Merge remote-tracking branch 'dev/17-2-stable-ee' into 17-2-stable-ee

6fb0f3ab · GitLab Release Tools Bot · ad886c0b · e57a21de · 6fb0f3ab · 6fb0f3ab
Commit 6fb0f3ab authored 5 months ago by GitLab Release Tools Bot
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,40 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
  
+## 17.2.5 (2024-09-11)
+
+### Fixed (2 changes)
+
+- [Fix Sidekiq crashing when GITLAB_LOG_LEVEL set to debug](https://gitlab.com/gitlab-org/security/gitlab/-/commit/b61220ce14c6b2d199f6a6de6d0b79729c15676e)
+- [Backport Fixes Geo Replication Details view](https://gitlab.com/gitlab-org/security/gitlab/-/commit/88f24858dc28d1c1ebec07a45cc5e9ef587679cf) **GitLab Enterprise Edition**
+
+### Changed (2 changes)
+
+- [Backport OpenSSL v3 callout to 17.2](https://gitlab.com/gitlab-org/security/gitlab/-/commit/0e1195a51214ced5cdfc93ef6cc785a93820f294)
+- [Update google-cloud-core and google-cloud-env gems](https://gitlab.com/gitlab-org/security/gitlab/-/commit/85d8fc43006e6b726e2b1887ccf30e2746a105d2)
+
+### Security (19 changes)
+
+- [Revert "Merge branch 'security-psk-fix-external-wiki-integration-dos-17-2' into '17-2-stable-ee'"](https://gitlab.com/gitlab-org/security/gitlab/-/commit/f81601ebba6655d25d1bfe2ff1568cc5fe96059d) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4454))
+- [Fix the vulnerability in the glm_source parameter](https://gitlab.com/gitlab-org/security/gitlab/-/commit/676a3faddc5e93e38671f41c4e48ce48875364a3) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4435))
+- [Improve GraphQL log security](https://gitlab.com/gitlab-org/security/gitlab/-/commit/306589f342b7f9aa118c582c55278574291f22c7) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4349))
+- [Add permissions check to project creations from a project template](https://gitlab.com/gitlab-org/security/gitlab/-/commit/c5e57b452df8ea55f9a7f3870a79c41819f237d1) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4444))
+- [Fix credentials disclosure in mirroring failure](https://gitlab.com/gitlab-org/security/gitlab/-/commit/2973e7765866d37c1910352fba1c01644d56bf32) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4447))
+- [Redirect url in the link validated for being external](https://gitlab.com/gitlab-org/security/gitlab/-/commit/7cdde56d9085dfa2bff8da57f4f9df3b21a2894d) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4441))
+- [[17.2] Update edit permissions for DAST profiles](https://gitlab.com/gitlab-org/security/gitlab/-/commit/d71e9da0d204366439cdcf0fc577458a1069f089) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4356))
+- [Commit information visible through release atom endpoint for guest users](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3944f5b91d3d7ff7f30f616c8f5fadd77a6b6fe4) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4438))
+- [Execute environment stop actions as the owner of the action](https://gitlab.com/gitlab-org/security/gitlab/-/commit/5a037af920b2e621a8dd1b2761dd9cbbc6731ecc) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4405))
+- [Prevent code injection in Product Analytics funnels YAML](https://gitlab.com/gitlab-org/security/gitlab/-/commit/da77ff49ca023be82a3d1e0102c9d0caf8e7a498) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4430))
+- [Prevent users with admin_group_member custom ab. to manage custom roles](https://gitlab.com/gitlab-org/security/gitlab/-/commit/d81400b571b46633603c6d6bfd2657806c9de506) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4426))
+- [Fixed frontend regex to parse URI](https://gitlab.com/gitlab-org/security/gitlab/-/commit/99bb822df8102f4e71fa473f11c8767e65759575) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4420))
+- [Use session instead of params for identity linking](https://gitlab.com/gitlab-org/security/gitlab/-/commit/114074f667aad583c557ea09350edb5226659d62) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4370))
+- [Fix external wiki integration DoS by changing request to HEAD](https://gitlab.com/gitlab-org/security/gitlab/-/commit/4b787a02964a696421d72ae847590d40cf8d2438) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4382))
+- [Restrict IPs for packages dependency proxy](https://gitlab.com/gitlab-org/security/gitlab/-/commit/fc752ed2f6aa9e3c46f5d7b4ee65f0d193f7ffc6) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4390))
+- [Strip out Set-Cookie header from dependencyproxy auth response](https://gitlab.com/gitlab-org/security/gitlab/-/commit/25dbceaeb243aed695774b232e28cf106898dfbf) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4398))
+- [Fix open redirect due to additional slash added](https://gitlab.com/gitlab-org/security/gitlab/-/commit/681c6c65912e20e08bbe942cb0b923cfc0db2345) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4352))
+- [Group Developers can view group runners](https://gitlab.com/gitlab-org/security/gitlab/-/commit/9b96f9ad80262f2329f08328a2c6f6b10e5032dd) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4379))
+- [Enforce Pipeline execution policy variables for template rules](https://gitlab.com/gitlab-org/security/gitlab/-/commit/44d70919eb689f73c7c65a2db3476e205b375528) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4394))
+
 ## 17.2.4 (2024-08-21)
  
 ### Security (1 change)
--- a/GITALY_SERVER_VERSION
+++ b/GITALY_SERVER_VERSION
-17.2.4
\ No newline at end of file
+17.2.5
\ No newline at end of file
--- a/GITLAB_KAS_VERSION
+++ b/GITLAB_KAS_VERSION
-17.2.4
\ No newline at end of file
+17.2.5
\ No newline at end of file
--- a/GITLAB_PAGES_VERSION
+++ b/GITLAB_PAGES_VERSION
-17.2.4
\ No newline at end of file
+17.2.5
\ No newline at end of file
--- a/VERSION
+++ b/VERSION
-17.2.4-ee
\ No newline at end of file
+17.2.5-ee
\ No newline at end of file
--- a/app/controllers/concerns/preferred_language_switcher.rb
+++ b/app/controllers/concerns/preferred_language_switcher.rb
@@ -38,12 +38,12 @@ def browser_languages
  strong_memoize_attr :browser_languages
  
  def marketing_site_language
-    return [] unless params[:glm_source]
+    # Our marketing site will be the only thing we are sure of the language placement in the url for.
+    locale = params[:glm_source]&.match(%r{\A#{ApplicationHelper.promo_host}/([a-z]{2})-([a-z]{2})}i)&.captures
  
-    locale = params[:glm_source].scan(%r{(\w{2})-(\w{2})}).flatten
-
-    return [] if locale.empty?
+    return [] if locale.blank?
  
+    # This is local and then locale_region - the marketing site will always send locale-region pairs like fr-fr.
    [locale[0], "#{locale[0]}_#{locale[1]}"]
  end
 end

--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -188,12 +188,10 @@ def redirect_identity_linked
  def redirect_authorize_identity_link(identity_linker)
    state = SecureRandom.uuid
    session[:identity_link_state] = state
+    session[:identity_link_provider] = identity_linker.provider
+    session[:identity_link_extern_uid] = identity_linker.uid
  
-    redirect_to new_user_settings_identities_path(
-      provider: identity_linker.provider,
-      extern_uid: identity_linker.uid,
-      state: state
-    )
+    redirect_to new_user_settings_identities_path(state: state)
  end
  
  def build_auth_user(auth_user_class)

--- a/app/controllers/projects/environments_controller.rb
+++ b/app/controllers/projects/environments_controller.rb
@@ -119,7 +119,7 @@ def update
  def stop
    return render_404 unless @environment.available?
  
-    stop_actions = @environment.stop_with_actions!(current_user)
+    stop_actions = @environment.stop_with_actions!
    job = stop_actions.first if stop_actions&.count == 1
  
    action_or_env_url =

--- a/app/controllers/projects/releases_controller.rb
+++ b/app/controllers/projects/releases_controller.rb
@@ -33,7 +33,13 @@ def index
  end
  
  def downloads
-    redirect_to link.url
+    parsed_redirect_uri = URI.parse(link.url)
+
+    if internal_url?(parsed_redirect_uri)
+      redirect_to link.url
+    else
+      render "projects/releases/redirect", locals: { redirect_uri: parsed_redirect_uri }, layout: false
+    end
  end
  
  def latest_permalink
@@ -79,4 +85,8 @@ def fetch_latest_tag
  def validate_suffix_path
    Gitlab::PathTraversal.check_path_traversal!(params[:suffix_path]) if params[:suffix_path]
  end
+
+  def internal_url?(redirect_url)
+    redirect_url.host == Gitlab.config.gitlab.host && redirect_url.port == Gitlab.config.gitlab.port
+  end
 end
--- a/app/controllers/user_settings/identities_controller.rb
+++ b/app/controllers/user_settings/identities_controller.rb
@@ -5,16 +5,18 @@ class IdentitiesController < ApplicationController
    feature_category :system_access
  
    before_action :verify_state, only: [:new]
+    before_action :assign_variables_from_session
+    before_action :verify_session_variables
  
    def new
      # rubocop:disable CodeReuse/ActiveRecord -- Specific use-case
      @identity = current_user.identities
-                              .with_extern_uid(params[:provider], params[:extern_uid])
-                              .first_or_initialize(extern_uid: params[:extern_uid])
+                              .with_extern_uid(@provider, @extern_uid)
+                              .first_or_initialize(extern_uid: @extern_uid)
      # rubocop:enable CodeReuse/ActiveRecord
  
      if @identity.persisted?
-        session.delete(:identity_link_state)
+        delete_session_variables
        return redirect_to profile_account_path, notice: _('Identity already exists')
      end
  
@@ -22,15 +24,14 @@ def new
    end
  
    def create
-      identity = current_user.identities.new(identity_params)
+      identity = current_user.identities.new(provider: @provider, extern_uid: @extern_uid)
      notice = if identity.save
                 _('Authentication method updated')
               else
                 format(_('Error linking identity: %{errors}'), errors: identity.errors.full_messages.to_sentence)
               end
  
-      session.delete(:identity_link_state)
-
+      delete_session_variables
      redirect_to profile_account_path, notice: notice
    end
  
@@ -40,8 +41,23 @@ def verify_state
      render_403 unless session[:identity_link_state] == params[:state]
    end
  
-    def identity_params
-      params.require(:identity).permit(:provider, :extern_uid)
+    def assign_variables_from_session
+      @provider = session[:identity_link_provider]
+      @extern_uid = session[:identity_link_extern_uid]
+    end
+
+    def verify_session_variables
+      return if @provider && @extern_uid
+
+      delete_session_variables
+      redirect_to profile_account_path,
+        notice: _('Error linking identity: Provider and Extern UID must be in the session.')
+    end
+
+    def delete_session_variables
+      session.delete(:identity_link_state)
+      session.delete(:identity_link_provider)
+      session.delete(:identity_link_extern_uid)
    end
  end
 end
--- a/app/models/ci/processable.rb
+++ b/app/models/ci/processable.rb
@@ -265,5 +265,3 @@ def dependencies
    end
  end
 end
-
-Ci::Processable.prepend_mod
--- a/app/models/environment.rb
+++ b/app/models/environment.rb
@@ -353,7 +353,7 @@ def wait_for_stop?
    stop_actions.present?
  end
  
-  def stop_with_actions!(current_user)
+  def stop_with_actions!
    return unless available?
  
    stop!
@@ -365,7 +365,7 @@ def stop_with_actions!(current_user)
        stop_action,
        name: 'environment_stop_with_actions'
      ) do |job|
-        actions << job.play(current_user)
+        actions << job.play(job.user)
      rescue StateMachines::InvalidTransition
        # Ci::PlayBuildService rescues an error of StateMachines::InvalidTransition and fall back to retry. However,
        # Ci::PlayBridgeService doesn't rescue it, so we're ignoring the error if it's not playable.

--- a/app/policies/ci/runner_policy.rb
+++ b/app/policies/ci/runner_policy.rb
@@ -30,42 +30,42 @@ class RunnerPolicy < BasePolicy
    end
  
    with_options scope: :user, score: 5
-    condition(:any_developer_maintainer_owned_groups_inheriting_shared_runners) do
-      @user.developer_maintainer_owned_groups.with_shared_runners_enabled.any?
+    condition(:any_maintainer_owned_groups_inheriting_shared_runners) do
+      @user.owned_or_maintainers_groups.with_shared_runners_enabled.any?
    end
  
    with_options scope: :user, score: 5
-    condition(:any_developer_projects_inheriting_shared_runners) do
-      @user.authorized_projects(Gitlab::Access::DEVELOPER).with_shared_runners_enabled.any?
+    condition(:any_maintainer_projects_inheriting_shared_runners) do
+      @user.authorized_projects(Gitlab::Access::MAINTAINER).with_shared_runners_enabled.any?
    end
  
    with_options score: 10
    condition(:any_associated_projects_in_group_runner_inheriting_group_runners) do
-      # Check if any projects where user is a developer+ are inheriting group runners
+      # Check if any projects where user is a maintainer+ are inheriting group runners
      @subject.groups&.any? do |group|
        group.all_projects
             .with_group_runners_enabled
-             .visible_to_user_and_access_level(@user, Gitlab::Access::DEVELOPER)
+             .visible_to_user_and_access_level(@user, Gitlab::Access::MAINTAINER)
             .exists?
      end
    end
  
    with_options score: 6
-    condition(:developer_in_any_associated_projects) do
-      # Check if runner is associated to any projects where user is a developer+
-      @subject.projects.visible_to_user_and_access_level(@user, Gitlab::Access::DEVELOPER).exists?
+    condition(:maintainer_in_any_associated_projects) do
+      # Check if runner is associated to any projects where user is a maintainer+
+      @subject.projects.visible_to_user_and_access_level(@user, Gitlab::Access::MAINTAINER).exists?
    end
  
    with_options score: 8
-    condition(:developer_in_any_associated_groups) do
-      user_group_ids = @user.developer_maintainer_owned_groups.select(:id)
+    condition(:maintainer_in_any_associated_groups) do
+      user_group_ids = @user.owned_or_maintainers_groups.select(:id)
  
      # Check for direct group relationships
      next true if user_group_ids.id_in(@subject.group_ids).any?
  
      # Check for indirect group relationships
      GroupGroupLink
-        .with_developer_maintainer_owner_access
+        .with_owner_or_maintainer_access
        .groups_accessible_via(user_group_ids)
        .id_in(@subject.group_ids)
        .any?
@@ -82,19 +82,19 @@ class RunnerPolicy < BasePolicy
      enable :read_runner
    end
  
-    rule { is_instance_runner & any_developer_maintainer_owned_groups_inheriting_shared_runners }.policy do
+    rule { is_instance_runner & any_maintainer_owned_groups_inheriting_shared_runners }.policy do
      enable :read_runner
    end
  
-    rule { is_instance_runner & any_developer_projects_inheriting_shared_runners }.policy do
+    rule { is_instance_runner & any_maintainer_projects_inheriting_shared_runners }.policy do
      enable :read_runner
    end
  
-    rule { is_project_runner & developer_in_any_associated_projects }.policy do
+    rule { is_project_runner & maintainer_in_any_associated_projects }.policy do
      enable :read_runner
    end
  
-    rule { is_group_runner & developer_in_any_associated_groups }.policy do
+    rule { is_group_runner & maintainer_in_any_associated_groups }.policy do
      enable :read_runner
    end
  

--- a/app/services/environments/stop_service.rb
+++ b/app/services/environments/stop_service.rb
@@ -15,7 +15,7 @@ def execute(environment)
      if params[:force]
        environment.stop_complete!
      else
-        environment.stop_with_actions!(current_user)
+        environment.stop_with_actions!
      end
  
      unless environment.saved_change_to_attribute?(:state)

--- a/app/views/doorkeeper/authorizations/new.html.haml
+++ b/app/views/doorkeeper/authorizations/new.html.haml
@@ -29,7 +29,7 @@
          = html_escape(_('Make sure you trust %{client_name} before authorizing.')) % { client_name: "<strong>#{html_escape(@pre_auth.client.name)}</strong>".html_safe }
      %p
        = html_escape(_('%{owner} %{created_date} ago.')) % { owner: auth_app_owner_text(@pre_auth.client.application.owner), created_date: time_ago_in_words(@pre_auth.client.application.created_at.to_date) }
-        - domain = URI.parse(@pre_auth.redirect_uri).host.gsub('www.', '')
+        - domain = URI.parse(@pre_auth.redirect_uri).host.gsub(/^www\./, '')
        - if @pre_auth.redirect_uri.start_with?('http://', 'https://') && domain != 'localhost'
          = html_escape(_('You will be redirected to %{domain} after authorizing.')) % { domain: "<strong>#{domain}</strong>".html_safe }
  %div

--- a/app/views/projects/releases/_release.atom.builder
+++ b/app/views/projects/releases/_release.atom.builder
@@ -9,7 +9,7 @@ xml.entry do
  xml.id        release_url
  xml.link      href: release_url
  xml.title     truncate(release.name, length: 160)
-  xml.summary   strip_signature(release.commit.message)
+  xml.summary   strip_signature(release.commit.message) if can?(current_user, :read_code, @project)
  xml.content   markdown_field(release, :description), type: 'html'
  xml.updated   release.updated_at.xmlschema
  xml.published release.released_at.xmlschema

--- a/app/views/projects/releases/redirect.html.haml
+++ b/app/views/projects/releases/redirect.html.haml
+.tree-holder
+  %h2= _("You are being redirected away from GitLab")
+  %p= _("Redirect url is an external url, it may contain user-generated content and malicious code. Do not continue unless you trust the author and source.")
+
+%div
+  - redirect_link_start = '<a href="%{redirect_uri}" target="_blank" rel="noopener noreferrer">'.html_safe % { url: redirect_uri }
+  = html_escape(s_('%{redirect_link_start} Click here to redirect to %{redirect_uri_val} %{redirect_link_end}')) % { redirect_uri_val: redirect_uri, redirect_link_start: redirect_link_start, redirect_link_end: '</a>'.html_safe }
--- a/app/views/user_settings/identities/new.html.haml
+++ b/app/views/user_settings/identities/new.html.haml
@@ -12,8 +12,6 @@
    = safe_format(_('To allow %{strongOpen}%{provider}%{strongClose} to manage your GitLab account %{strongOpen}%{username}%{strongClose} (%{email}) after you sign in successfully using single sign-on, select %{strongOpen}Authorize%{strongClose}.'), tag_pair(tag.strong, :strongOpen, :strongClose), provider: provider, username: current_user.username, email: current_user.email)
  
 = gitlab_ui_form_for(@identity, url: user_settings_identities_path, method: :post) do |f|
-  = f.hidden_field :provider, value: @identity.provider
-  = f.hidden_field :extern_uid, value: @identity.extern_uid
  = render Pajamas::ButtonComponent.new(type: :submit, variant: :confirm, block: true) do
    = _("Authorize")
  = render Pajamas::ButtonComponent.new(href: profile_account_path, block: true) do

--- a/app/workers/environments/auto_stop_worker.rb
+++ b/app/workers/environments/auto_stop_worker.rb
@@ -9,12 +9,7 @@ class AutoStopWorker
    feature_category :continuous_delivery
  
    def perform(environment_id, params = {})
-      Environment.find_by_id(environment_id).try do |environment|
-        stop_actions = environment.stop_actions
-
-        user = stop_actions.last&.user
-        environment.stop_with_actions!(user)
-      end
+      Environment.find_by_id(environment_id).try(&:stop_with_actions!)
    end
  end
 end
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -111,7 +111,9 @@
    config.middleware.delete BetterErrors::Middleware
  end
  
-  config.middleware.insert_before(ActionDispatch::Cookies, Gitlab::Middleware::StripCookies, paths: [%r{^/assets/}])
+  config.middleware.insert_before(
+    ActionDispatch::Cookies, Gitlab::Middleware::StripCookies, paths: [%r{^/assets/}, %r{^/v2$}, %r{^/v2/}]
+  )
  
  config.log_level = Gitlab::Utils.to_rails_log_level(ENV["GITLAB_LOG_LEVEL"], :debug)
 end