author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-06-07 17:47:00 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-06-07 17:47:00 +0300 |
commit | 08086ff522742c28a6b10e9b2ed71f0af6633e5b (patch) | |
tree | 5a4fde8b23140cb4edf04b24854b53f87085dd42 /lib | |
parent | 8f3fbbf0d56091ad87158f61bf2a4e96a7f937e3 (diff) |
Add latest changes from gitlab-org/gitlab@13-12-stable-ee
Diffstat (limited to 'lib')
-rw-r--r-- | lib/api/entities/release.rb | 7 | ||||
-rw-r--r-- | lib/api/releases.rb | 9 | ||||
-rw-r--r-- | lib/gitlab/content_security_policy/config_loader.rb | 12 |
3 files changed, 16 insertions, 12 deletions
diff --git a/lib/api/entities/release.rb b/lib/api/entities/release.rb index 94124352298..056b54674f1 100644 --- a/lib/api/entities/release.rb +++ b/lib/api/entities/release.rb @@ -8,7 +8,7 @@ module API expose :name expose :tag, as: :tag_name, if: ->(_, _) { can_download_code? } expose :description - expose :description_html, unless: ->(_, _) { remove_description_html? } do |entity| + expose :description_html, if: -> (_, options) { options[:include_html_description] } do |entity| MarkupHelper.markdown_field(entity, :description, current_user: options[:current_user]) end expose :created_at @@ -45,11 +45,6 @@ module API def can_read_milestone? Ability.allowed?(options[:current_user], :read_milestone, object.project) end - - def remove_description_html? - ::Feature.enabled?(:remove_description_html_in_release_api, object.project, default_enabled: :yaml) && - ::Feature.disabled?(:remove_description_html_in_release_api_override, object.project) - end end end end diff --git a/lib/api/releases.rb b/lib/api/releases.rb index c65a23e334f..7cd8b442706 100644 --- a/lib/api/releases.rb +++ b/lib/api/releases.rb @@ -29,6 +29,8 @@ module API desc: 'Return releases ordered by `released_at` or `created_at`.' optional :sort, type: String, values: %w[asc desc], default: 'desc', desc: 'Return releases sorted in `asc` or `desc` order.' + optional :include_html_description, type: Boolean, + desc: 'If `true`, a response includes HTML rendered markdown of the release description.' end get ':id/releases' do releases = ::ReleasesFinder.new(user_project, current_user, declared_params.slice(:order_by, :sort)).execute @@ -43,7 +45,8 @@ module API # context is unnecessary here. cache_context: -> (_) { "user:{#{current_user&.id}}" }, expires_in: 5.minutes, - current_user: current_user + current_user: current_user, + include_html_description: params[:include_html_description] end desc 'Get a single project release' do 
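Review bot: The new `if:` lambda on the `expose :description_html` line is written `-> (_, options)` with a space before the parameter list, while the `if:` lambda on the `expose :tag` line two lines above it uses `->(_, _)`; RuboCop's Layout/SpaceInLambdaLiteral would flag the inconsistency within the same entity. Change it to `expose :description_html, if: ->(_, options) { options[:include_html_description] } do |entity|`. The entity class this `expose` belongs to begins and ends outside the hunk.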
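Review bot: `optional :include_html_description, type: Boolean` declares no `default:`, so when a client omits the parameter `params[:include_html_description]` is nil rather than false, and the generated parameter documentation only has the `desc:` sentence, which describes the `true` case and says nothing about the omitted case. Adding `default: false` makes the opt-in explicit and documents it: `optional :include_html_description, type: Boolean, default: false,` followed by the existing `desc:` line. The same parameter block is repeated for the `:id/releases/:tag_name` endpoint in the hunk starting `@@ -53,11 +56,13`, which should get the same default. The enclosing `params do` block begins before the hunk.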
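Review bot: The cached listing now varies with `params[:include_html_description]`, but the `cache_context` passed to `present_cached` still keys on the user id alone (`"user:{#{current_user&.id}}"`). I cannot see from the hunk whether `present_cached` folds its presenter options into the cache key; if it does not, a listing rendered for one value of the flag is served to the same user's later request with the other value for up to the 5-minute `expires_in`, so `description_html` appears or is missing regardless of what was asked for. Fold the flag into the context so the two shapes are cached separately: `cache_context: -> (_) { "user:{#{current_user&.id}}:html:{#{params[:include_html_description]}}" },`. The `present_cached` call and its argument list begin before the hunk.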
@@ -53,11 +56,13 @@ module API end params do requires :tag_name, type: String, desc: 'The name of the tag', as: :tag + optional :include_html_description, type: Boolean, + desc: 'If `true`, a response includes HTML rendered markdown of the release description.' end get ':id/releases/:tag_name', requirements: RELEASE_ENDPOINT_REQUIREMENTS do authorize_download_code! - present release, with: Entities::Release, current_user: current_user + present release, with: Entities::Release, current_user: current_user, include_html_description: params[:include_html_description] end desc 'Create a new release' do diff --git a/lib/gitlab/content_security_policy/config_loader.rb b/lib/gitlab/content_security_policy/config_loader.rb index 6f6147f0f32..e42b174e085 100644 --- a/lib/gitlab/content_security_policy/config_loader.rb +++ b/lib/gitlab/content_security_policy/config_loader.rb 
@@ -9,21 +9,20 @@ module Gitlab def self.default_settings_hash settings_hash = { - 'enabled' => true, + 'enabled' => Rails.env.development? || Rails.env.test?, 'report_only' => false, 'directives' => { 'default_src' => "'self'", 'base_uri' => "'self'", - 'child_src' => "'none'", 'connect_src' => "'self'", 'font_src' => "'self'", 'form_action' => "'self' https: http:", 'frame_ancestors' => "'self'", - 'frame_src' => "'self' https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com", + 'frame_src' => "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com", 'img_src' => "'self' data: blob: http: https:", 'manifest_src' => "'self'", 'media_src' => "'self'", - 'script_src' => "'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.recaptcha.net https://apis.google.com", + 'script_src' => "'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com", 'style_src' => "'self' 'unsafe-inline'", 'worker_src' => "'self'", 'object_src' => "'none'", @@ -31,6 +30,11 @@ module Gitlab } } + # frame-src was deprecated in CSP level 2 in favor of child-src + # CSP level 3 "undeprecated" frame-src and browsers fall back on child-src if it's missing + # However Safari seems to read child-src first so we'll just keep both equal + settings_hash['directives']['child_src'] = settings_hash['directives']['frame_src'] + allow_webpack_dev_server(settings_hash) if Rails.env.development? allow_cdn(settings_hash) if ENV['GITLAB_CDN_HOST'].present? |
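Review bot: `'enabled' => Rails.env.development? || Rails.env.test?` makes the shipped default for the Content-Security-Policy header depend on the Rails environment, so a production instance that never overrides this setting sends no CSP header at all, and nothing on that line or around it says so. Add a comment above it such as `# CSP is on by default only in development and test; production deployments opt in through the instance CSP setting.` so the next reader does not take the hash for an always-on default. It is also worth a comment on the `script_src` line that, as I understand CSP level 3, browsers that honour `'strict-dynamic'` ignore the host entries such as the newly added `https://www.google.com/recaptcha/`, so that entry is effective only in browsers without `'strict-dynamic'` support. The `default_settings_hash` method continues into the next hunk, which is cut off at the end of the page.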