Add latest changes from gitlab-org/security/gitlab@12-4-stable-ee

73e4dfe3 · GitLab Bot · ec377c38 · 73e4dfe3 · 73e4dfe3 · 73e4dfe3
Commit 73e4dfe3 authored 5 years ago by GitLab Bot
--- a/CHANGELOG-EE.md
+++ b/CHANGELOG-EE.md
 Please view this file on the master branch, on stable branches it's out of date.
  
+## 12.4.7
+
+### Security (2 changes)
+
+- Don't publish drafts if user can't create notes.
+- Remove protected tag access when group is removed.
+
+
 ## 12.4.6
  
 ### Security (1 change)

--- a/VERSION
+++ b/VERSION
-12.4.7
+12.4.7-ee
--- a/changelogs/unreleased/security-project-import-vn-master.yml
+++ b/changelogs/unreleased/security-project-import-vn-master.yml
+---
+title: Fix private objects exposure when using Project Import functionality
+merge_request:
+author:
+type: security
--- a/danger/changelog/Dangerfile
+++ b/danger/changelog/Dangerfile
@@ -35,7 +35,7 @@ def check_changelog(path)
  fail "`title` should be set, in #{gitlab.html_link(path)}! #{SEE_DOC}" if yaml["title"].nil?
  fail "`type` should be set, in #{gitlab.html_link(path)}! #{SEE_DOC}" if yaml["type"].nil?
  
-  if yaml["merge_request"].nil?
+  if yaml["merge_request"].nil? && !helper.security_mr?
    message "Consider setting `merge_request` to #{gitlab.mr_json["iid"]} in #{gitlab.html_link(path)}. #{SEE_DOC}"
  elsif yaml["merge_request"] != gitlab.mr_json["iid"] && !ce_port_changelog?(path)
    fail "Merge request ID was not set to #{gitlab.mr_json["iid"]}! #{SEE_DOC}"

--- a/danger/metadata/Dangerfile
+++ b/danger/metadata/Dangerfile
@@ -32,7 +32,7 @@ end
  
 has_pick_into_stable_label = gitlab.mr_labels.find { |label| label.start_with?('Pick into') }
  
-if gitlab.branch_for_base != "master" && !has_pick_into_stable_label
+if gitlab.branch_for_base != "master" && !has_pick_into_stable_label && !helper.security_mr?
  warn "Most of the time, merge requests should target `master`. Otherwise, please set the relevant `Pick into X.Y` label."
 end
  

--- a/lib/gitlab/danger/helper.rb
+++ b/lib/gitlab/danger/helper.rb
@@ -167,6 +167,12 @@ module Gitlab
        labels - current_mr_labels
      end
  
+      def security_mr?
+        return false unless gitlab_helper
+
+        gitlab_helper.mr_json['web_url'].include?('/gitlab-org/security/')
+      end
+
      private
  
      def has_database_scoped_labels?(current_mr_labels)

--- a/lib/gitlab/import_export/attribute_cleaner.rb
+++ b/lib/gitlab/import_export/attribute_cleaner.rb
@@ -3,8 +3,8 @@
 module Gitlab
  module ImportExport
    class AttributeCleaner
-      ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + %w[group_id commit_id]
-      PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/).freeze
+      ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + %w[group_id commit_id discussion_id custom_attributes]
+      PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/, /attributes/).freeze
  
      def self.clean(*args)
        new(*args).clean

--- a/scripts/static-analysis
+++ b/scripts/static-analysis
@@ -26,17 +26,48 @@ def emit_errors(static_analysis)
  end
 end
  
-tasks = [
-  %w[bin/rake lint:all],
-  %w[bundle exec license_finder],
-  %w[yarn run eslint],
-  %w[yarn run stylelint],
-  %w[yarn run prettier-all],
-  %w[bundle exec rubocop --parallel],
-  %w[scripts/lint-conflicts.sh],
-  %w[scripts/lint-rugged]
-]
+ALLOWED_WARNINGS = [
+  # https://github.com/browserslist/browserslist/blob/d0ec62eb48c41c218478cd3ac28684df051cc865/node.js#L329
+  # warns if caniuse-lite package is older than 6 months. Ignore this
+  # warning message so that GitLab backports don't fail.
+  "Browserslist: caniuse-lite is outdated. Please run next command `yarn upgrade`"
+].freeze
  
+def warning_count(static_analysis)
+  static_analysis.warned_results
+    .reject { |result| ALLOWED_WARNINGS.include?(result.stderr.strip) }
+    .count
+end
+
+def jobs_to_run(node_index, node_total)
+  all_tasks = [
+    %w[bin/rake lint:all],
+    %w[bundle exec license_finder],
+    %w[yarn run eslint],
+    %w[yarn run stylelint],
+    %w[yarn run prettier-all],
+    %w[bundle exec rubocop --parallel],
+    %w[scripts/lint-conflicts.sh],
+    %w[scripts/lint-rugged]
+  ]
+
+  case node_total
+  when 1
+    all_tasks
+  when 2
+    rake_lint_all, *rest_jobs = all_tasks
+    case node_index
+    when 1
+      [rake_lint_all]
+    else
+      rest_jobs
+    end
+  else
+    raise "Parallelization > 2 (currently set to #{node_total}) isn't supported yet!"
+  end
+end
+
+tasks = jobs_to_run((ENV['CI_NODE_INDEX'] || 1).to_i, (ENV['CI_NODE_TOTAL'] || 1).to_i)
 static_analysis = Gitlab::Popen::Runner.new
  
 static_analysis.run(tasks) do |cmd, &run|
@@ -62,7 +93,7 @@ elsif static_analysis.all_success?
  
  emit_warnings(static_analysis)
  
-  exit 2
+  exit 2 if warning_count(static_analysis).nonzero?
 else
  puts 'Some static analyses failed:'
  

--- a/spec/lib/gitlab/danger/helper_spec.rb
+++ b/spec/lib/gitlab/danger/helper_spec.rb
@@ -312,4 +312,26 @@ describe Gitlab::Danger::Helper do
      it { is_expected.to match_array(['database', 'database::review pending']) }
    end
  end
+
+  describe '#security_mr?' do
+    it 'returns false when `gitlab_helper` is unavailable' do
+      expect(helper).to receive(:gitlab_helper).and_return(nil)
+
+      expect(helper).not_to be_security_mr
+    end
+
+    it 'returns false when on a normal merge request' do
+      expect(fake_gitlab).to receive(:mr_json)
+        .and_return('web_url' => 'https://gitlab.com/gitlab-org/gitlab/merge_requests/1')
+
+      expect(helper).not_to be_security_mr
+    end
+
+    it 'returns true when on a security merge request' do
+      expect(fake_gitlab).to receive(:mr_json)
+        .and_return('web_url' => 'https://gitlab.com/gitlab-org/security/gitlab/merge_requests/1')
+
+      expect(helper).to be_security_mr
+    end
+  end
 end
--- a/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
+++ b/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
@@ -23,11 +23,21 @@ describe Gitlab::ImportExport::AttributeCleaner do
      'legit_html' => '<p>legit html</p>',
      '_html' => '<p>perfectly ordinary html</p>',
      'cached_markdown_version' => 12345,
+      'custom_attributes' => 'whatever',
+      'some_attributes_metadata' => 'whatever',
      'group_id' => 99,
      'commit_id' => 99,
      'issue_ids' => [1, 2, 3],
      'merge_request_ids' => [1, 2, 3],
-      'note_ids' => [1, 2, 3]
+      'note_ids' => [1, 2, 3],
+      'attributes' => {
+        'issue_ids' => [1, 2, 3],
+        'merge_request_ids' => [1, 2, 3],
+        'note_ids' => [1, 2, 3]
+      },
+      'variables_attributes' => {
+        'id' => 1
+      }
    }
  end
  
@@ -38,7 +48,8 @@ describe Gitlab::ImportExport::AttributeCleaner do
      'random_id_in_the_middle' => 99,
      'notid' => 99,
      'group_id' => 99,
-      'commit_id' => 99
+      'commit_id' => 99,
+      'custom_attributes' => 'whatever'
    }
  end