author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-09-28 01:26:40 +0300 |
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-09-28 01:26:58 +0300 |
commit | 5b91f2a1e51c291fb84ea60766791684fa982f22 (patch) | |
tree | 5eea88eb04d1ddd52210bfd08167e6a8d7206362 /lib | |
parent | f0f3848e7a0b458c35a1adf3cb1cca29a205a60e (diff) |
Add latest changes from gitlab-org/security/gitlab@16-4-stable-ee
Diffstat (limited to 'lib')
-rw-r--r-- | lib/api/commits.rb | 2 | ||||
-rw-r--r-- | lib/api/projects.rb | 2 | ||||
-rw-r--r-- | lib/banzai/filter/asset_proxy_filter.rb | 8 |
3 files changed, 6 insertions, 6 deletions
diff --git a/lib/api/commits.rb b/lib/api/commits.rb
index 069d117db17..c0222539c98 100644
--- a/lib/api/commits.rb
+++ b/lib/api/commits.rb
@@ -219,7 +219,7 @@ module API
 if params[:start_project]
 start_project = find_project!(params[:start_project])
- unless user_project.forked_from?(start_project)
+ unless can?(current_user, :read_code, start_project) && user_project.forked_from?(start_project)
 forbidden!("Project is not included in the fork network for #{start_project.full_name}")
 end
 end
 
diff --git a/lib/api/projects.rb b/lib/api/projects.rb
index 6d13512aad6..ac28effea43 100644
--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
@@ -701,7 +701,7 @@ module API
 requires :forked_from_id, type: String, desc: 'The ID of the project it was forked from', documentation: { example: 'gitlab' }
 end
 post ":id/fork/:forked_from_id", feature_category: :source_code_management do
- authorize! :admin_project, user_project
+ authorize! :link_forked_project, user_project
 
 fork_from_project = find_project!(params[:forked_from_id])
 
diff --git a/lib/banzai/filter/asset_proxy_filter.rb b/lib/banzai/filter/asset_proxy_filter.rb
index 00ffdd3d809..512c55381ec 100644
--- a/lib/banzai/filter/asset_proxy_filter.rb
+++ b/lib/banzai/filter/asset_proxy_filter.rb
@@ -22,13 +22,13 @@ module Banzai
 begin
 uri = URI.parse(original_src)
+
+ next if uri.host.nil? && !original_src.start_with?('///')
+ next if asset_host_allowed?(uri.host)
 rescue StandardError
- next
+ # Ignored
 end
 
- next if uri.host.nil? && !original_src.start_with?('///')
- next if asset_host_allowed?(uri.host)
-
 element['src'] = asset_proxy_url(original_src)
 element['data-canonical-src'] = original_src
 end
 
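Review bot: The `forbidden!` on the line after the new condition still says "Project is not included in the fork network" and interpolates `start_project.full_name` even when the failure is the new `:read_code` check, so the two failure reasons are indistinguishable to the client and the wording is misleading for the authorization case. Since `can?` is evaluated first and short-circuits, `forked_from?` never runs for a user who lacks read_code on the start project, which looks like the intent; a comment would keep that ordering from being "simplified" away: `# :read_code on start_project is checked first so the fork-network relationship is never evaluated for a project whose code the user cannot read`. Whether the 403 should name the project at all in the authorization case depends on what `find_project!` on the line above already enforces, which is outside the hunk. The enclosing endpoint block starts and ends outside the hunk.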
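Review bot: The changed `authorize!` line checks `:link_forked_project` only on `user_project`; the source project returned by `find_project!` two lines below is not authorized in this hunk, so any read check on it rests on `find_project!`, whose behaviour is not visible here. If that split is intentional it deserves a one-line comment above the call, e.g. `# Linking requires :link_forked_project on the target; readability of the source project is enforced by find_project! below`. The `:link_forked_project` ability is not defined in any file listed in this diffstat (limited to lib), so the policy definition presumably lives elsewhere in the commit and should be confirmed. The endpoint body continues past the hunk.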
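Review bot: The `# Ignored` comment on the new rescue branch does not explain the behaviour it now produces: with both `next if` guards moved inside the `begin`, any StandardError raised by `URI.parse`, `uri.host` or `asset_host_allowed?` falls through to `element['src'] = asset_proxy_url(original_src)`, so a src that cannot be parsed or verified is now proxied instead of being left untouched as the removed `next` did. That fail-closed outcome is the substance of the change and should be stated where a later reader would otherwise "fix" it back: `# Fail closed: a src we cannot parse or verify is proxied rather than skipped`. The broad `rescue StandardError` will also mask programming errors in `asset_host_allowed?` by silently proxying, which is the safe direction but can hide regressions, so logging the exception in that branch is worth considering. The enclosing iteration block starts and ends outside the hunk.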