
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2022-02-03 14:35:56 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2022-02-03 14:35:56 +0300
commit33bbb6aa7b6369fea0037f3d8a9243824e48f64f (patch)
tree18ae1428e70ddcfe1115f355ebdad6ad6f0a6e56 /app/models/integrations
parent41fd6d4d38aaef723e501ff3ab38ae63e31d4efb (diff)
Add latest changes from gitlab-org/security/gitlab@14-7-stable-ee
Diffstat (limited to 'app/models/integrations')
-rw-r--r--app/models/integrations/bamboo.rb3
-rw-r--r--app/models/integrations/buildkite.rb2
-rw-r--r--app/models/integrations/drone_ci.rb26
-rw-r--r--app/models/integrations/jenkins.rb1
-rw-r--r--app/models/integrations/jira.rb10
-rw-r--r--app/models/integrations/mock_ci.rb23
-rw-r--r--app/models/integrations/teamcity.rb18
7 files changed, 58 insertions, 25 deletions
diff --git a/app/models/integrations/bamboo.rb b/app/models/integrations/bamboo.rb
index 0774b84b69f..57767c63cf4 100644
--- a/app/models/integrations/bamboo.rb
+++ b/app/models/integrations/bamboo.rb
@@ -4,6 +4,7 @@ module Integrations
class Bamboo < BaseCi
include ActionView::Helpers::UrlHelper
include ReactivelyCached
+ prepend EnableSslVerification
prop_accessor :bamboo_url, :build_key, :username, :password
@@ -162,7 +163,7 @@ module Integrations
end
def build_get_params(query_params)
- params = { verify: false, query: query_params }
+ params = { verify: enable_ssl_verification, query: query_params }
return params if username.blank? && password.blank?
query_params[:os_authType] = 'basic'
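Review bot: `verify:` in build_get_params now receives whatever `enable_ssl_verification` returns, and Bamboo defines no override for records saved before the property existed, unlike DroneCi and Teamcity in this commit; MockCi's commit_status further down is in the same position. The EnableSslVerification module is not shown on this page, so if it can return nil for such records, the request's verification behaviour depends on how the HTTP client interprets nil. I would document the intended legacy default above the method, for example `# enable_ssl_verification must resolve to an explicit true/false here; nil means the property was never saved`. build_get_params continues past the end of the hunk.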
diff --git a/app/models/integrations/buildkite.rb b/app/models/integrations/buildkite.rb
index 9fad3a42647..90593d78a5d 100644
--- a/app/models/integrations/buildkite.rb
+++ b/app/models/integrations/buildkite.rb
@@ -137,7 +137,7 @@ module Integrations
end
def request_options
- { verify: false, extra_log_info: { project_id: project_id } }
+ { extra_log_info: { project_id: project_id } }
end
end
end
diff --git a/app/models/integrations/drone_ci.rb b/app/models/integrations/drone_ci.rb
index 856d14c022d..3c18e5d8732 100644
--- a/app/models/integrations/drone_ci.rb
+++ b/app/models/integrations/drone_ci.rb
@@ -5,10 +5,12 @@ module Integrations
include HasWebHook
include PushDataValidations
include ReactivelyCached
+ prepend EnableSslVerification
extend Gitlab::Utils::Override
+ DRONE_SAAS_HOSTNAME = 'cloud.drone.io'
+
prop_accessor :drone_url, :token
- boolean_accessor :enable_ssl_verification
validates :drone_url, presence: true, public_url: true, if: :activated?
validates :token, presence: true, if: :activated?
@@ -95,8 +97,7 @@ module Integrations
def fields
[
{ type: 'text', name: 'token', help: s_('ProjectService|Token for the Drone project.'), required: true },
- { type: 'text', name: 'drone_url', title: s_('ProjectService|Drone server URL'), placeholder: 'http://drone.example.com', required: true },
- { type: 'checkbox', name: 'enable_ssl_verification', title: "Enable SSL verification" }
+ { type: 'text', name: 'drone_url', title: s_('ProjectService|Drone server URL'), placeholder: 'http://drone.example.com', required: true }
]
end
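Review bot: The `drone_url` placeholder in `fields` still reads `http://drone.example.com`, which steers users toward a plain-http URL where the verification setting this commit introduces has no effect. The hook URL built just below puts `access_token=#{token}` in the query string, so an http endpoint sends the token unencrypted. Changing the placeholder to `https://drone.example.com` is a one-word fix. Whether the `public_url` validation should also require https is a separate question, since it is not visible in this hunk.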
@@ -105,15 +106,24 @@ module Integrations
[drone_url, "/hook", "?owner=#{project.namespace.full_path}", "&name=#{project.path}", "&access_token=#{token}"].join
end
- override :hook_ssl_verification
- def hook_ssl_verification
- !!enable_ssl_verification
- end
-
override :update_web_hook!
def update_web_hook!
# If using a service template, project may not be available
super if project
end
+
+ def enable_ssl_verification
+ original_value = Gitlab::Utils.to_boolean(properties['enable_ssl_verification'])
+ original_value.nil? ? (new_record? || url_is_saas?) : original_value
+ end
+
+ private
+
+ def url_is_saas?
+ parsed_url = Addressable::URI.parse(drone_url)
+ parsed_url&.scheme == 'https' && parsed_url.hostname == DRONE_SAAS_HOSTNAME
+ rescue Addressable::URI::InvalidURIError
+ false
+ end
end
end
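Review bot: `url_is_saas?` compares scheme and host case-sensitively, so a stored value such as `HTTPS://Cloud.Drone.io` (constructed example) is not recognised as SaaS, and a persisted record with no saved setting then resolves to verification off. As far as I know Addressable does not lower-case these components on `parse`, so comparing the normalised forms closes the gap: `parsed_url&.normalized_scheme == 'https' && parsed_url.normalized_host == DRONE_SAAS_HOSTNAME`. The same scheme comparison appears in Teamcity's `url_is_saas?`. A short comment on `enable_ssl_verification` would also help, stating that an unset property on a persisted non-SaaS record resolves to false, presumably to keep existing self-signed setups working.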
diff --git a/app/models/integrations/jenkins.rb b/app/models/integrations/jenkins.rb
index e5c1d5ad0d7..5ea92170c26 100644
--- a/app/models/integrations/jenkins.rb
+++ b/app/models/integrations/jenkins.rb
@@ -4,6 +4,7 @@ module Integrations
class Jenkins < BaseCi
include HasWebHook
include ActionView::Helpers::UrlHelper
+ prepend EnableSslVerification
extend Gitlab::Utils::Override
prop_accessor :jenkins_url, :project_name, :username, :password
diff --git a/app/models/integrations/jira.rb b/app/models/integrations/jira.rb
index 816f5cbe177..966ad07afad 100644
--- a/app/models/integrations/jira.rb
+++ b/app/models/integrations/jira.rb
@@ -56,6 +56,12 @@ module Integrations
@reference_pattern ||= /(?<issue>\b#{Gitlab::Regex.jira_issue_key_regex})/
end
+ def self.valid_jira_cloud_url?(url)
+ return false unless url.present?
+
+ !!URI(url).hostname&.end_with?(JIRA_CLOUD_HOST)
+ end
+
def initialize_properties
{}
end
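Review bot: `valid_jira_cloud_url?` calls `URI(url)` without a rescue, so a malformed string raises `URI::InvalidURIError` out of a predicate that callers will expect to return true or false. The `url_is_saas?` helpers added for Drone and TeamCity in this commit rescue the parse error and return false; adding `rescue URI::InvalidURIError` followed by `false` to this method body would match them. The suffix test is only as strict as `JIRA_CLOUD_HOST`, which is defined outside this hunk: it needs to begin with a dot (the comment further down says `*.atlassian.net`), otherwise a different domain ending in the same letters would pass. The method also ignores the scheme, so `valid_` in the name promises more than is checked.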
@@ -565,7 +571,7 @@ module Integrations
end
def jira_cloud?
- server_info['deploymentType'] == 'Cloud' || URI(client_url).hostname.end_with?(JIRA_CLOUD_HOST)
+ server_info['deploymentType'] == 'Cloud' || self.class.valid_jira_cloud_url?(client_url)
end
def set_deployment_type_from_url
@@ -578,7 +584,7 @@ module Integrations
# we can only assume it's either Cloud or Server
# based on the URL being *.atlassian.net
- if URI(client_url).hostname.end_with?(JIRA_CLOUD_HOST)
+ if self.class.valid_jira_cloud_url?(client_url)
data_fields.deployment_cloud!
else
data_fields.deployment_server!
diff --git a/app/models/integrations/mock_ci.rb b/app/models/integrations/mock_ci.rb
index 7359be83d4f..568fb609a44 100644
--- a/app/models/integrations/mock_ci.rb
+++ b/app/models/integrations/mock_ci.rb
@@ -3,6 +3,8 @@
# For an example companion mocking service, see https://gitlab.com/gitlab-org/gitlab-mock-ci-service
module Integrations
class MockCi < BaseCi
+ prepend EnableSslVerification
+
ALLOWED_STATES = %w[failed canceled running pending success success-with-warnings skipped not_found].freeze
prop_accessor :mock_service_url
@@ -55,7 +57,7 @@ module Integrations
# # => 'running'
#
def commit_status(sha, ref)
- response = Gitlab::HTTP.get(commit_status_path(sha), verify: false, use_read_total_timeout: true)
+ response = Gitlab::HTTP.get(commit_status_path(sha), verify: enable_ssl_verification, use_read_total_timeout: true)
read_commit_status(response)
rescue Errno::ECONNREFUSED
:error
@@ -68,19 +70,16 @@ module Integrations
end
def read_commit_status(response)
- return :error unless response.code == 200 || response.code == 404
-
- status = if response.code == 404
- 'pending'
- else
- response['status']
- end
+ return :pending if response.code == 404
+ return :error unless response.code == 200
- if status.present? && ALLOWED_STATES.include?(status)
- status
- else
- :error
+ begin
+ status = Gitlab::Json.parse(response.body).try(:fetch, 'status', nil)
+ return status if ALLOWED_STATES.include?(status)
+ rescue JSON::ParserError
end
+
+ :error
end
def testable?
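Review bot: `Gitlab::Json.parse(response.body).try(:fetch, 'status', nil)` in read_commit_status raises `TypeError` when the remote service answers 200 with a JSON array, because `Array#fetch` is then called with a string index and only `JSON::ParserError` is rescued. Guarding on the parsed type avoids that: `parsed = Gitlab::Json.parse(response.body)` followed by `status = parsed['status'] if parsed.is_a?(Hash)`. The 404 branch now returns the symbol `:pending` where the removed code returned the string `'pending'`, while the 200 branch still returns strings from ALLOWED_STATES, so callers that compare against strings should be checked. The empty `rescue JSON::ParserError` deserves a one-line comment saying the fall-through to `:error` is intended.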
diff --git a/app/models/integrations/teamcity.rb b/app/models/integrations/teamcity.rb
index 008b591c304..f0f83f118d7 100644
--- a/app/models/integrations/teamcity.rb
+++ b/app/models/integrations/teamcity.rb
@@ -4,6 +4,9 @@ module Integrations
class Teamcity < BaseCi
include PushDataValidations
include ReactivelyCached
+ prepend EnableSslVerification
+
+ TEAMCITY_SAAS_HOSTNAME = /\A[^\.]+\.teamcity\.com\z/i.freeze
prop_accessor :teamcity_url, :build_type, :username, :password
@@ -104,8 +107,20 @@ module Integrations
end
end
+ def enable_ssl_verification
+ original_value = Gitlab::Utils.to_boolean(properties['enable_ssl_verification'])
+ original_value.nil? ? (new_record? || url_is_saas?) : original_value
+ end
+
private
+ def url_is_saas?
+ parsed_url = Addressable::URI.parse(teamcity_url)
+ parsed_url&.scheme == 'https' && parsed_url.hostname.match?(TEAMCITY_SAAS_HOSTNAME)
+ rescue Addressable::URI::InvalidURIError
+ false
+ end
+
def execute_push(data)
branch = Gitlab::Git.ref_name(data[:ref])
post_to_build_queue(data, branch) if push_valid?(data)
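Review bot: In `url_is_saas?`, `parsed_url.hostname.match?(TEAMCITY_SAAS_HOSTNAME)` raises `NoMethodError` when the URL has an https scheme but no host, because only `parsed_url` is nil-guarded and the rescue covers `Addressable::URI::InvalidURIError` alone. The Drone version compares with `==` and does not have this problem. Putting the regexp on the left handles nil: `parsed_url&.scheme == 'https' && TEAMCITY_SAAS_HOSTNAME.match?(parsed_url.hostname)`. Whether a host-less value can reach this method depends on the `teamcity_url` validation, which is outside the hunk. `enable_ssl_verification` is also a verbatim copy of the DroneCi method and could live in one shared place.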
@@ -155,7 +170,7 @@ module Integrations
end
def get_path(path)
- Gitlab::HTTP.try_get(build_url(path), verify: false, basic_auth: basic_auth, extra_log_info: { project_id: project_id }, use_read_total_timeout: true)
+ Gitlab::HTTP.try_get(build_url(path), verify: enable_ssl_verification, basic_auth: basic_auth, extra_log_info: { project_id: project_id }, use_read_total_timeout: true)
end
def post_to_build_queue(data, branch)
@@ -165,6 +180,7 @@ module Integrations
"<buildType id=#{build_type.encode(xml: :attr)}/>"\
'</build>',
headers: { 'Content-type' => 'application/xml' },
+ verify: enable_ssl_verification,
basic_auth: basic_auth,
use_read_total_timeout: true
)