Merge branch '11-7-stable' of dev.gitlab.org:gitlab/gitlabhq into 11-7-stable

CHANGELOG.md

@@ -2,6 +2,55 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
+## 11.7.8 (2019-03-26)
+
+### Security (7 changes)
+
+- Disallow guest users from accessing Releases.
+- Fix PDF.js vulnerability.
+- Hide "related branches" when user does not have permission.
+- Fix XSS in resolve conflicts form.
+- Added rake task for removing EXIF data from existing uploads.
+- Disallow updating namespace when updating a project.
+- Use UntrustedRegexp for matching refs policy.
+
+
+## 11.7.7 (2019-03-19)
+
+### Security (2 changes)
+
+- Remove project serialization in quick actions response.
+- Fixed ability to see private groups by users not belonging to given group.
+
+
+## 11.7.6 (2019-02-28)
+
+### Security (22 changes)
+
+- Stop linking to unrecognized package sources. !55518
+- Don't allow non-members to see private related MRs.
+- Fix potential Addressable::URI::InvalidURIError.
+- Do not display impersonated sessions under active sessions and remove ability to revoke session.
+- Display only information visible to current user on the Milestone page.
+- Show only merge requests visible to user on milestone detail page.
+- Disable issue boards API when issues are disabled.
+- Don't show new issue link after move when a user does not have permissions.
+- Fix git clone revealing private repo's presence.
+- Fix blind SSRF in Prometheus integration by checking URL before querying.
+- Check snippet attached file to be moved is within designated directory.
+- Check if desired milestone for an issue is available.
+- Fix arbitrary file read via diffs during import.
+- Display the correct number of MRs a user has access to.
+- Forbid creating discussions for users with restricted access.
+- Do not disclose milestone titles for unauthorized users.
+- Validate session key when authorizing with GCP to create a cluster.
+- Block local URLs for Kubernetes integration.
+- Limit mermaid rendering to 5K characters.
+- Remove the possibility to share a project with a group that a user is not a member of.
+- Fix leaking private repository information in API.
+- Prevent releases links API to leak tag existance.
+
+
 ## 11.7.5 (2019-02-06)
 ### Fixed (8 changes)

GITLAB_WORKHORSE_VERSION

-8.0.2
+8.0.3

VERSION

-11.7.5
+11.7.8

app/assets/javascripts/issue.js

@@ -16,7 +16,9 @@ export default class Issue {
     Issue.createMrDropdownWrap = document.querySelector('.create-mr-dropdown-wrap');
     Issue.initMergeRequests();
-    Issue.initRelatedBranches();
+    if (document.querySelector('#related-branches')) {
+      Issue.initRelatedBranches();
+    }
     this.closeButtons = $('a.btn-close');
     this.reopenButtons = $('a.btn-reopen');

app/assets/javascripts/pdf/index.vue

@@ -28,7 +28,7 @@ export default {
   },
   watch: { pdf: 'load' },
   mounted() {
-    pdfjsLib.PDFJS.workerSrc = workerSrc;
+    pdfjsLib.GlobalWorkerOptions.workerSrc = workerSrc;
     if (this.hasPDF) this.load();
   },
   methods: {

app/controllers/concerns/notes_actions.rb

@@ -54,7 +54,7 @@ module NotesActions
     respond_to do |format|
       format.json do
         json = {
-          commands_changes: @note.commands_changes
+          commands_changes: @note.commands_changes&.slice(:emoji_award, :time_estimate, :spend_time)
         }
         if @note.persisted? && return_discussion?

app/controllers/projects/issues_controller.rb

@@ -38,6 +38,7 @@ class Projects::IssuesController < Projects::ApplicationController
   before_action :authorize_create_merge_request_from!, only: [:create_merge_request]
   before_action :authorize_import_issues!, only: [:import_csv]
+  before_action :authorize_download_code!, only: [:related_branches]
   before_action :set_suggested_issues_feature_flags, only: [:new]

app/controllers/projects_controller.rb

@@ -46,7 +46,7 @@ class ProjectsController < Projects::ApplicationController
   end
   def create
-    @project = ::Projects::CreateService.new(current_user, project_params).execute
+    @project = ::Projects::CreateService.new(current_user, project_params(attributes: project_params_create_attributes)).execute
     if @project.saved?
       cookies[:issue_board_welcome_hidden] = { path: project_path(@project), value: nil, expires: Time.at(0) }
@@ -327,9 +327,9 @@ class ProjectsController < Projects::ApplicationController
   end
   # rubocop: enable CodeReuse/ActiveRecord
-  def project_params
+  def project_params(attributes: [])
     params.require(:project)
-      .permit(project_params_attributes)
+      .permit(project_params_attributes + attributes)
   end
   def project_params_attributes
@@ -348,11 +348,10 @@ class ProjectsController < Projects::ApplicationController
       :last_activity_at,
       :lfs_enabled,
       :name,
-      :namespace_id,
       :only_allow_merge_if_all_discussions_are_resolved,
       :only_allow_merge_if_pipeline_succeeds,
-      :printing_merge_request_link_enabled,
       :path,
+      :printing_merge_request_link_enabled,
       :public_builds,
       :request_access_enabled,
       :runners_token,
@@ -374,6 +373,10 @@ class ProjectsController < Projects::ApplicationController
     ]
   end
+  def project_params_create_attributes
+    [:namespace_id]
+  end
+
   def custom_import_params
     {}
   end

app/models/label.rb

@@ -126,6 +126,10 @@ class Label < ActiveRecord::Base
     fuzzy_search(query, [:title, :description])
   end
+  def self.by_ids(ids)
+    where(id: ids)
+  end
+
   def open_issues_count(user = nil)
     issues_count(user, state: 'opened')
   end

app/policies/group_policy.rb

@@ -53,7 +53,6 @@ class GroupPolicy < BasePolicy
   rule { admin }.enable :read_group
   rule { has_projects }.policy do
-    enable :read_group
     enable :read_label
   end

app/policies/project_policy.rb

@@ -178,7 +178,6 @@ class ProjectPolicy < BasePolicy
     enable :read_cycle_analytics
     enable :award_emoji
     enable :read_pages_content
-    enable :read_release
   end
   # These abilities are not allowed to admins that are not members of the project,
@@ -204,6 +203,7 @@ class ProjectPolicy < BasePolicy
     enable :read_deployment
     enable :read_merge_request
     enable :read_sentry_issue
+    enable :read_release
   end
   # We define `:public_user_access` separately because there are cases in gitlab-ee

app/services/issuable_base_service.rb

@@ -70,10 +70,14 @@ class IssuableBaseService < BaseService
   end
   def filter_labels
-    filter_labels_in_param(:add_label_ids)
-    filter_labels_in_param(:remove_label_ids)
-    filter_labels_in_param(:label_ids)
-    find_or_create_label_ids
+    params[:add_label_ids] = labels_service.filter_labels_ids_in_param(:add_label_ids) if params[:add_label_ids]
+    params[:remove_label_ids] = labels_service.filter_labels_ids_in_param(:remove_label_ids) if params[:remove_label_ids]
+
+    if params[:label_ids]
+      params[:label_ids] = labels_service.filter_labels_ids_in_param(:label_ids)
+    elsif params[:labels]
+      params[:label_ids] = labels_service.find_or_create_by_titles.map(&:id)
+    end
   end
   # rubocop: disable CodeReuse/ActiveRecord
@@ -101,6 +105,10 @@ class IssuableBaseService < BaseService
     end.compact
   end
+  def labels_service
+    @labels_service ||= ::Labels::AvailableLabelsService.new(current_user, parent, params)
+  end
+
   def process_label_ids(attributes, existing_label_ids: nil)
     label_ids = attributes.delete(:label_ids)
     add_label_ids = attributes.delete(:add_label_ids)
@@ -118,10 +126,6 @@ class IssuableBaseService < BaseService
     new_label_ids
   end
-  def available_labels
-    @available_labels ||= LabelsFinder.new(current_user, project_id: @project.id, include_ancestor_groups: true).execute
-  end
-
   def handle_quick_actions_on_create(issuable)
     merge_quick_actions_into_params!(issuable)
   end

app/services/labels/available_labels_service.rb

+# frozen_string_literal: true
+module Labels
+  class AvailableLabelsService
+    attr_reader :current_user, :parent, :params
+
+    def initialize(current_user, parent, params)
+      @current_user = current_user
+      @parent = parent
+      @params = params
+    end
+
+    def find_or_create_by_titles
+      labels = params.delete(:labels)
+
+      return [] unless labels
+
+      labels = labels.split(',') if labels.is_a?(String)
+
+      labels.map do |label_name|
+        label = Labels::FindOrCreateService.new(
+          current_user,
+          parent,
+          include_ancestor_groups: true,
+          title: label_name.strip,
+          available_labels: available_labels
+        ).execute
+
+        label
+      end.compact
+    end
+
+    def filter_labels_ids_in_param(key)
+      return [] if params[key].to_a.empty?
+
+      # rubocop:disable CodeReuse/ActiveRecord
+      available_labels.by_ids(params[key]).pluck(:id)
+      # rubocop:enable CodeReuse/ActiveRecord
+    end
+
+    private
+
+    def available_labels
+      @available_labels ||= LabelsFinder.new(current_user, finder_params).execute
+    end
+
+    def finder_params
+      params = { include_ancestor_groups: true }
+
+      case parent
+      when Group
+        params[:group_id] = parent.id
+        params[:only_group_labels] = true
+      when Project
+        params[:project_id] = parent.id
+      end
+
+      params
+    end
+  end
+end

app/views/projects/issues/show.html.haml

@@ -74,8 +74,9 @@
     #merge-requests{ data: { url: referenced_merge_requests_project_issue_path(@project, @issue) } }
       // This element is filled in using JavaScript.
-    #related-branches{ data: { url: related_branches_project_issue_path(@project, @issue) } }
-      // This element is filled in using JavaScript.
+    - if can?(current_user, :download_code, @project)
+      #related-branches{ data: { url: related_branches_project_issue_path(@project, @issue) } }
+        // This element is filled in using JavaScript.
   .content-block.emoji-block.emoji-block-sticky
     .row

app/views/projects/merge_requests/conflicts/_submit_form.html.haml

@@ -6,7 +6,7 @@
   .form-group.row
     .col-md-4
       %h4= _('Resolve conflicts on source branch')
-      .resolve-info
+      .resolve-info{ "v-pre": true }
         = translation.html_safe
     .col-md-8
       %label.label-bold{ "for" => "commit-message" }

changelogs/unreleased/2802-security-add-public-internal-groups-as-members-to-your-project-idor.yml

----
-title: Remove the possibility to share a project with a group that a user is not a member
-  of
-merge_request:
-author:
-type: security

changelogs/unreleased/51971-milestones-visibility.yml

----
-title: Check if desired milestone for an issue is available
-merge_request:
-author:
-type: security

changelogs/unreleased/57227-absolute-uri-missing-hierarchical-segment.yml

----
-title: Fix potential Addressable::URI::InvalidURIError
-merge_request:
-author:
-type: security

changelogs/unreleased/57534_filter_impersonated_sessions.yml

----
-title: Do not display impersonated sessions under active sessions and remove ability
-  to revoke session
-merge_request:
-author:
-type: security

changelogs/unreleased/security-2774-milestones-detail.yml

----
-title: Display only information visible to current user on the Milestone page
-merge_request:
-author:
-type: security