Welcome to mirror list, hosted at ThFree Co, Russian Federation.

gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/app
diff options
context:
space:
mode:
authorGitLab Bot <gitlab-bot@gitlab.com>2022-09-29 00:59:41 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2022-09-29 00:59:41 +0300
commitcc201d1e1be2c8f4de2e2265c2b83bd925f8a260 (patch)
tree7347a079cde32c08900547d96a7c5ddbc2a50259 /app
parent70d9f335be46efecb1328cd2b7da3f3e17516d7d (diff)
Add latest changes from gitlab-org/security/gitlab@15-4-stable-ee
Diffstat (limited to 'app')
-rw-r--r--app/assets/javascripts/vue_merge_request_widget/components/extensions/child_content.vue21
-rw-r--r--app/assets/javascripts/vue_merge_request_widget/components/extensions/utils.js9
-rw-r--r--app/assets/javascripts/vue_merge_request_widget/extensions/code_quality/index.js25
-rw-r--r--app/assets/javascripts/vue_merge_request_widget/extensions/terraform/index.js12
-rw-r--r--app/assets/javascripts/vue_merge_request_widget/extensions/test_report/utils.js2
-rw-r--r--app/policies/issuable_policy.rb6
-rw-r--r--app/policies/note_policy.rb1
-rw-r--r--app/policies/todo_policy.rb17
8 files changed, 63 insertions, 30 deletions
diff --git a/app/assets/javascripts/vue_merge_request_widget/components/extensions/child_content.vue b/app/assets/javascripts/vue_merge_request_widget/components/extensions/child_content.vue
index 52c9f047b76..a10e5efa0e7 100644
--- a/app/assets/javascripts/vue_merge_request_widget/components/extensions/child_content.vue
+++ b/app/assets/javascripts/vue_merge_request_widget/components/extensions/child_content.vue
@@ -1,5 +1,6 @@
<script>
import { GlBadge, GlLink, GlSafeHtmlDirective, GlModalDirective } from '@gitlab/ui';
+import { isArray } from 'lodash';
import Actions from '../action_buttons.vue';
import StatusIcon from './status_icon.vue';
import { generateText } from './utils';
@@ -35,6 +36,20 @@ export default {
required: true,
},
},
+ computed: {
+ subtext() {
+ const { subtext } = this.data;
+ if (subtext) {
+ if (isArray(subtext)) {
+ return subtext.map((t) => generateText(t)).join('<br />');
+ }
+
+ return generateText(subtext);
+ }
+
+ return null;
+ },
+ },
methods: {
isArray(arr) {
return Array.isArray(arr);
@@ -93,11 +108,7 @@ export default {
@clickedAction="onClickedAction"
/>
</div>
- <p
- v-if="data.subtext"
- v-safe-html="generateText(data.subtext)"
- class="gl-m-0 gl-font-sm"
- ></p>
+ <p v-if="subtext" v-safe-html="subtext" class="gl-m-0 gl-font-sm"></p>
</div>
</div>
<template v-if="data.children && level === 2">
diff --git a/app/assets/javascripts/vue_merge_request_widget/components/extensions/utils.js b/app/assets/javascripts/vue_merge_request_widget/components/extensions/utils.js
index cba12507eba..757178ee336 100644
--- a/app/assets/javascripts/vue_merge_request_widget/components/extensions/utils.js
+++ b/app/assets/javascripts/vue_merge_request_widget/components/extensions/utils.js
@@ -35,6 +35,9 @@ const textStyleTags = {
[getStartTag('small')]: '<span class="gl-font-sm gl-text-gray-700">',
};
+const escapeText = (text) =>
+ document.createElement('div').appendChild(document.createTextNode(text)).parentNode.innerHTML;
+
const createText = (text) => {
return text
.replace(
@@ -61,7 +64,7 @@ const createText = (text) => {
export const generateText = (text) => {
if (typeof text === 'string') {
- return createText(text);
+ return createText(escapeText(text));
} else if (
typeof text === 'object' &&
typeof text.text === 'string' &&
@@ -69,8 +72,8 @@ export const generateText = (text) => {
) {
return createText(
`${
- text.prependText ? `${text.prependText} ` : ''
- }<a class="gl-text-decoration-underline" href="${text.href}">${text.text}</a>`,
+ text.prependText ? `${escapeText(text.prependText)} ` : ''
+ }<a class="gl-text-decoration-underline" href="${text.href}">${escapeText(text.text)}</a>`,
);
}
diff --git a/app/assets/javascripts/vue_merge_request_widget/extensions/code_quality/index.js b/app/assets/javascripts/vue_merge_request_widget/extensions/code_quality/index.js
index 2477429af5b..68347ac269e 100644
--- a/app/assets/javascripts/vue_merge_request_widget/extensions/code_quality/index.js
+++ b/app/assets/javascripts/vue_merge_request_widget/extensions/code_quality/index.js
@@ -19,25 +19,23 @@ export default {
if (errorSummary.errored >= 1 && errorSummary.resolved >= 1) {
const improvements = sprintf(
n__(
- '%{strongOpen}%{errors}%{strongClose} point',
- '%{strongOpen}%{errors}%{strongClose} points',
+ '%{strong_start}%{errors}%{strong_end} point',
+ '%{strong_start}%{errors}%{strong_end} points',
resolvedErrors.length,
),
{
errors: resolvedErrors.length,
- strongOpen: '<strong>',
- strongClose: '</strong>',
},
false,
);
const degradations = sprintf(
n__(
- '%{strongOpen}%{errors}%{strongClose} point',
- '%{strongOpen}%{errors}%{strongClose} points',
+ '%{strong_start}%{errors}%{strong_end} point',
+ '%{strong_start}%{errors}%{strong_end} points',
newErrors.length,
),
- { errors: newErrors.length, strongOpen: '<strong>', strongClose: '</strong>' },
+ { errors: newErrors.length },
false,
);
return sprintf(
@@ -96,14 +94,11 @@ export default {
this.collapsedData.resolvedErrors.map((e) => {
return fullData.push({
text: `${capitalizeFirstCharacter(e.severity)} - ${e.description}`,
- subtext: sprintf(
- s__(`ciReport|in %{open_link}${e.file_path}:${e.line}%{close_link}`),
- {
- open_link: `<a class="gl-text-decoration-underline" href="${e.urlPath}">`,
- close_link: '</a>',
- },
- false,
- ),
+ subtext: {
+ prependText: s__(`ciReport|in`),
+ text: `${e.file_path}:${e.line}`,
+ href: e.urlPath,
+ },
icon: {
name: SEVERITY_ICONS_EXTENSION[e.severity],
},
diff --git a/app/assets/javascripts/vue_merge_request_widget/extensions/terraform/index.js b/app/assets/javascripts/vue_merge_request_widget/extensions/terraform/index.js
index 6611aedcb07..626a99f7d64 100644
--- a/app/assets/javascripts/vue_merge_request_widget/extensions/terraform/index.js
+++ b/app/assets/javascripts/vue_merge_request_widget/extensions/terraform/index.js
@@ -63,13 +63,16 @@ export default {
if (valid.length) {
title = validText;
if (invalid.length) {
- subtitle = sprintf(`<br>%{small_start}${invalidText}%{small_end}`);
+ subtitle = invalidText;
}
} else {
title = invalidText;
}
- return `${title}${subtitle}`;
+ return {
+ subject: title,
+ meta: subtitle,
+ };
},
fetchCollapsedData() {
return axios
@@ -152,9 +155,8 @@ export default {
}
return {
- text: `${title}
- <br>
- ${subtitle}`,
+ text: title,
+ supportingText: subtitle,
icon: { name: iconName },
actions,
};
diff --git a/app/assets/javascripts/vue_merge_request_widget/extensions/test_report/utils.js b/app/assets/javascripts/vue_merge_request_widget/extensions/test_report/utils.js
index 6896f8831e8..37f9964d23a 100644
--- a/app/assets/javascripts/vue_merge_request_widget/extensions/test_report/utils.js
+++ b/app/assets/javascripts/vue_merge_request_widget/extensions/test_report/utils.js
@@ -60,7 +60,7 @@ export const reportSubTextBuilder = ({ suite_errors: suiteErrors, summary }) =>
if (suiteErrors?.base) {
errors.push(`${i18n.baseReportParsingError} ${suiteErrors.base}`);
}
- return errors.join('<br />');
+ return errors;
}
return recentFailuresTextBuilder(summary);
};
diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb
index e5913bab726..e864ce8752a 100644
--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -22,6 +22,12 @@ class IssuablePolicy < BasePolicy
enable :reopen_issue
end
+ # This rule replicates permissions in NotePolicy#can_read_confidential and it's used in
+ # TodoPolicy for performance reasons
+ rule { can?(:reporter_access) | assignee_or_author | admin }.policy do
+ enable :read_confidential_notes
+ end
+
rule { can?(:read_merge_request) & assignee_or_author }.policy do
enable :update_merge_request
enable :reopen_merge_request
diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb
index e85f18f2d37..1bffcc5aea2 100644
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
@@ -20,6 +20,7 @@ class NotePolicy < BasePolicy
condition(:confidential, scope: :subject) { @subject.confidential? }
+ # If this condition changes IssuablePolicy#read_confidential_notes should be updated too
condition(:can_read_confidential) do
access_level >= Gitlab::Access::REPORTER || @subject.noteable_assignee_or_author?(@user) || admin?
end
diff --git a/app/policies/todo_policy.rb b/app/policies/todo_policy.rb
index 6237fbc50fa..5c24964f24a 100644
--- a/app/policies/todo_policy.rb
+++ b/app/policies/todo_policy.rb
@@ -5,10 +5,25 @@ class TodoPolicy < BasePolicy
condition(:own_todo) do
@user && @subject.user_id == @user.id
end
+
+ desc "User can read the todo's target"
condition(:can_read_target) do
@user && @subject.target&.readable_by?(@user)
end
+ desc "Todo has confidential note"
+ condition(:has_confidential_note, scope: :subject) { @subject&.note&.confidential? }
+
+ desc "User can read the todo's confidential note"
+ condition(:can_read_todo_confidential_note) do
+ @user && @user.can?(:read_confidential_notes, @subject.target)
+ end
+
rule { own_todo & can_read_target }.enable :read_todo
- rule { own_todo & can_read_target }.enable :update_todo
+ rule { can?(:read_todo) }.enable :update_todo
+
+ rule { has_confidential_note & ~can_read_todo_confidential_note }.policy do
+ prevent :read_todo
+ prevent :update_todo
+ end
end
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-31 11:10:10 +0300