Merge remote-tracking branch 'dev/12-7-stable' into 12-7-stable

b9a33e93 · GitLab Release Tools Bot · efed756a · 2c062854 · b9a33e93 · b9a33e93
Commit b9a33e93 authored 5 years ago by GitLab Release Tools Bot
--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -21,6 +21,14 @@ class BasePolicy < DeclarativePolicy::Base
  with_options scope: :user, score: 0
  condition(:deactivated) { @user&.deactivated? }
  
+  desc "User email is unconfirmed or user account is locked"
+  with_options scope: :user, score: 0
+  condition(:inactive) do
+    Feature.enabled?(:inactive_policy_condition, default_enabled: true) &&
+      @user &&
+      !@user&.active_for_authentication?
+  end
+
  with_options scope: :user, score: 0
  condition(:external_user) { @user.nil? || @user.external? }
  

--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -36,6 +36,13 @@ class GlobalPolicy < BasePolicy
    enable :use_slash_commands
  end
  
+  rule { inactive }.policy do
+    prevent :log_in
+    prevent :access_api
+    prevent :access_git
+    prevent :use_slash_commands
+  end
+
  rule { blocked | internal }.policy do
    prevent :log_in
    prevent :access_api

--- a/app/presenters/event_presenter.rb
+++ b/app/presenters/event_presenter.rb
@@ -3,6 +3,18 @@
 class EventPresenter < Gitlab::View::Presenter::Delegated
  presents :event
  
+  def initialize(subject, **attributes)
+    super
+
+    @visible_to_user_cache = ActiveSupport::Cache::MemoryStore.new
+  end
+
+  # Caching `visible_to_user?` method in the presenter beause it might be called multiple times.
+  def visible_to_user?(user = nil)
+    @visible_to_user_cache.fetch(user&.id) { super(user) }
+  end
+
+  # implement cache here
  def resource_parent_name
    resource_parent&.full_name || ''
  end

--- a/app/services/compare_service.rb
+++ b/app/services/compare_service.rb
@@ -18,7 +18,7 @@ class CompareService
    return unless raw_compare && raw_compare.base && raw_compare.head
  
    Compare.new(raw_compare,
-                target_project,
+                start_project,
                base_sha: base_sha,
                straight: straight)
  end

--- a/app/services/projects/group_links/destroy_service.rb
+++ b/app/services/projects/group_links/destroy_service.rb
@@ -6,6 +6,12 @@ module Projects
      def execute(group_link)
        return false unless group_link
  
+        if group_link.project.private?
+          TodosDestroyer::ProjectPrivateWorker.perform_in(Todo::WAIT_FOR_DELETE, project.id)
+        else
+          TodosDestroyer::ConfidentialIssueWorker.perform_in(Todo::WAIT_FOR_DELETE, nil, project.id)
+        end
+
        group_link.destroy
      end
    end

--- a/app/services/projects/import_export/export_service.rb
+++ b/app/services/projects/import_export/export_service.rb
@@ -4,6 +4,12 @@ module Projects
  module ImportExport
    class ExportService < BaseService
      def execute(after_export_strategy = nil, options = {})
+        unless project.template_source? || can?(current_user, :admin_project, project)
+          raise ::Gitlab::ImportExport::Error.new(
+            "User with ID: %s does not have permission to Project %s with ID: %s." %
+              [current_user.id, project.name, project.id])
+        end
+
        @shared = project.import_export_shared
  
        save_all!

--- a/app/views/projects/settings/operations/_grafana_integration.html.haml
+++ b/app/views/projects/settings/operations/_grafana_integration.html.haml
 .js-grafana-integration{ data: { operations_settings_endpoint: project_settings_operations_path(@project),
-  grafana_integration: { url: grafana_integration_url, token: grafana_integration_token, enabled: grafana_integration_enabled?.to_s } } }
+  grafana_integration: { url: grafana_integration_url, token: grafana_integration_masked_token, enabled: grafana_integration_enabled?.to_s } } }
--- a/doc/api/graphql/reference/gitlab_schema.graphql
+++ b/doc/api/graphql/reference/gitlab_schema.graphql
@@ -2414,9 +2414,9 @@ type GrafanaIntegration {
  id: ID!
  
  """
-  API token for the Grafana integration
+  API token for the Grafana integration. Field is permanently masked.
  """
-  token: String!
+  token: String! @deprecated(reason: "Plain text token has been masked for security reasons")
  
  """
  Timestamp of the issue's last activity

--- a/doc/api/graphql/reference/gitlab_schema.json
+++ b/doc/api/graphql/reference/gitlab_schema.json
@@ -16249,7 +16249,7 @@
            },
            {
              "name": "token",
-              "description": "API token for the Grafana integration",
+              "description": "API token for the Grafana integration. Field is permanently masked.",
              "args": [
  
              ],
@@ -16262,8 +16262,8 @@
                  "ofType": null
                }
              },
-              "isDeprecated": false,
-              "deprecationReason": null
+              "isDeprecated": true,
+              "deprecationReason": "Plain text token has been masked for security reasons"
            },
            {
              "name": "updatedAt",

--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -370,10 +370,10 @@ Autogenerated return type of EpicTreeReorder
 | ---   |  ---- | ----------  |
 | `id` | ID! | Internal ID of the Grafana integration |
 | `grafanaUrl` | String! | Url for the Grafana host for the Grafana integration |
-| `token` | String! | API token for the Grafana integration |
 | `enabled` | Boolean! | Indicates whether Grafana integration is enabled |
 | `createdAt` | Time! | Timestamp of the issue's creation |
 | `updatedAt` | Time! | Timestamp of the issue's last activity |
+| `token` | String! | API token for the Grafana integration. Field is permanently masked. |
  
 ## Group
  

--- a/doc/user/asciidoc.md
+++ b/doc/user/asciidoc.md
@@ -221,6 +221,11 @@ include::basics.adoc[]
 include::https://example.org/installation.adoc[]
 ```
  
+To guarantee good system performance and prevent malicious documents causing
+problems, GitLab enforces a **maximum limit** on the number of include directives
+processed in any one document. Currently a total of 32 documents can be
+included, a number that is inclusive of transitive dependencies.
+
 ### Blocks
  
 ```asciidoc

--- a/lib/api/commit_statuses.rb
+++ b/lib/api/commit_statuses.rb
@@ -85,6 +85,8 @@ module API
            protected: user_project.protected_for?(ref))
        end
  
+        authorize! :update_pipeline, pipeline
+
        status = GenericCommitStatus.running_or_pending.find_or_initialize_by(
          project: user_project,
          pipeline: pipeline,

--- a/lib/api/commits.rb
+++ b/lib/api/commits.rb
@@ -154,7 +154,7 @@ module API
  
        not_found! 'Commit' unless commit
  
-        present commit, with: Entities::CommitDetail, stats: params[:stats]
+        present commit, with: Entities::CommitDetail, stats: params[:stats], current_user: current_user
      end
  
      desc 'Get the diff for a specific commit of a project' do

--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -491,8 +491,18 @@ module API
    class CommitDetail < Commit
      expose :stats, using: Entities::CommitStats, if: :stats
      expose :status
-      expose :last_pipeline, using: 'API::Entities::PipelineBasic'
      expose :project_id
+
+      expose :last_pipeline do |commit, options|
+        pipeline = commit.last_pipeline if can_read_pipeline?
+        ::API::Entities::PipelineBasic.represent(pipeline, options)
+      end
+
+      private
+
+      def can_read_pipeline?
+        Ability.allowed?(options[:current_user], :read_pipeline, object.last_pipeline)
+      end
    end
  
    class CommitSignature < Grape::Entity

--- a/lib/api/files.rb
+++ b/lib/api/files.rb
@@ -127,6 +127,7 @@ module API
      get ":id/repository/files/:file_path/raw", requirements: FILE_ENDPOINT_REQUIREMENTS do
        assign_file_vars!
  
+        no_cache_headers
        set_http_headers(blob_data)
  
        send_git_blob @repo, @blob

--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -258,11 +258,21 @@ module API
    end
  
    def require_gitlab_workhorse!
+      verify_workhorse_api!
+
      unless env['HTTP_GITLAB_WORKHORSE'].present?
        forbidden!('Request should be executed via GitLab Workhorse')
      end
    end
  
+    def verify_workhorse_api!
+      Gitlab::Workhorse.verify_api_request!(request.headers)
+    rescue => e
+      Gitlab::ErrorTracking.track_exception(e)
+
+      forbidden!
+    end
+
    def require_pages_enabled!
      not_found! unless user_project.pages_available?
    end

--- a/lib/api/helpers/headers_helpers.rb
+++ b/lib/api/helpers/headers_helpers.rb
@@ -3,6 +3,8 @@
 module API
  module Helpers
    module HeadersHelpers
+      include Gitlab::NoCacheHeaders
+
      def set_http_headers(header_data)
        header_data.each do |key, value|
          if value.is_a?(Enumerable)
@@ -12,6 +14,12 @@ module API
          header "X-Gitlab-#{key.to_s.split('_').collect(&:capitalize).join('-')}", value.to_s
        end
      end
+
+      def no_cache_headers
+        DEFAULT_GITLAB_NO_CACHE_HEADERS.each do |k, v|
+          header k, v
+        end
+      end
    end
  end
 end
--- a/lib/banzai/reference_parser/base_parser.rb
+++ b/lib/banzai/reference_parser/base_parser.rb
@@ -201,12 +201,14 @@ module Banzai
        gather_references(nodes)
      end
  
-      # Gathers the references for the given HTML nodes.
+      # Gathers the references for the given HTML nodes.  Returns visible
+      # references and a list of nodes which are not visible to the user
      def gather_references(nodes)
        nodes = nodes_user_can_reference(current_user, nodes)
-        nodes = nodes_visible_to_user(current_user, nodes)
+        visible = nodes_visible_to_user(current_user, nodes)
+        not_visible = nodes - visible
  
-        referenced_by(nodes)
+        { visible: referenced_by(visible), not_visible: not_visible }
      end
  
      # Returns a Hash containing the projects for a given list of HTML nodes.

--- a/lib/gitlab/asciidoc.rb
+++ b/lib/gitlab/asciidoc.rb
@@ -11,6 +11,7 @@ module Gitlab
  # the resulting HTML through HTML pipeline filters.
  module Asciidoc
    MAX_INCLUDE_DEPTH = 5
+    MAX_INCLUDES = 32
    DEFAULT_ADOC_ATTRS = {
        'showtitle' => true,
        'sectanchors' => true,
@@ -40,6 +41,7 @@ module Gitlab
                        extensions: extensions }
  
      context[:pipeline] = :ascii_doc
+      context[:max_includes] = [MAX_INCLUDES, context[:max_includes]].compact.min
  
      plantuml_setup
  

--- a/lib/gitlab/asciidoc/include_processor.rb
+++ b/lib/gitlab/asciidoc/include_processor.rb
@@ -14,6 +14,8 @@ module Gitlab
  
        @context = context
        @repository = context[:repository] || context[:project].try(:repository)
+        @max_includes = context[:max_includes].to_i
+        @included = []
  
        # Note: Asciidoctor calls #freeze on extensions, so we can't set new
        # instance variables after initialization.
@@ -28,8 +30,11 @@ module Gitlab
      def include_allowed?(target, reader)
        doc = reader.document
  
-        return false if doc.attributes.fetch('max-include-depth').to_i < 1
+        max_include_depth = doc.attributes.fetch('max-include-depth').to_i
+
+        return false if max_include_depth < 1
        return false if target_uri?(target)
+        return false if included.size >= max_includes
  
        true
      end
@@ -62,7 +67,7 @@ module Gitlab
  
      private
  
-      attr_accessor :context, :repository, :cache
+      attr_reader :context, :repository, :cache, :max_includes, :included
  
      # Gets a Blob at a path for a specific revision.
      # This method will check that the Blob exists and contains readable text.
@@ -77,6 +82,8 @@ module Gitlab
        raise 'Blob not found' unless blob
        raise 'File is not readable' unless blob.readable_text?
  
+        included << filename
+
        blob
      end