Merge remote-tracking branch 'dev/17-1-stable-ee' into 17-1-stable-ee

3c66e9a0 · GitLab Release Tools Bot · 4e69a1c8 · 84cf95d6 · 3c66e9a0 · 3c66e9a0
Commit 3c66e9a0 authored 5 months ago by GitLab Release Tools Bot
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,38 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
  
+## 17.1.7 (2024-09-11)
+
+### Fixed (2 changes)
+
+- [Fix Sidekiq crashing when GITLAB_LOG_LEVEL set to debug](https://gitlab.com/gitlab-org/security/gitlab/-/commit/1647a587baa81d368cbc3d566598707cb590f430)
+- [Backport Fixes Geo Replication Details view](https://gitlab.com/gitlab-org/security/gitlab/-/commit/08ed4596fbd90d9a75f1223d864eaf4e137bfaba) **GitLab Enterprise Edition**
+
+### Changed (1 change)
+
+- [Add callout in the admin area about OpenSSL v3](https://gitlab.com/gitlab-org/security/gitlab/-/commit/03c10c261c9a8e9fee2e5d27a76d187c36ba5104)
+
+### Security (18 changes)
+
+- [Revert 'security-psk-fix-external-wiki-integration-dos-17-1' into '17-1"](https://gitlab.com/gitlab-org/security/gitlab/-/commit/ade7fc8bea4032ca5bb532672efcd5a4dec3d6e8) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4455))
+- [Fix the vulnerability in the glm_source parameter](https://gitlab.com/gitlab-org/security/gitlab/-/commit/b4e1ecff528c075bb8fe89c83700673f52cc1eb4) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4434))
+- [Improve GraphQL log security](https://gitlab.com/gitlab-org/security/gitlab/-/commit/8234ed61fa7f5bd4da874b9c390d86dd36de7ad1) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4350))
+- [Add permissions check to project creations from a project template](https://gitlab.com/gitlab-org/security/gitlab/-/commit/d0c8dcecec6c0b1fad95755c2ea5b781680ceb66) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4445))
+- [Fix credentials disclosure in mirroring failure](https://gitlab.com/gitlab-org/security/gitlab/-/commit/e616eef4f91e39d3d98ec1535d7f9bef3a9a0e10) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4448))
+- [Redirect url in the link validated for being external](https://gitlab.com/gitlab-org/security/gitlab/-/commit/e358f0c4fadb53715fbe2d5dc031e071193c971c) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4442))
+- [[17.1] Update edit permissions for DAST profiles](https://gitlab.com/gitlab-org/security/gitlab/-/commit/428ec2f74d1bea5bdcdcac1c8f636a6d800f1441) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4357))
+- [Commit information visible through release atom endpoint for guest users](https://gitlab.com/gitlab-org/security/gitlab/-/commit/6745cd87ea94fb0f0da8693c1ca1908f13593c89) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4439))
+- [Execute environment stop actions as the owner of the action](https://gitlab.com/gitlab-org/security/gitlab/-/commit/8ff8085ff4f2fd49cf8c6ae205ee0c31349e970c) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4406))
+- [Prevent code injection in Product Analytics funnels YAML](https://gitlab.com/gitlab-org/security/gitlab/-/commit/225aa66cd4086800aac24a31dfdcc067f7fc978a) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4429))
+- [Prevent users with admin_group_member custom ab. to manage custom roles](https://gitlab.com/gitlab-org/security/gitlab/-/commit/9c6ad85f4a22c95d86352da8e15e6bd85de33bf2) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4427))
+- [Fixed frontend regex to parse URI](https://gitlab.com/gitlab-org/security/gitlab/-/commit/0ee3b0c7e86cd1f2d11decd28e970e9588cb4c2c) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4421))
+- [Use session instead of params for identity linking](https://gitlab.com/gitlab-org/security/gitlab/-/commit/850650bb443ff41b49c8ec6e0aa732c0d12f4562) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4371))
+- [Fix external wiki integration DoS by changing request to HEAD](https://gitlab.com/gitlab-org/security/gitlab/-/commit/8ae880e3a6bef6e520ebf5f41e2b0965791dd199) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4383))
+- [Restrict IPs for packages dependency proxy](https://gitlab.com/gitlab-org/security/gitlab/-/commit/8ea51fb0d0c37d54fd5c3aa797327d1149084d01) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4389))
+- [Strip out Set-Cookie header from dependencyproxy auth response](https://gitlab.com/gitlab-org/security/gitlab/-/commit/1a1859fb40667b0414fe2456885765f57066a073) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4397))
+- [Fix open redirect due to additional slash added](https://gitlab.com/gitlab-org/security/gitlab/-/commit/ced539e3fd51cf1bdf136cdceb520af90229e1fa) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4353))
+- [Group Developers can view group runners](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3e22e9791084827757da7c990c40992a330f8adf) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4380))
+
 ## 17.1.6 (2024-08-21)
  
 ### Security (1 change)
--- a/GITALY_SERVER_VERSION
+++ b/GITALY_SERVER_VERSION
-17.1.6
\ No newline at end of file
+17.1.7
\ No newline at end of file
--- a/GITLAB_KAS_VERSION
+++ b/GITLAB_KAS_VERSION
-17.1.6
\ No newline at end of file
+17.1.7
\ No newline at end of file
--- a/GITLAB_PAGES_VERSION
+++ b/GITLAB_PAGES_VERSION
-17.1.6
\ No newline at end of file
+17.1.7
\ No newline at end of file
--- a/VERSION
+++ b/VERSION
-17.1.6-ee
\ No newline at end of file
+17.1.7-ee
\ No newline at end of file
--- a/app/controllers/concerns/preferred_language_switcher.rb
+++ b/app/controllers/concerns/preferred_language_switcher.rb
@@ -38,12 +38,12 @@ def browser_languages
  strong_memoize_attr :browser_languages
  
  def marketing_site_language
-    return [] unless params[:glm_source]
+    # Our marketing site will be the only thing we are sure of the language placement in the url for.
+    locale = params[:glm_source]&.match(%r{\A#{ApplicationHelper.promo_host}/([a-z]{2})-([a-z]{2})}i)&.captures
  
-    locale = params[:glm_source].scan(%r{(\w{2})-(\w{2})}).flatten
-
-    return [] if locale.empty?
+    return [] if locale.blank?
  
+    # This is local and then locale_region - the marketing site will always send locale-region pairs like fr-fr.
    [locale[0], "#{locale[0]}_#{locale[1]}"]
  end
 end

--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -188,12 +188,10 @@ def redirect_identity_linked
  def redirect_authorize_identity_link(identity_linker)
    state = SecureRandom.uuid
    session[:identity_link_state] = state
+    session[:identity_link_provider] = identity_linker.provider
+    session[:identity_link_extern_uid] = identity_linker.uid
  
-    redirect_to new_user_settings_identities_path(
-      provider: identity_linker.provider,
-      extern_uid: identity_linker.uid,
-      state: state
-    )
+    redirect_to new_user_settings_identities_path(state: state)
  end
  
  def build_auth_user(auth_user_class)

--- a/app/controllers/projects/environments_controller.rb
+++ b/app/controllers/projects/environments_controller.rb
@@ -119,7 +119,7 @@ def update
  def stop
    return render_404 unless @environment.available?
  
-    stop_actions = @environment.stop_with_actions!(current_user)
+    stop_actions = @environment.stop_with_actions!
    job = stop_actions.first if stop_actions&.count == 1
  
    action_or_env_url =

--- a/app/controllers/projects/releases_controller.rb
+++ b/app/controllers/projects/releases_controller.rb
@@ -33,7 +33,13 @@ def index
  end
  
  def downloads
-    redirect_to link.url
+    parsed_redirect_uri = URI.parse(link.url)
+
+    if internal_url?(parsed_redirect_uri)
+      redirect_to link.url
+    else
+      render "projects/releases/redirect", locals: { redirect_uri: parsed_redirect_uri }, layout: false
+    end
  end
  
  def latest_permalink
@@ -79,4 +85,8 @@ def fetch_latest_tag
  def validate_suffix_path
    Gitlab::PathTraversal.check_path_traversal!(params[:suffix_path]) if params[:suffix_path]
  end
+
+  def internal_url?(redirect_url)
+    redirect_url.host == Gitlab.config.gitlab.host && redirect_url.port == Gitlab.config.gitlab.port
+  end
 end
--- a/app/controllers/user_settings/identities_controller.rb
+++ b/app/controllers/user_settings/identities_controller.rb
@@ -5,16 +5,18 @@ class IdentitiesController < ApplicationController
    feature_category :system_access
  
    before_action :verify_state, only: [:new]
+    before_action :assign_variables_from_session
+    before_action :verify_session_variables
  
    def new
      # rubocop:disable CodeReuse/ActiveRecord -- Specific use-case
      @identity = current_user.identities
-                              .with_extern_uid(params[:provider], params[:extern_uid])
-                              .first_or_initialize(extern_uid: params[:extern_uid])
+                              .with_extern_uid(@provider, @extern_uid)
+                              .first_or_initialize(extern_uid: @extern_uid)
      # rubocop:enable CodeReuse/ActiveRecord
  
      if @identity.persisted?
-        session.delete(:identity_link_state)
+        delete_session_variables
        return redirect_to profile_account_path, notice: _('Identity already exists')
      end
  
@@ -22,15 +24,14 @@ def new
    end
  
    def create
-      identity = current_user.identities.new(identity_params)
+      identity = current_user.identities.new(provider: @provider, extern_uid: @extern_uid)
      notice = if identity.save
                 _('Authentication method updated')
               else
                 format(_('Error linking identity: %{errors}'), errors: identity.errors.full_messages.to_sentence)
               end
  
-      session.delete(:identity_link_state)
-
+      delete_session_variables
      redirect_to profile_account_path, notice: notice
    end
  
@@ -40,8 +41,23 @@ def verify_state
      render_403 unless session[:identity_link_state] == params[:state]
    end
  
-    def identity_params
-      params.require(:identity).permit(:provider, :extern_uid)
+    def assign_variables_from_session
+      @provider = session[:identity_link_provider]
+      @extern_uid = session[:identity_link_extern_uid]
+    end
+
+    def verify_session_variables
+      return if @provider && @extern_uid
+
+      delete_session_variables
+      redirect_to profile_account_path,
+        notice: _('Error linking identity: Provider and Extern UID must be in the session.')
+    end
+
+    def delete_session_variables
+      session.delete(:identity_link_state)
+      session.delete(:identity_link_provider)
+      session.delete(:identity_link_extern_uid)
    end
  end
 end
--- a/app/models/environment.rb
+++ b/app/models/environment.rb
@@ -353,7 +353,7 @@ def wait_for_stop?
    stop_actions.present?
  end
  
-  def stop_with_actions!(current_user)
+  def stop_with_actions!
    return unless available?
  
    stop!
@@ -365,7 +365,7 @@ def stop_with_actions!(current_user)
        stop_action,
        name: 'environment_stop_with_actions'
      ) do |job|
-        actions << job.play(current_user)
+        actions << job.play(job.user)
      rescue StateMachines::InvalidTransition
        # Ci::PlayBuildService rescues an error of StateMachines::InvalidTransition and fall back to retry. However,
        # Ci::PlayBridgeService doesn't rescue it, so we're ignoring the error if it's not playable.

--- a/app/policies/ci/runner_policy.rb
+++ b/app/policies/ci/runner_policy.rb
@@ -30,42 +30,42 @@ class RunnerPolicy < BasePolicy
    end
  
    with_options scope: :user, score: 5
-    condition(:any_developer_maintainer_owned_groups_inheriting_shared_runners) do
-      @user.developer_maintainer_owned_groups.with_shared_runners_enabled.any?
+    condition(:any_maintainer_owned_groups_inheriting_shared_runners) do
+      @user.owned_or_maintainers_groups.with_shared_runners_enabled.any?
    end
  
    with_options scope: :user, score: 5
-    condition(:any_developer_projects_inheriting_shared_runners) do
-      @user.authorized_projects(Gitlab::Access::DEVELOPER).with_shared_runners_enabled.any?
+    condition(:any_maintainer_projects_inheriting_shared_runners) do
+      @user.authorized_projects(Gitlab::Access::MAINTAINER).with_shared_runners_enabled.any?
    end
  
    with_options score: 10
    condition(:any_associated_projects_in_group_runner_inheriting_group_runners) do
-      # Check if any projects where user is a developer+ are inheriting group runners
+      # Check if any projects where user is a maintainer+ are inheriting group runners
      @subject.groups&.any? do |group|
        group.all_projects
             .with_group_runners_enabled
-             .visible_to_user_and_access_level(@user, Gitlab::Access::DEVELOPER)
+             .visible_to_user_and_access_level(@user, Gitlab::Access::MAINTAINER)
             .exists?
      end
    end
  
    with_options score: 6
-    condition(:developer_in_any_associated_projects) do
-      # Check if runner is associated to any projects where user is a developer+
-      @subject.projects.visible_to_user_and_access_level(@user, Gitlab::Access::DEVELOPER).exists?
+    condition(:maintainer_in_any_associated_projects) do
+      # Check if runner is associated to any projects where user is a maintainer+
+      @subject.projects.visible_to_user_and_access_level(@user, Gitlab::Access::MAINTAINER).exists?
    end
  
    with_options score: 8
-    condition(:developer_in_any_associated_groups) do
-      user_group_ids = @user.developer_maintainer_owned_groups.select(:id)
+    condition(:maintainer_in_any_associated_groups) do
+      user_group_ids = @user.owned_or_maintainers_groups.select(:id)
  
      # Check for direct group relationships
      next true if user_group_ids.id_in(@subject.group_ids).any?
  
      # Check for indirect group relationships
      GroupGroupLink
-        .with_developer_maintainer_owner_access
+        .with_owner_or_maintainer_access
        .groups_accessible_via(user_group_ids)
        .id_in(@subject.group_ids)
        .any?
@@ -82,19 +82,19 @@ class RunnerPolicy < BasePolicy
      enable :read_runner
    end
  
-    rule { is_instance_runner & any_developer_maintainer_owned_groups_inheriting_shared_runners }.policy do
+    rule { is_instance_runner & any_maintainer_owned_groups_inheriting_shared_runners }.policy do
      enable :read_runner
    end
  
-    rule { is_instance_runner & any_developer_projects_inheriting_shared_runners }.policy do
+    rule { is_instance_runner & any_maintainer_projects_inheriting_shared_runners }.policy do
      enable :read_runner
    end
  
-    rule { is_project_runner & developer_in_any_associated_projects }.policy do
+    rule { is_project_runner & maintainer_in_any_associated_projects }.policy do
      enable :read_runner
    end
  
-    rule { is_group_runner & developer_in_any_associated_groups }.policy do
+    rule { is_group_runner & maintainer_in_any_associated_groups }.policy do
      enable :read_runner
    end
  

--- a/app/services/environments/stop_service.rb
+++ b/app/services/environments/stop_service.rb
@@ -15,7 +15,7 @@ def execute(environment)
      if params[:force]
        environment.stop_complete!
      else
-        environment.stop_with_actions!(current_user)
+        environment.stop_with_actions!
      end
  
      unless environment.saved_change_to_attribute?(:state)

--- a/app/views/doorkeeper/authorizations/new.html.haml
+++ b/app/views/doorkeeper/authorizations/new.html.haml
@@ -24,7 +24,7 @@
        = html_escape(_('Make sure you trust %{client_name} before authorizing.')) % { client_name: "<strong>#{html_escape(@pre_auth.client.name)}</strong>".html_safe }
      %p
        = html_escape(_('%{owner} %{created_date} ago.')) % { owner: auth_app_owner_text(@pre_auth.client.application.owner), created_date: time_ago_in_words(@pre_auth.client.application.created_at.to_date) }
-        - domain = URI.parse(@pre_auth.redirect_uri).host.gsub('www.', '')
+        - domain = URI.parse(@pre_auth.redirect_uri).host.gsub(/^www\./, '')
        - if @pre_auth.redirect_uri.start_with?('http://', 'https://') && domain != 'localhost'
          = html_escape(_('You will be redirected to %{domain} after authorizing.')) % { domain: "<strong>#{domain}</strong>".html_safe }
  %div

--- a/app/views/projects/releases/_release.atom.builder
+++ b/app/views/projects/releases/_release.atom.builder
@@ -9,7 +9,7 @@ xml.entry do
  xml.id        release_url
  xml.link      href: release_url
  xml.title     truncate(release.name, length: 160)
-  xml.summary   strip_signature(release.commit.message)
+  xml.summary   strip_signature(release.commit.message) if can?(current_user, :read_code, @project)
  xml.content   markdown_field(release, :description), type: 'html'
  xml.updated   release.updated_at.xmlschema
  xml.published release.released_at.xmlschema

--- a/app/views/projects/releases/redirect.html.haml
+++ b/app/views/projects/releases/redirect.html.haml
+.tree-holder
+  %h2= _("You are being redirected away from GitLab")
+  %p= _("Redirect url is an external url, it may contain user-generated content and malicious code. Do not continue unless you trust the author and source.")
+
+%div
+  - redirect_link_start = '<a href="%{redirect_uri}" target="_blank" rel="noopener noreferrer">'.html_safe % { url: redirect_uri }
+  = html_escape(s_('%{redirect_link_start} Click here to redirect to %{redirect_uri_val} %{redirect_link_end}')) % { redirect_uri_val: redirect_uri, redirect_link_start: redirect_link_start, redirect_link_end: '</a>'.html_safe }
--- a/app/views/user_settings/identities/new.html.haml
+++ b/app/views/user_settings/identities/new.html.haml
@@ -12,8 +12,6 @@
    = safe_format(_('To allow %{strongOpen}%{provider}%{strongClose} to manage your GitLab account %{strongOpen}%{username}%{strongClose} (%{email}) after you sign in successfully using single sign-on, select %{strongOpen}Authorize%{strongClose}.'), tag_pair(tag.strong, :strongOpen, :strongClose), provider: provider, username: current_user.username, email: current_user.email)
  
 = gitlab_ui_form_for(@identity, url: user_settings_identities_path, method: :post) do |f|
-  = f.hidden_field :provider, value: @identity.provider
-  = f.hidden_field :extern_uid, value: @identity.extern_uid
  = render Pajamas::ButtonComponent.new(type: :submit, variant: :confirm, block: true) do
    = _("Authorize")
  = render Pajamas::ButtonComponent.new(href: profile_account_path, block: true) do

--- a/app/workers/environments/auto_stop_worker.rb
+++ b/app/workers/environments/auto_stop_worker.rb
@@ -9,12 +9,7 @@ class AutoStopWorker
    feature_category :continuous_delivery
  
    def perform(environment_id, params = {})
-      Environment.find_by_id(environment_id).try do |environment|
-        stop_actions = environment.stop_actions
-
-        user = stop_actions.last&.user
-        environment.stop_with_actions!(user)
-      end
+      Environment.find_by_id(environment_id).try(&:stop_with_actions!)
    end
  end
 end
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -111,7 +111,9 @@
    config.middleware.delete BetterErrors::Middleware
  end
  
-  config.middleware.insert_before(ActionDispatch::Cookies, Gitlab::Middleware::StripCookies, paths: [%r{^/assets/}])
+  config.middleware.insert_before(
+    ActionDispatch::Cookies, Gitlab::Middleware::StripCookies, paths: [%r{^/assets/}, %r{^/v2$}, %r{^/v2/}]
+  )
  
  config.log_level = Gitlab::Utils.to_rails_log_level(ENV["GITLAB_LOG_LEVEL"], :debug)
 end
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
 # frozen_string_literal: true
  
+require 'gitlab/middleware/strip_cookies'
+
 Rails.application.configure do
  # Settings specified here will take precedence over those in config/application.rb
  
@@ -75,4 +77,8 @@
  config.action_mailer.raise_delivery_errors = true
  
  config.eager_load = true
+
+  config.middleware.insert_before(
+    ActionDispatch::Cookies, Gitlab::Middleware::StripCookies, paths: [%r{^/v2$}, %r{^/v2/}]
+  )
 end