authorGitLab Bot <gitlab-bot@gitlab.com>2023-12-13 01:59:11 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-12-13 01:59:11 +0300
commit076c0771c4245b6cb1529a524d46eab77e780b83 (patch)
treed991401759abda98879b03069fae8e0be3ffd24e /lib
parentb3bafbaae0a5ad8d18bf08f2f0c75ea9c945505b (diff)
Add latest changes from gitlab-org/security/gitlab@16-4-stable-ee
Diffstat (limited to 'lib')
-rw-r--r--lib/api/ci/pipeline_schedules.rb19
-rw-r--r--lib/api/resource_access_tokens.rb8
-rw-r--r--lib/gitlab/checks/tag_check.rb13
3 files changed, 34 insertions, 6 deletions
diff --git a/lib/api/ci/pipeline_schedules.rb b/lib/api/ci/pipeline_schedules.rb
index 1087c734f98..48e9f6d879b 100644
--- a/lib/api/ci/pipeline_schedules.rb
+++ b/lib/api/ci/pipeline_schedules.rb
@@ -219,11 +219,16 @@ module API
documentation: { default: 'env_var' }
end
post ':id/pipeline_schedules/:pipeline_schedule_id/variables' do
+ authorize! :set_pipeline_variables, user_project
authorize! :update_pipeline_schedule, pipeline_schedule
- variable_params = declared_params(include_missing: false)
- variable = pipeline_schedule.variables.create(variable_params)
- if variable.persisted?
+ response = ::Ci::PipelineSchedules::VariablesCreateService
+ .new(pipeline_schedule, current_user, declared_params(include_missing: false))
+ .execute
+
+ variable = response.payload
+
+ if response.success?
present variable, with: Entities::Ci::Variable
else
render_validation_error!(variable)
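Review bot: The failure branch still calls `render_validation_error!(variable)`, but `variable` is now `response.payload`, whose shape on failure is decided by `VariablesCreateService` (not in this diff); if the service can fail without returning a record carrying `errors` — for example a permission or precondition error raised before `create` — this line would render a nil or a bare payload. Guarding it, e.g. `variable&.errors&.any? ? render_validation_error!(variable) : render_api_error!(response.message, 400)`, keeps the error path tied to what the service actually returned (presumably `response.message` is set; confirm against the service). The same applies to the `put` hunk below, where `render_validation_error!(pipeline_schedule_variable)` assumes the update service only fails by adding errors to the record. The `post` block continues outside the hunk.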
@@ -247,9 +252,14 @@ module API
documentation: { default: 'env_var' }
end
put ':id/pipeline_schedules/:pipeline_schedule_id/variables/:key' do
+ authorize! :set_pipeline_variables, user_project
authorize! :update_pipeline_schedule, pipeline_schedule
- if pipeline_schedule_variable.update(declared_params(include_missing: false))
+ response = ::Ci::PipelineSchedules::VariablesUpdateService
+ .new(pipeline_schedule_variable, current_user, declared_params(include_missing: false))
+ .execute
+
+ if response.success?
present pipeline_schedule_variable, with: Entities::Ci::Variable
else
render_validation_error!(pipeline_schedule_variable)
@@ -269,6 +279,7 @@ module API
requires :key, type: String, desc: 'The key of the variable', documentation: { example: 'NEW_VARIABLE' }
end
delete ':id/pipeline_schedules/:pipeline_schedule_id/variables/:key' do
+ authorize! :set_pipeline_variables, user_project
authorize! :admin_pipeline_schedule, pipeline_schedule
status :accepted
diff --git a/lib/api/resource_access_tokens.rb b/lib/api/resource_access_tokens.rb
index 1ad5bc8d421..abdd1e6c472 100644
--- a/lib/api/resource_access_tokens.rb
+++ b/lib/api/resource_access_tokens.rb
@@ -149,7 +149,13 @@ module API
token = find_token(resource, params[:token_id]) if resource_accessible
if token
- response = ::PersonalAccessTokens::RotateService.new(current_user, token).execute
+ response = if source_type == "project"
+ ::ProjectAccessTokens::RotateService.new(current_user, token, resource)
+ .execute(declared_params)
+ else
+ ::PersonalAccessTokens::RotateService.new(current_user, token)
+ .execute(declared_params)
+ end
if response.success?
status :ok
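Review bot: The dispatch on `source_type == "project"` sends every other source type (groups, presumably, given this file's name) to `PersonalAccessTokens::RotateService`, which unlike the project service is not given `resource`; whether the group path needs the same resource-scoped checks is not visible here. If that asymmetry is deliberate, it deserves a one-line comment above the conditional, e.g. `# Only project tokens have a resource-scoped rotate service; group tokens rotate as personal tokens.` Extracting the conditional into a private helper such as `rotate_service_for(token, resource)` would also keep this endpoint body focused on the response handling. The enclosing route block starts and ends outside the hunk.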
diff --git a/lib/gitlab/checks/tag_check.rb b/lib/gitlab/checks/tag_check.rb
index 4505bcb5411..07e6c50fb56 100644
--- a/lib/gitlab/checks/tag_check.rb
+++ b/lib/gitlab/checks/tag_check.rb
@@ -11,7 +11,8 @@ module Gitlab
delete_protected_tag_non_web: 'You can only delete protected tags using the web interface.',
create_protected_tag: 'You are not allowed to create this tag as it is protected.',
default_branch_collision: 'You cannot use default branch name to create a tag',
- prohibited_tag_name: 'You cannot create a tag with a prohibited pattern.'
+ prohibited_tag_name: 'You cannot create a tag with a prohibited pattern.',
+ prohibited_sha_tag_name: 'You cannot create a tag with a SHA-1 or SHA-256 tag name.'
}.freeze
LOG_MESSAGES = {
@@ -20,6 +21,8 @@ module Gitlab
protected_tag_checks: "Checking if you are creating, updating or deleting a protected tag..."
}.freeze
+ STARTS_WITH_SHA_REGEX = %r{\A#{Gitlab::Git::Commit::RAW_FULL_SHA_PATTERN}}o
+
def validate!
return unless tag_name
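Review bot: `STARTS_WITH_SHA_REGEX` is anchored only at the start (`\A`), so `validate_tag_name_not_sha_like!` in the last hunk rejects any tag whose name merely begins with a full SHA pattern (e.g. `<sha>-release`), which is broader than the error message "a SHA-1 or SHA-256 tag name" suggests; whether `RAW_FULL_SHA_PATTERN` itself ends in a boundary is not visible here. If the prefix match is intentional, a comment above the constant such as `# Prefix match on purpose: a tag starting with a full SHA-1/SHA-256 is ambiguous with a raw object id` would stop a later maintainer from "fixing" it by adding `\z`. The `validate!` method that gains the new call in the third hunk starts outside that hunk, and whether the new method lands under a `private` marker is likewise outside the last hunk.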
@@ -46,6 +49,8 @@ module Gitlab
if tag_name.start_with?("refs/tags/") # rubocop: disable Style/GuardClause
raise GitAccess::ForbiddenError, ERROR_MESSAGES[:prohibited_tag_name]
end
+
+ validate_tag_name_not_sha_like!
end
def protected_tag_checks
@@ -77,6 +82,12 @@ module Gitlab
end
end
end
+
+ def validate_tag_name_not_sha_like!
+ return unless STARTS_WITH_SHA_REGEX.match?(tag_name)
+
+ raise GitAccess::ForbiddenError, ERROR_MESSAGES[:prohibited_sha_tag_name]
+ end
end
end
end