diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-12-13 01:59:11 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-12-13 01:59:11 +0300 |
commit | 076c0771c4245b6cb1529a524d46eab77e780b83 (patch) | |
tree | d991401759abda98879b03069fae8e0be3ffd24e /lib | |
parent | b3bafbaae0a5ad8d18bf08f2f0c75ea9c945505b (diff) |
Add latest changes from gitlab-org/security/gitlab@16-4-stable-ee
Diffstat (limited to 'lib')
-rw-r--r-- | lib/api/ci/pipeline_schedules.rb | 19 | ||||
-rw-r--r-- | lib/api/resource_access_tokens.rb | 8 | ||||
-rw-r--r-- | lib/gitlab/checks/tag_check.rb | 13 |
3 files changed, 34 insertions, 6 deletions
diff --git a/lib/api/ci/pipeline_schedules.rb b/lib/api/ci/pipeline_schedules.rb index 1087c734f98..48e9f6d879b 100644 --- a/lib/api/ci/pipeline_schedules.rb +++ b/lib/api/ci/pipeline_schedules.rb @@ -219,11 +219,16 @@ module API documentation: { default: 'env_var' } end post ':id/pipeline_schedules/:pipeline_schedule_id/variables' do + authorize! :set_pipeline_variables, user_project authorize! :update_pipeline_schedule, pipeline_schedule - variable_params = declared_params(include_missing: false) - variable = pipeline_schedule.variables.create(variable_params) - if variable.persisted? + response = ::Ci::PipelineSchedules::VariablesCreateService + .new(pipeline_schedule, current_user, declared_params(include_missing: false)) + .execute + + variable = response.payload + + if response.success? present variable, with: Entities::Ci::Variable else render_validation_error!(variable) @@ -247,9 +252,14 @@ module API documentation: { default: 'env_var' } end put ':id/pipeline_schedules/:pipeline_schedule_id/variables/:key' do + authorize! :set_pipeline_variables, user_project authorize! :update_pipeline_schedule, pipeline_schedule - if pipeline_schedule_variable.update(declared_params(include_missing: false)) + response = ::Ci::PipelineSchedules::VariablesUpdateService + .new(pipeline_schedule_variable, current_user, declared_params(include_missing: false)) + .execute + + if response.success? present pipeline_schedule_variable, with: Entities::Ci::Variable else render_validation_error!(pipeline_schedule_variable) @@ -269,6 +279,7 @@ module API requires :key, type: String, desc: 'The key of the variable', documentation: { example: 'NEW_VARIABLE' } end delete ':id/pipeline_schedules/:pipeline_schedule_id/variables/:key' do + authorize! :set_pipeline_variables, user_project authorize! :admin_pipeline_schedule, pipeline_schedule status :accepted diff --git a/lib/api/resource_access_tokens.rb b/lib/api/resource_access_tokens.rb index 1ad5bc8d421..abdd1e6c472 100644 --- a/lib/api/resource_access_tokens.rb +++ b/lib/api/resource_access_tokens.rb @@ -149,7 +149,13 @@ module API token = find_token(resource, params[:token_id]) if resource_accessible if token - response = ::PersonalAccessTokens::RotateService.new(current_user, token).execute + response = if source_type == "project" + ::ProjectAccessTokens::RotateService.new(current_user, token, resource) + .execute(declared_params) + else + ::PersonalAccessTokens::RotateService.new(current_user, token) + .execute(declared_params) + end if response.success? status :ok diff --git a/lib/gitlab/checks/tag_check.rb b/lib/gitlab/checks/tag_check.rb index 4505bcb5411..07e6c50fb56 100644 --- a/lib/gitlab/checks/tag_check.rb +++ b/lib/gitlab/checks/tag_check.rb @@ -11,7 +11,8 @@ module Gitlab delete_protected_tag_non_web: 'You can only delete protected tags using the web interface.', create_protected_tag: 'You are not allowed to create this tag as it is protected.', default_branch_collision: 'You cannot use default branch name to create a tag', - prohibited_tag_name: 'You cannot create a tag with a prohibited pattern.' + prohibited_tag_name: 'You cannot create a tag with a prohibited pattern.', + prohibited_sha_tag_name: 'You cannot create a tag with a SHA-1 or SHA-256 tag name.' }.freeze LOG_MESSAGES = { @@ -20,6 +21,8 @@ module Gitlab protected_tag_checks: "Checking if you are creating, updating or deleting a protected tag..." }.freeze + STARTS_WITH_SHA_REGEX = %r{\A#{Gitlab::Git::Commit::RAW_FULL_SHA_PATTERN}}o + def validate! return unless tag_name @@ -46,6 +49,8 @@ module Gitlab if tag_name.start_with?("refs/tags/") # rubocop: disable Style/GuardClause raise GitAccess::ForbiddenError, ERROR_MESSAGES[:prohibited_tag_name] end + + validate_tag_name_not_sha_like! end def protected_tag_checks @@ -77,6 +82,12 @@ module Gitlab end end end + + def validate_tag_name_not_sha_like! + return unless STARTS_WITH_SHA_REGEX.match?(tag_name) + + raise GitAccess::ForbiddenError, ERROR_MESSAGES[:prohibited_sha_tag_name] + end end end end |