From 03d085654717ea2f4a884f9286d56cc9e6381f4e Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Thu, 13 Jan 2022 06:14:35 +0000 Subject: Add latest changes from gitlab-org/gitlab@master --- app/models/active_session.rb | 15 +++++------ config/initializers/session_store.rb | 10 +------ doc/user/application_security/dast/index.md | 3 +++ doc/user/compliance/license_compliance/index.md | 4 +++ lib/gitlab/anonymous_session.rb | 8 +++--- lib/gitlab/redis/sessions_store_helper.rb | 27 ------------------- lib/tasks/gitlab/cleanup.rake | 4 +-- spec/initializers/session_store_spec.rb | 36 +++---------------------- 8 files changed, 22 insertions(+), 85 deletions(-) delete mode 100644 lib/gitlab/redis/sessions_store_helper.rb diff --git a/app/models/active_session.rb b/app/models/active_session.rb index 0094d98fb73..9f634e70ff4 100644 --- a/app/models/active_session.rb +++ b/app/models/active_session.rb @@ -21,7 +21,6 @@ # class ActiveSession include ActiveModel::Model - include ::Gitlab::Redis::SessionsStoreHelper SESSION_BATCH_SIZE = 200 ALLOWED_NUMBER_OF_ACTIVE_SESSIONS = 100 @@ -66,7 +65,7 @@ class ActiveSession end def self.set(user, request) - redis_store_class.with do |redis| + Gitlab::Redis::Sessions.with do |redis| session_private_id = request.session.id.private_id client = DeviceDetector.new(request.user_agent) timestamp = Time.current @@ -107,7 +106,7 @@ class ActiveSession end def self.list(user) - redis_store_class.with do |redis| + Gitlab::Redis::Sessions.with do |redis| cleaned_up_lookup_entries(redis, user).map do |raw_session| load_raw_session(raw_session) end @@ -115,7 +114,7 @@ class ActiveSession end def self.cleanup(user) - redis_store_class.with do |redis| + Gitlab::Redis::Sessions.with do |redis| clean_up_old_sessions(redis, user) cleaned_up_lookup_entries(redis, user) end @@ -138,7 +137,7 @@ class ActiveSession def self.destroy_session(user, session_id) return unless session_id - redis_store_class.with do |redis| + Gitlab::Redis::Sessions.with do |redis| destroy_sessions(redis, user, [session_id].compact) end end @@ -147,7 +146,7 @@ class ActiveSession sessions = not_impersonated(user) sessions.reject! { |session| session.current?(current_rack_session) } if current_rack_session - redis_store_class.with do |redis| + Gitlab::Redis::Sessions.with do |redis| session_ids = sessions.flat_map(&:ids) destroy_sessions(redis, user, session_ids) if session_ids.any? end @@ -182,7 +181,7 @@ class ActiveSession # # Returns an array of strings def self.session_ids_for_user(user_id) - redis_store_class.with do |redis| + Gitlab::Redis::Sessions.with do |redis| redis.smembers(lookup_key_name(user_id)) end end @@ -195,7 +194,7 @@ class ActiveSession def self.sessions_from_ids(session_ids) return [] if session_ids.empty? - redis_store_class.with do |redis| + Gitlab::Redis::Sessions.with do |redis| session_keys = rack_session_keys(session_ids) session_keys.each_slice(SESSION_BATCH_SIZE).flat_map do |session_keys_batch| diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb index bb2e01a30f1..a7754667320 100644 --- a/config/initializers/session_store.rb +++ b/config/initializers/session_store.rb @@ -19,15 +19,7 @@ cookie_key = if Rails.env.development? "_gitlab_session" end -store = if Gitlab::Utils.to_boolean(ENV['GITLAB_USE_REDIS_SESSIONS_STORE'], default: true) - Gitlab::Redis::Sessions.store( - namespace: Gitlab::Redis::Sessions::SESSION_NAMESPACE - ) - else - Gitlab::Redis::SharedState.store( - namespace: Gitlab::Redis::Sessions::SESSION_NAMESPACE - ) - end +store = Gitlab::Redis::Sessions.store(namespace: Gitlab::Redis::Sessions::SESSION_NAMESPACE) Gitlab::Application.config.session_store( :redis_store, # Using the cookie_store would enable session replay attacks. diff --git a/doc/user/application_security/dast/index.md b/doc/user/application_security/dast/index.md index 9faa1a31b26..150fcf08718 100644 --- a/doc/user/application_security/dast/index.md +++ b/doc/user/application_security/dast/index.md @@ -1131,6 +1131,9 @@ A site profile contains the following: When an API site type is selected, a [host override](#host-override) is used to ensure the API being scanned is on the same host as the target. This is done to reduce the risk of running an active scan against the wrong API. +When configured, request headers and password fields are encrypted using [`aes-256-gcm`](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) before being stored in the database. +This data can only be read and decrypted with a valid secrets file. + #### Site profile validation > - Site profile validation [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/233020) in GitLab 13.8. diff --git a/doc/user/compliance/license_compliance/index.md b/doc/user/compliance/license_compliance/index.md index 89b7e76f1a0..56c0963b4a3 100644 --- a/doc/user/compliance/license_compliance/index.md +++ b/doc/user/compliance/license_compliance/index.md @@ -804,6 +804,10 @@ An approval is optional when a license report: - Contains no software license violations. - Contains only new licenses that are `allowed` or unknown. +## Warnings + +We recommend that you use the most recent version of all containers, and the most recent supported version of all package managers and languages. Using previous versions carries an increased security risk because unsupported versions may no longer benefit from active security reporting and backporting of security fixes. + ## Troubleshooting ### ASDF_PYTHON_VERSION does not automatically install the version diff --git a/lib/gitlab/anonymous_session.rb b/lib/gitlab/anonymous_session.rb index e58240e16b4..6904945a755 100644 --- a/lib/gitlab/anonymous_session.rb +++ b/lib/gitlab/anonymous_session.rb @@ -2,14 +2,12 @@ module Gitlab class AnonymousSession - include ::Gitlab::Redis::SessionsStoreHelper - def initialize(remote_ip) @remote_ip = remote_ip end def count_session_ip - redis_store_class.with do |redis| + Gitlab::Redis::Sessions.with do |redis| redis.pipelined do |pipeline| pipeline.incr(session_lookup_name) pipeline.expire(session_lookup_name, 24.hours) @@ -18,13 +16,13 @@ module Gitlab end def session_count - redis_store_class.with do |redis| + Gitlab::Redis::Sessions.with do |redis| redis.get(session_lookup_name).to_i end end def cleanup_session_per_ip_count - redis_store_class.with do |redis| + Gitlab::Redis::Sessions.with do |redis| redis.del(session_lookup_name) end end diff --git a/lib/gitlab/redis/sessions_store_helper.rb b/lib/gitlab/redis/sessions_store_helper.rb deleted file mode 100644 index c80442847f1..00000000000 --- a/lib/gitlab/redis/sessions_store_helper.rb +++ /dev/null @@ -1,27 +0,0 @@ -# frozen_string_literal: true - -module Gitlab - module Redis - module SessionsStoreHelper - extend ActiveSupport::Concern - - module StoreMethods - def redis_store_class - use_redis_session_store? ? Gitlab::Redis::Sessions : Gitlab::Redis::SharedState - end - - private - - def use_redis_session_store? - Gitlab::Utils.to_boolean(ENV['GITLAB_USE_REDIS_SESSIONS_STORE'], default: true) - end - end - - include StoreMethods - - included do - extend StoreMethods - end - end - end -end diff --git a/lib/tasks/gitlab/cleanup.rake b/lib/tasks/gitlab/cleanup.rake index 8f033a41e3d..f908a7606fa 100644 --- a/lib/tasks/gitlab/cleanup.rake +++ b/lib/tasks/gitlab/cleanup.rake @@ -100,15 +100,13 @@ namespace :gitlab do namespace :sessions do desc "GitLab | Cleanup | Sessions | Clean ActiveSession lookup keys" task active_sessions_lookup_keys: :gitlab_environment do - use_redis_session_store = Gitlab::Utils.to_boolean(ENV['GITLAB_USE_REDIS_SESSIONS_STORE'], default: true) - redis_store_class = use_redis_session_store ? Gitlab::Redis::Sessions : Gitlab::Redis::SharedState session_key_pattern = "#{Gitlab::Redis::Sessions::USER_SESSIONS_LOOKUP_NAMESPACE}:*" last_save_check = Time.at(0) wait_time = 10.seconds cursor = 0 total_users_scanned = 0 - redis_store_class.with do |redis| + Gitlab::Redis::Sessions.with do |redis| begin cursor, keys = redis.scan(cursor, match: session_key_pattern) total_users_scanned += keys.count diff --git a/spec/initializers/session_store_spec.rb b/spec/initializers/session_store_spec.rb index db90b335dc9..a94ce327a92 100644 --- a/spec/initializers/session_store_spec.rb +++ b/spec/initializers/session_store_spec.rb @@ -10,40 +10,10 @@ RSpec.describe 'Session initializer for GitLab' do end describe 'config#session_store' do - context 'when the GITLAB_USE_REDIS_SESSIONS_STORE env is not set' do - before do - stub_env('GITLAB_USE_REDIS_SESSIONS_STORE', nil) - end + it 'initialized as a redis_store with a proper servers configuration' do + expect(subject).to receive(:session_store).with(:redis_store, a_hash_including(redis_store: kind_of(::Redis::Store))) - it 'initialized with Multistore as ENV var defaults to true' do - expect(subject).to receive(:session_store).with(:redis_store, a_hash_including(redis_store: kind_of(::Redis::Store))) - - load_session_store - end - end - - context 'when the GITLAB_USE_REDIS_SESSIONS_STORE env is disabled' do - before do - stub_env('GITLAB_USE_REDIS_SESSIONS_STORE', false) - end - - it 'initialized as a redis_store with a proper servers configuration' do - expect(subject).to receive(:session_store).with(:redis_store, a_hash_including(redis_store: kind_of(Redis::Store))) - - load_session_store - end - end - - context 'when the GITLAB_USE_REDIS_SESSIONS_STORE env is enabled' do - before do - stub_env('GITLAB_USE_REDIS_SESSIONS_STORE', true) - end - - it 'initialized as a redis_store with a proper servers configuration' do - expect(subject).to receive(:session_store).with(:redis_store, a_hash_including(redis_store: kind_of(::Redis::Store))) - - load_session_store - end + load_session_store end end end -- cgit v1.2.3