diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-09-28 01:28:52 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-09-28 01:29:21 +0300 |
commit | 7876ab520632ed36f678ccd8a9c16dc569638904 (patch) | |
tree | 8f7b9f60ad93880cf0bcbe4f611cb7c34eb80282 | |
parent | 0cd445b1da235ab1807f7018ac8292d3bf6fec9f (diff) |
Add latest changes from gitlab-org/security/gitlab@16-2-stable-ee
-rw-r--r-- | app/assets/javascripts/behaviors/markdown/render_math.js | 21 | ||||
-rw-r--r-- | app/assets/stylesheets/framework/markdown_area.scss | 10 | ||||
-rw-r--r-- | app/models/project_team.rb | 6 | ||||
-rw-r--r-- | app/policies/project_policy.rb | 1 | ||||
-rw-r--r-- | lib/api/projects.rb | 2 | ||||
-rw-r--r-- | lib/banzai/filter/asset_proxy_filter.rb | 8 | ||||
-rw-r--r-- | locale/gitlab.pot | 3 | ||||
-rw-r--r-- | spec/features/markdown/math_spec.rb | 104 | ||||
-rw-r--r-- | spec/lib/banzai/filter/asset_proxy_filter_spec.rb | 27 | ||||
-rw-r--r-- | spec/requests/api/projects_spec.rb | 20 |
10 files changed, 153 insertions, 49 deletions
diff --git a/app/assets/javascripts/behaviors/markdown/render_math.js b/app/assets/javascripts/behaviors/markdown/render_math.js index b2348cf0bad..7525fc76d16 100644 --- a/app/assets/javascripts/behaviors/markdown/render_math.js +++ b/app/assets/javascripts/behaviors/markdown/render_math.js @@ -66,16 +66,12 @@ class SafeMathRenderer { el.removeAttribute('style'); if (!forceRender && (this.totalMS >= MAX_RENDER_TIME_MS || text.length > MAX_MATH_CHARS)) { // Show unrendered math code - const wrapperElement = document.createElement('div'); const codeElement = document.createElement('pre'); codeElement.className = 'code'; codeElement.textContent = el.textContent; codeElement.dataset.mathStyle = el.dataset.mathStyle; - const { parentNode } = el; - parentNode.replaceChild(wrapperElement, el); - let message; if (text.length > MAX_MATH_CHARS) { message = sprintf( @@ -103,11 +99,11 @@ class SafeMathRenderer { </div> `; - if (!wrapperElement.classList.contains('lazy-alert-shown')) { + if (!el.classList.contains('lazy-alert-shown')) { // eslint-disable-next-line no-unsanitized/property - wrapperElement.innerHTML = html; - wrapperElement.append(codeElement); - wrapperElement.classList.add('lazy-alert-shown'); + el.innerHTML = html; + el.append(codeElement); + el.classList.add('lazy-alert-shown'); } // Render the next math @@ -125,6 +121,12 @@ class SafeMathRenderer { } try { + if (displayContainer.dataset.mathStyle === 'inline') { + displayContainer.classList.add('math-content-inline'); + } else { + displayContainer.classList.add('math-content-display'); + } + // eslint-disable-next-line no-unsanitized/property displayContainer.innerHTML = this.katex.renderToString(text, { displayMode: el.dataset.mathStyle === 'display', @@ -169,8 +171,7 @@ class SafeMathRenderer { render() { // Replace math blocks with a placeholder so they aren't rendered twice this.elements.forEach((el) => { - const placeholder = document.createElement('span'); - placeholder.style.display = 'none'; + const placeholder = document.createElement('div'); placeholder.dataset.mathStyle = el.dataset.mathStyle; placeholder.textContent = el.textContent; el.parentNode.replaceChild(placeholder, el); diff --git a/app/assets/stylesheets/framework/markdown_area.scss b/app/assets/stylesheets/framework/markdown_area.scss index f8f54567ef2..f0050b3d3f6 100644 --- a/app/assets/stylesheets/framework/markdown_area.scss +++ b/app/assets/stylesheets/framework/markdown_area.scss @@ -137,6 +137,16 @@ border-radius: $border-radius-default $border-radius-default 0 0; } +.math-content-inline { + overflow: auto; + display: inline-flex; +} + +.math-content-display { + overflow: auto; + display: block; +} + @include media-breakpoint-down(xs) { .referenced-users { margin-right: 0; diff --git a/app/models/project_team.rb b/app/models/project_team.rb index fbdc88e7b76..3bc1ad8a85c 100644 --- a/app/models/project_team.rb +++ b/app/models/project_team.rb @@ -120,7 +120,7 @@ class ProjectTeam def import(source_project, current_user) target_project = project - source_members = source_project.project_members.to_a + source_members = source_members_for_import(source_project) target_user_ids = target_project.project_members.pluck_user_ids importer_access_level = max_member_access(current_user.id) @@ -243,6 +243,10 @@ class ProjectTeam def member_user_ids Member.on_project_and_ancestors(project).select(:user_id) end + + def source_members_for_import(source_project) + source_project.project_members.to_a + end end ProjectTeam.prepend_mod_with('ProjectTeam') diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index e0b75163604..549b5b2e156 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb @@ -283,6 +283,7 @@ class ProjectPolicy < BasePolicy enable :change_visibility_level enable :remove_project enable :archive_project + enable :link_forked_project enable :remove_fork_project enable :destroy_merge_request enable :destroy_issue diff --git a/lib/api/projects.rb b/lib/api/projects.rb index 7198917a097..7336149cb15 100644 --- a/lib/api/projects.rb +++ b/lib/api/projects.rb @@ -699,7 +699,7 @@ module API requires :forked_from_id, type: String, desc: 'The ID of the project it was forked from', documentation: { example: 'gitlab' } end post ":id/fork/:forked_from_id", feature_category: :source_code_management do - authorize! :admin_project, user_project + authorize! :link_forked_project, user_project fork_from_project = find_project!(params[:forked_from_id]) diff --git a/lib/banzai/filter/asset_proxy_filter.rb b/lib/banzai/filter/asset_proxy_filter.rb index 00ffdd3d809..512c55381ec 100644 --- a/lib/banzai/filter/asset_proxy_filter.rb +++ b/lib/banzai/filter/asset_proxy_filter.rb @@ -22,13 +22,13 @@ module Banzai begin uri = URI.parse(original_src) + + next if uri.host.nil? && !original_src.start_with?('///') + next if asset_host_allowed?(uri.host) rescue StandardError - next + # Ignored end - next if uri.host.nil? && !original_src.start_with?('///') - next if asset_host_allowed?(uri.host) - element['src'] = asset_proxy_url(original_src) element['data-canonical-src'] = original_src end diff --git a/locale/gitlab.pot b/locale/gitlab.pot index f8c45c4dc3f..3760472fbd5 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot @@ -55628,6 +55628,9 @@ msgstr[1] "" msgid "security Reports|There was an error creating the merge request" msgstr "" +msgid "security policy bot users cannot be added to other projects" +msgstr "" + msgid "selective_code_owner_removals can only be enabled when retain_approvals_on_push is enabled" msgstr "" diff --git a/spec/features/markdown/math_spec.rb b/spec/features/markdown/math_spec.rb index 25459494a0c..0bc8f2146e9 100644 --- a/spec/features/markdown/math_spec.rb +++ b/spec/features/markdown/math_spec.rb @@ -24,9 +24,7 @@ RSpec.describe 'Math rendering', :js, feature_category: :team_planning do ``` MATH - issue = create(:issue, project: project, description: description) - - visit project_issue_path(project, issue) + create_and_visit_issue_with_description(description) expect(page).to have_selector('.katex .mord.mathnormal', text: 'b') expect(page).to have_selector('.katex-display .mord.mathnormal', text: 'b') @@ -40,9 +38,7 @@ RSpec.describe 'Math rendering', :js, feature_category: :team_planning do This link is valid $`\\href{https://gitlab.com}{Gitlab}`$. MATH - issue = create(:issue, project: project, description: description) - - visit project_issue_path(project, issue) + create_and_visit_issue_with_description(description) page.within '.description > .md' do # unfortunately there is no class selector for KaTeX's "unsupported command" @@ -59,9 +55,7 @@ RSpec.describe 'Math rendering', :js, feature_category: :team_planning do ``` MATH - issue = create(:issue, project: project, description: description) - - visit project_issue_path(project, issue) + create_and_visit_issue_with_description(description) page.within '.description > .md' do expect(page).to have_selector('.js-lazy-render-math-container', text: /math block exceeds 1000 characters/) @@ -75,11 +69,7 @@ RSpec.describe 'Math rendering', :js, feature_category: :team_planning do ``` MATH - issue = create(:issue, project: project, description: description) - - visit project_issue_path(project, issue) - - wait_for_requests + create_and_visit_issue_with_description(description) page.within '.description > .md' do expect(page).not_to have_selector('.katex-error') @@ -93,11 +83,7 @@ RSpec.describe 'Math rendering', :js, feature_category: :team_planning do ``` MATH - issue = create(:issue, project: project, description: description) - - visit project_issue_path(project, issue) - - wait_for_requests + create_and_visit_issue_with_description(description) page.within '.description > .md' do click_button 'Display anyway' @@ -113,11 +99,7 @@ RSpec.describe 'Math rendering', :js, feature_category: :team_planning do ``` MATH - issue = create(:issue, project: project, description: description) - - visit project_issue_path(project, issue) - - wait_for_requests + create_and_visit_issue_with_description(description) page.within '.description > .md' do expect(page).to have_selector('.katex-error', @@ -132,11 +114,7 @@ RSpec.describe 'Math rendering', :js, feature_category: :team_planning do ``` MATH - issue = create(:issue, project: project, description: description) - - visit project_issue_path(project, issue) - - wait_for_requests + create_and_visit_issue_with_description(description) page.within '.description > .md' do expect(page).to have_selector('.katex-error', text: /&lt;script&gt;/) @@ -162,4 +140,72 @@ RSpec.describe 'Math rendering', :js, feature_category: :team_planning do expect(page).not_to have_selector('.js-lazy-render-math') end end + + it 'uses math-content-display for display math', :js do + description = <<~MATH + ```math + 1 + 2 + ``` + MATH + + create_and_visit_issue_with_description(description) + + page.within '.description > .md' do + expect(page).to have_selector('.math-content-display') + end + end + + it 'uses math-content-inline for inline math', :js do + description = 'one $`1 + 2`$ two' + + create_and_visit_issue_with_description(description) + + page.within '.description > .md' do + expect(page).to have_selector('.math-content-inline') + end + end + + context 'when math tries to cover other elements on the page' do + it 'prevents hijacking for display math', :js do + description = <<~MATH + [test link](#) + + ```math + \\hskip{-200pt}\\href{https://example.com}{\\smash{\\raisebox{20em}{$\\smash{\\raisebox{20em}{$\\phantom{\\underset{\\underset{\\underset{\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}}{\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}}}{\\underset{\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}}{\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}}}}{\\underset{\\underset{\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}}{\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}}}{}}}$}}$}}} + ``` + MATH + + issue = create_and_visit_issue_with_description(description) + + page.within '.description > .md' do + click_link 'test link' + + expect(page).to have_current_path(project_issue_path(project, issue)) + end + end + + it 'prevents hijacking for inline math', :js do + description = <<~MATH + [test link](#) $`\\hskip{-200pt}\\href{https://example.com}{\\smash{\\raisebox{20em}{$\\smash{\\raisebox{20em}{$\\phantom{\\underset{\\underset{\\underset{\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}}{\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}}}{\\underset{\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}}{\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}}}}{\\underset{\\underset{\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}}{\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}}}{}}}$}}$}}}`$ + MATH + + issue = create_and_visit_issue_with_description(description) + + page.within '.description > .md' do + click_link 'test link' + + expect(page).to have_current_path(project_issue_path(project, issue)) + end + end + end + + def create_and_visit_issue_with_description(description) + issue = create(:issue, project: project, description: description) + + visit project_issue_path(project, issue) + + wait_for_requests + + issue + end end diff --git a/spec/lib/banzai/filter/asset_proxy_filter_spec.rb b/spec/lib/banzai/filter/asset_proxy_filter_spec.rb index dc6ac52a8c2..7a34bf13c8f 100644 --- a/spec/lib/banzai/filter/asset_proxy_filter_spec.rb +++ b/spec/lib/banzai/filter/asset_proxy_filter_spec.rb @@ -89,6 +89,33 @@ RSpec.describe Banzai::Filter::AssetProxyFilter, feature_category: :team_plannin expect(doc.at_css('img')['data-canonical-src']).to eq src end + it 'replaces by default, even strings that do not look like URLs' do + src = 'oigjsie8787%$**(#(%0' + new_src = 'https://assets.example.com/1b893f9a71d66c99437f27e19b9a061a6f5d9391/6f69676a7369653837383725242a2a2823282530' + doc = filter(image(src), @context) + + expect(doc.at_css('img')['src']).to eq new_src + expect(doc.at_css('img')['data-canonical-src']).to eq src + end + + it 'replaces URL with non-ASCII characters' do + src = 'https://example.com/x?¬' + new_src = 'https://assets.example.com/2f29a8c7f13f3ae14dc18c154dbbd657d703e75f/68747470733a2f2f6578616d706c652e636f6d2f783fc2ac' + doc = filter(image(src), @context) + + expect(doc.at_css('img')['src']).to eq new_src + expect(doc.at_css('img')['data-canonical-src']).to eq src + end + + it 'replaces out-of-spec URL that would still be rendered in the browser' do + src = 'https://example.com/##' + new_src = 'https://assets.example.com/d7d0c845cc553d9430804c07e9456545ef3e6fe6/68747470733a2f2f6578616d706c652e636f6d2f2323' + doc = filter(image(src), @context) + + expect(doc.at_css('img')['src']).to eq new_src + expect(doc.at_css('img')['data-canonical-src']).to eq src + end + it 'skips internal images' do src = "#{Gitlab.config.gitlab.url}/test.png" doc = filter(image(src), @context) diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb index ef0959689e3..98d01573590 100644 --- a/spec/requests/api/projects_spec.rb +++ b/spec/requests/api/projects_spec.rb @@ -3249,6 +3249,10 @@ RSpec.describe API::Projects, :aggregate_failures, feature_category: :groups_and let(:failed_status_code) { :not_found } end + it 'refreshes the forks count cache' do + expect(project_fork_source.forks_count).to be_zero + end + context 'user is a developer' do before do project_fork_target.add_developer(user) @@ -3261,15 +3265,23 @@ RSpec.describe API::Projects, :aggregate_failures, feature_category: :groups_and end end - it 'refreshes the forks count cache' do - expect(project_fork_source.forks_count).to be_zero - end - context 'user is maintainer' do before do project_fork_target.add_maintainer(user) end + it 'denies project to be forked from an existing project' do + post api(path, user) + + expect(response).to have_gitlab_http_status(:forbidden) + end + end + + context 'user is owner' do + before do + project_fork_target.add_owner(user) + end + context 'and user is a reporter of target group' do let_it_be_with_reload(:target_group) { create(:group, project_creation_level: ::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS) } let_it_be_with_reload(:project_fork_target) { create(:project, namespace: target_group) } |