authorGitLab Bot <gitlab-bot@gitlab.com>2023-11-29 19:24:13 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-11-29 19:24:13 +0300
commit925780caf1f669002af72d5a6be6a3a6551308cc (patch)
treebe5cc8aa2e44cac0710d8a839a172fd3d0f70685
parent693d15dcb2f33c01a442784c13933da3d1b8d52e (diff)
Add latest changes from gitlab-org/security/gitlab@16-6-stable-ee
-rw-r--r--app/finders/packages/composer/packages_finder.rb8
-rw-r--r--app/finders/packages/group_packages_finder.rb19
-rw-r--r--app/models/concerns/protected_branch_access.rb2
-rw-r--r--app/models/integrations/jira.rb4
-rw-r--r--lib/gitlab/checks/branch_check.rb4
-rw-r--r--lib/gitlab/regex.rb4
-rw-r--r--spec/finders/packages/composer/packages_finder_spec.rb15
-rw-r--r--spec/finders/packages/group_packages_finder_spec.rb24
-rw-r--r--spec/lib/gitlab/checks/branch_check_spec.rb34
-rw-r--r--spec/models/integrations/jira_spec.rb2
10 files changed, 75 insertions, 41 deletions
diff --git a/app/finders/packages/composer/packages_finder.rb b/app/finders/packages/composer/packages_finder.rb
index b5a1b19216f..1581c48dd74 100644
--- a/app/finders/packages/composer/packages_finder.rb
+++ b/app/finders/packages/composer/packages_finder.rb
@@ -2,14 +2,12 @@
module Packages
module Composer
class PackagesFinder < Packages::GroupPackagesFinder
- def initialize(current_user, group, params = {})
- @current_user = current_user
- @group = group
- @params = params
+ def initialize(current_user, group, params = { package_type: :composer, with_package_registry_enabled: true })
+ super(current_user, group, params)
end
def execute
- packages_for_group_projects(installable_only: true).composer.preload_composer
+ packages_for_group_projects(installable_only: true).preload_composer
end
end
end
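Review bot: The `with_package_registry_enabled: true` flag in the new `initialize` default is dropped whenever a caller supplies its own `params`, because a Ruby default argument is replaced wholesale rather than merged; the spec in this same commit passes `{ package_type: :composer }` and then has to re-add the flag by hand, which shows the gap. Since `execute` no longer applies the `.composer` scope, an explicit `params` without `package_type` would also return every package type of the group. Merging the composer-specific keys in unconditionally keeps both invariants regardless of caller input: `def initialize(current_user, group, params = {})` followed by `super(current_user, group, params.merge(package_type: :composer, with_package_registry_enabled: true))`.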
diff --git a/app/finders/packages/group_packages_finder.rb b/app/finders/packages/group_packages_finder.rb
index 3a068252d5c..3b211882fa0 100644
--- a/app/finders/packages/group_packages_finder.rb
+++ b/app/finders/packages/group_packages_finder.rb
@@ -40,14 +40,17 @@ module Packages
# access to packages is ruled by:
# - project is public or the current user has access to it with at least the reporter level
# - the repository feature is available to the current_user
- if current_user.is_a?(DeployToken)
- current_user.accessible_projects
- else
- ::Project
- .in_namespace(groups)
- .public_or_visible_to_user(current_user, Gitlab::Access::REPORTER)
- .with_feature_available_for_user(:repository, current_user)
- end
+ projects = if current_user.is_a?(DeployToken)
+ current_user.accessible_projects
+ else
+ ::Project
+ .in_namespace(groups)
+ .public_or_visible_to_user(current_user, Gitlab::Access::REPORTER)
+ .with_feature_available_for_user(:repository, current_user)
+ end
+
+ projects = projects.with_package_registry_enabled if params[:with_package_registry_enabled]
+ projects
end
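Review bot: The filter added on the `projects = projects.with_package_registry_enabled if params[:with_package_registry_enabled]` line is opt-in, yet the comment block above it describes this method as the place where access to packages is ruled; any caller that omits the param keeps seeing packages of projects whose registry is disabled. If opt-in is deliberate for this release, the rule list should say so, e.g. add `# - the package registry is enabled for the project (only enforced when params[:with_package_registry_enabled] is set)`. The enclosing method starts before this hunk, so its signature and other callers of `params` are not visible here.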
def groups
diff --git a/app/models/concerns/protected_branch_access.rb b/app/models/concerns/protected_branch_access.rb
index 8156090fd9c..6a7fdce62fb 100644
--- a/app/models/concerns/protected_branch_access.rb
+++ b/app/models/concerns/protected_branch_access.rb
@@ -10,3 +10,5 @@ module ProtectedBranchAccess
delegate :project, to: :protected_branch
end
end
+
+ProtectedBranchAccess.prepend_mod_with('ProtectedBranchAccess')
diff --git a/app/models/integrations/jira.rb b/app/models/integrations/jira.rb
index 22367ee336d..bf49dbca294 100644
--- a/app/models/integrations/jira.rb
+++ b/app/models/integrations/jira.rb
@@ -401,9 +401,9 @@ module Integrations
private
def jira_issue_match_regex
- return /\b#{jira_issue_prefix}(?<issue>#{Gitlab::Regex.jira_issue_key_regex})/ if jira_issue_regex.blank?
+ jira_regex = jira_issue_regex.presence || Gitlab::Regex.jira_issue_key_regex.source
- Gitlab::UntrustedRegexp.new("\\b#{jira_issue_prefix}(?P<issue>#{jira_issue_regex})")
+ Gitlab::UntrustedRegexp.new("\\b#{jira_issue_prefix}(?P<issue>#{jira_regex})")
end
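Review bot: The fallback on the new `jira_regex =` line embeds `Gitlab::Regex.jira_issue_key_regex.source` with its default `expression_escape: '\b'`, so the final pattern carries a second word boundary right after `jira_issue_prefix` inside the named group; if a configured prefix can end in a word character that inner `\b` can never match (the prefix's allowed characters are not visible here, so this needs confirming). Passing the empty escape the helper already accepts removes the duplicate: `jira_regex = jira_issue_regex.presence || Gitlab::Regex.jira_issue_key_regex(expression_escape: '').source`. Both branches now compile through `Gitlab::UntrustedRegexp` and the old `(?!CVE-…)` exclusion is gone; a one-line comment such as `# Configured and default patterns are both compiled as an UntrustedRegexp; CVE-style ids are no longer excluded` would record that for the next reader.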
def parse_project_from_issue_key(issue_key)
diff --git a/lib/gitlab/checks/branch_check.rb b/lib/gitlab/checks/branch_check.rb
index b675eca826a..3bedc483e75 100644
--- a/lib/gitlab/checks/branch_check.rb
+++ b/lib/gitlab/checks/branch_check.rb
@@ -13,7 +13,7 @@ module Gitlab
create_protected_branch: 'You are not allowed to create protected branches on this project.',
invalid_commit_create_protected_branch: 'You can only use an existing protected branch ref as the basis of a new protected branch.',
non_web_create_protected_branch: 'You can only create protected branches using the web interface and API.',
- prohibited_hex_branch_name: 'You cannot create a branch with a 40-character hexadecimal branch name.',
+ prohibited_hex_branch_name: 'You cannot create a branch with a SHA-1 or SHA-256 branch name.',
invalid_branch_name: 'You cannot create a branch with an invalid name.'
}.freeze
@@ -43,7 +43,7 @@ module Gitlab
def prohibited_branch_checks
return if deletion?
- if %r{\A#{Gitlab::Git::Commit::RAW_FULL_SHA_PATTERN}(-/|/|\z)}o.match?(branch_name)
+ if %r{\A#{Gitlab::Git::Commit::RAW_FULL_SHA_PATTERN}}o.match?(branch_name)
raise GitAccess::ForbiddenError, ERROR_MESSAGES[:prohibited_hex_branch_name]
end
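Review bot: The tightened pattern on the `if %r{\A#{Gitlab::Git::Commit::RAW_FULL_SHA_PATTERN}}o.match?(branch_name)` line now rejects any branch name that merely begins with a full SHA-1/SHA-256, including the `<sha>-fix` form the previous spec explicitly allowed, but nothing in the method says why a leading hash is unsafe. A comment above the `if`, such as `# Reject any name that starts with a full SHA-1/SHA-256 (presumably to avoid ambiguity with commit-ID resolution — confirm)`, would keep the next maintainer from loosening it back to the old suffix list. `prohibited_branch_checks` ends past this hunk, so later checks in the method are not visible here.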
diff --git a/lib/gitlab/regex.rb b/lib/gitlab/regex.rb
index 6ac37986d5c..2de0a8d7b41 100644
--- a/lib/gitlab/regex.rb
+++ b/lib/gitlab/regex.rb
@@ -241,10 +241,8 @@ module Gitlab
# Based on Jira's project key format
# https://confluence.atlassian.com/adminjiraserver073/changing-the-project-key-format-861253229.html
- # Avoids linking CVE IDs (https://cve.mitre.org/cve/identifiers/syntaxchange.html#new) as Jira issues.
- # CVE IDs use the format of CVE-YYYY-NNNNNNN
def jira_issue_key_regex(expression_escape: '\b')
- /#{expression_escape}(?!CVE-\d+-\d+)[A-Z][A-Z_0-9]+-\d+/
+ /#{expression_escape}([A-Z][A-Z_0-9]+-\d+)/
end
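Review bot: The new capturing group in `/#{expression_escape}([A-Z][A-Z_0-9]+-\d+)/` changes the numbered captures of every existing caller of `jira_issue_key_regex`, and the two comment lines that explained the previous CVE exclusion were removed without a replacement. If the group is only there so `.source` can be embedded elsewhere (as jira.rb does in this commit), a non-capturing `(?:[A-Z][A-Z_0-9]+-\d+)` keeps `$1` stable for other callers; if some caller does rely on the capture, say so in a comment. Either way a note such as `# CVE ids (CVE-YYYY-NNNN) now match too; the former negative lookahead was dropped` should replace the deleted lines so the behaviour change visible in the spec table (`'CVE-2022-123' | 'CVE-2022'`) is explained at its source.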
def jira_issue_key_project_key_extraction_regex
diff --git a/spec/finders/packages/composer/packages_finder_spec.rb b/spec/finders/packages/composer/packages_finder_spec.rb
index d4328827de3..1701243063b 100644
--- a/spec/finders/packages/composer/packages_finder_spec.rb
+++ b/spec/finders/packages/composer/packages_finder_spec.rb
@@ -1,18 +1,19 @@
# frozen_string_literal: true
require 'spec_helper'
-RSpec.describe ::Packages::Composer::PackagesFinder do
+RSpec.describe ::Packages::Composer::PackagesFinder, feature_category: :package_registry do
let_it_be(:user) { create(:user) }
let_it_be(:group) { create(:group) }
let_it_be(:project) { create(:project, group: group) }
- let(:params) { {} }
+ let(:params) { { package_type: :composer } }
describe '#execute' do
let_it_be(:composer_package) { create(:composer_package, project: project) }
let_it_be(:composer_package2) { create(:composer_package, project: project) }
let_it_be(:error_package) { create(:composer_package, :error, project: project) }
let_it_be(:composer_package3) { create(:composer_package) }
+ let_it_be(:nuget_package) { create(:nuget_package, project: project) }
subject { described_class.new(user, group, params).execute }
@@ -21,5 +22,15 @@ RSpec.describe ::Packages::Composer::PackagesFinder do
end
it { is_expected.to match_array([composer_package, composer_package2]) }
+
+ context 'when disabling the package registry for the project' do
+ let(:params) { super().merge(with_package_registry_enabled: true) }
+
+ before do
+ project.update!(package_registry_access_level: 'disabled', packages_enabled: false)
+ end
+
+ it { is_expected.to be_empty }
+ end
end
end
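Review bot: The new context `when disabling the package registry for the project` merges `with_package_registry_enabled: true` into `params` explicitly, so it verifies the parent finder's filter but not the composer finder's own default signature, which is what production callers rely on. A sibling example that constructs the finder without params, `subject { described_class.new(user, group).execute }`, under the same `before` block would pin that default. The top-level `let(:params)` change to `{ package_type: :composer }` has the same effect of bypassing the default in every example in this file.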
diff --git a/spec/finders/packages/group_packages_finder_spec.rb b/spec/finders/packages/group_packages_finder_spec.rb
index a2698bc0153..d270d026da6 100644
--- a/spec/finders/packages/group_packages_finder_spec.rb
+++ b/spec/finders/packages/group_packages_finder_spec.rb
@@ -1,7 +1,7 @@
# frozen_string_literal: true
require 'spec_helper'
-RSpec.describe Packages::GroupPackagesFinder do
+RSpec.describe Packages::GroupPackagesFinder, feature_category: :package_registry do
using RSpec::Parameterized::TableSyntax
let_it_be(:user) { create(:user) }
@@ -25,6 +25,16 @@ RSpec.describe Packages::GroupPackagesFinder do
it { is_expected.to match_array([send("package_#{package_type}")]) }
end
+ shared_examples 'disabling package registry for project' do
+ let(:params) { super().merge(with_package_registry_enabled: true) }
+
+ before do
+ project.update!(package_registry_access_level: 'disabled', packages_enabled: false)
+ end
+
+ it { is_expected.to match_array(packages_returned) }
+ end
+
def self.package_types
@package_types ||= Packages::Package.package_types.keys
end
@@ -117,6 +127,10 @@ RSpec.describe Packages::GroupPackagesFinder do
let(:user) { deploy_token_for_group }
it { is_expected.to match_array([package1, package2, package4]) }
+
+ it_behaves_like 'disabling package registry for project' do
+ let(:packages_returned) { [package4] }
+ end
end
context 'project deploy token' do
@@ -126,6 +140,11 @@ RSpec.describe Packages::GroupPackagesFinder do
let(:user) { deploy_token_for_project }
it { is_expected.to match_array([package4]) }
+
+ it_behaves_like 'disabling package registry for project' do
+ let(:project) { subproject }
+ let(:packages_returned) { [] }
+ end
end
end
@@ -200,6 +219,9 @@ RSpec.describe Packages::GroupPackagesFinder do
it_behaves_like 'concerning versionless param'
it_behaves_like 'concerning package statuses'
+ it_behaves_like 'disabling package registry for project' do
+ let(:packages_returned) { [] }
+ end
end
context 'group has package of all types' do
diff --git a/spec/lib/gitlab/checks/branch_check_spec.rb b/spec/lib/gitlab/checks/branch_check_spec.rb
index c3d6b9510e5..8772e8dd904 100644
--- a/spec/lib/gitlab/checks/branch_check_spec.rb
+++ b/spec/lib/gitlab/checks/branch_check_spec.rb
@@ -19,39 +19,39 @@ RSpec.describe Gitlab::Checks::BranchCheck, feature_category: :source_code_manag
end
end
- context "prohibited branches check" do
- it "prohibits 40-character hexadecimal branch names" do
+ describe "prohibited branches check" do
+ it "forbids SHA-1 values" do
allow(subject).to receive(:branch_name).and_return("267208abfe40e546f5e847444276f7d43a39503e")
- expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, "You cannot create a branch with a 40-character hexadecimal branch name.")
+ expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, "You cannot create a branch with a SHA-1 or SHA-256 branch name.")
end
- it "prohibits 40-character hexadecimal branch names as the start of a path" do
- allow(subject).to receive(:branch_name).and_return("267208abfe40e546f5e847444276f7d43a39503e/test")
+ it "forbids SHA-256 values" do
+ allow(subject).to receive(:branch_name).and_return("09b9fd3ea68e9b95a51b693a29568c898e27d1476bbd83c825664f18467fc175")
- expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, "You cannot create a branch with a 40-character hexadecimal branch name.")
+ expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, "You cannot create a branch with a SHA-1 or SHA-256 branch name.")
end
- it "prohibits 40-character hexadecimal branch names followed by a dash as the start of a path" do
- allow(subject).to receive(:branch_name).and_return("267208abfe40e546f5e847444276f7d43a39503e-/test")
+ it "forbids '{SHA-1}{+anything}' values" do
+ allow(subject).to receive(:branch_name).and_return("267208abfe40e546f5e847444276f7d43a39503e-")
- expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, "You cannot create a branch with a 40-character hexadecimal branch name.")
+ expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, "You cannot create a branch with a SHA-1 or SHA-256 branch name.")
end
- it "prohibits 64-character hexadecimal branch names" do
- allow(subject).to receive(:branch_name).and_return("09b9fd3ea68e9b95a51b693a29568c898e27d1476bbd83c825664f18467fc175")
+ it "forbids '{SHA-256}{+anything} values" do
+ allow(subject).to receive(:branch_name).and_return("09b9fd3ea68e9b95a51b693a29568c898e27d1476bbd83c825664f18467fc175-")
- expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, "You cannot create a branch with a 40-character hexadecimal branch name.")
+ expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, "You cannot create a branch with a SHA-1 or SHA-256 branch name.")
end
- it "prohibits 64-character hexadecimal branch names as the start of a path" do
- allow(subject).to receive(:branch_name).and_return("09b9fd3ea68e9b95a51b693a29568c898e27d1476bbd83c825664f18467fc175/test")
+ it "allows SHA-1 values to be appended to the branch name" do
+ allow(subject).to receive(:branch_name).and_return("fix-267208abfe40e546f5e847444276f7d43a39503e")
- expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, "You cannot create a branch with a 40-character hexadecimal branch name.")
+ expect { subject.validate! }.not_to raise_error
end
- it "doesn't prohibit a nested hexadecimal in a branch name" do
- allow(subject).to receive(:branch_name).and_return("267208abfe40e546f5e847444276f7d43a39503e-fix")
+ it "allows SHA-256 values to be appended to the branch name" do
+ allow(subject).to receive(:branch_name).and_return("fix-09b9fd3ea68e9b95a51b693a29568c898e27d1476bbd83c825664f18467fc175")
expect { subject.validate! }.not_to raise_error
end
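Review bot: The path-style cases `<sha>/test` and `<sha>-/test` that the old examples covered are deleted rather than folded into the new ones, so a later change to `RAW_FULL_SHA_PATTERN` or to the anchoring could reintroduce them unnoticed; keep one example whose `branch_name` is `"267208abfe40e546f5e847444276f7d43a39503e/test"` and expect the same `ForbiddenError`. The description string on the SHA-256 sibling, `"forbids '{SHA-256}{+anything} values"`, is missing the closing `'` that the SHA-1 version has. The `describe` block continues past this hunk.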
diff --git a/spec/models/integrations/jira_spec.rb b/spec/models/integrations/jira_spec.rb
index af021c51035..2a3a3ec7f09 100644
--- a/spec/models/integrations/jira_spec.rb
+++ b/spec/models/integrations/jira_spec.rb
@@ -251,7 +251,7 @@ RSpec.describe Integrations::Jira, feature_category: :integrations do
'EXT_EXT-1234' | 'EXT_EXT-1234'
'EXT3_EXT-1234' | 'EXT3_EXT-1234'
'3EXT_EXT-1234' | ''
- 'CVE-2022-123' | ''
+ 'CVE-2022-123' | 'CVE-2022'
'CVE-123' | 'CVE-123'
'abc-JIRA-1234' | 'JIRA-1234'
end