Add latest changes from gitlab-org/security/gitlab@12-5-stable-ee

62f3248f · GitLab Bot · 586bb7dc · 62f3248f · 62f3248f · 62f3248f
Commit 62f3248f authored 5 years ago by GitLab Bot
--- a/app/services/projects/import_export/export_service.rb
+++ b/app/services/projects/import_export/export_service.rb
@@ -4,6 +4,12 @@ module Projects
  module ImportExport
    class ExportService < BaseService
      def execute(after_export_strategy = nil, options = {})
+        unless project.template_source? || can?(current_user, :admin_project, project)
+          raise ::Gitlab::ImportExport::Error.new(
+            "User with ID: %s does not have permission to Project %s with ID: %s." %
+              [current_user.id, project.name, project.id])
+        end
+
        @shared = project.import_export_shared
  
        save_all!

--- a/app/views/projects/settings/operations/_grafana_integration.html.haml
+++ b/app/views/projects/settings/operations/_grafana_integration.html.haml
 .js-grafana-integration{ data: { operations_settings_endpoint: project_settings_operations_path(@project),
-  grafana_integration: { url: grafana_integration_url, token: grafana_integration_token, enabled: grafana_integration_enabled?.to_s } } }
+  grafana_integration: { url: grafana_integration_url, token: grafana_integration_masked_token, enabled: grafana_integration_enabled?.to_s } } }
--- a/changelogs/unreleased/7597-add-template-repository-usage-to-the-usage-ping.yml
+++ b/changelogs/unreleased/7597-add-template-repository-usage-to-the-usage-ping.yml
+---
+title: Add template repository usage to the usage ping
+merge_request: 20126
+author: minghuan lei
+type: changed
--- a/changelogs/unreleased/jl-bump-rack-cors-1-0-6.yml
+++ b/changelogs/unreleased/jl-bump-rack-cors-1-0-6.yml
+---
+title: Update rack-cors to 1.0.6
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/jl-bump-rdoc-6-1-2.yml
+++ b/changelogs/unreleased/jl-bump-rdoc-6-1-2.yml
+---
+title: Update rdoc to 6.1.2
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/security-13-update-ruby-zip-pages-master.yml
+++ b/changelogs/unreleased/security-13-update-ruby-zip-pages-master.yml
+---
+title: Bump rubyzip to 2.0.0
+merge_request:
+author: Utkarsh Gupta
+type: security
--- a/changelogs/unreleased/security-35235-todos-cleanup.yml
+++ b/changelogs/unreleased/security-35235-todos-cleanup.yml
+---
+title: Cleanup todos for users from a removed linked group
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/security-commits-api-last-pipeline-status.yml
+++ b/changelogs/unreleased/security-commits-api-last-pipeline-status.yml
+---
+title: Disable access to last_pipeline in commits API for users without read permissions
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/security-dependency-proxy-path-traversal.yml
+++ b/changelogs/unreleased/security-dependency-proxy-path-traversal.yml
+---
+title: Add constraint to group dependency proxy endpoint param
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/security-dos-via-asciidoc-includes.yml
+++ b/changelogs/unreleased/security-dos-via-asciidoc-includes.yml
+---
+title: Limit number of AsciiDoc includes per document
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/security-email-confirmation-bypass-via-api-ee.yml
+++ b/changelogs/unreleased/security-email-confirmation-bypass-via-api-ee.yml
+---
+title: Prevent API access for unconfirmed users
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/security-enforce-permissions-for-event-filter-ee.yml
+++ b/changelogs/unreleased/security-enforce-permissions-for-event-filter-ee.yml
+---
+title: Enforce permission check when counting activity events
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/security-fix-grafana-token-leaked-in-plain-to-other-maintainers.yml
+++ b/changelogs/unreleased/security-fix-grafana-token-leaked-in-plain-to-other-maintainers.yml
+---
+title: Prevent gafana integration token from being displayed as a plain text to other project maintainers, by only displaying a masked version of it.
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/security-fix-xss-on-frequent-groups-dropdown.yml
+++ b/changelogs/unreleased/security-fix-xss-on-frequent-groups-dropdown.yml
+---
+title: Fix xss on frequent groups dropdown
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/security-fix-xss-on-project-templates.yml
+++ b/changelogs/unreleased/security-fix-xss-on-project-templates.yml
+---
+title: Fix XSS vulnerability on custom project templates form
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/security-proctect-internal-builds-from-external-overrides.yml
+++ b/changelogs/unreleased/security-proctect-internal-builds-from-external-overrides.yml
+---
+title: Protect internal CI builds from external overrides
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/security-project_export_service_permission_check.yml
+++ b/changelogs/unreleased/security-project_export_service_permission_check.yml
+---
+title: ImportExport::ExportService to require admin_project permission
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/security-reference-check.yml
+++ b/changelogs/unreleased/security-reference-check.yml
+---
+title: Make sure that only system notes where all references are visible to user are exposed in GraphQL API.
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/security-remove-caching-from-api-project-raw-endpoint.yml
+++ b/changelogs/unreleased/security-remove-caching-from-api-project-raw-endpoint.yml
+---
+title: Disable caching of repository/files/:file_path/raw API endpoint
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/security-reverse-polarity-of-branch-compare.yml
+++ b/changelogs/unreleased/security-reverse-polarity-of-branch-compare.yml
+---
+title: Make cross-repository comparisons happen in the source repository
+merge_request:
+author:
+type: security