Merge remote-tracking branch 'dev/14-10-stable-ee' into 14-10-stable-ee

cb823083 · GitLab Release Tools Bot · ad109bc6 · d849687d · cb823083 · cb823083
Commit cb823083 authored 2 years ago by GitLab Release Tools Bot
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,25 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
  
+## 14.10.1 (2022-04-29)
+
+### Security (14 changes)
+
+- [Add suffix to cache name to add isolation](gitlab-org/security/gitlab@9ff0233c191339f4dd042b7f55d1ffd66b3f9a2b) ([merge request](gitlab-org/security/gitlab!2426))
+- [Update Import/Export merge/push access levels & exclude ci config path](gitlab-org/security/gitlab@40f32316dad5bb0779907261215b3526ed8871fc) ([merge request](gitlab-org/security/gitlab!2404))
+- [Prevent maintainers from editing PipelineSchedule](gitlab-org/security/gitlab@2ce3805447b4b3b7336d46d1d21dcd9e173c40be) ([merge request](gitlab-org/security/gitlab!2421))
+- [Add validation to pypi file sha256 values](gitlab-org/security/gitlab@afc796f43df09a2e43f40beaffec942a80ad973d) ([merge request](gitlab-org/security/gitlab!2415))
+- [Conan Token uses PAT rather than ID in payload](gitlab-org/security/gitlab@2679b802ac4cd9bd36190bcca691177c5568a981) ([merge request](gitlab-org/security/gitlab!2412))
+- [[security] Fix markdown API disclosing issue titles of limited projects](gitlab-org/security/gitlab@66088697787bcd55a727602da4f7fdd51b997eb0) ([merge request](gitlab-org/security/gitlab!2407))
+- [Verify that mentioned user can read TODO's note](gitlab-org/security/gitlab@fd166c1b4cc01e2bbbecabbab706deb423fa17f6) ([merge request](gitlab-org/security/gitlab!2397))
+- [Invalidate markdown cache to clear up stored XSS](gitlab-org/security/gitlab@0a0aee802c8b7760ffb0213e67129863d1769313) ([merge request](gitlab-org/security/gitlab!2418))
+- [Allow rate limiting of deploy tokens](gitlab-org/security/gitlab@8de550917a4b86a3ca3e132465d7d2c8394c4493) ([merge request](gitlab-org/security/gitlab!2395))
+- [Disable wiki access with CI_JOB_TOKEN when improper access level](gitlab-org/security/gitlab@516dbcd83cb2bbda6b15e22f4fafdaed661f4eb1) ([merge request](gitlab-org/security/gitlab!2408))
+- [Sanitize error input to prevent HTML/CSS injection in messages](gitlab-org/security/gitlab@c3f62e0f2965fe871463ed7a8b6e438cd2e1f515) ([merge request](gitlab-org/security/gitlab!2379))
+- [Secure debug trace artifact download](gitlab-org/security/gitlab@d889fb31417a8b8c38f73341da7576e856a96c5b) ([merge request](gitlab-org/security/gitlab!2376))
+- [Use password type for all secret integration properties](gitlab-org/security/gitlab@c4e2f9c3e86d832c143086f05fad382f6a218c50) ([merge request](gitlab-org/security/gitlab!2409))
+- [Limit CI job group_name regexp](gitlab-org/security/gitlab@9e3fbfce686aac48402a097c16616ffffe27c32f) ([merge request](gitlab-org/security/gitlab!2382))
+
 ## 14.10.0 (2022-04-21)
  
 ### Added (141 changes)
--- a/GITALY_SERVER_VERSION
+++ b/GITALY_SERVER_VERSION
-14.10.0
\ No newline at end of file
+14.10.1
\ No newline at end of file
--- a/VERSION
+++ b/VERSION
-14.10.0-ee
\ No newline at end of file
+14.10.1-ee
\ No newline at end of file
--- a/app/controllers/projects/application_controller.rb
+++ b/app/controllers/projects/application_controller.rb
@@ -32,6 +32,21 @@ class Projects::ApplicationController < ApplicationController
    ->(project) { !project.pending_delete? }
  end
  
+  def authorize_read_build_trace!
+    return if can?(current_user, :read_build_trace, build)
+
+    if build.debug_mode?
+      access_denied!(
+        _('You must have developer or higher permissions in the associated project to view job logs when debug trace ' \
+          "is enabled. To disable debug trace, set the 'CI_DEBUG_TRACE' variable to 'false' in your pipeline " \
+          'configuration or CI/CD settings. If you need to view this job log, a project maintainer must add you to ' \
+          'the project with developer permissions or higher.')
+      )
+    else
+      access_denied!(_('The current user is not authorized to access the job log.'))
+    end
+  end
+
  def build_canonical_path(project)
    params[:namespace_id] = project.namespace.to_param
    params[:project_id] = project.to_param

--- a/app/controllers/projects/artifacts_controller.rb
+++ b/app/controllers/projects/artifacts_controller.rb
@@ -9,6 +9,7 @@ class Projects::ArtifactsController < Projects::ApplicationController
  
  layout 'project'
  before_action :authorize_read_build!
+  before_action :authorize_read_build_trace!, only: [:download]
  before_action :authorize_update_build!, only: [:keep]
  before_action :authorize_destroy_artifacts!, only: [:destroy]
  before_action :extract_ref_name_and_path
@@ -164,4 +165,10 @@ class Projects::ArtifactsController < Projects::ApplicationController
  
    render_404 unless @entry.exists?
  end
+
+  def authorize_read_build_trace!
+    return unless params[:file_type] == 'trace'
+
+    super
+  end
 end
--- a/app/controllers/projects/jobs_controller.rb
+++ b/app/controllers/projects/jobs_controller.rb
@@ -177,17 +177,7 @@ class Projects::JobsController < Projects::ApplicationController
  
  private
  
-  def authorize_read_build_trace!
-    return if can?(current_user, :read_build_trace, @build)
-
-    msg = _(
-      "You must have developer or higher permissions in the associated project to view job logs when debug trace is enabled. To disable debug trace, set the 'CI_DEBUG_TRACE' variable to 'false' in your pipeline configuration or CI/CD settings. " \
-      "If you need to view this job log, a project maintainer must add you to the project with developer permissions or higher."
-    )
-    return access_denied!(msg) if @build.debug_mode?
-
-    access_denied!(_('The current user is not authorized to access the job log.'))
-  end
+  attr_reader :build
  
  def authorize_update_build!
    return access_denied! unless can?(current_user, :update_build, @build)

--- a/app/controllers/projects/pipeline_schedules_controller.rb
+++ b/app/controllers/projects/pipeline_schedules_controller.rb
@@ -7,7 +7,8 @@ class Projects::PipelineSchedulesController < Projects::ApplicationController
  before_action :authorize_play_pipeline_schedule!, only: [:play]
  before_action :authorize_read_pipeline_schedule!
  before_action :authorize_create_pipeline_schedule!, only: [:new, :create]
-  before_action :authorize_update_pipeline_schedule!, except: [:index, :new, :create, :play]
+  before_action :authorize_update_pipeline_schedule!, only: [:edit, :update]
+  before_action :authorize_take_ownership_pipeline_schedule!, only: [:take_ownership]
  before_action :authorize_admin_pipeline_schedule!, only: [:destroy]
  
  feature_category :continuous_integration
@@ -108,6 +109,10 @@ class Projects::PipelineSchedulesController < Projects::ApplicationController
    return access_denied! unless can?(current_user, :update_pipeline_schedule, schedule)
  end
  
+  def authorize_take_ownership_pipeline_schedule!
+    return access_denied! unless can?(current_user, :take_ownership_pipeline_schedule, schedule)
+  end
+
  def authorize_admin_pipeline_schedule!
    return access_denied! unless can?(current_user, :admin_pipeline_schedule, schedule)
  end

--- a/app/models/ci/build.rb
+++ b/app/models/ci/build.rb
@@ -911,7 +911,10 @@ module Ci
        end
      end
  
-      cache
+      type_suffix = pipeline.protected_ref? ? 'protected' : 'non_protected'
+      cache.map do |entry|
+        entry.merge(key: "#{entry[:key]}-#{type_suffix}")
+      end
    end
  
    def credentials

--- a/app/models/commit_status.rb
+++ b/app/models/commit_status.rb
@@ -229,7 +229,13 @@ class CommitStatus < Ci::ApplicationRecord
  end
  
  def group_name
-    name.to_s.sub(%r{([\b\s:]+((\[.*\])|(\d+[\s:\/\\]+\d+)))+\s*\z}, '').strip
+    # [\b\s:] -> whitespace or column
+    # (\[.*\])|(\d+[\s:\/\\]+\d+) -> variables/matrix or parallel-jobs numbers
+    # {1,3} -> number of times that matches the variables/matrix or parallel-jobs numbers
+    #          we limit this to 3 because of possible abuse
+    regex = %r{([\b\s:]+((\[.*\])|(\d+[\s:\/\\]+\d+))){1,3}\s*\z}
+
+    name.to_s.sub(regex, '').strip
  end
  
  def failed_but_allowed?

--- a/app/models/integrations/asana.rb
+++ b/app/models/integrations/asana.rb
@@ -27,10 +27,12 @@ module Integrations
    def fields
      [
        {
-          type: 'text',
+          type: 'password',
          name: 'api_key',
          title: 'API key',
          help: s_('AsanaService|User Personal Access Token. User must have access to the task. All comments are attributed to this user.'),
+          non_empty_password_title: s_('ProjectService|Enter new API key'),
+          non_empty_password_help: s_('ProjectService|Leave blank to use your current API key.'),
          # Example Personal Access Token from Asana docs
          placeholder: '0/68a9e79b868c6789e79a124c30b0',
          required: true

--- a/app/models/integrations/assembla.rb
+++ b/app/models/integrations/assembla.rb
@@ -19,8 +19,19 @@ module Integrations
  
    def fields
      [
-        { type: 'text', name: 'token', placeholder: '', required: true },
-        { type: 'text', name: 'subdomain', placeholder: '' }
+        {
+          type: 'password',
+          name: 'token',
+          non_empty_password_title: s_('ProjectService|Enter new token'),
+          non_empty_password_help: s_('ProjectService|Leave blank to use your current token.'),
+          placeholder: '',
+          required: true
+        },
+        {
+          type: 'text',
+          name: 'subdomain',
+          placeholder: ''
+        }
      ]
    end
  

--- a/app/models/integrations/bamboo.rb
+++ b/app/models/integrations/bamboo.rb
@@ -54,10 +54,12 @@ module Integrations
            required: true
          },
          {
-            type: 'text',
+            type: 'password',
            name: 'build_key',
-            placeholder: s_('KEY'),
            help: s_('BambooService|Bamboo build plan key.'),
+            non_empty_password_title: s_('BambooService|Enter new build key'),
+            non_empty_password_help: s_('BambooService|Leave blank to use your current build key.'),
+            placeholder: s_('KEY'),
            required: true
          },
          {

--- a/app/models/integrations/base_slash_commands.rb
+++ b/app/models/integrations/base_slash_commands.rb
@@ -26,7 +26,13 @@ module Integrations
  
    def fields
      [
-        { type: 'text', name: 'token', placeholder: 'XXxxXXxxXXxxXXxxXXxxXXxx' }
+        {
+          type: 'password',
+          name: 'token',
+          non_empty_password_title: s_('ProjectService|Enter new token'),
+          non_empty_password_help: s_('ProjectService|Leave blank to use your current token.'),
+          placeholder: 'XXxxXXxxXXxxXXxxXXxxXXxx'
+        }
      ]
    end
  

--- a/app/models/integrations/buildkite.rb
+++ b/app/models/integrations/buildkite.rb
@@ -76,10 +76,12 @@ module Integrations
  
    def fields
      [
-        { type: 'text',
+        { type: 'password',
          name: 'token',
          title: _('Token'),
          help: s_('ProjectService|The token you get after you create a Buildkite pipeline with a GitLab repository.'),
+          non_empty_password_title: s_('ProjectService|Enter new token'),
+          non_empty_password_help: s_('ProjectService|Leave blank to use your current token.'),
          required: true },
  
        { type: 'text',

--- a/app/models/integrations/campfire.rb
+++ b/app/models/integrations/campfire.rb
@@ -25,11 +25,13 @@ module Integrations
    def fields
      [
        {
-          type: 'text',
+          type: 'password',
          name: 'token',
          title: _('Campfire token'),
-          placeholder: '',
          help: s_('CampfireService|API authentication token from Campfire.'),
+          non_empty_password_title: s_('ProjectService|Enter new token'),
+          non_empty_password_help: s_('ProjectService|Leave blank to use your current token.'),
+          placeholder: '',
          required: true
        },
        {

--- a/app/models/integrations/drone_ci.rb
+++ b/app/models/integrations/drone_ci.rb
@@ -96,8 +96,21 @@ module Integrations
  
    def fields
      [
-        { type: 'text', name: 'token', help: s_('ProjectService|Token for the Drone project.'), required: true },
-        { type: 'text', name: 'drone_url', title: s_('ProjectService|Drone server URL'), placeholder: 'http://drone.example.com', required: true }
+        {
+          type: 'password',
+          name: 'token',
+          help: s_('ProjectService|Token for the Drone project.'),
+          non_empty_password_title: s_('ProjectService|Enter new token'),
+          non_empty_password_help: s_('ProjectService|Leave blank to use your current token.'),
+          required: true
+        },
+        {
+          type: 'text',
+          name: 'drone_url',
+          title: s_('ProjectService|Drone server URL'),
+          placeholder: 'http://drone.example.com',
+          required: true
+        }
      ]
    end
  

--- a/app/models/integrations/flowdock.rb
+++ b/app/models/integrations/flowdock.rb
@@ -24,7 +24,15 @@ module Integrations
  
    def fields
      [
-        { type: 'text', name: 'token', placeholder: s_('FlowdockService|1b609b52537...'), required: true, help: 'Enter your Flowdock token.' }
+        {
+          type: 'password',
+          name: 'token',
+          help: s_('FlowdockService|Enter your Flowdock token.'),
+          non_empty_password_title: s_('ProjectService|Enter new token'),
+          non_empty_password_help: s_('ProjectService|Leave blank to use your current token.'),
+          placeholder: '1b609b52537...',
+          required: true
+        }
      ]
    end
  

--- a/app/models/integrations/harbor.rb
+++ b/app/models/integrations/harbor.rb
@@ -64,11 +64,12 @@ module Integrations
          required: true
        },
        {
-          type: 'text',
+          type: 'password',
          name: 'password',
          title: s_('HarborIntegration|Harbor password'),
-          non_empty_password_title: s_('HarborIntegration|Enter Harbor password'),
-          non_empty_password_help: s_('HarborIntegration|Password for your Harbor username.'),
+          help: s_('HarborIntegration|Password for your Harbor username.'),
+          non_empty_password_title: s_('HarborIntegration|Enter new Harbor password'),
+          non_empty_password_help: s_('HarborIntegration|Leave blank to use your current password.'),
          required: true
        }
      ]

--- a/app/models/integrations/packagist.rb
+++ b/app/models/integrations/packagist.rb
@@ -36,10 +36,12 @@ module Integrations
          required: true
        },
        {
-          type: 'text',
+          type: 'password',
          name: 'token',
          title: _('Token'),
          help: s_('Enter your Packagist token.'),
+          non_empty_password_title: s_('ProjectService|Enter new token'),
+          non_empty_password_help: s_('ProjectService|Leave blank to use your current token.'),
          placeholder: '',
          required: true
        },

--- a/app/models/integrations/pivotaltracker.rb
+++ b/app/models/integrations/pivotaltracker.rb
@@ -27,9 +27,11 @@ module Integrations
    def fields
      [
        {
-          type: 'text',
+          type: 'password',
          name: 'token',
          help: s_('PivotalTrackerService|Pivotal Tracker API token. User must have access to the story. All comments are attributed to this user.'),
+          non_empty_password_title: s_('ProjectService|Enter new token'),
+          non_empty_password_help: s_('ProjectService|Leave blank to use your current token.'),
          required: true
        },
        {