author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-01-10 18:40:29 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-01-10 18:40:29 +0300 |
commit | 73e4dfe3f05127a40e0c49bad4f953ede9f941f4 (patch) | |
tree | cb66854a34a70e98c1676015de0c9b2a536a5899 | |
parent | ec377c38b808660eaf7de13e8adec3d00a547bce (diff) |
Add latest changes from gitlab-org/security/gitlab@12-4-stable-ee
-rw-r--r-- | CHANGELOG-EE.md | 8 | ||||
-rw-r--r-- | VERSION | 2 | ||||
-rw-r--r-- | changelogs/unreleased/security-project-import-vn-master.yml | 5 | ||||
-rw-r--r-- | danger/changelog/Dangerfile | 2 | ||||
-rw-r--r-- | danger/metadata/Dangerfile | 2 | ||||
-rw-r--r-- | lib/gitlab/danger/helper.rb | 6 | ||||
-rw-r--r-- | lib/gitlab/import_export/attribute_cleaner.rb | 4 | ||||
-rwxr-xr-x | scripts/static-analysis | 53 | ||||
-rw-r--r-- | spec/lib/gitlab/danger/helper_spec.rb | 22 | ||||
-rw-r--r-- | spec/lib/gitlab/import_export/attribute_cleaner_spec.rb | 15 |
10 files changed, 101 insertions, 18 deletions
diff --git a/CHANGELOG-EE.md b/CHANGELOG-EE.md index 48e1ff75407..a4137eae69b 100644 --- a/CHANGELOG-EE.md +++ b/CHANGELOG-EE.md @@ -1,5 +1,13 @@ Please view this file on the master branch, on stable branches it's out of date. +## 12.4.7 + +### Security (2 changes) + +- Don't publish drafts if user can't create notes. +- Remove protected tag access when group is removed. + + ## 12.4.6 ### Security (1 change) @@ -1 +1 @@ -12.4.7 +12.4.7-ee diff --git a/changelogs/unreleased/security-project-import-vn-master.yml b/changelogs/unreleased/security-project-import-vn-master.yml new file mode 100644 index 00000000000..930358626fd --- /dev/null +++ b/changelogs/unreleased/security-project-import-vn-master.yml @@ -0,0 +1,5 @@ +--- +title: Fix private objects exposure when using Project Import functionality +merge_request: +author: +type: security diff --git a/danger/changelog/Dangerfile b/danger/changelog/Dangerfile index f83dc556964..7cd722c1141 100644 --- a/danger/changelog/Dangerfile +++ b/danger/changelog/Dangerfile @@ -35,7 +35,7 @@ def check_changelog(path) fail "`title` should be set, in #{gitlab.html_link(path)}! #{SEE_DOC}" if yaml["title"].nil? fail "`type` should be set, in #{gitlab.html_link(path)}! #{SEE_DOC}" if yaml["type"].nil? - if yaml["merge_request"].nil? + if yaml["merge_request"].nil? && !helper.security_mr? message "Consider setting `merge_request` to #{gitlab.mr_json["iid"]} in #{gitlab.html_link(path)}. #{SEE_DOC}" elsif yaml["merge_request"] != gitlab.mr_json["iid"] && !ce_port_changelog?(path) fail "Merge request ID was not set to #{gitlab.mr_json["iid"]}! #{SEE_DOC}" diff --git a/danger/metadata/Dangerfile b/danger/metadata/Dangerfile index f2d68e64eb6..5edd134cbab 100644 --- a/danger/metadata/Dangerfile +++ b/danger/metadata/Dangerfile 
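Review bot: On a security MR whose changelog has no `merge_request`, the newly guarded `if` in check_changelog (danger/changelog/Dangerfile) is skipped and control falls into `elsif yaml["merge_request"] != gitlab.mr_json["iid"] && !ce_port_changelog?(path)`, where `nil != iid` is true, so the file now fails hard instead of being left alone as intended. The branch needs to exclude the nil case, e.g. `elsif !yaml["merge_request"].nil? && yaml["merge_request"] != gitlab.mr_json["iid"] && !ce_port_changelog?(path)`; non-security MRs are unaffected because a nil value already takes the first branch for them. The body of `check_changelog` starts before and ends after this hunk. The matching `&& !helper.security_mr?` guard in danger/metadata/Dangerfile does not have this problem since its `if` has no further branch.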
@@ -32,7 +32,7 @@ end has_pick_into_stable_label = gitlab.mr_labels.find { |label| label.start_with?('Pick into') } -if gitlab.branch_for_base != "master" && !has_pick_into_stable_label +if gitlab.branch_for_base != "master" && !has_pick_into_stable_label && !helper.security_mr? warn "Most of the time, merge requests should target `master`. Otherwise, please set the relevant `Pick into X.Y` label." end diff --git a/lib/gitlab/danger/helper.rb b/lib/gitlab/danger/helper.rb index f22fc41a6d8..352303863c4 100644 --- a/lib/gitlab/danger/helper.rb +++ b/lib/gitlab/danger/helper.rb @@ -167,6 +167,12 @@ module Gitlab labels - current_mr_labels end + def security_mr? + return false unless gitlab_helper + + gitlab_helper.mr_json['web_url'].include?('/gitlab-org/security/') + end + private def has_database_scoped_labels?(current_mr_labels) diff --git a/lib/gitlab/import_export/attribute_cleaner.rb b/lib/gitlab/import_export/attribute_cleaner.rb index 50fec9f3eb9..00c4c41e6be 100644 --- a/lib/gitlab/import_export/attribute_cleaner.rb +++ b/lib/gitlab/import_export/attribute_cleaner.rb @@ -3,8 +3,8 @@ module Gitlab module ImportExport class AttributeCleaner - ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + %w[group_id commit_id] - PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/).freeze + ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + %w[group_id commit_id discussion_id custom_attributes] + PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/, /attributes/).freeze def self.clean(*args) new(*args).clean diff --git a/scripts/static-analysis b/scripts/static-analysis index 602cd847a71..72b4c629f7a 100755 --- a/scripts/static-analysis +++ b/scripts/static-analysis 
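Review bot: `security_mr?` in lib/gitlab/danger/helper.rb is a substring test over the whole `web_url`, so a URL that contains `/gitlab-org/security/` in any position qualifies, and a missing `web_url` raises NoMethodError instead of returning false. Because this predicate is what relaxes the changelog and target-branch checks in the two Dangerfiles, a path-anchored check is tighter, e.g. `URI(gitlab_helper.mr_json['web_url'].to_s).path.start_with?('/gitlab-org/security/')` (assuming `uri` is available in the Danger process; otherwise `.to_s.include?` at least makes the nil case return false). The spec hunk for this method later in the commit covers a nil `gitlab_helper` but not a nil or unexpected `web_url`, so a case for that would pin the behaviour.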
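Review bot: The rewritten `PROHIBITED_REFERENCES` line in lib/gitlab/import_export/attribute_cleaner.rb keeps the `\Z` anchors, which also match before a trailing newline; `\z` is the strict end-of-string anchor when the purpose is to strip `_id`/`_ids`/`_html` keys from imported data, e.g. `Regexp.union(/\Acached_markdown_version\z/, /_id\z/, /_ids\z/, /_html\z/, /attributes/).freeze`. The added `/attributes/` pattern is deliberately unanchored (the spec hunk adds `some_attributes_metadata` and `variables_attributes` to what looks like the unsafe-input hash) and `custom_attributes` survives only because it is in `ALLOWED_REFERENCES`; a comment such as `# unanchored on purpose: nested *_attributes hashes from an export must never reach mass assignment` would keep a later cleanup from tightening it. `discussion_id` is also added to the allowlist here but no spec hunk visible in this commit exercises it.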
@@ -26,17 +26,48 @@ def emit_errors(static_analysis) end end -tasks = [ - %w[bin/rake lint:all], - %w[bundle exec license_finder], - %w[yarn run eslint], - %w[yarn run stylelint], - %w[yarn run prettier-all], - %w[bundle exec rubocop --parallel], - %w[scripts/lint-conflicts.sh], - %w[scripts/lint-rugged] -] +ALLOWED_WARNINGS = [ + # https://github.com/browserslist/browserslist/blob/d0ec62eb48c41c218478cd3ac28684df051cc865/node.js#L329 + # warns if caniuse-lite package is older than 6 months. Ignore this + # warning message so that GitLab backports don't fail. + "Browserslist: caniuse-lite is outdated. Please run next command `yarn upgrade`" +].freeze +def warning_count(static_analysis) + static_analysis.warned_results + .reject { |result| ALLOWED_WARNINGS.include?(result.stderr.strip) } + .count +end + +def jobs_to_run(node_index, node_total) + all_tasks = [ + %w[bin/rake lint:all], + %w[bundle exec license_finder], + %w[yarn run eslint], + %w[yarn run stylelint], + %w[yarn run prettier-all], + %w[bundle exec rubocop --parallel], + %w[scripts/lint-conflicts.sh], + %w[scripts/lint-rugged] + ] + + case node_total + when 1 + all_tasks + when 2 + rake_lint_all, *rest_jobs = all_tasks + case node_index + when 1 + [rake_lint_all] + else + rest_jobs + end + else + raise "Parallelization > 2 (currently set to #{node_total}) isn't supported yet!" + end +end + +tasks = jobs_to_run((ENV['CI_NODE_INDEX'] || 1).to_i, (ENV['CI_NODE_TOTAL'] || 1).to_i) static_analysis = Gitlab::Popen::Runner.new static_analysis.run(tasks) do |cmd, &run| @@ -62,7 +93,7 @@ elsif static_analysis.all_success? emit_warnings(static_analysis) - exit 2 + exit 2 if warning_count(static_analysis).nonzero? else puts 'Some static analyses failed:' diff --git a/spec/lib/gitlab/danger/helper_spec.rb b/spec/lib/gitlab/danger/helper_spec.rb index 1696d3566ad..3ffb6c29a96 100644 --- a/spec/lib/gitlab/danger/helper_spec.rb +++ b/spec/lib/gitlab/danger/helper_spec.rb 
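Review bot: In `jobs_to_run`, when `node_total` is 2 any `node_index` other than 1 — including the 0 that `.to_i` yields for an empty or non-numeric `CI_NODE_INDEX` — silently runs only `rest_jobs`, so a misconfigured job drops `bin/rake lint:all` without any error. The inner `case` should accept only index 2 and raise otherwise, mirroring the outer `else`, and the caller is stricter with `Integer(ENV.fetch(...))` so garbage fails loudly instead of becoming 0. `warning_count` and `jobs_to_run` also lack a header comment; something like `# Tasks for this CI node: with two nodes, node 1 runs rake lint:all alone and node 2 runs everything else` would do.
```ruby
def jobs_to_run(node_index, node_total)
  # … unchanged: all_tasks list …
  case node_total
  when 1
    all_tasks
  when 2
    rake_lint_all, *rest_jobs = all_tasks
    case node_index
    when 1 then [rake_lint_all]
    when 2 then rest_jobs
    else raise "CI_NODE_INDEX must be 1 or 2 when CI_NODE_TOTAL is 2 (got #{node_index})"
    end
  else
    raise "Parallelization > 2 (currently set to #{node_total}) isn't supported yet!"
  end
end

tasks = jobs_to_run(Integer(ENV.fetch('CI_NODE_INDEX', 1)), Integer(ENV.fetch('CI_NODE_TOTAL', 1)))
```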
@@ -312,4 +312,26 @@ describe Gitlab::Danger::Helper do it { is_expected.to match_array(['database', 'database::review pending']) } end end + + describe '#security_mr?' do + it 'returns false when `gitlab_helper` is unavailable' do + expect(helper).to receive(:gitlab_helper).and_return(nil) + + expect(helper).not_to be_security_mr + end + + it 'returns false when on a normal merge request' do + expect(fake_gitlab).to receive(:mr_json) + .and_return('web_url' => 'https://gitlab.com/gitlab-org/gitlab/merge_requests/1') + + expect(helper).not_to be_security_mr + end + + it 'returns true when on a security merge request' do + expect(fake_gitlab).to receive(:mr_json) + .and_return('web_url' => 'https://gitlab.com/gitlab-org/security/gitlab/merge_requests/1') + + expect(helper).to be_security_mr + end + end end diff --git a/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb b/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb index 1b28e26a7e8..c6a7912d384 100644 --- a/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb +++ b/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb @@ -23,11 +23,21 @@ describe Gitlab::ImportExport::AttributeCleaner do 'legit_html' => '<p>legit html</p>', '_html' => '<p>perfectly ordinary html</p>', 'cached_markdown_version' => 12345, + 'custom_attributes' => 'whatever', + 'some_attributes_metadata' => 'whatever', 'group_id' => 99, 'commit_id' => 99, 'issue_ids' => [1, 2, 3], 'merge_request_ids' => [1, 2, 3], - 'note_ids' => [1, 2, 3] + 'note_ids' => [1, 2, 3], + 'attributes' => { + 'issue_ids' => [1, 2, 3], + 'merge_request_ids' => [1, 2, 3], + 'note_ids' => [1, 2, 3] + }, + 'variables_attributes' => { + 'id' => 1 + } } end @@ -38,7 +48,8 @@ describe Gitlab::ImportExport::AttributeCleaner do 'random_id_in_the_middle' => 99, 'notid' => 99, 'group_id' => 99, - 'commit_id' => 99 + 'commit_id' => 99, + 'custom_attributes' => 'whatever' } end |