Add latest changes from gitlab-org/security/gitlab@12-7-stable-ee

Gemfile

@@ -65,7 +65,7 @@ gem 'u2f', '~> 0.2.1'
 # GitLab Pages
 gem 'validates_hostname', '~> 1.0.6'
-gem 'rubyzip', '~> 1.3.0', require: 'zip'
+gem 'rubyzip', '~> 2.0.0', require: 'zip'
 # GitLab Pages letsencrypt support
 gem 'acme-client', '~> 2.0.2'

Gemfile.lock

@@ -262,7 +262,7 @@ GEM
     et-orbi (1.2.1)
       tzinfo
     eventmachine (1.2.7)
-    excon (0.62.0)
+    excon (0.71.1)
     execjs (2.6.0)
     expression_parser (0.9.0)
     extended-markdown-filter (0.6.0)
@@ -944,7 +944,7 @@ GEM
       sexp_processor (~> 4.9)
     rubyntlm (0.6.2)
     rubypants (0.2.0)
-    rubyzip (1.3.0)
+    rubyzip (2.0.0)
     rugged (0.28.4.1)
     safe_yaml (1.0.4)
     sanitize (4.6.6)
@@ -1343,7 +1343,7 @@ DEPENDENCIES
   ruby-prof (~> 1.0.0)
   ruby-progressbar
   ruby_parser (~> 3.8)
-  rubyzip (~> 1.3.0)
+  rubyzip (~> 2.0.0)
   rugged (~> 0.28)
   sanitize (~> 4.6)
   sassc-rails (~> 2.1.0)

app/assets/javascripts/groups_select.js

 import $ from 'jquery';
 import axios from './lib/utils/axios_utils';
 import Api from './api';
+import { escape } from 'lodash';
 import { normalizeHeaders } from './lib/utils/common_utils';
 import { __ } from '~/locale';
@@ -75,10 +76,12 @@ const groupsSelect = () => {
         }
       },
       formatResult(object) {
-        return `<div class='group-result'> <div class='group-name'>${object.full_name}</div> <div class='group-path'>${object.full_path}</div> </div>`;
+        return `<div class='group-result'> <div class='group-name'>${escape(
+          object.full_name,
+        )}</div> <div class='group-path'>${object.full_path}</div> </div>`;
       },
       formatSelection(object) {
-        return object.full_name;
+        return escape(object.full_name);
       },
       dropdownCssClass: 'ajax-groups-dropdown select2-infinite',
       // we do not want to escape markup since we are displaying html in results

app/controllers/application_controller.rb

@@ -5,6 +5,7 @@ require 'fogbugz'
 class ApplicationController < ActionController::Base
   include Gitlab::GonHelper
+  include Gitlab::NoCacheHeaders
   include GitlabRoutingHelper
   include PageLayoutHelper
   include SafeParamsHelper
@@ -55,7 +56,6 @@ class ApplicationController < ActionController::Base
   # Adds `no-store` to the DEFAULT_CACHE_CONTROL, to prevent security
   # concerns due to caching private data.
   DEFAULT_GITLAB_CACHE_CONTROL = "#{ActionDispatch::Http::Cache::Response::DEFAULT_CACHE_CONTROL}, no-store"
-  DEFAULT_GITLAB_CONTROL_NO_CACHE = "#{DEFAULT_GITLAB_CACHE_CONTROL}, no-cache"
   rescue_from Encoding::CompatibilityError do |exception|
     log_exception(exception)
@@ -247,9 +247,9 @@ class ApplicationController < ActionController::Base
   end
   def no_cache_headers
-    headers['Cache-Control'] = DEFAULT_GITLAB_CONTROL_NO_CACHE
-    headers['Pragma'] = 'no-cache' # HTTP 1.0 compatibility
-    headers['Expires'] = 'Fri, 01 Jan 1990 00:00:00 GMT'
+    DEFAULT_GITLAB_NO_CACHE_HEADERS.each do |k, v|
+      headers[k] = v
+    end
   end
   def default_headers

app/graphql/types/grafana_integration_type.rb

@@ -10,14 +10,19 @@ module Types
       description: 'Internal ID of the Grafana integration'
     field :grafana_url, GraphQL::STRING_TYPE, null: false,
       description: 'Url for the Grafana host for the Grafana integration'
-    field :token, GraphQL::STRING_TYPE, null: false,
-      description: 'API token for the Grafana integration'
     field :enabled, GraphQL::BOOLEAN_TYPE, null: false,
       description: 'Indicates whether Grafana integration is enabled'
-
     field :created_at, Types::TimeType, null: false,
           description: 'Timestamp of the issue\'s creation'
     field :updated_at, Types::TimeType, null: false,
           description: 'Timestamp of the issue\'s last activity'
+
+    field :token, GraphQL::STRING_TYPE, null: false,
+          deprecation_reason: 'Plain text token has been masked for security reasons',
+          description: 'API token for the Grafana integration. Field is permanently masked.'
+
+    def token
+      object.masked_token
+    end
   end
 end

app/helpers/projects_helper.rb

@@ -368,8 +368,8 @@ module ProjectsHelper
     @project.grafana_integration&.grafana_url
   end
-  def grafana_integration_token
-    @project.grafana_integration&.token
+  def grafana_integration_masked_token
+    @project.grafana_integration&.masked_token
   end
   def grafana_integration_enabled?

app/models/grafana_integration.rb

@@ -8,11 +8,13 @@ class GrafanaIntegration < ApplicationRecord
     algorithm: 'aes-256-gcm',
     key:       Settings.attr_encrypted_db_key_base_32
+  before_validation :check_token_changes
+
   validates :grafana_url,
             length: { maximum: 1024 },
             addressable_url: { enforce_sanitization: true, ascii_only: true }
-  validates :token, :project, presence: true
+  validates :encrypted_token, :project, presence: true
   validates :enabled, inclusion: { in: [true, false] }
@@ -23,4 +25,28 @@ class GrafanaIntegration < ApplicationRecord
     @client ||= ::Grafana::Client.new(api_url: grafana_url.chomp('/'), token: token)
   end
+
+  def masked_token
+    mask(encrypted_token)
+  end
+
+  def masked_token_was
+    mask(encrypted_token_was)
+  end
+
+  private
+
+  def token
+    decrypt(:token, encrypted_token)
+  end
+
+  def check_token_changes
+    return unless [encrypted_token_was, masked_token_was].include?(token)
+
+    clear_attribute_changes [:token, :encrypted_token, :encrypted_token_iv]
+  end
+
+  def mask(token)
+    token&.squish&.gsub(/./, '*')
+  end
 end

app/models/note.rb

@@ -545,7 +545,8 @@ class Note < ApplicationRecord
       # if they are not equal, then there are private/confidential references as well
       user_visible_reference_count > 0 && user_visible_reference_count == total_reference_count
     else
-      referenced_mentionables(user).any?
+      refs = all_references(user)
+      refs.all.any? && refs.stateful_not_visible_counter == 0
     end
   end

app/models/project.rb

@@ -2341,6 +2341,10 @@ class Project < ApplicationRecord
     end
   end
+  def template_source?
+    false
+  end
+
   private
   def closest_namespace_setting(name)

app/services/projects/import_export/export_service.rb

@@ -4,6 +4,12 @@ module Projects
   module ImportExport
     class ExportService < BaseService
       def execute(after_export_strategy = nil, options = {})
+        unless project.template_source? || can?(current_user, :admin_project, project)
+          raise ::Gitlab::ImportExport::Error.new(
+            "User with ID: %s does not have permission to Project %s with ID: %s." %
+              [current_user.id, project.name, project.id])
+        end
+
         @shared = project.import_export_shared
         save_all!

app/views/projects/settings/operations/_grafana_integration.html.haml

 .js-grafana-integration{ data: { operations_settings_endpoint: project_settings_operations_path(@project),
-  grafana_integration: { url: grafana_integration_url, token: grafana_integration_token, enabled: grafana_integration_enabled?.to_s } } }
+  grafana_integration: { url: grafana_integration_url, token: grafana_integration_masked_token, enabled: grafana_integration_enabled?.to_s } } }

changelogs/unreleased/security-13-update-ruby-zip-pages-master.yml

+---
+title: Bump rubyzip to 2.0.0
+merge_request:
+author: Utkarsh Gupta
+type: security

changelogs/unreleased/security-dependency-proxy-path-traversal.yml

+---
+title: Add constraint to group dependency proxy endpoint param
+merge_request:
+author:
+type: security

changelogs/unreleased/security-dos-via-asciidoc-includes.yml

+---
+title: Limit number of AsciiDoc includes per document
+merge_request:
+author:
+type: security

changelogs/unreleased/security-fix-grafana-token-leaked-in-plain-to-other-maintainers.yml

+---
+title: Prevent gafana integration token from being displayed as a plain text to other project maintainers, by only displaying a masked version of it. GraphQL api deprecate token field in GrafanaIntegration type.
+merge_request:
+author:
+type: security

changelogs/unreleased/security-fix-xss-on-project-templates.yml

+---
+title: Fix XSS vulnerability on custom project templates form
+merge_request:
+author:
+type: security

changelogs/unreleased/security-project_export_service_permission_check.yml

+---
+title: ImportExport::ExportService to require admin_project permission
+merge_request:
+author:
+type: security

changelogs/unreleased/security-reference-check.yml

+---
+title: Make sure that only system notes where all references are visible to user are exposed in GraphQL API.
+merge_request:
+author:
+type: security

changelogs/unreleased/security-remove-caching-from-api-project-raw-endpoint.yml

+---
+title: Disable caching of repository/files/:file_path/raw API endpoint
+merge_request:
+author:
+type: security

changelogs/unreleased/security-update-excon-cve-2019-16779.yml

+---
+title: Update excon to 0.71.1 to fix CVE-2019-16779
+merge_request:
+author:
+type: security