Merge remote-tracking branch 'dev/17-3-stable-ee' into 17-3-stable-ee

9a1dee98 · GitLab Release Tools Bot · 0f6f26aa · a141138e · 9a1dee98 · 9a1dee98
Commit 9a1dee98 authored 5 months ago by GitLab Release Tools Bot
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,40 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
  
+## 17.3.2 (2024-09-11)
+
+### Fixed (3 changes)
+
+- [Update Access data on sync even if data didn’t changed](https://gitlab.com/gitlab-org/security/gitlab/-/commit/4ef29892400e4cfd9d77ae2ed11d577cf94bf026)
+- [Fix Sidekiq crashing when GITLAB_LOG_LEVEL set to debug](https://gitlab.com/gitlab-org/security/gitlab/-/commit/e2eba0a9279b9f92d0adda8653474efb0ca1014a)
+- [Fix issue when resizing images in RTE](https://gitlab.com/gitlab-org/security/gitlab/-/commit/812f117e1fc8260121c1dfbeb5e503552aedca37)
+
+### Changed (1 change)
+
+- [Backport OpenSSL v3 callout to 17.3](https://gitlab.com/gitlab-org/security/gitlab/-/commit/ba9718022b12e627375e166a8731e9cb83fd632b)
+
+### Security (19 changes)
+
+- [Revert "Merge branch 'security-psk-fix-external-wiki-integration-dos-17-3' into '17-3-stable-ee'"](https://gitlab.com/gitlab-org/security/gitlab/-/commit/4adb684182baacf3d351090265c94899b5db1eb3) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4453))
+- [Fix the vulnerability in the glm_source parameter](https://gitlab.com/gitlab-org/security/gitlab/-/commit/878cda6f69865a8a61d0a3e431ed365bb01fd7a0) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4436))
+- [Improve GraphQL log security](https://gitlab.com/gitlab-org/security/gitlab/-/commit/8ab77ecaffab94c02d4d8054dd900ef853ddb492) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4400))
+- [Add permissions check to project creations from a project template](https://gitlab.com/gitlab-org/security/gitlab/-/commit/9aaaaf465c69b9cf80f7b3906338a822f31adadd) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4443))
+- [Fix credentials disclosure in mirroring failure](https://gitlab.com/gitlab-org/security/gitlab/-/commit/0c2d3c9417a1fccea08bdc817943685f058c7fa5) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4446))
+- [Redirect url in the link validated for being external](https://gitlab.com/gitlab-org/security/gitlab/-/commit/219cfd97cc2771266d2e92c9bd2e87bad2cdceb4) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4440))
+- [[17.3] Update edit permissions for DAST profiles](https://gitlab.com/gitlab-org/security/gitlab/-/commit/44638f2465398883881de00a84fea1f724bc3456) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4372))
+- [Commit information visible through release atom endpoint for guest users](https://gitlab.com/gitlab-org/security/gitlab/-/commit/7e4451c5eb6f7ae20ff9400660d9c8072d378522) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4437))
+- [Execute environment stop actions as the owner of the action](https://gitlab.com/gitlab-org/security/gitlab/-/commit/e160b472c887a33122f9ef2894551b167a321377) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4404))
+- [Prevent code injection in Product Analytics funnels YAML](https://gitlab.com/gitlab-org/security/gitlab/-/commit/04ee196cf8dde5621404345a35a85c600e294536) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4431))
+- [Prevent users with admin_group_member custom ab. to manage custom roles](https://gitlab.com/gitlab-org/security/gitlab/-/commit/8a5aae28a61f67ccaf5a2c2fe7c24c4cc123d427) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4425))
+- [Fixed frontend regex to parse URI](https://gitlab.com/gitlab-org/security/gitlab/-/commit/ae7d2fddff8fe064bde1bd9ab01bf10e219cbfa8) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4419))
+- [Use session instead of params for identity linking](https://gitlab.com/gitlab-org/security/gitlab/-/commit/7ae3008fd84476d8995fe9fa7ec0800219cd1370) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4369))
+- [Fix external wiki integration DoS by changing request to HEAD](https://gitlab.com/gitlab-org/security/gitlab/-/commit/20a6c608712831e7e9b072fbe0de61bb61105cdf) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4381))
+- [Restrict IPs for packages dependency proxy](https://gitlab.com/gitlab-org/security/gitlab/-/commit/b894f3ca69858cceb80362e9f6a8c3d10bafe42a) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4391))
+- [Strip out Set-Cookie header from dependencyproxy auth response](https://gitlab.com/gitlab-org/security/gitlab/-/commit/cafae257663e5e0e2c410fd642c18c2b549b3451) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4399))
+- [Fix open redirect due to additional slash added](https://gitlab.com/gitlab-org/security/gitlab/-/commit/4fe66b1075a6023fcb2b5ce219b7ce0037a183b1) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4374))
+- [Group Developers can view group runners](https://gitlab.com/gitlab-org/security/gitlab/-/commit/084025e6a0ee601f4509ab2f9541d5a9a2c91d44) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4378))
+- [Enforce Pipeline execution policy variables for template rules](https://gitlab.com/gitlab-org/security/gitlab/-/commit/5dd7d992fcdcb23dfc32a47977b51303042b1be8) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4393))
+
 ## 17.3.1 (2024-08-20)
  
 ### Fixed (3 changes)
--- a/GITALY_SERVER_VERSION
+++ b/GITALY_SERVER_VERSION
-17.3.1
\ No newline at end of file
+17.3.2
\ No newline at end of file
--- a/GITLAB_KAS_VERSION
+++ b/GITLAB_KAS_VERSION
-17.3.1
\ No newline at end of file
+17.3.2
\ No newline at end of file
--- a/GITLAB_PAGES_VERSION
+++ b/GITLAB_PAGES_VERSION
-17.3.1
\ No newline at end of file
+17.3.2
\ No newline at end of file
--- a/VERSION
+++ b/VERSION
-17.3.1-ee
\ No newline at end of file
+17.3.2-ee
\ No newline at end of file
--- a/app/controllers/concerns/preferred_language_switcher.rb
+++ b/app/controllers/concerns/preferred_language_switcher.rb
@@ -38,12 +38,12 @@ def browser_languages
  strong_memoize_attr :browser_languages
  
  def marketing_site_language
-    return [] unless params[:glm_source]
+    # Our marketing site will be the only thing we are sure of the language placement in the url for.
+    locale = params[:glm_source]&.match(%r{\A#{ApplicationHelper.promo_host}/([a-z]{2})-([a-z]{2})}i)&.captures
  
-    locale = params[:glm_source].scan(%r{(\w{2})-(\w{2})}).flatten
-
-    return [] if locale.empty?
+    return [] if locale.blank?
  
+    # This is local and then locale_region - the marketing site will always send locale-region pairs like fr-fr.
    [locale[0], "#{locale[0]}_#{locale[1]}"]
  end
 end

--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -190,12 +190,10 @@ def redirect_identity_linked
  def redirect_authorize_identity_link(identity_linker)
    state = SecureRandom.uuid
    session[:identity_link_state] = state
+    session[:identity_link_provider] = identity_linker.provider
+    session[:identity_link_extern_uid] = identity_linker.uid
  
-    redirect_to new_user_settings_identities_path(
-      provider: identity_linker.provider,
-      extern_uid: identity_linker.uid,
-      state: state
-    )
+    redirect_to new_user_settings_identities_path(state: state)
  end
  
  def build_auth_user(auth_user_class)

--- a/app/controllers/projects/environments_controller.rb
+++ b/app/controllers/projects/environments_controller.rb
@@ -119,7 +119,7 @@ def update
  def stop
    return render_404 unless @environment.available?
  
-    stop_actions = @environment.stop_with_actions!(current_user)
+    stop_actions = @environment.stop_with_actions!
    job = stop_actions.first if stop_actions&.count == 1
  
    action_or_env_url =

--- a/app/controllers/projects/releases_controller.rb
+++ b/app/controllers/projects/releases_controller.rb
@@ -33,7 +33,13 @@ def index
  end
  
  def downloads
-    redirect_to link.url
+    parsed_redirect_uri = URI.parse(link.url)
+
+    if internal_url?(parsed_redirect_uri)
+      redirect_to link.url
+    else
+      render "projects/releases/redirect", locals: { redirect_uri: parsed_redirect_uri }, layout: false
+    end
  end
  
  def latest_permalink
@@ -79,4 +85,8 @@ def fetch_latest_tag
  def validate_suffix_path
    Gitlab::PathTraversal.check_path_traversal!(params[:suffix_path]) if params[:suffix_path]
  end
+
+  def internal_url?(redirect_url)
+    redirect_url.host == Gitlab.config.gitlab.host && redirect_url.port == Gitlab.config.gitlab.port
+  end
 end
--- a/app/controllers/user_settings/identities_controller.rb
+++ b/app/controllers/user_settings/identities_controller.rb
@@ -5,16 +5,18 @@ class IdentitiesController < ApplicationController
    feature_category :system_access
  
    before_action :verify_state, only: [:new]
+    before_action :assign_variables_from_session
+    before_action :verify_session_variables
  
    def new
      # rubocop:disable CodeReuse/ActiveRecord -- Specific use-case
      @identity = current_user.identities
-                              .with_extern_uid(params[:provider], params[:extern_uid])
-                              .first_or_initialize(extern_uid: params[:extern_uid])
+                              .with_extern_uid(@provider, @extern_uid)
+                              .first_or_initialize(extern_uid: @extern_uid)
      # rubocop:enable CodeReuse/ActiveRecord
  
      if @identity.persisted?
-        session.delete(:identity_link_state)
+        delete_session_variables
        return redirect_to profile_account_path, notice: _('Identity already exists')
      end
  
@@ -22,15 +24,14 @@ def new
    end
  
    def create
-      identity = current_user.identities.new(identity_params)
+      identity = current_user.identities.new(provider: @provider, extern_uid: @extern_uid)
      notice = if identity.save
                 _('Authentication method updated')
               else
                 format(_('Error linking identity: %{errors}'), errors: identity.errors.full_messages.to_sentence)
               end
  
-      session.delete(:identity_link_state)
-
+      delete_session_variables
      redirect_to profile_account_path, notice: notice
    end
  
@@ -40,8 +41,23 @@ def verify_state
      render_403 unless session[:identity_link_state] == params[:state]
    end
  
-    def identity_params
-      params.require(:identity).permit(:provider, :extern_uid)
+    def assign_variables_from_session
+      @provider = session[:identity_link_provider]
+      @extern_uid = session[:identity_link_extern_uid]
+    end
+
+    def verify_session_variables
+      return if @provider && @extern_uid
+
+      delete_session_variables
+      redirect_to profile_account_path,
+        notice: _('Error linking identity: Provider and Extern UID must be in the session.')
+    end
+
+    def delete_session_variables
+      session.delete(:identity_link_state)
+      session.delete(:identity_link_provider)
+      session.delete(:identity_link_extern_uid)
    end
  end
 end
--- a/app/models/ci/processable.rb
+++ b/app/models/ci/processable.rb
@@ -266,5 +266,3 @@ def dependencies
    end
  end
 end
-
-Ci::Processable.prepend_mod
--- a/app/models/environment.rb
+++ b/app/models/environment.rb
@@ -353,7 +353,7 @@ def wait_for_stop?
    stop_actions.present?
  end
  
-  def stop_with_actions!(current_user)
+  def stop_with_actions!
    return unless available?
  
    stop!
@@ -365,7 +365,7 @@ def stop_with_actions!(current_user)
        stop_action,
        name: 'environment_stop_with_actions'
      ) do |job|
-        actions << job.play(current_user)
+        actions << job.play(job.user)
      rescue StateMachines::InvalidTransition
        # Ci::PlayBuildService rescues an error of StateMachines::InvalidTransition and fall back to retry. However,
        # Ci::PlayBridgeService doesn't rescue it, so we're ignoring the error if it's not playable.

--- a/app/policies/ci/runner_policy.rb
+++ b/app/policies/ci/runner_policy.rb
@@ -30,42 +30,42 @@ class RunnerPolicy < BasePolicy
    end
  
    with_options scope: :user, score: 5
-    condition(:any_developer_maintainer_owned_groups_inheriting_shared_runners) do
-      @user.developer_maintainer_owned_groups.with_shared_runners_enabled.any?
+    condition(:any_maintainer_owned_groups_inheriting_shared_runners) do
+      @user.owned_or_maintainers_groups.with_shared_runners_enabled.any?
    end
  
    with_options scope: :user, score: 5
-    condition(:any_developer_projects_inheriting_shared_runners) do
-      @user.authorized_projects(Gitlab::Access::DEVELOPER).with_shared_runners_enabled.any?
+    condition(:any_maintainer_projects_inheriting_shared_runners) do
+      @user.authorized_projects(Gitlab::Access::MAINTAINER).with_shared_runners_enabled.any?
    end
  
    with_options score: 10
    condition(:any_associated_projects_in_group_runner_inheriting_group_runners) do
-      # Check if any projects where user is a developer+ are inheriting group runners
+      # Check if any projects where user is a maintainer+ are inheriting group runners
      @subject.groups&.any? do |group|
        group.all_projects
             .with_group_runners_enabled
-             .visible_to_user_and_access_level(@user, Gitlab::Access::DEVELOPER)
+             .visible_to_user_and_access_level(@user, Gitlab::Access::MAINTAINER)
             .exists?
      end
    end
  
    with_options score: 6
-    condition(:developer_in_any_associated_projects) do
-      # Check if runner is associated to any projects where user is a developer+
-      @subject.projects.visible_to_user_and_access_level(@user, Gitlab::Access::DEVELOPER).exists?
+    condition(:maintainer_in_any_associated_projects) do
+      # Check if runner is associated to any projects where user is a maintainer+
+      @subject.projects.visible_to_user_and_access_level(@user, Gitlab::Access::MAINTAINER).exists?
    end
  
    with_options score: 8
-    condition(:developer_in_any_associated_groups) do
-      user_group_ids = @user.developer_maintainer_owned_groups.select(:id)
+    condition(:maintainer_in_any_associated_groups) do
+      user_group_ids = @user.owned_or_maintainers_groups.select(:id)
  
      # Check for direct group relationships
      next true if user_group_ids.id_in(@subject.group_ids).any?
  
      # Check for indirect group relationships
      GroupGroupLink
-        .with_developer_maintainer_owner_access
+        .with_owner_or_maintainer_access
        .groups_accessible_via(user_group_ids)
        .id_in(@subject.group_ids)
        .any?
@@ -82,19 +82,19 @@ class RunnerPolicy < BasePolicy
      enable :read_runner
    end
  
-    rule { is_instance_runner & any_developer_maintainer_owned_groups_inheriting_shared_runners }.policy do
+    rule { is_instance_runner & any_maintainer_owned_groups_inheriting_shared_runners }.policy do
      enable :read_runner
    end
  
-    rule { is_instance_runner & any_developer_projects_inheriting_shared_runners }.policy do
+    rule { is_instance_runner & any_maintainer_projects_inheriting_shared_runners }.policy do
      enable :read_runner
    end
  
-    rule { is_project_runner & developer_in_any_associated_projects }.policy do
+    rule { is_project_runner & maintainer_in_any_associated_projects }.policy do
      enable :read_runner
    end
  
-    rule { is_group_runner & developer_in_any_associated_groups }.policy do
+    rule { is_group_runner & maintainer_in_any_associated_groups }.policy do
      enable :read_runner
    end
  

--- a/app/services/environments/stop_service.rb
+++ b/app/services/environments/stop_service.rb
@@ -15,7 +15,7 @@ def execute(environment)
      if params[:force]
        environment.stop_complete!
      else
-        environment.stop_with_actions!(current_user)
+        environment.stop_with_actions!
      end
  
      unless environment.saved_change_to_attribute?(:state)

--- a/app/views/doorkeeper/authorizations/new.html.haml
+++ b/app/views/doorkeeper/authorizations/new.html.haml
@@ -29,7 +29,7 @@
          = html_escape(_('Make sure you trust %{client_name} before authorizing.')) % { client_name: "<strong>#{html_escape(@pre_auth.client.name)}</strong>".html_safe }
      %p
        = html_escape(_('%{owner} %{created_date} ago.')) % { owner: auth_app_owner_text(@pre_auth.client.application.owner), created_date: time_ago_in_words(@pre_auth.client.application.created_at.to_date) }
-        - domain = URI.parse(@pre_auth.redirect_uri).host.gsub('www.', '')
+        - domain = URI.parse(@pre_auth.redirect_uri).host.gsub(/^www\./, '')
        - if @pre_auth.redirect_uri.start_with?('http://', 'https://') && domain != 'localhost'
          = html_escape(_('You will be redirected to %{domain} after authorizing.')) % { domain: "<strong>#{domain}</strong>".html_safe }
  %div

--- a/app/views/projects/releases/_release.atom.builder
+++ b/app/views/projects/releases/_release.atom.builder
@@ -9,7 +9,7 @@ xml.entry do
  xml.id        release_url
  xml.link      href: release_url
  xml.title     truncate(release.name, length: 160)
-  xml.summary   strip_signature(release.commit.message)
+  xml.summary   strip_signature(release.commit.message) if can?(current_user, :read_code, @project)
  xml.content   markdown_field(release, :description), type: 'html'
  xml.updated   release.updated_at.xmlschema
  xml.published release.released_at.xmlschema

--- a/app/views/projects/releases/redirect.html.haml
+++ b/app/views/projects/releases/redirect.html.haml
+.tree-holder
+  %h2= _("You are being redirected away from GitLab")
+  %p= _("Redirect url is an external url, it may contain user-generated content and malicious code. Do not continue unless you trust the author and source.")
+
+%div
+  - redirect_link_start = '<a href="%{redirect_uri}" target="_blank" rel="noopener noreferrer">'.html_safe % { url: redirect_uri }
+  = html_escape(s_('%{redirect_link_start} Click here to redirect to %{redirect_uri_val} %{redirect_link_end}')) % { redirect_uri_val: redirect_uri, redirect_link_start: redirect_link_start, redirect_link_end: '</a>'.html_safe }
--- a/app/views/user_settings/identities/new.html.haml
+++ b/app/views/user_settings/identities/new.html.haml
@@ -12,8 +12,6 @@
    = safe_format(_('To allow %{strongOpen}%{provider}%{strongClose} to manage your GitLab account %{strongOpen}%{username}%{strongClose} (%{email}) after you sign in successfully using single sign-on, select %{strongOpen}Authorize%{strongClose}.'), tag_pair(tag.strong, :strongOpen, :strongClose), provider: provider, username: current_user.username, email: current_user.email)
  
 = gitlab_ui_form_for(@identity, url: user_settings_identities_path, method: :post) do |f|
-  = f.hidden_field :provider, value: @identity.provider
-  = f.hidden_field :extern_uid, value: @identity.extern_uid
  = render Pajamas::ButtonComponent.new(type: :submit, variant: :confirm, block: true) do
    = _("Authorize")
  = render Pajamas::ButtonComponent.new(href: profile_account_path, block: true) do

--- a/app/workers/environments/auto_stop_worker.rb
+++ b/app/workers/environments/auto_stop_worker.rb
@@ -9,12 +9,7 @@ class AutoStopWorker
    feature_category :continuous_delivery
  
    def perform(environment_id, params = {})
-      Environment.find_by_id(environment_id).try do |environment|
-        stop_actions = environment.stop_actions
-
-        user = stop_actions.last&.user
-        environment.stop_with_actions!(user)
-      end
+      Environment.find_by_id(environment_id).try(&:stop_with_actions!)
    end
  end
 end
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -116,7 +116,9 @@
    config.middleware.delete BetterErrors::Middleware
  end
  
-  config.middleware.insert_before(ActionDispatch::Cookies, Gitlab::Middleware::StripCookies, paths: [%r{^/assets/}])
+  config.middleware.insert_before(
+    ActionDispatch::Cookies, Gitlab::Middleware::StripCookies, paths: [%r{^/assets/}, %r{^/v2$}, %r{^/v2/}]
+  )
  
  config.log_level = Gitlab::Utils.to_rails_log_level(ENV["GITLAB_LOG_LEVEL"], :debug)
 end