Commit 3f91efcd authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge remote-tracking branch 'dev/12-4-stable' into 12-4-stable

parents ec377c38 24cecbe1
Please view this file on the master branch, on stable branches it's out of date.
 
## 12.4.7
### Security (2 changes)
- Don't publish drafts if user can't create notes.
- Remove protected tag access when group is removed.
## 12.4.6
 
### Security (1 change)
@@ -2,6 +2,13 @@
documentation](doc/development/changelog.md) for instructions on adding your own
entry.
 
## 12.4.8
### Security (1 change)
- Fix private objects exposure when using Project Import functionality.
## 12.4.7
 
### Security (5 changes)
12.4.7
12.4.8
@@ -35,7 +35,7 @@ def check_changelog(path)
fail "`title` should be set, in #{gitlab.html_link(path)}! #{SEE_DOC}" if yaml["title"].nil?
fail "`type` should be set, in #{gitlab.html_link(path)}! #{SEE_DOC}" if yaml["type"].nil?
 
if yaml["merge_request"].nil?
if yaml["merge_request"].nil? && !helper.security_mr?
message "Consider setting `merge_request` to #{gitlab.mr_json["iid"]} in #{gitlab.html_link(path)}. #{SEE_DOC}"
elsif yaml["merge_request"] != gitlab.mr_json["iid"] && !ce_port_changelog?(path)
fail "Merge request ID was not set to #{gitlab.mr_json["iid"]}! #{SEE_DOC}"
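Review bot: On a security merge request whose changelog entry has no `merge_request`, the new guard skips the `message` branch but the `elsif` still fires, because `nil != gitlab.mr_json["iid"]` is true, so such an entry now fails (unless `ce_port_changelog?(path)` happens to hold) where it previously only produced a message. If the intent is to exempt security MRs from the id check altogether, the exemption has to be repeated on the second branch: `elsif yaml["merge_request"] != gitlab.mr_json["iid"] && !ce_port_changelog?(path) && !helper.security_mr?`. `check_changelog` begins before this hunk, so I cannot see whether an earlier return already handles this case.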
@@ -32,7 +32,7 @@ end
 
has_pick_into_stable_label = gitlab.mr_labels.find { |label| label.start_with?('Pick into') }
 
if gitlab.branch_for_base != "master" && !has_pick_into_stable_label
if gitlab.branch_for_base != "master" && !has_pick_into_stable_label && !helper.security_mr?
warn "Most of the time, merge requests should target `master`. Otherwise, please set the relevant `Pick into X.Y` label."
end
 
@@ -167,6 +167,12 @@ module Gitlab
labels - current_mr_labels
end
 
def security_mr?
return false unless gitlab_helper
gitlab_helper.mr_json['web_url'].include?('/gitlab-org/security/')
end
private
 
def has_database_scoped_labels?(current_mr_labels)
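Review bot: `security_mr?` decides with an unanchored substring test on `web_url`, so any URL that contains `/gitlab-org/security/` anywhere in it qualifies, and a response without `web_url` raises `NoMethodError` on `nil` instead of answering false. Because this predicate relaxes other Danger checks, anchoring it to the URL path is the safer shape, e.g. `URI(gitlab_helper.mr_json['web_url'].to_s).path.start_with?('/gitlab-org/security/')` (needs `uri`, which I assume is already loaded here). The method also lacks a doc comment; `# Whether the merge request under review lives in the gitlab-org/security namespace, judged from its web_url.` would do. The enclosing module and the `private` section continue outside the hunk.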
@@ -3,8 +3,8 @@
module Gitlab
module ImportExport
class AttributeCleaner
ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + %w[group_id commit_id]
PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/).freeze
ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + %w[group_id commit_id discussion_id custom_attributes]
PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/, /attributes/).freeze
 
def self.clean(*args)
new(*args).clean
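Review bot: The new `/attributes/` entry in `PROHIBITED_REFERENCES` is unanchored, so it rejects every key containing that substring (the spec's `some_attributes_metadata` and `variables_attributes`), while `custom_attributes` survives only because it is also listed in `ALLOWED_REFERENCES`; which list takes precedence is decided further down the class, outside this hunk, and nothing at the definitions records it. A short comment would stop the next maintainer from "tightening" the regex or reordering the lists: `# Keys carrying nested "*attributes" payloads are dropped on import unless explicitly allow-listed above; the allow-list wins.` As a side note, the existing patterns use `\Z`, which also matches before a trailing newline, where `\z` is the strict end anchor; here that only widens the deny-list, so it is harmless but worth knowing.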
@@ -26,17 +26,48 @@ def emit_errors(static_analysis)
end
end
 
tasks = [
%w[bin/rake lint:all],
%w[bundle exec license_finder],
%w[yarn run eslint],
%w[yarn run stylelint],
%w[yarn run prettier-all],
%w[bundle exec rubocop --parallel],
%w[scripts/lint-conflicts.sh],
%w[scripts/lint-rugged]
]
ALLOWED_WARNINGS = [
# https://github.com/browserslist/browserslist/blob/d0ec62eb48c41c218478cd3ac28684df051cc865/node.js#L329
# warns if caniuse-lite package is older than 6 months. Ignore this
# warning message so that GitLab backports don't fail.
"Browserslist: caniuse-lite is outdated. Please run next command `yarn upgrade`"
].freeze
 
def warning_count(static_analysis)
static_analysis.warned_results
.reject { |result| ALLOWED_WARNINGS.include?(result.stderr.strip) }
.count
end
def jobs_to_run(node_index, node_total)
all_tasks = [
%w[bin/rake lint:all],
%w[bundle exec license_finder],
%w[yarn run eslint],
%w[yarn run stylelint],
%w[yarn run prettier-all],
%w[bundle exec rubocop --parallel],
%w[scripts/lint-conflicts.sh],
%w[scripts/lint-rugged]
]
case node_total
when 1
all_tasks
when 2
rake_lint_all, *rest_jobs = all_tasks
case node_index
when 1
[rake_lint_all]
else
rest_jobs
end
else
raise "Parallelization > 2 (currently set to #{node_total}) isn't supported yet!"
end
end
tasks = jobs_to_run((ENV['CI_NODE_INDEX'] || 1).to_i, (ENV['CI_NODE_TOTAL'] || 1).to_i)
static_analysis = Gitlab::Popen::Runner.new
 
static_analysis.run(tasks) do |cmd, &run|
@@ -62,7 +93,7 @@ elsif static_analysis.all_success?
 
emit_warnings(static_analysis)
 
exit 2
exit 2 if warning_count(static_analysis).nonzero?
else
puts 'Some static analyses failed:'
 
@@ -312,4 +312,26 @@ describe Gitlab::Danger::Helper do
it { is_expected.to match_array(['database', 'database::review pending']) }
end
end
describe '#security_mr?' do
it 'returns false when `gitlab_helper` is unavailable' do
expect(helper).to receive(:gitlab_helper).and_return(nil)
expect(helper).not_to be_security_mr
end
it 'returns false when on a normal merge request' do
expect(fake_gitlab).to receive(:mr_json)
.and_return('web_url' => 'https://gitlab.com/gitlab-org/gitlab/merge_requests/1')
expect(helper).not_to be_security_mr
end
it 'returns true when on a security merge request' do
expect(fake_gitlab).to receive(:mr_json)
.and_return('web_url' => 'https://gitlab.com/gitlab-org/security/gitlab/merge_requests/1')
expect(helper).to be_security_mr
end
end
end
@@ -23,11 +23,21 @@ describe Gitlab::ImportExport::AttributeCleaner do
'legit_html' => '<p>legit html</p>',
'_html' => '<p>perfectly ordinary html</p>',
'cached_markdown_version' => 12345,
'custom_attributes' => 'whatever',
'some_attributes_metadata' => 'whatever',
'group_id' => 99,
'commit_id' => 99,
'issue_ids' => [1, 2, 3],
'merge_request_ids' => [1, 2, 3],
'note_ids' => [1, 2, 3]
'note_ids' => [1, 2, 3],
'attributes' => {
'issue_ids' => [1, 2, 3],
'merge_request_ids' => [1, 2, 3],
'note_ids' => [1, 2, 3]
},
'variables_attributes' => {
'id' => 1
}
}
end
 
@@ -38,7 +48,8 @@ describe Gitlab::ImportExport::AttributeCleaner do
'random_id_in_the_middle' => 99,
'notid' => 99,
'group_id' => 99,
'commit_id' => 99
'commit_id' => 99,
'custom_attributes' => 'whatever'
}
end
 