authorGitLab Bot <gitlab-bot@gitlab.com>2020-04-27 18:28:44 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2020-04-27 18:28:44 +0300
commit4040bf18047afc899eb59e93f229f342ab7a11cf (patch)
tree9f19a3badc88cc0e36ebc888503925d4a67e736d
parent3625b2d802d094d92498a00b8206fba46948b348 (diff)
Add latest changes from gitlab-org/security/gitlab@12-9-stable-ee
-rw-r--r--app/controllers/oauth/authorized_applications_controller.rb7
-rw-r--r--changelogs/unreleased/security-file-template-project-12-9.yml5
-rw-r--r--changelogs/unreleased/security-fix-CVE-2020-10187.yml5
-rw-r--r--changelogs/unreleased/security-fix-es-credentials-leak.yml5
-rw-r--r--config/application.rb1
-rw-r--r--spec/controllers/oauth/authorized_applications_controller_spec.rb21
-rwxr-xr-x[-rw-r--r--]vendor/gitignore/C++.gitignore0
-rwxr-xr-x[-rw-r--r--]vendor/gitignore/Java.gitignore0
8 files changed, 44 insertions, 0 deletions
diff --git a/app/controllers/oauth/authorized_applications_controller.rb b/app/controllers/oauth/authorized_applications_controller.rb
index 9cfa57c53a5..addec71f0bf 100644
--- a/app/controllers/oauth/authorized_applications_controller.rb
+++ b/app/controllers/oauth/authorized_applications_controller.rb
@@ -5,6 +5,13 @@ class Oauth::AuthorizedApplicationsController < Doorkeeper::AuthorizedApplicatio
layout 'profile'
+ def index
+ respond_to do |format|
+ format.html { render "errors/not_found", layout: "errors", status: :not_found }
+ format.json { render json: "", status: :not_found }
+ end
+ end
+
def destroy
if params[:token_id].present?
current_resource_owner.oauth_authorized_tokens.find(params[:token_id]).revoke
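Review bot: The new `index` override gives no reason for replacing the inherited Doorkeeper action with a 404, so a later cleanup could remove it and silently reinstate the listing; add a comment above `def index` such as `# Intentionally disables Doorkeeper's inherited index action; see changelog security-fix-CVE-2020-10187 before removing.` The JSON branch renders an empty string under a JSON content type, which is not a valid JSON document; `format.json { head :not_found }` expresses the same result without the malformed body. The enclosing class header is outside the hunk and `destroy` continues past it.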
diff --git a/changelogs/unreleased/security-file-template-project-12-9.yml b/changelogs/unreleased/security-file-template-project-12-9.yml
new file mode 100644
index 00000000000..ca4c88f20a6
--- /dev/null
+++ b/changelogs/unreleased/security-file-template-project-12-9.yml
@@ -0,0 +1,5 @@
+---
+title: Do not return private project ID without permission
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-fix-CVE-2020-10187.yml b/changelogs/unreleased/security-fix-CVE-2020-10187.yml
new file mode 100644
index 00000000000..5510f3dc5fb
--- /dev/null
+++ b/changelogs/unreleased/security-fix-CVE-2020-10187.yml
@@ -0,0 +1,5 @@
+---
+title: Fix doorkeeper CVE-2020-10187
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-fix-es-credentials-leak.yml b/changelogs/unreleased/security-fix-es-credentials-leak.yml
new file mode 100644
index 00000000000..1278954104b
--- /dev/null
+++ b/changelogs/unreleased/security-fix-es-credentials-leak.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent ES credentials leak
+merge_request:
+author:
+type: security
diff --git a/config/application.rb b/config/application.rb
index 14e92bf5905..f739832a9f0 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -130,6 +130,7 @@ module Gitlab
encrypted_key
hook
import_url
+ elasticsearch_url
otp_attempt
sentry_dsn
trace
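Review bot: `elasticsearch_url` is added as a single entry to what appears to be the Rails `filter_parameters` list (its head is outside the hunk); Rails matches these entries against parameter names by substring, so only parameters whose names contain that string are masked, and if the Elasticsearch settings submit credentials under separately named fields those would still reach the logs. Worth confirming the form's parameter names against this entry, and the commit adds no spec asserting that the value is actually filtered. The enclosing statement starts before and ends after the hunk.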
diff --git a/spec/controllers/oauth/authorized_applications_controller_spec.rb b/spec/controllers/oauth/authorized_applications_controller_spec.rb
new file mode 100644
index 00000000000..32be6a3ddb7
--- /dev/null
+++ b/spec/controllers/oauth/authorized_applications_controller_spec.rb
@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Oauth::AuthorizedApplicationsController do
+ let(:user) { create(:user) }
+ let(:guest) { create(:user) }
+ let(:application) { create(:oauth_application, owner: guest) }
+
+ before do
+ sign_in(user)
+ end
+
+ describe 'GET #index' do
+ it 'responds with 404' do
+ get :index
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+ end
+end
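Review bot: `let(:guest)` and `let(:application)` are never referenced, and `let` is lazy, so no OAuth application owned by another user is ever created and the example only shows that a GET returns 404 against an empty table; declare it as `let!(:application) { create(:oauth_application, owner: guest) }` so the record exists when the listing is requested. The controller's JSON branch is also unexercised; a second example requesting `:index` with `format: :json` and asserting `:not_found` would cover it.
```ruby
  describe 'GET #index' do
    # … unchanged: HTML example …

    it 'responds with 404 for JSON' do
      get :index, format: :json

      expect(response).to have_gitlab_http_status(:not_found)
    end
  end
```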
diff --git a/vendor/gitignore/C++.gitignore b/vendor/gitignore/C++.gitignore
index 259148fa18f..259148fa18f 100644..100755
--- a/vendor/gitignore/C++.gitignore
+++ b/vendor/gitignore/C++.gitignore
diff --git a/vendor/gitignore/Java.gitignore b/vendor/gitignore/Java.gitignore
index a1c2a238a96..a1c2a238a96 100644..100755
--- a/vendor/gitignore/Java.gitignore
+++ b/vendor/gitignore/Java.gitignore