author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-03-30 02:49:36 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-03-30 02:49:49 +0300 |
commit | 56ff640a2f919e9d0e450964081381a8eccef5e4 (patch) | |
tree | 5fd092431f067f6e2d21f887efa8dd0194a89f5b /app | |
parent | 3dd03a1a19e6b788ec1296044e28f7727e5149a6 (diff) |
Add latest changes from gitlab-org/security/gitlab@15-10-stable-ee
Diffstat (limited to 'app')
-rw-r--r-- | app/finders/notes_finder.rb | 8 | ||||
-rw-r--r-- | app/models/concerns/taskable.rb | 36 | ||||
-rw-r--r-- | app/services/merge_requests/push_options_handler_service.rb | 10 |
3 files changed, 41 insertions, 13 deletions
diff --git a/app/finders/notes_finder.rb b/app/finders/notes_finder.rb
index c542ffbce7e..81017290f12 100644
--- a/app/finders/notes_finder.rb
+++ b/app/finders/notes_finder.rb
@@ -30,6 +30,7 @@ class NotesFinder
     notes = init_collection
     notes = since_fetch_at(notes)
     notes = notes.with_notes_filter(@params[:notes_filter]) if notes_filter?
+    notes = redact_internal(notes)
     sort(notes)
   end
 
@@ -181,6 +182,13 @@ class NotesFinder
 
     notes.order_by(sort)
   end
+
+  def redact_internal(notes)
+    subject = @project || target
+    return notes if Ability.allowed?(@current_user, :read_internal_note, subject)
+
+    notes.not_internal
+  end
 end
 
 NotesFinder.prepend_mod_with('NotesFinder')
diff --git a/app/models/concerns/taskable.rb b/app/models/concerns/taskable.rb
index f9eba4cc2fe..dee1c820f23 100644
--- a/app/models/concerns/taskable.rb
+++ b/app/models/concerns/taskable.rb
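Review bot: `redact_internal` relies on `Ability.allowed?` treating a nil subject as not allowed when neither `@project` nor `target` is set (which I believe is the case, but it is not visible in this hunk), and that fail-closed behaviour is stated nowhere, so a later refactor could loosen it without noticing. A header comment would pin it down: `# Hide internal notes unless the user may read them on the project (or, without a project, on the noteable); a missing subject falls through to not_internal.`. The redaction is applied only inside `execute`; whether other public entry points of the finder hand out the unfiltered collection cannot be judged from this hunk. Both `execute` and the class body extend outside the hunk.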
@@ -24,25 +24,37 @@ module Taskable
       (\s.+) # followed by whitespace and some text.
     }x.freeze
 
+  ITEM_PATTERN_UNTRUSTED =
+    '^' \
+    '(?:(?:>\s{0,4})*)' \
+    '(?P<prefix>(?:\s*(?:[-+*]|(?:\d+\.)))+)' \
+    '\s+' \
+    '(?P<checkbox>' \
+    "#{COMPLETE_PATTERN.source}|#{INCOMPLETE_PATTERN.source}" \
+    ')' \
+    '(?P<label>\s.+)'.freeze
+
   # ignore tasks in code or html comment blocks. HTML blocks
   # are ok as we allow tasks inside <detail> blocks
-  REGEX = %r{
-    #{::Gitlab::Regex.markdown_code_or_html_comments}
-    |
-    (?<task_item>
-      #{ITEM_PATTERN}
-    )
-  }mx.freeze
+  REGEX =
+    "#{::Gitlab::Regex.markdown_code_or_html_comments_untrusted}" \
+    "|" \
+    "(?P<task_item>" \
+    "#{ITEM_PATTERN_UNTRUSTED}" \
+    ")".freeze
 
   def self.get_tasks(content)
     items = []
 
-    content.to_s.scan(REGEX) do
-      next unless $~[:task_item]
+    regex = Gitlab::UntrustedRegexp.new(REGEX, multiline: true)
+    regex.scan(content.to_s).each do |match|
+      next unless regex.extract_named_group(:task_item, match)
+
+      prefix = regex.extract_named_group(:prefix, match)
+      checkbox = regex.extract_named_group(:checkbox, match)
+      label = regex.extract_named_group(:label, match)
 
-      $~[:task_item].scan(ITEM_PATTERN) do |prefix, checkbox, label|
-        items << TaskList::Item.new("#{prefix.strip} #{checkbox}", label.strip)
-      end
+      items << TaskList::Item.new("#{prefix.strip} #{checkbox}", label.strip)
     end
 
     items
diff --git a/app/services/merge_requests/push_options_handler_service.rb b/app/services/merge_requests/push_options_handler_service.rb
index 235dc6678df..e9abafceb13 100644
--- a/app/services/merge_requests/push_options_handler_service.rb
+++ b/app/services/merge_requests/push_options_handler_service.rb
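Review bot: `ITEM_PATTERN_UNTRUSTED` is an RE2-syntax restatement of `ITEM_PATTERN` (whose tail `(\s.+)` is the context line just above it), yet nothing ties the two constants together, so an edit to one will silently drift from the other. A comment above the new constant should say so: `# RE2-compatible copy of ITEM_PATTERN for Gitlab::UntrustedRegexp ((?P<name>) groups); keep both patterns in sync.`. Because `COMPLETE_PATTERN.source` and `INCOMPLETE_PATTERN.source` are interpolated into that string, those two patterns must also remain RE2-compatible, which is worth stating in the same comment. The old `get_tasks` re-scanned each `task_item` with `ITEM_PATTERN` whereas the new code yields one item per outer match; this is presumably equivalent, but a spec exercising a blockquoted list would confirm it.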
@@ -54,7 +54,15 @@ module MergeRequests
     end
 
     def validate_service
-      errors << 'User is required' if current_user.nil?
+      if current_user.nil?
+        errors << 'User is required'
+        return
+      end
+
+      unless current_user&.can?(:read_code, target_project)
+        errors << 'User access was denied'
+        return
+      end
 
       unless target_project.merge_requests_enabled?
         errors << "Merge requests are not enabled for project #{target_project.full_path}" |
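Review bot: The safe navigation in `unless current_user&.can?(:read_code, target_project)` is redundant, because the `if current_user.nil?` branch just above already returned; it reads as though `current_user` could still be nil at this point and obscures that this line is the new access check. Prefer `unless current_user.can?(:read_code, target_project)`. A short why-comment would also help the next reader, e.g. `# Push options must not act on a project the pushing user cannot read.`. `validate_service` continues past the end of the hunk.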