Merge branch 'latest-security-to-master-21-03-18' into 'master'

Introduce latest security changes to `master` See merge request gitlab-org/gitlab-ce!17905

Merge branch 'latest-security-to-master-21-03-18' into 'master'
3f07ba16 · Douwe Maan · c0169753 · 2eab1fd2 · 3f07ba16 · 3f07ba16
Commit 3f07ba16 authored 6 years ago by Douwe Maan
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -118,6 +118,9 @@ Gitlab/ModuleWithInstanceVariables:
    - spec/support/**/*.rb
    - features/steps/**/*.rb
  
+Gitlab/HTTParty:
+  Enabled: true
+
 GitlabSecurity/PublicSend:
  Enabled: true
  Exclude:

--- a/Gemfile
+++ b/Gemfile
@@ -38,7 +38,7 @@ gem 'devise', '~> 4.2'
 gem 'doorkeeper', '~> 4.3'
 gem 'doorkeeper-openid_connect', '~> 1.3'
 gem 'omniauth', '~> 1.8'
-gem 'omniauth-auth0', '~> 1.4.1'
+gem 'omniauth-auth0', '~> 2.0.0'
 gem 'omniauth-azure-oauth2', '~> 0.0.9'
 gem 'omniauth-cas3', '~> 1.1.4'
 gem 'omniauth-facebook', '~> 4.0.0'

--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -527,8 +527,8 @@ GEM
    omniauth (1.8.1)
      hashie (>= 3.4.6, < 3.6.0)
      rack (>= 1.6.2, < 3)
-    omniauth-auth0 (1.4.1)
-      omniauth-oauth2 (~> 1.1)
+    omniauth-auth0 (2.0.0)
+      omniauth-oauth2 (~> 1.4)
    omniauth-authentiq (0.3.1)
      omniauth-oauth2 (~> 1.3, >= 1.3.1)
    omniauth-azure-oauth2 (0.0.9)
@@ -1105,7 +1105,7 @@ DEPENDENCIES
  oauth2 (~> 1.4)
  octokit (~> 4.8)
  omniauth (~> 1.8)
-  omniauth-auth0 (~> 1.4.1)
+  omniauth-auth0 (~> 2.0.0)
  omniauth-authentiq (~> 0.3.1)
  omniauth-azure-oauth2 (~> 0.0.9)
  omniauth-cas3 (~> 1.1.4)

--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -95,6 +95,14 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
    handle_omniauth
  end
  
+  def auth0
+    if oauth['uid'].blank?
+      fail_auth0_login
+    else
+      handle_omniauth
+    end
+  end
+
  private
  
  def handle_omniauth
@@ -170,6 +178,12 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
    redirect_to new_user_session_path
  end
  
+  def fail_auth0_login
+    flash[:alert] = 'Wrong extern UID provided. Make sure Auth0 is configured correctly.'
+
+    redirect_to new_user_session_path
+  end
+
  def handle_disabled_provider
    label = Gitlab::Auth::OAuth::Provider.label_for(oauth['provider'])
    flash[:alert] = "Signing in using #{label} has been disabled"

--- a/app/helpers/application_settings_helper.rb
+++ b/app/helpers/application_settings_helper.rb
@@ -245,7 +245,8 @@ module ApplicationSettingsHelper
      :usage_ping_enabled,
      :user_default_external,
      :user_oauth_applications,
-      :version_check_enabled
+      :version_check_enabled,
+      :allow_local_requests_from_hooks_and_services
    ]
  end
 end
--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -330,7 +330,8 @@ class ApplicationSetting < ActiveRecord::Base
      usage_ping_enabled: Settings.gitlab['usage_ping_enabled'],
      gitaly_timeout_fast: 10,
      gitaly_timeout_medium: 30,
-      gitaly_timeout_default: 55
+      gitaly_timeout_default: 55,
+      allow_local_requests_from_hooks_and_services: false
    }
  end
  

--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -38,6 +38,9 @@ class Project < ActiveRecord::Base
    attachments: 2
  }.freeze
  
+  # Valids ports to import from
+  VALID_IMPORT_PORTS = [22, 80, 443].freeze
+
  cache_markdown_field :description, pipeline: :description
  
  delegate :feature_available?, :builds_enabled?, :wiki_enabled?,

--- a/app/models/project_services/assembla_service.rb
+++ b/app/models/project_services/assembla_service.rb
 class AssemblaService < Service
-  include HTTParty
-
  prop_accessor :token, :subdomain
  validates :token, presence: true, if: :activated?
  
@@ -31,6 +29,6 @@ class AssemblaService < Service
    return unless supported_events.include?(data[:object_kind])
  
    url = "https://atlas.assembla.com/spaces/#{subdomain}/github_tool?secret_key=#{token}"
-    AssemblaService.post(url, body: { payload: data }.to_json, headers: { 'Content-Type' => 'application/json' })
+    Gitlab::HTTP.post(url, body: { payload: data }.to_json, headers: { 'Content-Type' => 'application/json' })
  end
 end
--- a/app/models/project_services/bamboo_service.rb
+++ b/app/models/project_services/bamboo_service.rb
@@ -117,14 +117,14 @@ class BambooService < CiService
    url = build_url(path)
  
    if username.blank? && password.blank?
-      HTTParty.get(url, verify: false)
+      Gitlab::HTTP.get(url, verify: false)
    else
      url << '&os_authType=basic'
-      HTTParty.get(url, verify: false,
-                        basic_auth: {
-                          username: username,
-                          password: password
-                        })
+      Gitlab::HTTP.get(url, verify: false,
+                            basic_auth: {
+                              username: username,
+                              password: password
+                            })
    end
  end
 end
--- a/app/models/project_services/buildkite_service.rb
+++ b/app/models/project_services/buildkite_service.rb
@@ -71,7 +71,7 @@ class BuildkiteService < CiService
  end
  
  def calculate_reactive_cache(sha, ref)
-    response = HTTParty.get(commit_status_path(sha), verify: false)
+    response = Gitlab::HTTP.get(commit_status_path(sha), verify: false)
  
    status =
      if response.code == 200 && response['status']

--- a/app/models/project_services/campfire_service.rb
+++ b/app/models/project_services/campfire_service.rb
 class CampfireService < Service
-  include HTTParty
-
  prop_accessor :token, :subdomain, :room
  validates :token, presence: true, if: :activated?
  
@@ -31,7 +29,6 @@ class CampfireService < Service
  def execute(data)
    return unless supported_events.include?(data[:object_kind])
  
-    self.class.base_uri base_uri
    message = build_message(data)
    speak(self.room, message, auth)
  end
@@ -69,14 +66,14 @@ class CampfireService < Service
        }
      }
    }
-    res = self.class.post(path, auth.merge(body))
+    res = Gitlab::HTTP.post(path, base_uri: base_uri, **auth.merge(body))
    res.code == 201 ? res : nil
  end
  
  # Returns a list of rooms, or [].
  # https://github.com/basecamp/campfire-api/blob/master/sections/rooms.md#get-rooms
  def rooms(auth)
-    res = self.class.get("/rooms.json", auth)
+    res = Gitlab::HTTP.get("/rooms.json", base_uri: base_uri, **auth)
    res.code == 200 ? res["rooms"] : []
  end
  

--- a/app/models/project_services/drone_ci_service.rb
+++ b/app/models/project_services/drone_ci_service.rb
@@ -49,7 +49,7 @@ class DroneCiService < CiService
  end
  
  def calculate_reactive_cache(sha, ref)
-    response = HTTParty.get(commit_status_path(sha, ref), verify: enable_ssl_verification)
+    response = Gitlab::HTTP.get(commit_status_path(sha, ref), verify: enable_ssl_verification)
  
    status =
      if response.code == 200 && response['status']

--- a/app/models/project_services/external_wiki_service.rb
+++ b/app/models/project_services/external_wiki_service.rb
 class ExternalWikiService < Service
-  include HTTParty
-
  prop_accessor :external_wiki_url
  
  validates :external_wiki_url, presence: true, url: true, if: :activated?
@@ -24,7 +22,7 @@ class ExternalWikiService < Service
  end
  
  def execute(_data)
-    @response = HTTParty.get(properties['external_wiki_url'], verify: true) rescue nil
+    @response = Gitlab::HTTP.get(properties['external_wiki_url'], verify: true) rescue nil
    if @response != 200
      nil
    end

--- a/app/models/project_services/issue_tracker_service.rb
+++ b/app/models/project_services/issue_tracker_service.rb
@@ -77,13 +77,13 @@ class IssueTrackerService < Service
    result = false
  
    begin
-      response = HTTParty.head(self.project_url, verify: true)
+      response = Gitlab::HTTP.head(self.project_url, verify: true)
  
      if response
        message = "#{self.type} received response #{response.code} when attempting to connect to #{self.project_url}"
        result = true
      end
-    rescue HTTParty::Error, Timeout::Error, SocketError, Errno::ECONNRESET, Errno::ECONNREFUSED, OpenSSL::SSL::SSLError => error
+    rescue Gitlab::HTTP::Error, Timeout::Error, SocketError, Errno::ECONNRESET, Errno::ECONNREFUSED, OpenSSL::SSL::SSLError => error
      message = "#{self.type} had an error when trying to connect to #{self.project_url}: #{error.message}"
    end
    Rails.logger.info(message)

--- a/app/models/project_services/mock_ci_service.rb
+++ b/app/models/project_services/mock_ci_service.rb
@@ -52,7 +52,7 @@ class MockCiService < CiService
  #
  #
  def commit_status(sha, ref)
-    response = HTTParty.get(commit_status_path(sha), verify: false)
+    response = Gitlab::HTTP.get(commit_status_path(sha), verify: false)
    read_commit_status(response)
  rescue Errno::ECONNREFUSED
    :error

--- a/app/models/project_services/packagist_service.rb
+++ b/app/models/project_services/packagist_service.rb
 class PackagistService < Service
-  include HTTParty
-
  prop_accessor :username, :token, :server
  
  validates :username, presence: true, if: :activated?

--- a/app/models/project_services/pivotaltracker_service.rb
+++ b/app/models/project_services/pivotaltracker_service.rb
 class PivotaltrackerService < Service
-  include HTTParty
-
  API_ENDPOINT = 'https://www.pivotaltracker.com/services/v5/source_commits'.freeze
  
  prop_accessor :token, :restrict_to_branch
@@ -52,7 +50,7 @@ class PivotaltrackerService < Service
          'message' => commit[:message]
        }
      }
-      PivotaltrackerService.post(
+      Gitlab::HTTP.post(
        API_ENDPOINT,
        body: message.to_json,
        headers: {

--- a/app/models/project_services/pushover_service.rb
+++ b/app/models/project_services/pushover_service.rb
 class PushoverService < Service
-  include HTTParty
-  base_uri 'https://api.pushover.net/1'
+  BASE_URI = 'https://api.pushover.net/1'.freeze
  
  prop_accessor :api_key, :user_key, :device, :priority, :sound
  validates :api_key, :user_key, :priority, presence: true, if: :activated?
@@ -99,6 +98,6 @@ class PushoverService < Service
      pushover_data[:sound] = sound
    end
  
-    PushoverService.post('/messages.json', body: pushover_data)
+    Gitlab::HTTP.post('/messages.json', base_uri: BASE_URI, body: pushover_data)
  end
 end
--- a/app/models/project_services/teamcity_service.rb
+++ b/app/models/project_services/teamcity_service.rb
@@ -83,7 +83,7 @@ class TeamcityService < CiService
  
    branch = Gitlab::Git.ref_name(data[:ref])
  
-    HTTParty.post(
+    Gitlab::HTTP.post(
      build_url('httpAuth/app/rest/buildQueue'),
      body: "<build branchName=\"#{branch}\">"\
            "<buildType id=\"#{build_type}\"/>"\
@@ -134,10 +134,10 @@ class TeamcityService < CiService
  end
  
  def get_path(path)
-    HTTParty.get(build_url(path), verify: false,
-                                  basic_auth: {
-                                    username: username,
-                                    password: password
-                                  })
+    Gitlab::HTTP.get(build_url(path), verify: false,
+                                      basic_auth: {
+                                        username: username,
+                                        password: password
+                                      })
  end
 end
--- a/app/services/projects/import_service.rb
+++ b/app/services/projects/import_service.rb
@@ -28,7 +28,7 @@ module Projects
  
    def add_repository_to_project
      if project.external_import? && !unknown_url?
-        raise Error, 'Blocked import URL.' if Gitlab::UrlBlocker.blocked_url?(project.import_url)
+        raise Error, 'Blocked import URL.' if Gitlab::UrlBlocker.blocked_url?(project.import_url, valid_ports: Project::VALID_IMPORT_PORTS)
      end
  
      # We should skip the repository for a GitHub import or GitLab project import,