
-    context 'when project parent has email domain feature switched on' do
+    context 'when group_allowed_email_domains is turned on' do
      before do
        stub_licensed_features(group_allowed_email_domains: true)
      end
@@ -113,11 +113,11 @@
        expect(build(member_type, source: source, user: nil, invite_email: 'invite@acme.com')).to be_valid
      end
  
-      it 'user emails matching allowed domain must be verified' do
-        project_member = build(member_type, source: source, user: unconfirmed_gitlab_user)
+      it 'user email must be verified' do
+        member = build(member_type, source: source, user: unconfirmed_gitlab_user)
  
-        expect(project_member).to be_invalid
-        expect(project_member.errors[:user]).to include("email 'unverified@gitlab.com' is not a verified email.")
+        expect(member).to be_invalid
+        expect(member.errors[:user]).to include('is not verified.')
      end
  
      context 'with project bot users' do
@@ -167,11 +167,11 @@
          expect(build(member_type, source: nested_source, user: nil, invite_email: 'invite@acme.com')).to be_valid
        end
  
-        it 'user emails matching allowed domain must be verified' do
+        it 'user email must be verified' do
          member = build(member_type, source: nested_source, user: unconfirmed_gitlab_user)
  
          expect(member).to be_invalid
-          expect(member.errors[:user]).to include("email 'unverified@gitlab.com' is not a verified email.")
+          expect(member.errors[:user]).to include('is not verified.')
        end
  
        context 'with group SCIM users' do
@@ -198,7 +198,7 @@
      end
    end
  
-    context 'when project parent group has email domain feature switched off' do
+    context 'when group_allowed_email_domains is turned off' do
      before do
        stub_licensed_features(group_allowed_email_domains: false)
      end