author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-10-30 15:58:09 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-10-30 15:58:09 +0300 |
commit | 2e3dadb11d5038aa77313666740db4c25408154d (patch) | |
tree | a8faf3c291ccbcc280462141a7e8ea3c98bc54b9 | |
parent | 9a3cabd337d7eb6620071e72f3d7a04905e595a5 (diff) |
Add latest changes from gitlab-org/security/gitlab@16-4-stable-ee
27 files changed, 123 insertions, 225 deletions
@@ -321,7 +321,7 @@ gem 'fast_blank', '~> 1.0.1'
 # Parse time & duration
 gem 'gitlab-chronic', '~> 0.10.5'
-gem 'gitlab_chronic_duration', '~> 0.12'
+gem 'gitlab_chronic_duration', '~> 0.11'
 gem 'rack-proxy', '~> 0.7.7'
diff --git a/Gemfile.checksum b/Gemfile.checksum
index 8d8c3079792..80297361467 100644
--- a/Gemfile.checksum
+++ b/Gemfile.checksum
@@ -217,7 +217,7 @@
 {"name":"gitlab-markup","version":"1.9.0","platform":"ruby","checksum":"7eda045a08ec2d110084252fa13a8c9eac8bdac0e302035ca7db4b82bcbd7ed4"},
 {"name":"gitlab-net-dns","version":"0.9.2","platform":"ruby","checksum":"f726d978479d43810819f12a45c0906d775a07e34df111bbe693fffbbef3059d"},
 {"name":"gitlab-styles","version":"10.1.0","platform":"ruby","checksum":"f42745f5397d042fe24cf2d0eb56c995b37f9f43d8fb79b834d197a1cafdc84a"},
-{"name":"gitlab_chronic_duration","version":"0.12.0","platform":"ruby","checksum":"0d766944d415b5c831f176871ee8625783fc0c5bfbef2d79a3a616f207ffc16d"},
+{"name":"gitlab_chronic_duration","version":"0.11.0","platform":"ruby","checksum":"c2fd201724a9031ff0af23d07a30231cebefbf83c3e682daae452cda5f514ba6"},
 {"name":"gitlab_omniauth-ldap","version":"2.2.0","platform":"ruby","checksum":"bb4d20acb3b123ed654a8f6a47d3fac673ece7ed0b6992edb92dca14bad2838c"},
 {"name":"gitlab_quality-test_tooling","version":"1.0.0","platform":"ruby","checksum":"b030be168a6a0eb3c47202beb6c64a4fbe36f5547d189c3f64cad29cfcc331db"},
 {"name":"globalid","version":"1.1.0","platform":"ruby","checksum":"b337e1746f0c8cb0a6c918234b03a1ddeb4966206ce288fbb57779f59b2d154f"},
diff --git a/Gemfile.lock b/Gemfile.lock
index 0b87a23f2f1..d3efc95fb13 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -678,7 +678,7 @@ GEM
 rubocop-performance (~> 1.15)
 rubocop-rails (~> 2.17)
 rubocop-rspec (~> 2.22)
-gitlab_chronic_duration (0.12.0)
+gitlab_chronic_duration (0.11.0)
 numerizer (~> 0.2)
 gitlab_omniauth-ldap (2.2.0)
 net-ldap (~> 0.16)
@@ -1832,7 +1832,7 @@ DEPENDENCIES
 gitlab-sidekiq-fetcher!
 gitlab-styles (~> 10.1.0)
 gitlab-utils!
-gitlab_chronic_duration (~> 0.12)
+gitlab_chronic_duration (~> 0.11)
 gitlab_omniauth-ldap (~> 2.2.0)
 gitlab_quality-test_tooling (~> 1.0.0)
 gon (~> 6.4.0)
diff --git a/app/helpers/version_check_helper.rb b/app/helpers/version_check_helper.rb
index 895155e00d1..45a4b292eb5 100644
--- a/app/helpers/version_check_helper.rb
+++ b/app/helpers/version_check_helper.rb
@@ -10,14 +10,12 @@ module VersionCheckHelper
 end
 def gitlab_version_check
-return unless show_version_check?
-
 VersionCheck.new.response
 end
 strong_memoize_attr :gitlab_version_check
 def show_security_patch_upgrade_alert?
-return false unless gitlab_version_check
+return false unless show_version_check? && gitlab_version_check
 Gitlab::Utils.to_boolean(gitlab_version_check['critical_vulnerability'])
 end
diff --git a/app/models/ci/build.rb b/app/models/ci/build.rb
index 750c318819c..2abb8e4be48 100644
--- a/app/models/ci/build.rb
+++ b/app/models/ci/build.rb
@@ -414,7 +414,7 @@ module Ci
 end
 def options_scheduled_at
-ChronicDuration.parse(options[:start_in])&.seconds&.from_now
+ChronicDuration.parse(options[:start_in], use_complete_matcher: true)&.seconds&.from_now
 end
 def action?
@@ -738,7 +738,7 @@ module Ci
 def artifacts_expire_in=(value)
 self.artifacts_expire_at =
 if value
-ChronicDuration.parse(value)&.seconds&.from_now
+ChronicDuration.parse(value, use_complete_matcher: true)&.seconds&.from_now
 end
 end
diff --git a/app/models/concerns/chronic_duration_attribute.rb b/app/models/concerns/chronic_duration_attribute.rb
index 44b34cf9b2f..7b7b61fdf06 100644
--- a/app/models/concerns/chronic_duration_attribute.rb
+++ b/app/models/concerns/chronic_duration_attribute.rb
@@ -18,7 +18,7 @@ module ChronicDurationAttribute
 begin
 new_value =
 if value.present?
-ChronicDuration.parse(value).to_i
+ChronicDuration.parse(value, use_complete_matcher: true).to_i
 else
 parameters[:default].presence
 end
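Review bot: `gitlab_version_check` now calls `VersionCheck.new.response` without the `show_version_check?` gate the old version applied before the call, and the result is memoized, so any caller other than `show_security_patch_upgrade_alert?` (none is visible in this hunk) would trigger the version check and receive its response regardless of that gate. If such callers exist in the rest of VersionCheckHelper or in views, each needs the same `show_version_check? &&` guard; if the only consumer is the method below, a comment on `gitlab_version_check` such as `# Not gated: callers must check show_version_check? before exposing this response.` keeps that responsibility from being lost on the next edit. The module continues outside the hunk.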
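Review bot: The `use_complete_matcher: true` keyword is now spelled out at every `ChronicDuration.parse` call site — both hunks here in build.rb and the same change in chronic_duration_attribute.rb, container_expiration_policy.rb, cleanup_tags_base_service.rb, duration_validator.rb, duration_parser.rb, job.rb, legacy_validation_helpers.rb and time_tracking_formatter.rb — so a future call that omits it silently falls back to the lenient matcher. A single project wrapper that forwards to `ChronicDuration.parse(value, use_complete_matcher: true)` (constructed name, e.g. a module method on an existing `Gitlab::Utils` namespace) would make the strict parse the default and leave one place to document why complete matching is required. The surrounding methods in build.rb continue outside the hunks.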
diff --git a/app/models/container_expiration_policy.rb b/app/models/container_expiration_policy.rb
index a7ed5e28695..f643fa7730b 100644
--- a/app/models/container_expiration_policy.rb
+++ b/app/models/container_expiration_policy.rb
@@ -80,7 +80,7 @@ class ContainerExpirationPolicy < ApplicationRecord
 end
 def set_next_run_at
-cadence_seconds = ChronicDuration.parse(cadence).seconds
+cadence_seconds = ChronicDuration.parse(cadence, use_complete_matcher: true).seconds
 self.next_run_at = Time.zone.now + cadence_seconds
 end
diff --git a/app/services/projects/container_repository/cleanup_tags_base_service.rb b/app/services/projects/container_repository/cleanup_tags_base_service.rb
index 45557d03502..61b09de1643 100644
--- a/app/services/projects/container_repository/cleanup_tags_base_service.rb
+++ b/app/services/projects/container_repository/cleanup_tags_base_service.rb
@@ -100,7 +100,7 @@ module Projects
 def older_than_in_seconds
 strong_memoize(:older_than_in_seconds) do
-ChronicDuration.parse(older_than).seconds
+ChronicDuration.parse(older_than, use_complete_matcher: true).seconds
 end
 end
 end
diff --git a/app/validators/duration_validator.rb b/app/validators/duration_validator.rb
index defd28d7d3b..bcdcf665cba 100644
--- a/app/validators/duration_validator.rb
+++ b/app/validators/duration_validator.rb
@@ -12,7 +12,7 @@ #
 class DurationValidator < ActiveModel::EachValidator
 def validate_each(record, attribute, value)
-ChronicDuration.parse(value)
+ChronicDuration.parse(value, use_complete_matcher: true)
 rescue ChronicDuration::DurationParseError
 if options[:message]
 record.errors.add(:base, options[:message])
diff --git a/doc/ci/examples/authenticating-with-hashicorp-vault/index.md b/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
index 97bac397f6f..647669385d8 100644
--- a/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
+++ b/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
@@ -33,32 +33,31 @@ ID tokens are JSON Web Tokens (JWTs) used for OIDC authentication with third-par The following fields are included in the JWT: -| Field | When | Description | -|-------------------------|------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `jti` | Always | Unique identifier for this token | -| `iss` | Always | Issuer, the domain of your GitLab instance | -| `iat` | Always | Issued at | -| `nbf` | Always | Not valid before | -| `exp` | Always | Expires at | -| `sub` | Always | Subject (job ID) | -| `namespace_id` | Always | Use this to scope to group or user level namespace by ID | -| `namespace_path` | Always | Use this to scope to group or user level namespace by path | -| `project_id` | Always | Use this to scope to project by ID | -| `project_path` | Always | Use this to scope to project by path | -| `user_id` | Always | ID of the user executing the job | -| `user_login` | Always | Username of the user executing the job | -| `user_email` | Always | Email of the user executing the job | -| `pipeline_id` | Always | ID of this pipeline | -| `pipeline_source` | Always | [Pipeline source](../../jobs/job_control.md#common-if-clauses-for-rules) | -| `job_id` | Always | ID of this job | -| `ref` | Always | Git ref for this job | -| `ref_type` | Always | Git ref type, either `branch` or `tag` | -| `ref_path` | Always | Fully qualified ref for the job. For example, `refs/heads/main`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119075) in GitLab 16.0. 
| -| `ref_protected` | Always | `true` if this Git ref is protected, `false` otherwise | -| `environment` | Job specifies an environment | Environment this job specifies ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9) | -| `environment_protected` | Job specifies an environment | `true` if specified environment is protected, `false` otherwise ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9) | +| Field | When | Description | +|-------------------------|------------------------------|-------------| +| `jti` | Always | Unique identifier for this token | +| `iss` | Always | Issuer, the domain of your GitLab instance | +| `iat` | Always | Issued at | +| `nbf` | Always | Not valid before | +| `exp` | Always | Expires at | +| `sub` | Always | Subject (job ID) | +| `namespace_id` | Always | Use this to scope to group or user level namespace by ID | +| `namespace_path` | Always | Use this to scope to group or user level namespace by path | +| `project_id` | Always | Use this to scope to project by ID | +| `project_path` | Always | Use this to scope to project by path | +| `user_id` | Always | ID of the user executing the job | +| `user_login` | Always | Username of the user executing the job | +| `user_email` | Always | Email of the user executing the job | +| `pipeline_id` | Always | ID of this pipeline | +| `pipeline_source` | Always | [Pipeline source](../../jobs/job_control.md#common-if-clauses-for-rules) | +| `job_id` | Always | ID of this job | +| `ref` | Always | Git ref for this job | +| `ref_type` | Always | Git ref type, either `branch` or `tag` | +| `ref_path` | Always | Fully qualified ref for the job. For example, `refs/heads/main`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119075) in GitLab 16.0. 
| +| `ref_protected` | Always | `true` if this Git ref is protected, `false` otherwise | +| `environment` | Job specifies an environment | Environment this job specifies ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9) | +| `environment_protected` | Job specifies an environment | `true` if specified environment is protected, `false` otherwise ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9) | | `deployment_tier` | Job specifies an environment | [Deployment tier](../../environments/index.md#deployment-tier-of-environments) of environment this job specifies ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/363590) in GitLab 15.2) | -| `environment_action` | Job specifies an environment | [Environment action (`environment:action`)](../../environments/index.md) specified in the job. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/) in GitLab 16.5) | Example JWT payload: @@ -85,8 +84,7 @@ Example JWT payload: "ref_path": "refs/heads/auto-deploy-2020-04-01", "ref_protected": "true", "environment": "production", - "environment_protected": "true", - "environment_action": "start" + "environment_protected": "true" } ``` diff --git a/doc/ci/secrets/id_token_authentication.md b/doc/ci/secrets/id_token_authentication.md index 9cf4b35b00d..697346474f8 100644 --- a/doc/ci/secrets/id_token_authentication.md +++ b/doc/ci/secrets/id_token_authentication.md 
@@ -51,33 +51,32 @@ The following standard claims are included in each ID token: The token also includes custom claims provided by GitLab: -| Field | When | Description | -|-------------------------|------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `namespace_id` | Always | Use this to scope to group or user level namespace by ID. | -| `namespace_path` | Always | Use this to scope to group or user level namespace by path. | -| `project_id` | Always | Use this to scope to project by ID. | -| `project_path` | Always | Use this to scope to project by path. | -| `user_id` | Always | ID of the user executing the job. | -| `user_login` | Always | Username of the user executing the job. | -| `user_email` | Always | Email of the user executing the job. | -| `user_identities` | User Preference setting | List of the user's external identities ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/387537) in GitLab 16.0). | -| `pipeline_id` | Always | ID of the pipeline. | -| `pipeline_source` | Always | [Pipeline source](../jobs/job_control.md#common-if-clauses-for-rules). | -| `job_id` | Always | ID of the job. | -| `ref` | Always | Git ref for the job. | -| `ref_type` | Always | Git ref type, either `branch` or `tag`. | -| `ref_path` | Always | Fully qualified ref for the job. For example, `refs/heads/main`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119075) in GitLab 16.0. | -| `ref_protected` | Always | `true` if the Git ref is protected, `false` otherwise. | -| `environment` | Job specifies an environment | Environment this job deploys to ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9). 
| -| `environment_protected` | Job specifies an environment | `true` if deployed environment is protected, `false` otherwise ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9). | -| `deployment_tier` | Job specifies an environment | [Deployment tier](../environments/index.md#deployment-tier-of-environments) of the environment the job specifies. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/363590) in GitLab 15.2. | -| `environment_action` | Job specifies an environment | [Environment action (`environment:action`)](../environments/index.md) specified in the job. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/) in GitLab 16.5) | -| `runner_id` | Always | ID of the runner executing the job. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.0. | -| `runner_environment` | Always | The type of runner used by the job. Can be either `gitlab-hosted` or `self-hosted`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.0. | -| `sha` | Always | The commit SHA for the job. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.0. | +| Field | When | Description | +|-------------------------|------------------------------|-------------| +| `namespace_id` | Always | Use this to scope to group or user level namespace by ID. | +| `namespace_path` | Always | Use this to scope to group or user level namespace by path. | +| `project_id` | Always | Use this to scope to project by ID. | +| `project_path` | Always | Use this to scope to project by path. | +| `user_id` | Always | ID of the user executing the job. | +| `user_login` | Always | Username of the user executing the job. | +| `user_email` | Always | Email of the user executing the job. | +| `user_identities` | User Preference setting | List of the user's external identities ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/387537) in GitLab 16.0). 
| +| `pipeline_id` | Always | ID of the pipeline. | +| `pipeline_source` | Always | [Pipeline source](../jobs/job_control.md#common-if-clauses-for-rules). | +| `job_id` | Always | ID of the job. | +| `ref` | Always | Git ref for the job. | +| `ref_type` | Always | Git ref type, either `branch` or `tag`. | +| `ref_path` | Always | Fully qualified ref for the job. For example, `refs/heads/main`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119075) in GitLab 16.0. | +| `ref_protected` | Always | `true` if the Git ref is protected, `false` otherwise. | +| `environment` | Job specifies an environment | Environment this job deploys to ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9). | +| `environment_protected` | Job specifies an environment | `true` if deployed environment is protected, `false` otherwise ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9). | +| `deployment_tier` | Job specifies an environment | [Deployment tier](../environments/index.md#deployment-tier-of-environments) of the environment the job specifies. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/363590) in GitLab 15.2. | +| `runner_id` | Always | ID of the runner executing the job. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.0. | +| `runner_environment` | Always | The type of runner used by the job. Can be either `gitlab-hosted` or `self-hosted`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.0. | +| `sha` | Always | The commit SHA for the job. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.0. | | `ci_config_ref_uri` | Always | The ref path to the top-level pipeline definition, for example, `gitlab.example.com/my-group/my-project//.gitlab-ci.yml@refs/heads/main`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.2. 
This claim is `null` unless the pipeline definition is located in the same project. |
-| `ci_config_sha` | Always | Git commit SHA for the `ci_config_ref_uri`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.2. This claim is `null` unless the pipeline definition is located in the same project. |
-| `project_visibility` | Always | The [visibility](../../user/public_access.md) of the project where the pipeline is running. Can be `internal`, `private`, or `public`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/418810) in GitLab 16.3. |
+| `ci_config_sha` | Always | Git commit SHA for the `ci_config_ref_uri`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.2. This claim is `null` unless the pipeline definition is located in the same project. |
+| `project_visibility` | Always | The [visibility](../../user/public_access.md) of the project where the pipeline is running. Can be `internal`, `private`, or `public`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/418810) in GitLab 16.3. |
 ```json
 {
@@ -102,7 +101,6 @@ The token also includes custom claims provided by GitLab:
 "environment": "test-environment2",
 "environment_protected": "false",
 "deployment_tier": "testing",
-"environment_action": "start",
 "runner_id": 1,
 "runner_environment": "self-hosted",
 "sha": "714a629c0b401fdce83e847fc9589983fc6f46bc",
diff --git a/lib/gitlab/ci/build/duration_parser.rb b/lib/gitlab/ci/build/duration_parser.rb
index 9385dccd5f3..97049a4f876 100644
--- a/lib/gitlab/ci/build/duration_parser.rb
+++ b/lib/gitlab/ci/build/duration_parser.rb
@@ -41,7 +41,7 @@ module Gitlab
 def parse
 return if never?
-ChronicDuration.parse(value)
+ChronicDuration.parse(value, use_complete_matcher: true)
 end
 def validation_cache
diff --git a/lib/gitlab/ci/components/instance_path.rb b/lib/gitlab/ci/components/instance_path.rb
index 648a4e06475..17c784c4d54 100644
--- a/lib/gitlab/ci/components/instance_path.rb
+++ b/lib/gitlab/ci/components/instance_path.rb
@@ -5,7 +5,6 @@ module Gitlab
 module Components
 class InstancePath
 include Gitlab::Utils::StrongMemoize
-include ::Gitlab::LoopHelpers
 LATEST_VERSION_KEYWORD = '~latest'
 TEMPLATES_DIR = 'templates'
@@ -61,15 +60,9 @@ module Gitlab
 # Given a path like "my-org/sub-group/the-project/path/to/component"
 # find the project "my-org/sub-group/the-project" by looking at all possible paths.
 def find_project_by_component_path(path)
-return if path.start_with?('/') # exit early if path starts with `/` or it will loop forever.
-
 possible_paths = [path]
-index = nil
-
-loop_until(limit: 20) do
-index = path.rindex('/') # find index of last `/` in a path
-break unless index
+while index = path.rindex('/') # find index of last `/` in a path
 possible_paths << (path = path[0..index - 1])
 end
diff --git a/lib/gitlab/ci/config/entry/job.rb b/lib/gitlab/ci/config/entry/job.rb
index bf8a99ef45e..c40d665f320 100644
--- a/lib/gitlab/ci/config/entry/job.rb
+++ b/lib/gitlab/ci/config/entry/job.rb
@@ -177,7 +177,7 @@ module Gitlab
 def parsed_timeout
 return unless has_timeout?
-ChronicDuration.parse(timeout.to_s)
+ChronicDuration.parse(timeout.to_s, use_complete_matcher: true)
 end
 def ignored?
diff --git a/lib/gitlab/ci/jwt.rb b/lib/gitlab/ci/jwt.rb
index 3d63ec6dfb7..4ba7b4cc6e1 100644
--- a/lib/gitlab/ci/jwt.rb
+++ b/lib/gitlab/ci/jwt.rb
@@ -71,8 +71,7 @@ module Gitlab
 fields.merge!(
 environment: environment.name,
 environment_protected: environment_protected?.to_s,
-deployment_tier: build.environment_tier,
-environment_action: build.environment_action
+deployment_tier: build.environment_tier
 )
 end
diff --git a/lib/gitlab/config/entry/legacy_validation_helpers.rb b/lib/gitlab/config/entry/legacy_validation_helpers.rb
index 1f70afbfb75..ec67d65c526 100644
--- a/lib/gitlab/config/entry/legacy_validation_helpers.rb
+++ b/lib/gitlab/config/entry/legacy_validation_helpers.rb
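Review bot: `while index = path.rindex('/')` does not terminate when `path` begins with `/`: `rindex` returns 0, `path[0..-1]` is the whole string, and the next iteration sees the same `path` again, so one malformed component address keeps the process busy until something external kills it. Where the path comes from is outside this hunk (the class comment only shows its expected shape, and it is presumably derived from pipeline configuration), so the loop should be bounded by its own condition rather than by trust in the caller, e.g. `while (index = path.rindex('/')) && index.positive?`, which also ends the walk on a `//` prefix and removes the assignment-in-condition smell. `find_project_by_component_path` continues past the end of the hunk.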
@@ -12,7 +12,7 @@ module Gitlab
 if parser && parser.respond_to?(:validate_duration)
 parser.validate_duration(value)
 else
-ChronicDuration.parse(value)
+ChronicDuration.parse(value, use_complete_matcher: true)
 end
 rescue ChronicDuration::DurationParseError
 false
@@ -24,7 +24,12 @@ module Gitlab
 if parser && parser.respond_to?(:validate_duration_limit)
 parser.validate_duration_limit(value, limit)
 else
-ChronicDuration.parse(value).second.from_now < ChronicDuration.parse(limit).second.from_now
+ChronicDuration.parse(
+value, use_complete_matcher: true
+).second.from_now <
+ChronicDuration.parse(
+limit, use_complete_matcher: true
+).second.from_now
 end
 rescue ChronicDuration::DurationParseError
 false
diff --git a/lib/gitlab/import_export/command_line_util.rb b/lib/gitlab/import_export/command_line_util.rb
index ea91b01afdb..dfe0815f0a0 100644
--- a/lib/gitlab/import_export/command_line_util.rb
+++ b/lib/gitlab/import_export/command_line_util.rb
@@ -141,7 +141,7 @@ module Gitlab
 raise HardLinkError, 'File shares hard link' if Gitlab::Utils::FileInfo.shares_hard_link?(filepath)
-FileUtils.rm(filepath) if Gitlab::Utils::FileInfo.linked?(filepath) || File.pipe?(filepath)
+FileUtils.rm(filepath) if Gitlab::Utils::FileInfo.linked?(filepath)
 end
 true
diff --git a/lib/gitlab/search/abuse_detection.rb b/lib/gitlab/search/abuse_detection.rb
index 1fd7c6cfe8d..1e4169f3fd7 100644
--- a/lib/gitlab/search/abuse_detection.rb
+++ b/lib/gitlab/search/abuse_detection.rb
@@ -6,7 +6,6 @@ module Gitlab
 include ActiveModel::Validations
 include AbuseValidators
-MAX_PIPE_SYNTAX_FILTERS = 5
 ABUSIVE_TERM_SIZE = 100
 ALLOWED_CHARS_REGEX = %r{\A[[:alnum:]_\-\/\.!]+\z}
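Review bot: The new condition in command_line_util.rb removes only linked entries, so a FIFO inside an extracted archive now stays in the target directory unless `Gitlab::Utils::FileInfo.linked?` (defined outside this diff) also reports pipes; `File.pipe?(filepath)` was the only check in this method that did, and the matching 'deletes pipes' examples are dropped from the spec in the same commit. Opening a FIFO for reading blocks until a writer appears, so a later read of the extracted tree by the import code would hang rather than fail, which is harder to observe and to alert on than a raised error. Either keep `|| File.pipe?(filepath)` here or add a comment naming the place where non-regular entries are rejected before extraction. The enclosing method continues outside the hunk.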
@@ -58,18 +57,10 @@ module Gitlab
 validates :query_string, :repository_ref, :project_ref, no_abusive_coercion_from_string: true
-validate :no_abusive_pipes, if: :detect_abusive_pipes
-
 attr_reader(*READABLE_PARAMS)
-attr_reader :raw_params, :detect_abusive_pipes
-
-def initialize(params, detect_abusive_pipes: true)
-@raw_params = {}
-READABLE_PARAMS.each do |p|
-instance_variable_set("@#{p}", params[p])
-@raw_params[p] = params[p]
-end
-@detect_abusive_pipes = detect_abusive_pipes
+
+def initialize(params)
+READABLE_PARAMS.each { |p| instance_variable_set("@#{p}", params[p]) }
 end
 private
@@ -85,23 +76,6 @@ module Gitlab
 def stop_word_search?
 STOP_WORDS.include? query_string
 end
-
-def no_abusive_pipes
-pipes = query_string.to_s.split('|')
-errors.add(:query_string, 'too many pipe syntax filters') if pipes.length > MAX_PIPE_SYNTAX_FILTERS
-
-pipes.each do |q|
-self.class.new(raw_params.merge(query_string: q), detect_abusive_pipes: false).tap do |p|
-p.validate
-
-p.errors.messages_for(:query_string).each do |msg|
-next if errors.added?(:query_string, msg)
-
-errors.add(:query_string, msg)
-end
-end
-end
-end
 end
 end
 end
diff --git a/lib/gitlab/search/params.rb b/lib/gitlab/search/params.rb
index a7896b7d80d..6eb24a92be6 100644
--- a/lib/gitlab/search/params.rb
+++ b/lib/gitlab/search/params.rb
@@ -81,7 +81,7 @@ module Gitlab
 end
 def search_terms
-@search_terms ||= query_string.split
+@search_terms ||= query_string.split.select { |word| word.length >= MIN_TERM_LENGTH }
 end
 def not_too_many_terms
diff --git a/lib/gitlab/time_tracking_formatter.rb b/lib/gitlab/time_tracking_formatter.rb
index 647d7860ba3..26efb3b918d 100644
--- a/lib/gitlab/time_tracking_formatter.rb
+++ b/lib/gitlab/time_tracking_formatter.rb
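Review bot: With `initialize(params)` the `query_string` validators declared on this class only ever see the whole string; the per-segment pass that `no_abusive_pipes` ran on each `|`-separated filter is gone from both hunks of this file, and `MAX_PIPE_SYNTAX_FILTERS` is removed in the earlier hunk, so nothing here bounds the number of pipe filters any more. If pipe syntax is now rejected or split earlier in the search stack, a one-line comment on `initialize` pointing to that place (e.g. `# Pipe-syntax filters are validated by <caller> before reaching this class.`, placeholder to fill in) would let the next reader verify the coverage; if it is not, the removed per-segment validation needs a replacement before this reaches a release. The class body continues outside the hunk after `private`.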
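Review bot: `search_terms` in params.rb now drops words shorter than `MIN_TERM_LENGTH` before memoizing, so every consumer of the memoized array — `not_too_many_terms` starts right after this hunk — counts only the longer words, and a query made of many short words appears to escape `SEARCH_TERM_LIMIT` even though nothing about its size changed; the 'when query has too many terms' context deleted from spec/lib/gitlab/search/params_spec.rb in this commit is consistent with that. If the limit is meant to apply to the raw term count, keep `@search_terms ||= query_string.split` and filter where the short words actually need excluding, or expose both, e.g. `def long_search_terms; search_terms.select { |word| word.length >= MIN_TERM_LENGTH }; end`. `not_too_many_terms` itself is outside the hunk, so this is inferred from its name and the spec change.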
@@ -17,8 +17,10 @@ module Gitlab
 begin
 ChronicDuration.parse(
 string,
-CUSTOM_DAY_AND_MONTH_LENGTH.merge(default_unit: 'hours', keep_zero: keep_zero)
-)
+CUSTOM_DAY_AND_MONTH_LENGTH.merge(
+default_unit: 'hours', keep_zero: keep_zero,
+use_complete_matcher: true
+))
 rescue StandardError
 nil
 end
diff --git a/spec/helpers/version_check_helper_spec.rb b/spec/helpers/version_check_helper_spec.rb
index 9c697dbe21e..ce5aade2b1c 100644
--- a/spec/helpers/version_check_helper_spec.rb
+++ b/spec/helpers/version_check_helper_spec.rb
@@ -38,49 +38,43 @@ RSpec.describe VersionCheckHelper do end describe '#gitlab_version_check' do - let(:show_version_check) { false } - before do - allow(helper).to receive(:show_version_check?).and_return(show_version_check) - end - - it 'when show_version_check? is false it returns nil' do - expect(helper.gitlab_version_check).to be nil - end - - context 'when show_version_check? is true' do - let(:show_version_check) { true } - - before do - allow_next_instance_of(VersionCheck) do |instance| - allow(instance).to receive(:response).and_return({ "severity" => "success" }) - end + allow_next_instance_of(VersionCheck) do |instance| + allow(instance).to receive(:response).and_return({ "severity" => "success" }) end + end - it 'returns an instance of the VersionCheck class if the user has access' do - expect(helper.gitlab_version_check).to eq({ "severity" => "success" }) - end + it 'returns an instance of the VersionCheck class' do + expect(helper.gitlab_version_check).to eq({ "severity" => "success" }) end end describe '#show_security_patch_upgrade_alert?' 
do describe 'return conditions' do - where(:gitlab_version_check, :result) do + where(:show_version_check, :gitlab_version_check, :result) do [ - [nil, false], - [{}, nil], - [{ "severity" => "success" }, nil], - [{ "severity" => "danger" }, nil], - [{ "severity" => "danger", "critical_vulnerability" => 'some text' }, nil], - [{ "severity" => "danger", "critical_vulnerability" => 'false' }, false], - [{ "severity" => "danger", "critical_vulnerability" => false }, false], - [{ "severity" => "danger", "critical_vulnerability" => 'true' }, true], - [{ "severity" => "danger", "critical_vulnerability" => true }, true] + [false, nil, false], + [false, { "severity" => "success" }, false], + [false, { "severity" => "danger" }, false], + [false, { "severity" => "danger", "critical_vulnerability" => 'some text' }, false], + [false, { "severity" => "danger", "critical_vulnerability" => 'false' }, false], + [false, { "severity" => "danger", "critical_vulnerability" => false }, false], + [false, { "severity" => "danger", "critical_vulnerability" => 'true' }, false], + [false, { "severity" => "danger", "critical_vulnerability" => true }, false], + [true, nil, false], + [true, { "severity" => "success" }, nil], + [true, { "severity" => "danger" }, nil], + [true, { "severity" => "danger", "critical_vulnerability" => 'some text' }, nil], + [true, { "severity" => "danger", "critical_vulnerability" => 'false' }, false], + [true, { "severity" => "danger", "critical_vulnerability" => false }, false], + [true, { "severity" => "danger", "critical_vulnerability" => 'true' }, true], + [true, { "severity" => "danger", "critical_vulnerability" => true }, true] ] end with_them do before do + allow(helper).to receive(:show_version_check?).and_return(show_version_check) allow(helper).to receive(:gitlab_version_check).and_return(gitlab_version_check) end 
diff --git a/spec/lib/gitlab/ci/build/duration_parser_spec.rb b/spec/lib/gitlab/ci/build/duration_parser_spec.rb
index 7f5ff1eb0ee..bc905aa0a35 100644
--- a/spec/lib/gitlab/ci/build/duration_parser_spec.rb
+++ b/spec/lib/gitlab/ci/build/duration_parser_spec.rb
@@ -25,8 +25,8 @@ RSpec.describe Gitlab::Ci::Build::DurationParser do
 it { is_expected.to be_truthy }
 it 'caches data' do
-expect(ChronicDuration).to receive(:parse).with(value).once.and_call_original
-expect(ChronicDuration).to receive(:parse).with(other_value).once.and_call_original
+expect(ChronicDuration).to receive(:parse).with(value, use_complete_matcher: true).once.and_call_original
+expect(ChronicDuration).to receive(:parse).with(other_value, use_complete_matcher: true).once.and_call_original
 2.times do
 expect(described_class.validate_duration(value)).to eq(86400)
@@ -41,7 +41,7 @@ RSpec.describe Gitlab::Ci::Build::DurationParser do
 it { is_expected.to be_falsy }
 it 'caches data' do
-expect(ChronicDuration).to receive(:parse).with(value).once.and_call_original
+expect(ChronicDuration).to receive(:parse).with(value, use_complete_matcher: true).once.and_call_original
 2.times do
 expect(described_class.validate_duration(value)).to be_falsey
diff --git a/spec/lib/gitlab/ci/components/instance_path_spec.rb b/spec/lib/gitlab/ci/components/instance_path_spec.rb
index c6938761c6e..97843781891 100644
--- a/spec/lib/gitlab/ci/components/instance_path_spec.rb
+++ b/spec/lib/gitlab/ci/components/instance_path_spec.rb
@@ -80,20 +80,6 @@ RSpec.describe Gitlab::Ci::Components::InstancePath, feature_category: :pipeline
 end
 end
-shared_examples 'prevents infinite loop' do |prefix|
-context "when the project path starts with '#{prefix}'" do
-let(:project_path) { "#{prefix}#{project.full_path}" }
-
-it 'returns nil' do
-result = path.fetch_content!(current_user: user)
-expect(result).to be_nil
-end
-end
-end
-
-it_behaves_like 'prevents infinite loop', '/'
-it_behaves_like 'prevents infinite loop', '//'
-
 context 'when fetching the latest version of a component' do
 let_it_be(:project) do
 create(
diff --git a/spec/lib/gitlab/ci/jwt_spec.rb b/spec/lib/gitlab/ci/jwt_spec.rb
index f0b203961b4..a6de5b9879c 100644
--- a/spec/lib/gitlab/ci/jwt_spec.rb
+++ b/spec/lib/gitlab/ci/jwt_spec.rb
@@ -49,7 +49,6 @@ RSpec.describe Gitlab::Ci::Jwt do
 expect(payload[:environment]).to be_nil
 expect(payload[:environment_protected]).to be_nil
 expect(payload[:deployment_tier]).to be_nil
-expect(payload[:environment_action]).to be_nil
 end
 end
@@ -110,10 +109,7 @@ RSpec.describe Gitlab::Ci::Jwt do
 project: project,
 user: user,
 pipeline: pipeline,
-environment: {
-name: environment.name,
-action: 'start'
-}
+environment: environment.name
 )
 end
@@ -125,7 +121,6 @@ RSpec.describe Gitlab::Ci::Jwt do
 expect(payload[:environment]).to eq('production')
 expect(payload[:environment_protected]).to eq('false')
 expect(payload[:deployment_tier]).to eq('production')
-expect(payload[:environment_action]).to eq('start')
 end
 describe 'deployment_tier' do
@@ -139,18 +134,6 @@ RSpec.describe Gitlab::Ci::Jwt do
 end
 end
 end
-
-describe 'environment_action' do
-context 'when build options specifies a different environment_action' do
-before do
-build.options[:environment] = { name: environment.name, action: 'prepare' }
-end
-
-it 'uses environment_action from build options' do
-expect(payload[:environment_action]).to eq('prepare')
-end
-end
-end
 end
 end
diff --git a/spec/lib/gitlab/import_export/command_line_util_spec.rb b/spec/lib/gitlab/import_export/command_line_util_spec.rb
index 42c3b170e4d..76a35d07c7f 100644
--- a/spec/lib/gitlab/import_export/command_line_util_spec.rb
+++ b/spec/lib/gitlab/import_export/command_line_util_spec.rb
@@ -84,20 +84,6 @@ RSpec.describe Gitlab::ImportExport::CommandLineUtil, feature_category: :importe
 end
 end
-shared_examples 'deletes pipes' do |compression, decompression|
-it 'deletes the pipes', :aggregate_failures do
-FileUtils.touch("#{source_dir}/file.txt")
-File.mkfifo("#{source_dir}/pipe")
-
-archive_file = File.join(archive_dir, 'file_with_pipes.tar.gz')
-subject.public_send(compression, archive: archive_file, dir: source_dir)
-subject.public_send(decompression, archive: archive_file, dir: target_dir)
-
-expect(File).to exist("#{target_dir}/file.txt")
-expect(File).not_to exist("#{target_dir}/pipe")
-end
-end
-
 describe '#download_or_copy_upload' do
 let(:upload) { instance_double(Upload, local?: local) }
 let(:uploader) { instance_double(ImportExportUploader, path: :path, url: :url, upload: upload) }
@@ -316,7 +302,6 @@ RSpec.describe Gitlab::ImportExport::CommandLineUtil, feature_category: :importe
 it_behaves_like 'deletes symlinks', :tar_czf, :untar_zxf
 it_behaves_like 'handles shared hard links', :tar_czf, :untar_zxf
-it_behaves_like 'deletes pipes', :tar_czf, :untar_zxf
 it 'has the right mask for project.json' do
 subject.untar_zxf(archive: tar_archive_fixture, dir: target_dir)
@@ -336,7 +321,6 @@ RSpec.describe Gitlab::ImportExport::CommandLineUtil, feature_category: :importe
 it_behaves_like 'deletes symlinks', :tar_cf, :untar_xf
 it_behaves_like 'handles shared hard links', :tar_cf, :untar_xf
-it_behaves_like 'deletes pipes', :tar_czf, :untar_zxf
 it 'extracts archive without decompression' do
 filename = 'archive.tar.gz'
diff --git a/spec/lib/gitlab/search/abuse_detection_spec.rb b/spec/lib/gitlab/search/abuse_detection_spec.rb index cbf20614ba5..f9a1d0211b9 100644 --- a/spec/lib/gitlab/search/abuse_detection_spec.rb +++ b/spec/lib/gitlab/search/abuse_detection_spec.rb @@ -10,12 +10,12 @@ RSpec.describe Gitlab::Search::AbuseDetection, feature_category: :global_search describe 'abusive scopes validation' do it 'allows only approved scopes' do described_class::ALLOWED_SCOPES.each do |scope| - expect(described_class.new({ scope: scope })).to be_valid + expect(described_class.new(scope: scope)).to be_valid end end it 'disallows anything not approved' do - expect(described_class.new({ scope: 'nope' })).not_to be_valid + expect(described_class.new(scope: 'nope')).not_to be_valid end end @@ -55,14 +55,14 @@ RSpec.describe Gitlab::Search::AbuseDetection, feature_category: :global_search it 'considers non Integers to be invalid' do [:project_id, :group_id].each do |param| [[1, 2, 3], 'xyz', 3.14, { foo: :bar }].each do |dtype| - expect(described_class.new({ param => dtype })).not_to be_valid + expect(described_class.new(param => dtype)).not_to be_valid end end end it 'considers Integers to be valid' do [:project_id, :group_id].each do |param| - expect(described_class.new({ param => 123 })).to be_valid + expect(described_class.new(param => 123)).to be_valid end end end @@ -70,7 +70,7 @@ RSpec.describe Gitlab::Search::AbuseDetection, feature_category: :global_search describe 'query_string validation' do using ::RSpec::Parameterized::TableSyntax - subject { described_class.new({ query_string: search }) } + subject { described_class.new(query_string: search) } let(:validation_errors) do subject.validate 
@@ -82,15 +82,11 @@ RSpec.describe Gitlab::Search::AbuseDetection, feature_category: :global_search word | { query_string: ['stopword only abusive search detected'] } end - (['apples'] * (described_class::MAX_PIPE_SYNTAX_FILTERS + 1)).join('|') | { query_string: ['too many pipe syntax filters'] } # rubocop:disable Layout/LineLength - (['apples'] * described_class::MAX_PIPE_SYNTAX_FILTERS).join('|') | {} - 'x' | { query_string: ['abusive tiny search detected'] } - 'apples|x' | { query_string: ['abusive tiny search detected'] } - ('x' * described_class::ABUSIVE_TERM_SIZE) | { query_string: ['abusive term length detected'] } - "apples|#{'x' * described_class::ABUSIVE_TERM_SIZE}" | { query_string: ['abusive term length detected'] } - '' | {} - '*' | {} - 'ruby' | {} + 'x' | { query_string: ['abusive tiny search detected'] } + ('x' * described_class::ABUSIVE_TERM_SIZE) | { query_string: ['abusive term length detected'] } + '' | {} + '*' | {} + 'ruby' | {} end with_them do @@ -104,14 +100,14 @@ RSpec.describe Gitlab::Search::AbuseDetection, feature_category: :global_search it 'considers anything not a String invalid' do [:query_string, :scope, :repository_ref, :project_ref].each do |param| [[1, 2, 3], 123, 3.14, { foo: :bar }].each do |dtype| - expect(described_class.new({ param => dtype })).not_to be_valid + expect(described_class.new(param => dtype)).not_to be_valid end end end it 'considers Strings to be valid' do [:query_string, :repository_ref, :project_ref].each do |param| - expect(described_class.new({ param => "foo" })).to be_valid + expect(described_class.new(param => "foo")).to be_valid end end end diff --git a/spec/lib/gitlab/search/params_spec.rb b/spec/lib/gitlab/search/params_spec.rb index 3c64082aeeb..3235a0b2126 100644 --- a/spec/lib/gitlab/search/params_spec.rb +++ b/spec/lib/gitlab/search/params_spec.rb 
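Review bot: The rewritten table pins the term-length check only from the abusive side: `('x' * described_class::ABUSIVE_TERM_SIZE)` must fail, while every passing row (`''`, `'*'`, `'ruby'`) is far from the threshold, so an off-by-one in the detector would go unnoticed. If the threshold is inclusive, as that row implies, a row such as `('x' * (described_class::ABUSIVE_TERM_SIZE - 1)) | {}` would close that gap; the tiny-search side has the same shape, with only the one-character `'x'` covered. The new side also contains no query with a `|`, so if the detector on this branch still splits on pipe syntax, multi-term inputs (including the mixed case the removed `'apples|x'` row covered) are no longer exercised here. The `where` block this table belongs to starts outside the hunk.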
@@ -17,7 +17,7 @@ RSpec.describe Gitlab::Search::Params, feature_category: :global_search do end it 'uses AbuseDetection by default' do - expect(Gitlab::Search::AbuseDetection).to receive(:new).at_least(:once).and_call_original + expect(Gitlab::Search::AbuseDetection).to receive(:new).and_call_original described_class.new(params) end end @@ -73,21 +73,9 @@ RSpec.describe Gitlab::Search::Params, feature_category: :global_search do end it 'validates AbuseDetector on validation' do - expect(Gitlab::Search::AbuseDetection).to receive(:new).at_least(:once).and_call_original + expect(Gitlab::Search::AbuseDetection).to receive(:new).and_call_original subject.validate end - - context 'when query has too many terms' do - let(:search) { Array.new((::Gitlab::Search::Params::SEARCH_TERM_LIMIT + 1), 'a').join(' ') } - - it { is_expected.not_to be_valid } - end - - context 'when query is too long' do - let(:search) { 'a' * (::Gitlab::Search::Params::SEARCH_CHAR_LIMIT + 1) } - - it { is_expected.not_to be_valid } - end end describe '#valid?' do @@ -101,7 +89,7 @@ RSpec.describe Gitlab::Search::Params, feature_category: :global_search do end it 'validates AbuseDetector on validation' do - expect(Gitlab::Search::AbuseDetection).to receive(:new).at_least(:once).and_call_original + expect(Gitlab::Search::AbuseDetection).to receive(:new).and_call_original subject.valid? end end |
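Review bot: The three expectations on `receive(:new)` now fail if `Params` constructs more than one `AbuseDetection`, because an rspec-mocks message expectation without an explicit count defaults to exactly once; that is a stricter contract than the example names ('uses AbuseDetection by default', 'validates AbuseDetector on validation') advertise, and the same edit appears in all three hunks of this file. If exactly one instantiation per `Params` is intended, writing it as `expect(Gitlab::Search::AbuseDetection).to receive(:new).once.and_call_original` makes the intent visible to the next reader; if it is not, `at_least(:once)` was the looser and arguably correct form. The second hunk also drops the 'too many terms' and 'too long' contexts, so, assuming `SEARCH_TERM_LIMIT` and `SEARCH_CHAR_LIMIT` remain defined on this branch, their enforcement is no longer exercised from this spec.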
