Merge branch 'master' of dev.gitlab.org:gitlab/gitlabhq into jarv/dev-to-gitlab-2019-04-02

69b65a6b · John Jarvis · 1b6fe3ae · 3e81a5ba · 69b65a6b · 69b65a6b
Commit 69b65a6b authored 5 years ago by John Jarvis
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,34 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
  
+## 11.9.3 (2019-03-27)
+
+### Security (8 changes)
+
+- Disallow guest users from accessing Releases.
+- Fix PDF.js vulnerability.
+- Hide "related branches" when user does not have permission.
+- Fix XSS in resolve conflicts form.
+- Added rake task for removing EXIF data from existing uploads.
+- Return cached languages if they've been detected before.
+- Disallow updating namespace when updating a project.
+- Use UntrustedRegexp for matching refs policy.
+
+
+## 11.9.2 (2019-03-26)
+
+### Security (8 changes)
+
+- Disallow guest users from accessing Releases.
+- Fix PDF.js vulnerability.
+- Hide "related branches" when user does not have permission.
+- Fix XSS in resolve conflicts form.
+- Added rake task for removing EXIF data from existing uploads.
+- Return cached languages if they've been detected before.
+- Disallow updating namespace when updating a project.
+- Use UntrustedRegexp for matching refs policy.
+
+
 ## 11.9.1 (2019-03-25)
  
 ### Fixed (7 changes)
@@ -548,6 +576,32 @@ entry.
 - Creates mixin to reduce code duplication between CE and EE in graph component.
  
  
+## 11.7.10 (2019-03-28)
+
+### Security (7 changes)
+
+- Disallow guest users from accessing Releases.
+- Fix PDF.js vulnerability.
+- Hide "related branches" when user does not have permission.
+- Fix XSS in resolve conflicts form.
+- Added rake task for removing EXIF data from existing uploads.
+- Disallow updating namespace when updating a project.
+- Use UntrustedRegexp for matching refs policy.
+
+
+## 11.7.8 (2019-03-26)
+
+### Security (7 changes)
+
+- Disallow guest users from accessing Releases.
+- Fix PDF.js vulnerability.
+- Hide "related branches" when user does not have permission.
+- Fix XSS in resolve conflicts form.
+- Added rake task for removing EXIF data from existing uploads.
+- Disallow updating namespace when updating a project.
+- Use UntrustedRegexp for matching refs policy.
+
+
 ## 11.7.7 (2019-03-19)
  
 ### Security (2 changes)

--- a/GITLAB_WORKHORSE_VERSION
+++ b/GITLAB_WORKHORSE_VERSION
-8.3.1
+8.3.3
--- a/app/assets/javascripts/issue.js
+++ b/app/assets/javascripts/issue.js
@@ -16,7 +16,9 @@ export default class Issue {
    Issue.createMrDropdownWrap = document.querySelector('.create-mr-dropdown-wrap');
  
    Issue.initMergeRequests();
-    Issue.initRelatedBranches();
+    if (document.querySelector('#related-branches')) {
+      Issue.initRelatedBranches();
+    }
  
    this.closeButtons = $('a.btn-close');
    this.reopenButtons = $('a.btn-reopen');

--- a/app/assets/javascripts/pdf/index.vue
+++ b/app/assets/javascripts/pdf/index.vue
@@ -28,7 +28,7 @@ export default {
  },
  watch: { pdf: 'load' },
  mounted() {
-    pdfjsLib.PDFJS.workerSrc = workerSrc;
+    pdfjsLib.GlobalWorkerOptions.workerSrc = workerSrc;
    if (this.hasPDF) this.load();
  },
  methods: {

--- a/app/controllers/projects/graphs_controller.rb
+++ b/app/controllers/projects/graphs_controller.rb
@@ -46,12 +46,8 @@ class Projects::GraphsController < Projects::ApplicationController
  
  def get_languages
    @languages =
-      if @project.repository_languages.present?
-        @project.repository_languages.map do |lang|
-          { value: lang.share, label: lang.name, color: lang.color, highlight: lang.color }
-        end
-      else
-        @project.repository.languages
+      ::Projects::RepositoryLanguagesService.new(@project, current_user).execute.map do |lang|
+        { value: lang.share, label: lang.name, color: lang.color, highlight: lang.color }
      end
  end
  

--- a/app/controllers/projects/issues_controller.rb
+++ b/app/controllers/projects/issues_controller.rb
@@ -39,6 +39,7 @@ class Projects::IssuesController < Projects::ApplicationController
  before_action :authorize_create_merge_request_from!, only: [:create_merge_request]
  
  before_action :authorize_import_issues!, only: [:import_csv]
+  before_action :authorize_download_code!, only: [:related_branches]
  
  before_action :set_suggested_issues_feature_flags, only: [:new]
  

--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -47,7 +47,7 @@ class ProjectsController < Projects::ApplicationController
  end
  
  def create
-    @project = ::Projects::CreateService.new(current_user, project_params).execute
+    @project = ::Projects::CreateService.new(current_user, project_params(attributes: project_params_create_attributes)).execute
  
    if @project.saved?
      cookies[:issue_board_welcome_hidden] = { path: project_path(@project), value: nil, expires: Time.at(0) }
@@ -328,9 +328,9 @@ class ProjectsController < Projects::ApplicationController
  end
  # rubocop: enable CodeReuse/ActiveRecord
  
-  def project_params
+  def project_params(attributes: [])
    params.require(:project)
-      .permit(project_params_attributes)
+      .permit(project_params_attributes + attributes)
  end
  
  def project_params_attributes
@@ -349,11 +349,10 @@ class ProjectsController < Projects::ApplicationController
      :last_activity_at,
      :lfs_enabled,
      :name,
-      :namespace_id,
      :only_allow_merge_if_all_discussions_are_resolved,
      :only_allow_merge_if_pipeline_succeeds,
-      :printing_merge_request_link_enabled,
      :path,
+      :printing_merge_request_link_enabled,
      :public_builds,
      :request_access_enabled,
      :runners_token,
@@ -375,6 +374,10 @@ class ProjectsController < Projects::ApplicationController
    ]
  end
  
+  def project_params_create_attributes
+    [:namespace_id]
+  end
+
  def custom_import_params
    {}
  end

--- a/app/models/label.rb
+++ b/app/models/label.rb
@@ -133,6 +133,10 @@ class Label < ApplicationRecord
    1
  end
  
+  def self.by_ids(ids)
+    where(id: ids)
+  end
+
  def open_issues_count(user = nil)
    issues_count(user, state: 'opened')
  end

--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -177,7 +177,6 @@ class ProjectPolicy < BasePolicy
    enable :read_cycle_analytics
    enable :award_emoji
    enable :read_pages_content
-    enable :read_release
  end
  
  # These abilities are not allowed to admins that are not members of the project,
@@ -204,6 +203,7 @@ class ProjectPolicy < BasePolicy
    enable :read_deployment
    enable :read_merge_request
    enable :read_sentry_issue
+    enable :read_release
  end
  
  # We define `:public_user_access` separately because there are cases in gitlab-ee

--- a/app/services/issuable_base_service.rb
+++ b/app/services/issuable_base_service.rb
@@ -70,10 +70,14 @@ class IssuableBaseService < BaseService
  end
  
  def filter_labels
-    filter_labels_in_param(:add_label_ids)
-    filter_labels_in_param(:remove_label_ids)
-    filter_labels_in_param(:label_ids)
-    find_or_create_label_ids
+    params[:add_label_ids] = labels_service.filter_labels_ids_in_param(:add_label_ids) if params[:add_label_ids]
+    params[:remove_label_ids] = labels_service.filter_labels_ids_in_param(:remove_label_ids) if params[:remove_label_ids]
+
+    if params[:label_ids]
+      params[:label_ids] = labels_service.filter_labels_ids_in_param(:label_ids)
+    elsif params[:labels]
+      params[:label_ids] = labels_service.find_or_create_by_titles.map(&:id)
+    end
  end
  
  def filter_labels_in_param(key)
@@ -99,6 +103,10 @@ class IssuableBaseService < BaseService
    end.compact
  end
  
+  def labels_service
+    @labels_service ||= ::Labels::AvailableLabelsService.new(current_user, parent, params)
+  end
+
  def process_label_ids(attributes, existing_label_ids: nil)
    label_ids = attributes.delete(:label_ids)
    add_label_ids = attributes.delete(:add_label_ids)
@@ -116,10 +124,6 @@ class IssuableBaseService < BaseService
    new_label_ids.uniq
  end
  
-  def available_labels
-    @available_labels ||= LabelsFinder.new(current_user, project_id: @project.id, include_ancestor_groups: true).execute
-  end
-
  def handle_quick_actions_on_create(issuable)
    merge_quick_actions_into_params!(issuable)
  end

--- a/app/services/labels/available_labels_service.rb
+++ b/app/services/labels/available_labels_service.rb
+# frozen_string_literal: true
+module Labels
+  class AvailableLabelsService
+    attr_reader :current_user, :parent, :params
+
+    def initialize(current_user, parent, params)
+      @current_user = current_user
+      @parent = parent
+      @params = params
+    end
+
+    def find_or_create_by_titles
+      labels = params.delete(:labels)
+
+      return [] unless labels
+
+      labels = labels.split(',') if labels.is_a?(String)
+
+      labels.map do |label_name|
+        label = Labels::FindOrCreateService.new(
+          current_user,
+          parent,
+          include_ancestor_groups: true,
+          title: label_name.strip,
+          available_labels: available_labels
+        ).execute
+
+        label
+      end.compact
+    end
+
+    def filter_labels_ids_in_param(key)
+      return [] if params[key].to_a.empty?
+
+      # rubocop:disable CodeReuse/ActiveRecord
+      available_labels.by_ids(params[key]).pluck(:id)
+      # rubocop:enable CodeReuse/ActiveRecord
+    end
+
+    private
+
+    def available_labels
+      @available_labels ||= LabelsFinder.new(current_user, finder_params).execute
+    end
+
+    def finder_params
+      params = { include_ancestor_groups: true }
+
+      case parent
+      when Group
+        params[:group_id] = parent.id
+        params[:only_group_labels] = true
+      when Project
+        params[:project_id] = parent.id
+      end
+
+      params
+    end
+  end
+end
--- a/app/services/projects/detect_repository_languages_service.rb
+++ b/app/services/projects/detect_repository_languages_service.rb
@@ -2,7 +2,7 @@
  
 module Projects
  class DetectRepositoryLanguagesService < BaseService
-    attr_reader :detected_repository_languages, :programming_languages
+    attr_reader :programming_languages
  
    # rubocop: disable CodeReuse/ActiveRecord
    def execute
@@ -25,6 +25,8 @@ module Projects
          RepositoryLanguage.table_name,
          detection.insertions(matching_programming_languages)
        )
+
+        set_detected_repository_languages
      end
  
      project.repository_languages.reload
@@ -56,5 +58,11 @@ module Projects
      retry
    end
    # rubocop: enable CodeReuse/ActiveRecord
+
+    def set_detected_repository_languages
+      return if project.detected_repository_languages?
+
+      project.update_column(:detected_repository_languages, true)
+    end
  end
 end
--- a/app/services/projects/repository_languages_service.rb
+++ b/app/services/projects/repository_languages_service.rb
+# frozen_string_literal: true
+
+module Projects
+  class RepositoryLanguagesService < BaseService
+    def execute
+      perform_language_detection unless project.detected_repository_languages?
+      persisted_repository_languages
+    end
+
+    private
+
+    def perform_language_detection
+      if persisted_repository_languages.blank?
+        ::DetectRepositoryLanguagesWorker.perform_async(project.id, current_user.id)
+      else
+        project.update_column(:detected_repository_languages, true)
+      end
+    end
+
+    def persisted_repository_languages
+      project.repository_languages
+    end
+  end
+end
--- a/app/views/projects/issues/show.html.haml
+++ b/app/views/projects/issues/show.html.haml
@@ -80,8 +80,9 @@
    #merge-requests{ data: { url: referenced_merge_requests_project_issue_path(@project, @issue) } }
      // This element is filled in using JavaScript.
  
-    #related-branches{ data: { url: related_branches_project_issue_path(@project, @issue) } }
-      // This element is filled in using JavaScript.
+    - if can?(current_user, :download_code, @project)
+      #related-branches{ data: { url: related_branches_project_issue_path(@project, @issue) } }
+        // This element is filled in using JavaScript.
  
  .content-block.emoji-block.emoji-block-sticky
    .row

--- a/app/views/projects/merge_requests/conflicts/_submit_form.html.haml
+++ b/app/views/projects/merge_requests/conflicts/_submit_form.html.haml
@@ -6,7 +6,7 @@
  .form-group.row
    .col-md-4
      %h4= _('Resolve conflicts on source branch')
-      .resolve-info
+      .resolve-info{ "v-pre": true }
        = translation.html_safe
    .col-md-8
      %label.label-bold{ "for" => "commit-message" }

--- a/changelogs/unreleased/disallow-guests-to-access-releases.yml
+++ b/changelogs/unreleased/disallow-guests-to-access-releases.yml
+---
+title: Disallow guest users from accessing Releases
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/security-55503-fix-pdf-js-vulnerability.yml
+++ b/changelogs/unreleased/security-55503-fix-pdf-js-vulnerability.yml
+---
+title: Fix PDF.js vulnerability
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/security-56224.yml
+++ b/changelogs/unreleased/security-56224.yml
+---
+title: Hide "related branches" when user does not have permission
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/security-56927-xss-resolve-conflicts-branch-name.yml
+++ b/changelogs/unreleased/security-56927-xss-resolve-conflicts-branch-name.yml
+---
+title: Fix XSS in resolve conflicts form
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/security-exif-migration.yml
+++ b/changelogs/unreleased/security-exif-migration.yml
+---
+title: Added rake task for removing EXIF data from existing uploads.
+merge_request:
+author:
+type: security