Merge remote-tracking branch 'dev/master'

13ea4b38 · Felipe Artur · caeb4597 · 45c94aba · 13ea4b38 · 13ea4b38
Commit 13ea4b38 authored 6 years ago by Felipe Artur
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,24 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
  
+## 11.1.2 (2018-07-26)
+
+### Security (4 changes)
+
+- Adding CSRF protection to Hooks test action.
+- Don't expose project names in GitHub counters.
+- Don't expose project names in various counters.
+- Fixed XSS in branch name in Web IDE.
+
+### Fixed (1 change)
+
+- Escapes milestone and label's names on flash notice when promoting them.
+
+### Performance (1 change)
+
+- Fix slow Markdown rendering. !20820
+
+
 ## 11.1.1 (2018-07-23)
  
 ### Fixed (2 changes)
@@ -253,6 +271,20 @@ entry.
 - Use monospaced font for MR diff commit link ref on GFM.
  
  
+## 11.0.5 (2018-07-26)
+
+### Security (4 changes)
+
+- Don't expose project names in various counters.
+- Don't expose project names in GitHub counters.
+- Adding CSRF protection to Hooks test action.
+- Fixed XSS in branch name in Web IDE.
+
+### Fixed (1 change)
+
+- Escapes milestone and label's names on flash notice when promoting them.
+
+
 ## 11.0.4 (2018-07-17)
  
 ### Security (1 change)

--- a/app/assets/javascripts/ide/components/commit_sidebar/actions.vue
+++ b/app/assets/javascripts/ide/components/commit_sidebar/actions.vue
 <script>
+import _ from 'underscore';
 import { mapActions, mapState, mapGetters } from 'vuex';
 import { sprintf, __ } from '~/locale';
 import * as consts from '../../stores/modules/commit/constants';
@@ -14,7 +15,7 @@ export default {
    commitToCurrentBranchText() {
      return sprintf(
        __('Commit to %{branchName} branch'),
-        { branchName: `<strong class="monospace">${this.currentBranchId}</strong>` },
+        { branchName: `<strong class="monospace">${_.escape(this.currentBranchId)}</strong>` },
        false,
      );
    },

--- a/app/assets/javascripts/pipelines/components/graph/dropdown_job_component.vue
+++ b/app/assets/javascripts/pipelines/components/graph/dropdown_job_component.vue
 <script>
 import $ from 'jquery';
+import _ from 'underscore';
 import JobNameComponent from './job_name_component.vue';
 import JobComponent from './job_component.vue';
 import tooltip from '../../../vue_shared/directives/tooltip';
@@ -46,7 +47,7 @@ export default {
  
  computed: {
    tooltipText() {
-      return `${this.job.name} - ${this.job.status.label}`;
+      return _.escape(`${this.job.name} - ${this.job.status.label}`);
    },
  },
  

--- a/app/assets/javascripts/pipelines/components/graph/graph_component.vue
+++ b/app/assets/javascripts/pipelines/components/graph/graph_component.vue
 <script>
+import _ from 'underscore';
 import LoadingIcon from '~/vue_shared/components/loading_icon.vue';
 import StageColumnComponent from './stage_column_component.vue';
  
@@ -26,7 +27,8 @@ export default {
  
  methods: {
    capitalizeStageName(name) {
-      return name.charAt(0).toUpperCase() + name.slice(1);
+      const escapedName = _.escape(name);
+      return escapedName.charAt(0).toUpperCase() + escapedName.slice(1);
    },
  
    isFirstColumn(index) {

--- a/app/assets/javascripts/pipelines/components/graph/job_component.vue
+++ b/app/assets/javascripts/pipelines/components/graph/job_component.vue
 <script>
+import _ from 'underscore';
 import ActionComponent from './action_component.vue';
 import JobNameComponent from './job_name_component.vue';
 import tooltip from '../../../vue_shared/directives/tooltip';
@@ -61,7 +62,7 @@ export default {
      const textBuilder = [];
  
      if (this.job.name) {
-        textBuilder.push(this.job.name);
+        textBuilder.push(_.escape(this.job.name));
      }
  
      if (this.job.name && this.status.tooltip) {
@@ -69,7 +70,7 @@ export default {
      }
  
      if (this.status.tooltip) {
-        textBuilder.push(`${this.job.status.tooltip}`);
+        textBuilder.push(this.job.status.tooltip);
      }
  
      return textBuilder.join(' ');

--- a/app/assets/javascripts/pipelines/components/graph/stage_column_component.vue
+++ b/app/assets/javascripts/pipelines/components/graph/stage_column_component.vue
 <script>
+import _ from 'underscore';
 import JobComponent from './job_component.vue';
 import DropdownJobComponent from './dropdown_job_component.vue';
  
@@ -37,7 +38,7 @@ export default {
    },
  
    jobId(job) {
-      return `ci-badge-${job.name}`;
+      return `ci-badge-${_.escape(job.name)}`;
    },
  
    buildConnnectorClass(index) {

--- a/app/controllers/projects/labels_controller.rb
+++ b/app/controllers/projects/labels_controller.rb
@@ -112,7 +112,7 @@ class Projects::LabelsController < Projects::ApplicationController
    begin
      return render_404 unless promote_service.execute(@label)
  
-      flash[:notice] = "#{@label.title} promoted to <a href=\"#{group_labels_path(@project.group)}\">group label</a>.".html_safe
+      flash[:notice] = flash_notice_for(@label, @project.group)
      respond_to do |format|
        format.html do
          redirect_to(project_labels_path(@project), status: :see_other)
@@ -135,6 +135,15 @@ class Projects::LabelsController < Projects::ApplicationController
    end
  end
  
+  def flash_notice_for(label, group)
+    notice = ''.html_safe
+    notice << label.title
+    notice << ' promoted to '
+    notice << view_context.link_to('<u>group label</u>'.html_safe, group_labels_path(group))
+    notice << '.'
+    notice
+  end
+
  protected
  
  def label_params

--- a/app/controllers/projects/milestones_controller.rb
+++ b/app/controllers/projects/milestones_controller.rb
@@ -76,8 +76,8 @@ class Projects::MilestonesController < Projects::ApplicationController
  
  def promote
    promoted_milestone = Milestones::PromoteService.new(project, current_user).execute(milestone)
+    flash[:notice] = flash_notice_for(promoted_milestone, project.group)
  
-    flash[:notice] = "#{milestone.title} promoted to <a href=\"#{group_milestone_path(project.group, promoted_milestone.iid)}\"><u>group milestone</u></a>.".html_safe
    respond_to do |format|
      format.html do
        redirect_to project_milestones_path(project)
@@ -90,6 +90,15 @@ class Projects::MilestonesController < Projects::ApplicationController
    redirect_to milestone, alert: error.message
  end
  
+  def flash_notice_for(milestone, group)
+    notice = ''.html_safe
+    notice << milestone.title
+    notice << ' promoted to '
+    notice << view_context.link_to('<u>group milestone</u>'.html_safe, group_milestone_path(group, milestone.iid))
+    notice << '.'
+    notice
+  end
+
  def destroy
    return access_denied! unless can?(current_user, :admin_milestone, @project)
  

--- a/app/helpers/hooks_helper.rb
+++ b/app/helpers/hooks_helper.rb
@@ -10,7 +10,7 @@ module HooksHelper
  
    trigger_human_name = trigger.to_s.tr('_', ' ').camelize
  
-    link_to path, rel: 'nofollow' do
+    link_to path, rel: 'nofollow', method: :post do
      content_tag(:span, trigger_human_name)
    end
  end

--- a/app/models/remote_mirror.rb
+++ b/app/models/remote_mirror.rb
@@ -48,13 +48,13 @@ class RemoteMirror < ActiveRecord::Base
    state :failed
  
    after_transition any => :started do |remote_mirror, _|
-      Gitlab::Metrics.add_event(:remote_mirrors_running, path: remote_mirror.project.full_path)
+      Gitlab::Metrics.add_event(:remote_mirrors_running)
  
      remote_mirror.update(last_update_started_at: Time.now)
    end
  
    after_transition started: :finished do |remote_mirror, _|
-      Gitlab::Metrics.add_event(:remote_mirrors_finished, path: remote_mirror.project.full_path)
+      Gitlab::Metrics.add_event(:remote_mirrors_finished)
  
      timestamp = Time.now
      remote_mirror.update!(
@@ -63,7 +63,7 @@ class RemoteMirror < ActiveRecord::Base
    end
  
    after_transition started: :failed do |remote_mirror, _|
-      Gitlab::Metrics.add_event(:remote_mirrors_failed, path: remote_mirror.project.full_path)
+      Gitlab::Metrics.add_event(:remote_mirrors_failed)
  
      remote_mirror.update(last_update_at: Time.now)
    end

--- a/app/models/repository.rb
+++ b/app/models/repository.rb
@@ -1029,7 +1029,7 @@ class Repository
  end
  
  def repository_event(event, tags = {})
-    Gitlab::Metrics.add_event(event, { path: full_path }.merge(tags))
+    Gitlab::Metrics.add_event(event, tags)
  end
  
  def initialize_raw_repository

--- a/app/views/projects/jobs/_sidebar.html.haml
+++ b/app/views/projects/jobs/_sidebar.html.haml
@@ -86,7 +86,7 @@
      - HasStatus::ORDERED_STATUSES.each do |build_status|
        - builds.select{|build| build.status == build_status}.each do |build|
          .build-job{ class: sidebar_build_class(build, @build), data: { stage: build.stage } }
-            - tooltip = build.tooltip_message
+            - tooltip = sanitize(build.tooltip_message)
            = link_to(project_job_path(@project, build), data: { toggle: 'tooltip', html: 'true', title: tooltip, container: 'body' }) do
              = sprite_icon('arrow-right', size:16, css_class: 'icon-arrow-right')
              %span{ class: "ci-status-icon-#{build.status}" }

--- a/app/workers/concerns/gitlab/github_import/object_importer.rb
+++ b/app/workers/concerns/gitlab/github_import/object_importer.rb
@@ -22,7 +22,7 @@ module Gitlab
  
        importer_class.new(object, project, client).execute
  
-        counter.increment(project: project.full_path)
+        counter.increment
      end
  
      def counter

--- a/app/workers/repository_fork_worker.rb
+++ b/app/workers/repository_fork_worker.rb
@@ -23,9 +23,7 @@ class RepositoryForkWorker
  def fork_repository(target_project, source_repository_storage_name, source_disk_path)
    return unless start_fork(target_project)
  
-    Gitlab::Metrics.add_event(:fork_repository,
-                              source_path: source_disk_path,
-                              target_path: target_project.disk_path)
+    Gitlab::Metrics.add_event(:fork_repository)
  
    result = gitlab_shell.fork_repository(source_repository_storage_name, source_disk_path,
                                          target_project.repository_storage, target_project.disk_path)

--- a/app/workers/repository_import_worker.rb
+++ b/app/workers/repository_import_worker.rb
@@ -11,9 +11,7 @@ class RepositoryImportWorker
  
    return unless start_import(project)
  
-    Gitlab::Metrics.add_event(:import_repository,
-                              import_url: project.import_url,
-                              path: project.full_path)
+    Gitlab::Metrics.add_event(:import_repository)
  
    service = Projects::ImportService.new(project, project.creator)
    result = service.execute

--- a/changelogs/unreleased/48617-promoting-milestone.yml
+++ b/changelogs/unreleased/48617-promoting-milestone.yml
+---
+title: Escapes milestone and label's names on flash notice when promoting them
+merge_request:
+author:
+type: fixed
--- a/changelogs/unreleased/security-fj-missing-csrf-system-hooks.yml
+++ b/changelogs/unreleased/security-fj-missing-csrf-system-hooks.yml
+---
+title: Adding CSRF protection to Hooks test action
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/security-ide-branch-name-xss.yml
+++ b/changelogs/unreleased/security-ide-branch-name-xss.yml
+---
+title: Fixed XSS in branch name in Web IDE
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/sh-revert-markdown-changes.yml
+++ b/changelogs/unreleased/sh-revert-markdown-changes.yml
---
-title: Fix slow Markdown rendering
-merge_request: 20820
-author:
-type: performance
--- a/config/routes/admin.rb
+++ b/config/routes/admin.rb
@@ -54,7 +54,7 @@ namespace :admin do
  
  resources :hooks, only: [:index, :create, :edit, :update, :destroy] do
    member do
-      get :test
+      post :test
    end
  
    resources :hook_logs, only: [:show] do