Add latest changes from gitlab-org/security/gitlab@12-6-stable-ee

c70fc855 · GitLab Bot · c3e911be · c70fc855 · c70fc855 · c70fc855
Commit c70fc855 authored 5 years ago by GitLab Bot
--- a/Gemfile
+++ b/Gemfile
@@ -65,7 +65,7 @@ gem 'u2f', '~> 0.2.1'
  
 # GitLab Pages
 gem 'validates_hostname', '~> 1.0.6'
-gem 'rubyzip', '~> 1.3.0', require: 'zip'
+gem 'rubyzip', '~> 2.0.0', require: 'zip'
 # GitLab Pages letsencrypt support
 gem 'acme-client', '~> 2.0.2'
  
@@ -142,7 +142,7 @@ gem 'gitlab-markup', '~> 1.7.0'
 gem 'github-markup', '~> 1.7.0', require: 'github/markup'
 gem 'commonmarker', '~> 0.20'
 gem 'RedCloth', '~> 4.3.2'
-gem 'rdoc', '~> 6.0'
+gem 'rdoc', '~> 6.1.2'
 gem 'org-ruby', '~> 0.9.12'
 gem 'creole', '~> 0.5.0'
 gem 'wikicloth', '0.8.1'

--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -260,7 +260,7 @@ GEM
    et-orbi (1.2.1)
      tzinfo
    eventmachine (1.2.7)
-    excon (0.62.0)
+    excon (0.71.1)
    execjs (2.6.0)
    expression_parser (0.9.0)
    extended-markdown-filter (0.6.0)
@@ -763,7 +763,8 @@ GEM
      rack (>= 0.4)
    rack-attack (6.2.0)
      rack (>= 1.0, < 3)
-    rack-cors (1.0.2)
+    rack-cors (1.0.6)
+      rack (>= 1.6.0)
    rack-oauth2 (1.9.3)
      activesupport
      attr_required
@@ -820,7 +821,7 @@ GEM
      ffi (>= 1.0.6)
      msgpack (>= 0.4.3)
      optimist (>= 3.0.0)
-    rdoc (6.0.4)
+    rdoc (6.1.2)
    re2 (1.1.1)
    recaptcha (4.13.1)
      json
@@ -929,7 +930,7 @@ GEM
      sexp_processor (~> 4.9)
    rubyntlm (0.6.2)
    rubypants (0.2.0)
-    rubyzip (1.3.0)
+    rubyzip (2.0.0)
    rugged (0.28.4.1)
    safe_yaml (1.0.4)
    sanitize (4.6.6)
@@ -1299,7 +1300,7 @@ DEPENDENCIES
  raindrops (~> 0.18)
  rblineprof (~> 0.3.6)
  rbtrace (~> 0.4)
-  rdoc (~> 6.0)
+  rdoc (~> 6.1.2)
  re2 (~> 1.1.1)
  recaptcha (~> 4.11)
  redis (~> 4.0)
@@ -1323,7 +1324,7 @@ DEPENDENCIES
  ruby-prof (~> 1.0.0)
  ruby-progressbar
  ruby_parser (~> 3.8)
-  rubyzip (~> 1.3.0)
+  rubyzip (~> 2.0.0)
  rugged (~> 0.28)
  sanitize (~> 4.6)
  sassc-rails (~> 2.1.0)

--- a/app/assets/javascripts/groups_select.js
+++ b/app/assets/javascripts/groups_select.js
 import $ from 'jquery';
 import axios from './lib/utils/axios_utils';
 import Api from './api';
+import { escape } from 'lodash';
 import { normalizeHeaders } from './lib/utils/common_utils';
 import { __ } from '~/locale';
  
@@ -75,10 +76,12 @@ const groupsSelect = () => {
        }
      },
      formatResult(object) {
-        return `<div class='group-result'> <div class='group-name'>${object.full_name}</div> <div class='group-path'>${object.full_path}</div> </div>`;
+        return `<div class='group-result'> <div class='group-name'>${escape(
+          object.full_name,
+        )}</div> <div class='group-path'>${object.full_path}</div> </div>`;
      },
      formatSelection(object) {
-        return object.full_name;
+        return escape(object.full_name);
      },
      dropdownCssClass: 'ajax-groups-dropdown select2-infinite',
      // we do not want to escape markup since we are displaying html in results

--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -368,8 +368,8 @@ module ProjectsHelper
    @project.grafana_integration&.grafana_url
  end
  
-  def grafana_integration_token
-    @project.grafana_integration&.token
+  def grafana_integration_masked_token
+    @project.grafana_integration&.masked_token
  end
  
  def grafana_integration_enabled?

--- a/app/models/generic_commit_status.rb
+++ b/app/models/generic_commit_status.rb
 # frozen_string_literal: true
  
 class GenericCommitStatus < CommitStatus
+  EXTERNAL_STAGE_IDX = 1_000_000
+
  before_validation :set_default_values
  
  validates :target_url, addressable_url: true,
                         length: { maximum: 255 },
                         allow_nil: true
+  validate :name_uniqueness_across_types, unless: :importing?
  
  # GitHub compatible API
  alias_attribute :context, :name
@@ -13,7 +16,7 @@ class GenericCommitStatus < CommitStatus
  def set_default_values
    self.context ||= 'default'
    self.stage ||= 'external'
-    self.stage_idx ||= 1000000
+    self.stage_idx ||= EXTERNAL_STAGE_IDX
  end
  
  def tags
@@ -25,4 +28,14 @@ class GenericCommitStatus < CommitStatus
      .new(self, current_user)
      .fabricate!
  end
+
+  private
+
+  def name_uniqueness_across_types
+    return if !pipeline || name.blank?
+
+    if pipeline.statuses.by_name(name).where.not(type: type).exists?
+      errors.add(:name, :taken)
+    end
+  end
 end
--- a/app/models/grafana_integration.rb
+++ b/app/models/grafana_integration.rb
@@ -8,11 +8,13 @@ class GrafanaIntegration < ApplicationRecord
    algorithm: 'aes-256-gcm',
    key:       Settings.attr_encrypted_db_key_base_32
  
+  before_validation :check_token_changes
+
  validates :grafana_url,
            length: { maximum: 1024 },
            addressable_url: { enforce_sanitization: true, ascii_only: true }
  
-  validates :token, :project, presence: true
+  validates :encrypted_token, :project, presence: true
  
  validates :enabled, inclusion: { in: [true, false] }
  
@@ -23,4 +25,28 @@ class GrafanaIntegration < ApplicationRecord
  
    @client ||= ::Grafana::Client.new(api_url: grafana_url.chomp('/'), token: token)
  end
+
+  def masked_token
+    mask(encrypted_token)
+  end
+
+  def masked_token_was
+    mask(encrypted_token_was)
+  end
+
+  private
+
+  def token
+    decrypt(:token, encrypted_token)
+  end
+
+  def check_token_changes
+    return unless [encrypted_token_was, masked_token_was].include?(token)
+
+    clear_attribute_changes [:token, :encrypted_token, :encrypted_token_iv]
+  end
+
+  def mask(token)
+    token&.squish&.gsub(/./, '*')
+  end
 end
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -551,7 +551,8 @@ class Note < ApplicationRecord
      # if they are not equal, then there are private/confidential references as well
      user_visible_reference_count > 0 && user_visible_reference_count == total_reference_count
    else
-      referenced_mentionables(user).any?
+      refs = all_references(user)
+      refs.all.any? && refs.stateful_not_visible_counter == 0
    end
  end
  

--- a/app/services/compare_service.rb
+++ b/app/services/compare_service.rb
@@ -18,7 +18,7 @@ class CompareService
    return unless raw_compare && raw_compare.base && raw_compare.head
  
    Compare.new(raw_compare,
-                target_project,
+                start_project,
                base_sha: base_sha,
                straight: straight)
  end

--- a/app/services/projects/group_links/destroy_service.rb
+++ b/app/services/projects/group_links/destroy_service.rb
@@ -6,6 +6,12 @@ module Projects
      def execute(group_link)
        return false unless group_link
  
+        if group_link.project.private?
+          TodosDestroyer::ProjectPrivateWorker.perform_in(Todo::WAIT_FOR_DELETE, project.id)
+        else
+          TodosDestroyer::ConfidentialIssueWorker.perform_in(Todo::WAIT_FOR_DELETE, nil, project.id)
+        end
+
        group_link.destroy
      end
    end

--- a/app/views/projects/settings/operations/_grafana_integration.html.haml
+++ b/app/views/projects/settings/operations/_grafana_integration.html.haml
 .js-grafana-integration{ data: { operations_settings_endpoint: project_settings_operations_path(@project),
-  grafana_integration: { url: grafana_integration_url, token: grafana_integration_token, enabled: grafana_integration_enabled?.to_s } } }
+  grafana_integration: { url: grafana_integration_url, token: grafana_integration_masked_token, enabled: grafana_integration_enabled?.to_s } } }
--- a/changelogs/unreleased/jl-bump-rack-cors-1-0-6.yml
+++ b/changelogs/unreleased/jl-bump-rack-cors-1-0-6.yml
+---
+title: Update rack-cors to 1.0.6
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/jl-bump-rdoc-6-1-2.yml
+++ b/changelogs/unreleased/jl-bump-rdoc-6-1-2.yml
+---
+title: Update rdoc to 6.1.2
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/security-13-update-ruby-zip-pages-master.yml
+++ b/changelogs/unreleased/security-13-update-ruby-zip-pages-master.yml
+---
+title: Bump rubyzip to 2.0.0
+merge_request:
+author: Utkarsh Gupta
+type: security
--- a/changelogs/unreleased/security-35235-todos-cleanup.yml
+++ b/changelogs/unreleased/security-35235-todos-cleanup.yml
+---
+title: Cleanup todos for users from a removed linked group
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/security-dos-via-asciidoc-includes.yml
+++ b/changelogs/unreleased/security-dos-via-asciidoc-includes.yml
+---
+title: Limit number of AsciiDoc includes per document
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/security-fix-grafana-token-leaked-in-plain-to-other-maintainers.yml
+++ b/changelogs/unreleased/security-fix-grafana-token-leaked-in-plain-to-other-maintainers.yml
+---
+title: Prevent gafana integration token from being displayed as a plain text to other project maintainers, by only displaying a masked version of it.
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/security-fix-xss-on-project-templates.yml
+++ b/changelogs/unreleased/security-fix-xss-on-project-templates.yml
+---
+title: Fix XSS vulnerability on custom project templates form
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/security-proctect-internal-builds-from-external-overrides.yml
+++ b/changelogs/unreleased/security-proctect-internal-builds-from-external-overrides.yml
+---
+title: Protect internal CI builds from external overrides
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/security-reference-check.yml
+++ b/changelogs/unreleased/security-reference-check.yml
+---
+title: Make sure that only system notes where all references are visible to user are exposed in GraphQL API.
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/security-reverse-polarity-of-branch-compare.yml
+++ b/changelogs/unreleased/security-reverse-polarity-of-branch-compare.yml
+---
+title: Make cross-repository comparisons happen in the source repository
+merge_request:
+author:
+type: security