
authorGitLab Bot <gitlab-bot@gitlab.com>2022-11-30 07:50:46 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2022-11-30 07:50:46 +0300
commite6572d41b847c839ce49bc022a8cd1b99216798b (patch)
tree419eeffb09aafcd9d5a82e43c823b8cfbf88963e /app
parent1f6654659564013b8aa4f3572158cb63d3a519c1 (diff)
Add latest changes from gitlab-org/security/gitlab@15-6-stable-ee
Diffstat (limited to 'app')
-rw-r--r--app/models/hooks/web_hook.rb6
-rw-r--r--app/models/hooks/web_hook_log.rb7
-rw-r--r--app/models/integrations/jira.rb5
-rw-r--r--app/models/repository.rb8
-rw-r--r--app/services/markup/rendering_service.rb8
-rw-r--r--app/services/packages/nuget/metadata_extraction_service.rb10
-rw-r--r--app/services/projects/import_service.rb32
-rw-r--r--app/services/web_hooks/log_execution_service.rb2
-rw-r--r--app/views/projects/tags/_release_link.html.haml9
-rw-r--r--app/views/projects/tags/show.html.haml13
10 files changed, 72 insertions, 28 deletions
diff --git a/app/models/hooks/web_hook.rb b/app/models/hooks/web_hook.rb
index 05e50c17988..946cdda2e75 100644
--- a/app/models/hooks/web_hook.rb
+++ b/app/models/hooks/web_hook.rb
@@ -39,6 +39,8 @@ class WebHook < ApplicationRecord
validates :token, format: { without: /\n/ }
after_initialize :initialize_url_variables
+
+ before_validation :reset_token
before_validation :set_branch_filter_nil, \
if: -> { branch_filter_strategy_all_branches? && enhanced_webhook_support_regex? }
validates :push_events_branch_filter, \
@@ -218,6 +220,10 @@ class WebHook < ApplicationRecord
private
+ def reset_token
+ self.token = nil if url_changed? && !encrypted_token_changed?
+ end
+
def next_failure_count
recent_failures.succ.clamp(1, MAX_FAILURES)
end
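Review bot: `reset_token` keys only on `url_changed?`, yet `after_initialize :initialize_url_variables` at the top of this file suggests hook URLs can contain interpolated variables, so an edit to `url_variables` alone could presumably change the destination host without the token being cleared — worth confirming and, if so, extending the condition to `url_changed? || url_variables_changed?`. The callback is also undocumented; add above it `# Clear the secret token whenever the destination URL changes, unless a new token is set in the same update (presumably so an existing token is never delivered to a newly chosen endpoint).` The enclosing class continues outside the hunk.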
diff --git a/app/models/hooks/web_hook_log.rb b/app/models/hooks/web_hook_log.rb
index 2b26147b494..9de6f2a1b57 100644
--- a/app/models/hooks/web_hook_log.rb
+++ b/app/models/hooks/web_hook_log.rb
@@ -48,6 +48,13 @@ class WebHookLog < ApplicationRecord
request_data == OVERSIZE_REQUEST_DATA
end
+ def request_headers
+ super unless web_hook.token?
+ super if self[:request_headers]['X-Gitlab-Token'] == _('[REDACTED]')
+
+ self[:request_headers].merge('X-Gitlab-Token' => _('[REDACTED]'))
+ end
+
private
def obfuscate_basic_auth
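Review bot: The two guard lines in `request_headers` have no `return`, so `super` is evaluated and discarded and execution always falls through to the merge; a log for a hook without a token gets a fabricated `X-Gitlab-Token => [REDACTED]` entry and the already-redacted check is a no-op. Change them to `return super unless web_hook.token?` and `return super if self[:request_headers]['X-Gitlab-Token'] == _('[REDACTED]')`. If the stored `request_headers` can be nil (not visible here), the `['X-Gitlab-Token']` lookup also needs a nil guard.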
diff --git a/app/models/integrations/jira.rb b/app/models/integrations/jira.rb
index 30497c0110e..65492bfd9c2 100644
--- a/app/models/integrations/jira.rb
+++ b/app/models/integrations/jira.rb
@@ -97,7 +97,10 @@ module Integrations
def self.valid_jira_cloud_url?(url)
return false unless url.present?
- !!URI(url).hostname&.end_with?(JIRA_CLOUD_HOST)
+ uri = URI.parse(url)
+ uri.is_a?(URI::HTTPS) && !!uri.hostname&.end_with?(JIRA_CLOUD_HOST)
+ rescue URI::InvalidURIError
+ false
end
def data_fields
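Review bot: `end_with?(JIRA_CLOUD_HOST)` is a plain suffix match, so unless `JIRA_CLOUD_HOST` (defined outside this hunk) begins with a dot, a hostname such as `evil-atlassian.net` would still pass; if it does not, compare as `host == JIRA_CLOUD_HOST || host.end_with?(".#{JIRA_CLOUD_HOST}")`. The `URI::HTTPS` class check is the right fix for the scheme. A one-line comment would help the next reader: `# True only for an https URL whose host is the Jira Cloud host or a subdomain of it; unparsable URLs return false rather than raising.`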
diff --git a/app/models/repository.rb b/app/models/repository.rb
index 95d1b815e74..90e87de4a5b 100644
--- a/app/models/repository.rb
+++ b/app/models/repository.rb
@@ -984,12 +984,12 @@ class Repository
end
end
- def clone_as_mirror(url, http_authorization_header: "")
- import_repository(url, http_authorization_header: http_authorization_header, mirror: true)
+ def clone_as_mirror(url, http_authorization_header: "", resolved_address: "")
+ import_repository(url, http_authorization_header: http_authorization_header, mirror: true, resolved_address: resolved_address)
end
- def fetch_as_mirror(url, forced: false, refmap: :all_refs, prune: true, http_authorization_header: "")
- fetch_remote(url, refmap: refmap, forced: forced, prune: prune, http_authorization_header: http_authorization_header)
+ def fetch_as_mirror(url, forced: false, refmap: :all_refs, prune: true, http_authorization_header: "", resolved_address: "")
+ fetch_remote(url, refmap: refmap, forced: forced, prune: prune, http_authorization_header: http_authorization_header, resolved_address: resolved_address)
end
def fetch_source_branch!(source_repository, source_branch, local_ref)
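Review bot: `resolved_address` is added to both signatures with an empty-string default and no documentation, so every existing caller silently keeps the pre-patch behaviour of letting the fetch resolve the host itself. Add above `clone_as_mirror` a comment such as `# resolved_address: IP the URL's host was already validated to resolve to (see Projects::ImportService); "" presumably leaves name resolution to git, reopening the DNS-rebinding window between validation and fetch.` Confirm the wording against `import_repository`/`fetch_remote`, which are outside this hunk.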
diff --git a/app/services/markup/rendering_service.rb b/app/services/markup/rendering_service.rb
index 0142d600522..c4abbb6b5b0 100644
--- a/app/services/markup/rendering_service.rb
+++ b/app/services/markup/rendering_service.rb
@@ -2,8 +2,6 @@
module Markup
class RenderingService
- include ActionView::Helpers::TextHelper
-
# Let's increase the render timeout
# For a smaller one, a test that renders the blob content statically fails
# We can consider removing this custom timeout when markup_rendering_timeout FF is removed:
@@ -51,7 +49,7 @@ module Markup
rescue StandardError => e
Gitlab::ErrorTracking.track_exception(e, project_id: context[:project]&.id, file_name: file_name)
- simple_format(text)
+ ActionController::Base.helpers.simple_format(text)
end
def markdown_unsafe
@@ -63,7 +61,9 @@ module Markup
end
def plain_unsafe
- "<pre class=\"plain-readme\">#{text}</pre>"
+ ActionController::Base.helpers.content_tag :pre, class: 'plain-readme' do
+ text
+ end
end
def other_markup_unsafe
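Review bot: `plain_unsafe` now depends on `content_tag` to escape `text`, and `content_tag` (like `capture`) skips escaping for a string already marked `html_safe`; if any caller can hand in a SafeBuffer (not visible here) the pre block would again emit raw markup, so convert with `String.new(text)` first if that is possible. The reason for the change is not recorded in the code; add `# content_tag HTML-escapes text (unless it is already html_safe), so raw file content cannot inject markup into the page.` above the call. Note the `_unsafe` suffix no longer describes what this branch does.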
diff --git a/app/services/packages/nuget/metadata_extraction_service.rb b/app/services/packages/nuget/metadata_extraction_service.rb
index 66abd189153..02086b2a282 100644
--- a/app/services/packages/nuget/metadata_extraction_service.rb
+++ b/app/services/packages/nuget/metadata_extraction_service.rb
@@ -104,9 +104,15 @@ module Packages
entry = zip_file.glob('*.nuspec').first
raise ExtractionError, 'nuspec file not found' unless entry
- raise ExtractionError, 'nuspec file too big' if entry.size > MAX_FILE_SIZE
+ raise ExtractionError, 'nuspec file too big' if MAX_FILE_SIZE < entry.size
- entry.get_input_stream.read
+ Tempfile.open("nuget_extraction_package_file_#{@package_file_id}") do |file|
+ entry.extract(file.path) { true } # allow #extract to overwrite the file
+ file.unlink
+ file.read
+ end
+ rescue Zip::EntrySizeError => e
+ raise ExtractionError, "nuspec file has the wrong entry size: #{e.message}"
end
end
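Review bot: The switch from `get_input_stream.read` to `Entry#extract` is unexplained in the code; the `Zip::EntrySizeError` rescue suggests it is there so rubyzip compares the real decompressed length with the declared `entry.size` that the `MAX_FILE_SIZE` check trusts, which the streaming read never verified. Add above `Tempfile.open`: `# Extract rather than stream so rubyzip validates the actual decompressed size against the header value checked above (raises Zip::EntrySizeError on a mismatch).` That validation only fires when `Zip.validate_entry_sizes` is enabled (the default in recent rubyzip, if I recall) — worth asserting in configuration. `file.unlink` before `file.read` also relies on POSIX keeping the open inode readable; a short comment there, `# unlink first; the open handle keeps the data readable on POSIX`, would save the next reader a puzzle.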
diff --git a/app/services/projects/import_service.rb b/app/services/projects/import_service.rb
index de7ede4eabf..6a13b8e38c1 100644
--- a/app/services/projects/import_service.rb
+++ b/app/services/projects/import_service.rb
@@ -53,6 +53,8 @@ module Projects
private
+ attr_reader :resolved_address
+
def after_execute_hook
# Defined in EE::Projects::ImportService
end
@@ -64,11 +66,7 @@ module Projects
def add_repository_to_project
if project.external_import? && !unknown_url?
begin
- Gitlab::UrlBlocker.validate!(
- project.import_url,
- schemes: Project::VALID_IMPORT_PROTOCOLS,
- ports: Project::VALID_IMPORT_PORTS
- )
+ @resolved_address = get_resolved_address
rescue Gitlab::UrlBlocker::BlockedUrlError => e
raise e, s_("ImportProjects|Blocked import URL: %{message}") % { message: e.message }
end
@@ -97,9 +95,9 @@ module Projects
if refmap
project.ensure_repository
- project.repository.fetch_as_mirror(project.import_url, refmap: refmap)
+ project.repository.fetch_as_mirror(project.import_url, refmap: refmap, resolved_address: resolved_address)
else
- project.repository.import_repository(project.import_url)
+ project.repository.import_repository(project.import_url, resolved_address: resolved_address)
end
rescue ::Gitlab::Git::CommandError => e
# Expire cache to prevent scenarios such as:
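Review bot: `resolved_address` here is an `attr_reader` over `@resolved_address`, which is only assigned inside the `external_import? && !unknown_url?` branch, so on the other paths `nil` is passed explicitly instead of the callee's `""` default; confirm that `fetch_as_mirror`/`import_repository` treat nil and `""` alike, or initialise it, e.g. `@resolved_address = ''` before the branch. The enclosing method starts outside the hunk.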
@@ -157,6 +155,26 @@ module Projects
def importer_imports_repository?
has_importer? && importer_class.try(:imports_repository?)
end
+
+ def get_resolved_address
+ Gitlab::UrlBlocker
+ .validate!(
+ project.import_url,
+ schemes: Project::VALID_IMPORT_PROTOCOLS,
+ ports: Project::VALID_IMPORT_PORTS,
+ dns_rebind_protection: dns_rebind_protection?)
+ .then do |(import_url, resolved_host)|
+ next '' if resolved_host.nil? || !import_url.scheme.in?(%w[http https])
+
+ import_url.host.to_s
+ end
+ end
+
+ def dns_rebind_protection?
+ return false if Gitlab.http_proxy_env?
+
+ Gitlab::CurrentSettings.dns_rebinding_protection_enabled?
+ end
end
end
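Review bot: `get_resolved_address` pins the fetch only for http/https and only when `dns_rebind_protection?` is true, which it never is behind an HTTP proxy; both gaps look deliberate but are undocumented, and `import_url.host.to_s` is assumed to carry the resolved IP rather than the original hostname — presumably `UrlBlocker.validate!` substitutes it when rebind protection is on, which should be confirmed since otherwise the pinning is a no-op. Add above the method: `# Validates the import URL and returns the IP its host resolved to, so the later git fetch cannot be redirected by a DNS rebind; returns "" (no pinning) for non-HTTP schemes or when rebind protection is off, e.g. behind an HTTP proxy that resolves names itself.` The `get_` prefix is also unidiomatic Ruby; `resolve_import_address` would read better.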
diff --git a/app/services/web_hooks/log_execution_service.rb b/app/services/web_hooks/log_execution_service.rb
index 1a40c877bda..448bb7d4097 100644
--- a/app/services/web_hooks/log_execution_service.rb
+++ b/app/services/web_hooks/log_execution_service.rb
@@ -24,6 +24,8 @@ module WebHooks
private
def log_execution
+ log_data[:request_headers]['X-Gitlab-Token'] = _('[REDACTED]') if hook.token?
+
WebHookLog.create!(web_hook: hook, **log_data)
end
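Review bot: The redaction mutates `log_data[:request_headers]` in place; if that hash is the same object used to build the outgoing request or kept by the caller for a retry (not visible here), the real token header would be replaced by `[REDACTED]` there too. Redact on a copy instead: `headers = log_data[:request_headers].merge('X-Gitlab-Token' => _('[REDACTED]'))` and `WebHookLog.create!(web_hook: hook, **log_data.merge(request_headers: headers))`. The exact-case key also assumes the stored header name matches `'X-Gitlab-Token'` byte for byte, and a nil `request_headers` would raise here.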
diff --git a/app/views/projects/tags/_release_link.html.haml b/app/views/projects/tags/_release_link.html.haml
index c942d122a58..6c79b13f438 100644
--- a/app/views/projects/tags/_release_link.html.haml
+++ b/app/views/projects/tags/_release_link.html.haml
@@ -1,4 +1,5 @@
-.gl-text-secondary
- = sprite_icon("rocket", size: 12)
- = _("Release")
- = link_to release.name, project_release_path(project, release), class: "gl-text-blue-600!"
+- if can?(current_user, :read_release, release)
+ .gl-text-secondary
+ = sprite_icon("rocket", size: 12)
+ = _("Release")
+ = link_to release.name, project_release_path(project, release), class: "gl-text-blue-600!"
diff --git a/app/views/projects/tags/show.html.haml b/app/views/projects/tags/show.html.haml
index cb7751ecf2e..a9c3309e38c 100644
--- a/app/views/projects/tags/show.html.haml
+++ b/app/views/projects/tags/show.html.haml
@@ -57,12 +57,13 @@
%pre.wrap{ data: { qa_selector: 'tag_message_content' } }
= strip_signature(@tag.message)
-.gl-mb-3.gl-mt-3
- - if @release&.description.present?
- .description.md{ data: { qa_selector: 'tag_release_notes_content' } }
- = markdown_field(@release, :description)
- - else
- = s_('TagsPage|This tag has no release notes.')
+- if can?(current_user, :read_release, @release)
+ .gl-mb-3.gl-mt-3
+ - if @release&.description.present?
+ .description.md{ data: { qa_selector: 'tag_release_notes_content' } }
+ = markdown_field(@release, :description)
+ - else
+ = s_('TagsPage|This tag has no release notes.')
- if can?(current_user, :admin_tag, @project)
.js-delete-tag-modal
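Review bot: Wrapping the whole block in `can?(current_user, :read_release, @release)` changes behaviour for tags with no release: if `can?` denies on a nil subject (as DeclarativePolicy's nil policy does, if I recall), the "This tag has no release notes." message can no longer be reached for a nil `@release`, and the `else` branch is dead for that case. Guarding only the description keeps the message and also avoids disclosing that an unreadable release exists: `- if @release&.description.present? && can?(current_user, :read_release, @release)` with the existing `- else` / message lines unchanged.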