author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-09-19 03:12:30 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-09-19 03:12:30 +0300 |
commit | 3024d3ac9e2c7242cd3cfce70b6c103f357fa6a9 (patch) | |
tree | edcc7209e241f55d20c195463d1cb7ffdfe66f18 | |
parent | 3c5025227f284c91f95bea8dc095efc880b67812 (diff) |
Add latest changes from gitlab-org/gitlab@master
-rw-r--r-- | app/models/concerns/issue_available_features.rb | 2 | ||||
-rw-r--r-- | app/models/work_item.rb | 2 | ||||
-rw-r--r-- | app/services/system_notes/issuables_service.rb | 4 | ||||
-rw-r--r-- | config/feature_flags/development/keep_merge_commits_for_approvals.yml | 8 | ||||
-rw-r--r-- | doc/user/application_security/dast/checks/113.1.md | 27 | ||||
-rw-r--r-- | doc/user/application_security/dast/checks/16.7.md | 4 | ||||
-rw-r--r-- | doc/user/application_security/dast/checks/16.9.md | 2 | ||||
-rw-r--r-- | doc/user/application_security/dast/checks/index.md | 3 | ||||
-rw-r--r-- | doc/user/project/merge_requests/approvals/settings.md | 1 | ||||
-rw-r--r-- | doc/user/project/quick_actions.md | 2 | ||||
-rw-r--r-- | lib/gitlab/ci/templates/Jobs/Build.gitlab-ci.yml | 2 | ||||
-rw-r--r-- | lib/gitlab/ci/templates/Jobs/Build.latest.gitlab-ci.yml | 2 | ||||
-rw-r--r-- | spec/models/work_item_spec.rb | 2 | ||||
-rw-r--r-- | spec/services/notes/quick_actions_service_spec.rb | 39 | ||||
-rw-r--r-- | spec/services/quick_actions/interpret_service_spec.rb | 15 | ||||
-rw-r--r-- | spec/views/devise/shared/_signup_omniauth_provider_list_spec.rb | 50 |
16 files changed, 146 insertions, 19 deletions
diff --git a/app/models/concerns/issue_available_features.rb b/app/models/concerns/issue_available_features.rb
index 425754e0853..2969f1e1928 100644
--- a/app/models/concerns/issue_available_features.rb
+++ b/app/models/concerns/issue_available_features.rb
@@ -11,7 +11,7 @@ module IssueAvailableFeatures
     def available_features_for_issue_types
       {
         assignee: %w[issue incident],
-        confidentiality: %w[issue incident],
+        confidentiality: %w[issue incident objective key_result],
         time_tracking: %w[issue incident],
         move_and_clone: %w[issue incident]
       }.with_indifferent_access
diff --git a/app/models/work_item.rb b/app/models/work_item.rb
index e8a85053cc3..62b837eeeb6 100644
--- a/app/models/work_item.rb
+++ b/app/models/work_item.rb
@@ -5,7 +5,7 @@ class WorkItem < Issue
 
   COMMON_QUICK_ACTIONS_COMMANDS = [
     :title, :reopen, :close, :cc, :tableflip, :shrug, :type, :promote_to, :checkin_reminder,
-    :subscribe, :unsubscribe
+    :subscribe, :unsubscribe, :confidential, :award
   ].freeze
 
   self.table_name = 'issues'
diff --git a/app/services/system_notes/issuables_service.rb b/app/services/system_notes/issuables_service.rb
index 9d6b43634ec..04ae734a8fe 100644
--- a/app/services/system_notes/issuables_service.rb
+++ b/app/services/system_notes/issuables_service.rb
@@ -350,12 +350,12 @@ module SystemNotes
     # Returns the created Note object
     def change_issue_confidentiality
       if noteable.confidential
-        body = 'made the issue confidential'
+        body = "made the #{noteable_name} confidential"
         action = 'confidential'
 
         track_issue_event(:track_issue_made_confidential_action)
       else
-        body = 'made the issue visible to everyone'
+        body = "made the #{noteable_name} visible to everyone"
         action = 'visible'
 
         track_issue_event(:track_issue_made_visible_action)
diff --git a/config/feature_flags/development/keep_merge_commits_for_approvals.yml b/config/feature_flags/development/keep_merge_commits_for_approvals.yml
deleted file mode 100644
index a4791219dff..00000000000
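Review bot: `:confidential` is added to `COMMON_QUICK_ACTIONS_COMMANDS` in work_item.rb for every work item type, while the sibling hunk in issue_available_features.rb enables the confidentiality feature only for `issue incident objective key_result`; either the two lists should agree, or the command's availability condition must gate on that feature so that types such as tasks do not advertise a confidentiality toggle they do not support (the condition is not visible here). Confidentiality is an authorization boundary, so offering the flag on objectives and key results only helps if the read-path policies for those types already filter by `confidential`; the specs in this commit exercise setting the flag, not who can read the item afterwards, which is worth confirming. A comment on the constant would make the contract explicit: `# Quick actions offered on every work item type; each command's condition must still check the type's features`.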
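Review bot: `noteable_name` is interpolated into the system-note body in `change_issue_confidentiality` but is not defined in this hunk; presumably it is an existing helper on the service, and that should be confirmed since a missing method here would raise when the note is created. The method name and the `track_issue_event(:track_issue_made_confidential_action)` / `:track_issue_made_visible_action` calls still carry issue-specific names even though the body now varies by noteable type, so objectives and key results will be counted under the issue usage events unless that is intended. Update the header comment to reflect the new behaviour: `# Returns the created Note object; the body names the noteable type (e.g. "made the issue confidential")`. The method body continues past the end of the hunk.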
--- a/config/feature_flags/development/keep_merge_commits_for_approvals.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-name: keep_merge_commits_for_approvals
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/127744
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/419921
-milestone: '16.3'
-type: development
-group: group::code review
-default_enabled: false
diff --git a/doc/user/application_security/dast/checks/113.1.md b/doc/user/application_security/dast/checks/113.1.md
new file mode 100644
index 00000000000..44c3be330f2
--- /dev/null
+++ b/doc/user/application_security/dast/checks/113.1.md
@@ -0,0 +1,27 @@
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
+---
+
+# Improper Neutralization of CRLF Sequences in HTTP Headers
+
+## Description
+
+By inserting Carriage Return / Line Feed (CRLF) characters, malicious users could potentially inject arbitrary data into HTTP responses. By modifying HTTP responses, attackers could conduct cross-site scripting or cache poisoning attacks against other users of the system.
+
+## Remediation
+
+User input should never be used in constructing HTTP header responses without some form
+of validation against newlines. This includes URLs supplied by the user for HTTP redirects.
+
+## Details
+
+| ID | Aggregated | CWE | Type | Risk |
+|:---|:--------|:--------|:--------|:--------|
+| 113.1 | false | 113 | Active | high |
+
+## Links
+
+- [OWASP](https://owasp.org/www-community/attacks/HTTP_Response_Splitting)
+- [CWE](https://cwe.mitre.org/data/definitions/113.html)
diff --git a/doc/user/application_security/dast/checks/16.7.md b/doc/user/application_security/dast/checks/16.7.md
index edaace407ae..d407234d2c2 100644
--- a/doc/user/application_security/dast/checks/16.7.md
+++ b/doc/user/application_security/dast/checks/16.7.md
@@ -22,8 +22,8 @@ Only three directives are applicable for the `Strict-Transport-Security` header. 1. `includeSubDomains`: This optional, valueless directive signals that the policy applies to this host as well as any subdomains found under this host's domain. 1. `preload`: While not part of the specification, setting this optional value allows major browser organizations to add this site into the browser's preloaded set of HTTPS sites. This requires further action on behalf of the website operator to submit their domain to the browser's HSTS preload list. See [hstspreload.org](https://hstspreload.org/) for more information. -Invalid directives, or the `Strict-Transport-Security` header appearing more than once (if the -values are different) is considered invalid. +Note that invalid directives, or the `Strict-Transport-Security` header appearing more than once (if the values are +different) is considered invalid. Prior to adding to this security configuration to your website, it is recommended you review the hstspreload.org [Deployment Recommendations](https://hstspreload.org/#deployment-recommendations). diff --git a/doc/user/application_security/dast/checks/16.9.md b/doc/user/application_security/dast/checks/16.9.md index c63a620794e..b0ba502b578 100644 --- a/doc/user/application_security/dast/checks/16.9.md +++ b/doc/user/application_security/dast/checks/16.9.md @@ -9,7 +9,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w ## Description A `Content-Security-Policy-Report-Only` (CSPRO) was identified on the target site. CSP-Report-Only headers -aid in determining how to implement a `Content-Security-Policy` that does not disrupt use of the target +aid in determining how to implement a `Content-Security-Policy` that does not disrupt normal use of the target site. ## Remediation diff --git a/doc/user/application_security/dast/checks/index.md b/doc/user/application_security/dast/checks/index.md index 1b3ce45dc43..035f4a4b486 100644 
--- a/doc/user/application_security/dast/checks/index.md +++ b/doc/user/application_security/dast/checks/index.md @@ -4,7 +4,7 @@ group: Dynamic Analysis info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments --- -# DAST browser-based crawler vulnerability checks **(ULTIMATE ALL)** +# DAST browser-based crawler vulnerability checks **(ULTIMATE)** The [DAST browser-based crawler](../browser_based.md) provides a number of vulnerability checks that are used to scan for vulnerabilities in the site under test. @@ -167,4 +167,5 @@ The [DAST browser-based crawler](../browser_based.md) provides a number of vulne | ID | Check | Severity | Type | |:---|:------|:---------|:-----| +| [113.1](113.1.md) | Improper Neutralization of CRLF Sequences in HTTP Headers | High | Active | | [22.1](22.1.md) | Improper limitation of a pathname to a restricted directory (Path traversal) | High | Active | diff --git a/doc/user/project/merge_requests/approvals/settings.md b/doc/user/project/merge_requests/approvals/settings.md index b520ee41493..ae16eb2a790 100644 --- a/doc/user/project/merge_requests/approvals/settings.md +++ b/doc/user/project/merge_requests/approvals/settings.md @@ -65,6 +65,7 @@ this setting, unless you configure one of these options: > - Moved to GitLab Premium in 13.9. > - [Feature flag `keep_merge_commits_for_approvals`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/127744) added in GitLab 16.3 to also include merge commits in this check. +> - [Feature flag `keep_merge_commits_for_approvals`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131778) removed in GitLab 16.5. This check now includes merge commits. By default, users who commit to a merge request can still approve it. At both the project level or [instance level](../../../admin_area/merge_requests_approvals.md), 
diff --git a/doc/user/project/quick_actions.md b/doc/user/project/quick_actions.md index 38c179871af..097c726d163 100644 --- a/doc/user/project/quick_actions.md +++ b/doc/user/project/quick_actions.md 
@@ -146,11 +146,13 @@ To auto-format this table, use the VS Code Markdown Table formatter: `https://do |:--------------------------------------------------------------|:-----------------------|:-----------------------|:-----------------------|:-------| | `/assign @user1 @user2` | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | Assign one or more users. | | `/assign me` | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | Assign yourself. | +| `/award :emoji:` | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | Toggle an emoji reaction. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/412275) in GitLab 16.5 | | `/cc @user` | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | Mention a user. In GitLab 15.0 and later, this command performs no action. You can instead type `CC @user` or only `@user`. [In GitLab 14.9 and earlier](https://gitlab.com/gitlab-org/gitlab/-/issues/31200), mentioning a user at the start of a line creates a specific type of to-do item notification. | | `/checkin_reminder` | **{dotted-circle}** No| **{check-circle}** Yes | **{dotted-circle}** No | Set checkin reminder cadence. Options are `weekly`, `twice-monthly`, `monthly`, `never`. This action is behind a feature flag. | | `/clear_health_status` | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | Clear [health status](issues/managing_issues.md#health-status). | | `/clear_weight` | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | Clear weight. | | `/close` | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | Close. | +| `/confidential` | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | Mark work item as confidential. [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/412276) in GitLab 16.4. 
| | `/done` | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | Mark to-do item as done. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/412277) in GitLab 16.2. | | `/due <date>` | **{check-circle}** Yes | **{dotted-circle}** No | **{check-circle}** Yes | Set due date. Examples of valid `<date>` include `in 2 days`, `this Friday` and `December 31st`. | | `/health_status <value>` | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | Set [health status](issues/managing_issues.md#health-status). Valid options for `<value>` are `on_track`, `needs_attention`, or `at_risk`. | diff --git a/lib/gitlab/ci/templates/Jobs/Build.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/Build.gitlab-ci.yml index d57e0431d8e..07bc3fbe795 100644 --- a/lib/gitlab/ci/templates/Jobs/Build.gitlab-ci.yml +++ b/lib/gitlab/ci/templates/Jobs/Build.gitlab-ci.yml @@ -1,5 +1,5 @@ variables: - AUTO_BUILD_IMAGE_VERSION: 'v1.40.0' + AUTO_BUILD_IMAGE_VERSION: 'v1.41.0' build: stage: build diff --git a/lib/gitlab/ci/templates/Jobs/Build.latest.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/Build.latest.gitlab-ci.yml index d57e0431d8e..07bc3fbe795 100644 --- a/lib/gitlab/ci/templates/Jobs/Build.latest.gitlab-ci.yml +++ b/lib/gitlab/ci/templates/Jobs/Build.latest.gitlab-ci.yml @@ -1,5 +1,5 @@ variables: - AUTO_BUILD_IMAGE_VERSION: 'v1.40.0' + AUTO_BUILD_IMAGE_VERSION: 'v1.41.0' build: stage: build diff --git a/spec/models/work_item_spec.rb b/spec/models/work_item_spec.rb index 8be05d35375..4b675faf99e 100644 --- a/spec/models/work_item_spec.rb +++ b/spec/models/work_item_spec.rb 
@@ -166,7 +166,7 @@ RSpec.describe WorkItem, feature_category: :portfolio_management do
 
     it 'returns quick action commands supported for all work items' do
       is_expected.to include(:title, :reopen, :close, :cc, :tableflip, :shrug, :type, :promote_to, :checkin_reminder,
-        :subscribe, :unsubscribe)
+        :subscribe, :unsubscribe, :confidential, :award)
     end
 
   context 'when work item supports the assignee widget' do
diff --git a/spec/services/notes/quick_actions_service_spec.rb b/spec/services/notes/quick_actions_service_spec.rb
index 0065fd639b8..b6e29299fdd 100644
--- a/spec/services/notes/quick_actions_service_spec.rb
+++ b/spec/services/notes/quick_actions_service_spec.rb
@@ -188,6 +188,45 @@ RSpec.describe Notes::QuickActionsService, feature_category: :team_planning do
     end
   end
 
+  describe '/confidential' do
+    let_it_be_with_reload(:noteable) { create(:work_item, :issue, project: project) }
+    let_it_be(:note_text) { '/confidential' }
+    let_it_be(:note) { create(:note, noteable: noteable, project: project, note: note_text) }
+
+    context 'when work item does not have children' do
+      it 'leaves the note empty' do
+        expect(execute(note)).to be_empty
+      end
+
+      it 'marks work item as confidential' do
+        expect { execute(note) }.to change { noteable.reload.confidential }.from(false).to(true)
+      end
+    end
+
+    context 'when work item has children' do
+      before do
+        create(:parent_link, work_item: task, work_item_parent: noteable)
+      end
+
+      context 'when children are not confidential' do
+        let(:task) { create(:work_item, :task, project: project) }
+
+        it 'does not mark parent work item as confidential' do
+          expect { execute(note) }.to not_change { noteable.reload.confidential }.from(false)
+          expect(noteable.errors[:base]).to include('A confidential work item cannot have a parent that already has non-confidential children.')
+        end
+      end
+
+      context 'when children are confidential' do
+        let(:task) { create(:work_item, :confidential, :task, project: project) }
+
+        it 'marks parent work item as confidential' do
+          expect { execute(note) }.to change { noteable.reload.confidential }.from(false).to(true)
+        end
+      end
+    end
+  end
+
   describe 'note with command & text' do
     describe '/close, /label, /assign & /milestone' do
       let(:note_text) do
diff --git a/spec/services/quick_actions/interpret_service_spec.rb b/spec/services/quick_actions/interpret_service_spec.rb
index bac0be00617..5e7fb8397e3 100644
--- a/spec/services/quick_actions/interpret_service_spec.rb
+++ b/spec/services/quick_actions/interpret_service_spec.rb
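Review bot: The new `/confidential` examples only exercise a note author who is allowed to change confidentiality; since the command changes who can see the work item, a negative example (a user without permission to set confidentiality issues `/confidential`, `noteable.confidential` stays `false`) would pin the authorization path here, unless that is already covered in interpret_service_spec. The `execute` helper and the `project` fixture are defined outside the hunk, so the examples depend on the user they use. The 'children are not confidential' example asserts the full model error sentence, which couples the spec to wording; matching a fragment, `expect(noteable.errors[:base].join).to match(/non-confidential children/)`, would survive copy changes while still checking the reason.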
@@ -1872,11 +1872,21 @@ RSpec.describe QuickActions::InterpretService, feature_category: :team_planning
       let(:issuable) { merge_request }
     end
 
+    it_behaves_like 'award command' do
+      let(:content) { '/award :100:' }
+      let(:issuable) { work_item }
+    end
+
     context 'ignores command with no argument' do
       it_behaves_like 'failed command' do
         let(:content) { '/award' }
         let(:issuable) { issue }
       end
+
+      it_behaves_like 'failed command' do
+        let(:content) { '/award' }
+        let(:issuable) { work_item }
+      end
     end
 
     context 'ignores non-existing / invalid emojis' do
@@ -1889,6 +1899,11 @@ RSpec.describe QuickActions::InterpretService, feature_category: :team_planning
       let(:content) { '/award :lorem_ipsum:' }
       let(:issuable) { issue }
     end
+
+    it_behaves_like 'failed command' do
+      let(:content) { '/award :lorem_ipsum:' }
+      let(:issuable) { work_item }
+    end
   end
 
   context 'if issuable is a Commit' do
diff --git a/spec/views/devise/shared/_signup_omniauth_provider_list_spec.rb b/spec/views/devise/shared/_signup_omniauth_provider_list_spec.rb
new file mode 100644
index 00000000000..cc3ee52e73b
--- /dev/null
+++ b/spec/views/devise/shared/_signup_omniauth_provider_list_spec.rb
@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'devise/shared/_signup_omniauth_provider_list', feature_category: :system_access do
+  let_it_be(:provider_label) { :github }.freeze
+  let_it_be(:tracking_label) { 'free_registration' }.freeze
+  let_it_be(:tracking_action) { "#{provider_label}_sso" }.freeze
+
+  subject { rendered }
+
+  before do
+    allow(view).to receive(:providers).and_return([provider_label])
+    allow(view).to receive(:tracking_label).and_return(tracking_label)
+    allow(view).to receive(:glm_tracking_params).and_return({})
+  end
+
+  shared_examples 'sso buttons have snowplow tracking' do
+    it 'contains tracking attributes' do
+      css = "[data-track-action='#{tracking_action}']"
+      css += "[data-track-label='#{tracking_label}']"
+
+      expect(rendered).to have_css(css)
+    end
+  end
+
+  context 'when feature flag is true' do
+    before do
+      stub_feature_flags(restyle_login_page: true)
+
+      render
+    end
+
+    it { is_expected.to have_content(_("Register with:")) }
+
+    it_behaves_like 'sso buttons have snowplow tracking'
+  end
+
+  context 'when feature flag is false' do
+    before do
+      stub_feature_flags(restyle_login_page: false)
+
+      render
+    end
+
+    it { is_expected.to have_content(_("Create an account using:")) }
+
+    it_behaves_like 'sso buttons have snowplow tracking'
+  end
+end
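Review bot: The `.freeze` appended to the three `let_it_be` calls freezes whatever `let_it_be` itself returns, not the memoized `:github` / `'free_registration'` values, so it is a no-op and reads as if the fixtures were protected; drop it: `let_it_be(:provider_label) { :github }`, `let_it_be(:tracking_label) { 'free_registration' }`, `let_it_be(:tracking_action) { "#{provider_label}_sso" }`. The shared example asserts only the `data-track-action` / `data-track-label` attributes and the heading text, so a regression that rendered a tracked element without the actual provider sign-in control for `:github` would still pass; one assertion on the button or its form target would close that gap. `view`, `rendered` and `stub_feature_flags` come from the spec helpers, not this file.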