diff options
author | John Jarvis <jarv@gitlab.com> | 2018-12-27 14:38:20 +0300 |
---|---|---|
committer | John Jarvis <jarv@gitlab.com> | 2018-12-27 14:38:20 +0300 |
commit | 6154ac9a841cff70ab9cf66adbf7543466b9e6cb (patch) | |
tree | 93003ec90e1b66c15940f47497b2a3cd8dbe7024 /lib | |
parent | 9fc6f8312f2002b5ae97e30da084ce905983855c (diff) | |
parent | b0e6341ad176abe903c5117c1c0a10ffd25de55b (diff) |
Merge branch 'security-11-6' of dev.gitlab.org:gitlab/gitlabhq into 11-6-stable
Diffstat (limited to 'lib')
-rw-r--r-- | lib/api/entities.rb | 17 | ||||
-rw-r--r-- | lib/api/helpers/runner.rb | 30 | ||||
-rw-r--r-- | lib/api/jobs.rb | 5 | ||||
-rw-r--r-- | lib/api/runner.rb | 8 | ||||
-rw-r--r-- | lib/banzai/filter/external_link_filter.rb | 12 | ||||
-rw-r--r-- | lib/banzai/filter/label_reference_filter.rb | 6 | ||||
-rw-r--r-- | lib/gitlab/auth.rb | 2 | ||||
-rw-r--r-- | lib/gitlab/ci/pipeline/chain/command.rb | 8 | ||||
-rw-r--r-- | lib/gitlab/ci/pipeline/chain/validate/repository.rb | 4 | ||||
-rw-r--r-- | lib/gitlab/git.rb | 4 |
10 files changed, 65 insertions, 31 deletions
diff --git a/lib/api/entities.rb b/lib/api/entities.rb index b83a5c14190..cedbc0a9154 100644 --- a/lib/api/entities.rb +++ b/lib/api/entities.rb @@ -1356,7 +1356,17 @@ module API end class Dependency < Grape::Entity - expose :id, :name, :token + expose :id, :name + expose :token do |dependency, options| + # overrides the job's dependency authorization token + # with the token of the job that is being run + # this way we use the parent job auth token + # + # ideally we would change the runner implementation to + # use different token, but this would require upgrade of + # all runners which is impossible + options[:auth_token] + end expose :artifacts_file, using: JobArtifactFile, if: ->(job, _) { job.artifacts? } end @@ -1384,7 +1394,10 @@ module API expose :artifacts, using: Artifacts expose :cache, using: Cache expose :credentials, using: Credentials - expose :dependencies, using: Dependency + expose :dependencies do |model| + Dependency.represent(model.dependencies, + options.merge(auth_token: model.token)) + end expose :features end end diff --git a/lib/api/helpers/runner.rb b/lib/api/helpers/runner.rb index 45d0343bc89..1a296c8ddb2 100644 --- a/lib/api/helpers/runner.rb +++ b/lib/api/helpers/runner.rb @@ -36,26 +36,32 @@ module API def validate_job!(job) not_found! unless job - yield if block_given? - project = job.project - forbidden!('Project has been deleted!') if project.nil? || project.pending_delete? - forbidden!('Job has been erased!') if job.erased? + job_forbidden!(job, 'Project has been deleted!') if project.nil? || project.pending_delete? + job_forbidden!(job, 'Job has been erased!') if job.erased? + job_forbidden!(job, 'Not running!') unless job.running? end - def authenticate_job! - job = Ci::Build.find_by_id(params[:id]) + def authenticate_job_by_token! + token = (params[JOB_TOKEN_PARAM] || env[JOB_TOKEN_HEADER]).to_s - validate_job!(job) do - forbidden! unless job_token_valid?(job) + Ci::Build.find_by_token(token).tap do |job| + validate_job!(job) end + end - job + # we look for a job that has ID and token matching + def authenticate_job! + authenticate_job_by_token!.tap do |job| + job_forbidden!(job, 'Invalid Job ID!') unless job.id == params[:id] + end end - def job_token_valid?(job) - token = (params[JOB_TOKEN_PARAM] || env[JOB_TOKEN_HEADER]).to_s - token && job.valid_token?(token) + # we look for a job that has been shared via pipeline using the ID + def authenticate_pipeline_job! + job = authenticate_job_by_token! + + job.pipeline.builds.find(params[:id]) end def max_artifacts_size diff --git a/lib/api/jobs.rb b/lib/api/jobs.rb index 80a5cbd6b19..45c694b6448 100644 --- a/lib/api/jobs.rb +++ b/lib/api/jobs.rb @@ -38,6 +38,8 @@ module API end # rubocop: disable CodeReuse/ActiveRecord get ':id/jobs' do + authorize_read_builds! + builds = user_project.builds.order('id DESC') builds = filter_builds(builds, params[:scope]) @@ -56,7 +58,10 @@ module API end # rubocop: disable CodeReuse/ActiveRecord get ':id/pipelines/:pipeline_id/jobs' do + authorize!(:read_pipeline, user_project) pipeline = user_project.ci_pipelines.find(params[:pipeline_id]) + authorize!(:read_build, pipeline) + builds = pipeline.builds builds = filter_builds(builds, params[:scope]) builds = builds.preload(:job_artifacts_archive, :job_artifacts, project: [:namespace]) diff --git a/lib/api/runner.rb b/lib/api/runner.rb index c60d25b88cb..8e842b13f8c 100644 --- a/lib/api/runner.rb +++ b/lib/api/runner.rb @@ -144,7 +144,6 @@ module API end put '/:id' do job = authenticate_job! - job_forbidden!(job, 'Job is not running') unless job.running? job.trace.set(params[:trace]) if params[:trace] @@ -172,7 +171,6 @@ module API end patch '/:id/trace' do job = authenticate_job! - job_forbidden!(job, 'Job is not running') unless job.running? error!('400 Missing header Content-Range', 400) unless request.headers.key?('Content-Range') content_range = request.headers['Content-Range'] @@ -215,8 +213,7 @@ module API require_gitlab_workhorse! Gitlab::Workhorse.verify_api_request!(headers) - job = authenticate_job! - forbidden!('Job is not running') unless job.running? + authenticate_job! if params[:filesize] file_size = params[:filesize].to_i @@ -259,7 +256,6 @@ module API require_gitlab_workhorse! job = authenticate_job! - forbidden!('Job is not running!') unless job.running? artifacts = UploadedFile.from_params(params, :file, JobArtifactUploader.workhorse_local_upload_path) metadata = UploadedFile.from_params(params, :metadata, JobArtifactUploader.workhorse_local_upload_path) @@ -306,7 +302,7 @@ module API optional :direct_download, default: false, type: Boolean, desc: %q(Perform direct download from remote storage instead of proxying artifacts) end get '/:id/artifacts' do - job = authenticate_job! + job = authenticate_pipeline_job! present_carrierwave_file!(job.artifacts_file, supports_direct_download: params[:direct_download]) end diff --git a/lib/banzai/filter/external_link_filter.rb b/lib/banzai/filter/external_link_filter.rb index 2e6d742de27..4f60b6f84c6 100644 --- a/lib/banzai/filter/external_link_filter.rb +++ b/lib/banzai/filter/external_link_filter.rb @@ -9,11 +9,10 @@ module Banzai def call links.each do |node| uri = uri(node['href'].to_s) - next unless uri - node.set_attribute('href', uri.to_s) + node.set_attribute('href', uri.to_s) if uri - if SCHEMES.include?(uri.scheme) && external_url?(uri) + if SCHEMES.include?(uri&.scheme) && !internal_url?(uri) node.set_attribute('rel', 'nofollow noreferrer noopener') node.set_attribute('target', '_blank') end @@ -35,11 +34,12 @@ module Banzai doc.xpath(query) end - def external_url?(uri) + def internal_url?(uri) + return false if uri.nil? # Relative URLs miss a hostname - return false unless uri.hostname + return true unless uri.hostname - uri.hostname != internal_url.hostname + uri.hostname == internal_url.hostname end def internal_url diff --git a/lib/banzai/filter/label_reference_filter.rb b/lib/banzai/filter/label_reference_filter.rb index 04ec38209c7..f90a35952e5 100644 --- a/lib/banzai/filter/label_reference_filter.rb +++ b/lib/banzai/filter/label_reference_filter.rb @@ -29,7 +29,7 @@ module Banzai if label yield match, label.id, project, namespace, $~ else - match + escape_html_entities(match) end end end @@ -102,6 +102,10 @@ module Banzai CGI.unescapeHTML(text.to_s) end + def escape_html_entities(text) + CGI.escapeHTML(text.to_s) + end + def object_link_title(object, matches) # use title of wrapped element instead nil diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb index 7aa02009aa0..11fb3bdf303 100644 --- a/lib/gitlab/auth.rb +++ b/lib/gitlab/auth.rb @@ -296,7 +296,7 @@ module Gitlab private def find_build_by_token(token) - ::Ci::Build.running.find_by_token(token) + ::Ci::Build.find_running_by_token(token) end end end diff --git a/lib/gitlab/ci/pipeline/chain/command.rb b/lib/gitlab/ci/pipeline/chain/command.rb index 100b9521412..90208352c55 100644 --- a/lib/gitlab/ci/pipeline/chain/command.rb +++ b/lib/gitlab/ci/pipeline/chain/command.rb @@ -54,7 +54,13 @@ module Gitlab def protected_ref? strong_memoize(:protected_ref) do - project.protected_for?(ref) + project.protected_for?(origin_ref) + end + end + + def ambiguous_ref? + strong_memoize(:ambiguous_ref) do + project.repository.ambiguous_ref?(origin_ref) end end end diff --git a/lib/gitlab/ci/pipeline/chain/validate/repository.rb b/lib/gitlab/ci/pipeline/chain/validate/repository.rb index d88851d8245..9c6c2bc8e25 100644 --- a/lib/gitlab/ci/pipeline/chain/validate/repository.rb +++ b/lib/gitlab/ci/pipeline/chain/validate/repository.rb @@ -16,6 +16,10 @@ module Gitlab unless @command.sha return error('Commit not found') end + + if @command.ambiguous_ref? + return error('Ref is ambiguous') + end end def break? diff --git a/lib/gitlab/git.rb b/lib/gitlab/git.rb index c4aac228b2f..44a62586a23 100644 --- a/lib/gitlab/git.rb +++ b/lib/gitlab/git.rb @@ -54,11 +54,11 @@ module Gitlab end def tag_ref?(ref) - ref.start_with?(TAG_REF_PREFIX) + ref =~ /^#{TAG_REF_PREFIX}.+/ end def branch_ref?(ref) - ref.start_with?(BRANCH_REF_PREFIX) + ref =~ /^#{BRANCH_REF_PREFIX}.+/ end def blank_ref?(ref) |