
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2020-04-27 18:22:39 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2020-04-27 18:22:39 +0300
commit83ef6fa0e1b7f6bca5584abb254dfd23670ea5c6 (patch)
treeb851e56433f98df301f7b1d04d92a690d6b6327f
parenta01497b0f1a7f4312c48e1b863881afd6d9bbc4d (diff)
Add latest changes from gitlab-org/security/gitlab@12-8-stable-ee
-rw-r--r--app/serializers/remote_mirror_entity.rb2
-rw-r--r--changelogs/unreleased/security-mirror-urls.yml5
-rw-r--r--spec/serializers/remote_mirror_entity_spec.rb7
-rwxr-xr-x[-rw-r--r--]vendor/gitignore/C++.gitignore0
-rwxr-xr-x[-rw-r--r--]vendor/gitignore/Java.gitignore0
5 files changed, 12 insertions, 2 deletions
diff --git a/app/serializers/remote_mirror_entity.rb b/app/serializers/remote_mirror_entity.rb
index 8835c6d4647..440e4274668 100644
--- a/app/serializers/remote_mirror_entity.rb
+++ b/app/serializers/remote_mirror_entity.rb
@@ -2,7 +2,7 @@
class RemoteMirrorEntity < Grape::Entity
expose :id
- expose :url
+ expose :safe_url, as: :url
expose :enabled
expose :auth_method
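Review bot: The new `expose :safe_url, as: :url` line has no comment explaining why the raw attribute must not be serialized, so a later cleanup could revert it to `expose :url` without anyone noticing that credentials are exposed again. I would add `# Serialize safe_url, not url: a mirror URL can embed credentials (user:password@host).` directly above it; the spec fixture in this commit shows such a URL. The class body continues outside the hunk, so any other exposure derived from the raw URL would need the same treatment, though nothing visible here indicates that one exists.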
diff --git a/changelogs/unreleased/security-mirror-urls.yml b/changelogs/unreleased/security-mirror-urls.yml
new file mode 100644
index 00000000000..774fe7758f7
--- /dev/null
+++ b/changelogs/unreleased/security-mirror-urls.yml
@@ -0,0 +1,5 @@
+---
+title: Return only safe urls for mirrors
+merge_request:
+author:
+type: security
diff --git a/spec/serializers/remote_mirror_entity_spec.rb b/spec/serializers/remote_mirror_entity_spec.rb
index 5f4aac213be..27472c46436 100644
--- a/spec/serializers/remote_mirror_entity_spec.rb
+++ b/spec/serializers/remote_mirror_entity_spec.rb
@@ -3,7 +3,7 @@
require 'spec_helper'
describe RemoteMirrorEntity do
- let(:project) { create(:project, :repository, :remote_mirror) }
+ let(:project) { create(:project, :repository, :remote_mirror, url: "https://test:password@gitlab.com") }
let(:remote_mirror) { project.remote_mirrors.first }
let(:entity) { described_class.new(remote_mirror) }
@@ -15,4 +15,9 @@ describe RemoteMirrorEntity do
:ssh_known_hosts, :ssh_public_key, :ssh_known_hosts_fingerprints
)
end
+
+ it 'does not expose password information' do
+ expect(subject[:url]).not_to include('password')
+ expect(subject[:url]).to eq(remote_mirror.safe_url)
+ end
end
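Review bot: The second expectation in 'does not expose password information' compares `subject[:url]` with `remote_mirror.safe_url`, the same method the entity now calls, so it cannot catch a regression in `safe_url` itself. Only the `not_to include('password')` line guards the secret, and it depends on the fixture password being that literal word. Pinning the serialized value to a literal, e.g. `expect(subject[:url]).to eq(EXPECTED_SAFE_URL)`, would make the test independent of the implementation; `EXPECTED_SAFE_URL` is a placeholder for the string this fixture should produce. The fixture also carries the username `test`, and nothing here asserts how it is treated; if `safe_url` is meant to hide it too, that deserves its own expectation. The `describe` block begins outside this hunk.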
diff --git a/vendor/gitignore/C++.gitignore b/vendor/gitignore/C++.gitignore
index 259148fa18f..259148fa18f 100644..100755
--- a/vendor/gitignore/C++.gitignore
+++ b/vendor/gitignore/C++.gitignore
diff --git a/vendor/gitignore/Java.gitignore b/vendor/gitignore/Java.gitignore
index a1c2a238a96..a1c2a238a96 100644..100755
--- a/vendor/gitignore/Java.gitignore
+++ b/vendor/gitignore/Java.gitignore