From 41b1c0469dba622a1c2c67c17f1f5e491573accf Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Mon, 1 Feb 2021 08:59:34 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@13-8-stable-ee
---
 app/controllers/projects/releases_controller.rb | 3 +++
 app/presenters/release_presenter.rb | 2 ++
 .../unreleased/security-guest-can-read-tag-from-releases.yml | 5 +++++
 spec/controllers/projects/releases_controller_spec.rb | 9 +++++++++
 spec/presenters/release_presenter_spec.rb | 6 ++++++
 vendor/gitignore/C++.gitignore | 0
 vendor/gitignore/Java.gitignore | 0
 7 files changed, 25 insertions(+)
 create mode 100644 changelogs/unreleased/security-guest-can-read-tag-from-releases.yml
 mode change 100755 => 100644 vendor/gitignore/C++.gitignore
 mode change 100755 => 100644 vendor/gitignore/Java.gitignore
diff --git a/app/controllers/projects/releases_controller.rb b/app/controllers/projects/releases_controller.rb
index a6e795a2b91..614bada09ed 100644
--- a/app/controllers/projects/releases_controller.rb
+++ b/app/controllers/projects/releases_controller.rb
@@ -5,6 +5,9 @@ class Projects::ReleasesController < Projects::ApplicationController
 before_action :require_non_empty_project, except: [:index]
 before_action :release, only: %i[edit show update downloads]
 before_action :authorize_read_release!
+ # We have to check `download_code` permission because detail URL path
+ # contains git-tag name.
+ before_action :authorize_download_code!, except: [:index]
 before_action do
 push_frontend_feature_flag(:graphql_release_data, project, default_enabled: true)
 push_frontend_feature_flag(:graphql_milestone_stats, project, default_enabled: true)
diff --git a/app/presenters/release_presenter.rb b/app/presenters/release_presenter.rb
index b11585d0d1c..aa6429ab012 100644
--- a/app/presenters/release_presenter.rb
+++ b/app/presenters/release_presenter.rb
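Review bot: The added `before_action :authorize_download_code!` is declared after `before_action :release`, so for a caller lacking `download_code` the release lookup (and any 404 it raises for an unknown tag) still runs before the permission is checked. Rails evaluates `before_action`s in declaration order, so placing both authorization filters ahead of `before_action :release` would reject the caller before any resource is loaded, assuming neither `authorize_read_release!` nor `authorize_download_code!` reads the loaded release, which is not visible here. The `except: [:index]` exemption means the index action still renders for users without `download_code`; whether tag-bearing links are withheld there is decided elsewhere, so a comment such as `# index stays reachable; tag-bearing links are gated in ReleasePresenter#self_url` would make that division of responsibility explicit. The class continues outside the hunk.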
@@ -20,6 +20,8 @@ class ReleasePresenter < Gitlab::View::Presenter::Delegated
 end
 def self_url
+ return unless can_download_code?
+
 project_release_url(project, release)
 end
diff --git a/changelogs/unreleased/security-guest-can-read-tag-from-releases.yml b/changelogs/unreleased/security-guest-can-read-tag-from-releases.yml
new file mode 100644
index 00000000000..a3b9b21d90a
--- /dev/null
+++ b/changelogs/unreleased/security-guest-can-read-tag-from-releases.yml
@@ -0,0 +1,5 @@
+---
+title: Avoid exposing release links when the user cannot read git-tag/repository
+merge_request:
+author:
+type: security
diff --git a/spec/controllers/projects/releases_controller_spec.rb b/spec/controllers/projects/releases_controller_spec.rb
index c1f1373ddc2..fc7ab88bbe0 100644
--- a/spec/controllers/projects/releases_controller_spec.rb
+++ b/spec/controllers/projects/releases_controller_spec.rb
@@ -9,6 +9,7 @@ RSpec.describe Projects::ReleasesController do
 let_it_be(:private_project) { create(:project, :repository, :private) }
 let_it_be(:developer) { create(:user) }
 let_it_be(:reporter) { create(:user) }
+ let_it_be(:guest) { create(:user) }
 let_it_be(:user) { developer }
 let!(:release_1) { create(:release, project: project, released_at: Time.zone.parse('2018-10-18')) }
 let!(:release_2) { create(:release, project: project, released_at: Time.zone.parse('2019-10-19')) }
@@ -16,6 +17,7 @@ RSpec.describe Projects::ReleasesController do
 before do
 project.add_developer(developer)
 project.add_reporter(reporter)
+ project.add_guest(guest)
 end
 shared_examples_for 'successful request' do
@@ -199,6 +201,13 @@ RSpec.describe Projects::ReleasesController do
 it_behaves_like 'not found'
 end
+
+ context 'when user is a guest' do
+ let(:project) { private_project }
+ let(:user) { guest }
+
+ it_behaves_like 'not found'
+ end
 end
 # `GET #downloads` is addressed in spec/requests/projects/releases_controller_spec.rb
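Review bot: `self_url` now returns nil for callers without `download_code`, but nothing in the hunk says why, and the reason is security-relevant: the release URL embeds the git tag name. A one-line comment above the guard, `# The detail URL path contains the git-tag name, so withhold it from users who cannot read the repository (download_code).`, ties the nil return to the controller-side check in this same series and tells callers that nil is an expected value. `can_download_code?` is not defined in the hunk; presumably it is a presenter helper evaluated against the current user, which should be confirmed. The class continues outside the hunk.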
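Review bot: The guest context is added inside a single describe whose header lies outside the hunk, while the controller filter applies to `edit`, `show`, `update` and `downloads`; unless the surrounding shared examples already cover those actions, a guest on a private project is verified for only one of them. Extracting the context into a shared example, e.g. `it_behaves_like 'not found for guest'`, and invoking it from each per-action describe would close that gap cheaply. The context also fixes `project` to `private_project`; if repository access can be restricted independently of project visibility, a guest on a public project is an equally relevant case.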
diff --git a/spec/presenters/release_presenter_spec.rb b/spec/presenters/release_presenter_spec.rb
index b518584569b..4bf12183eff 100644
--- a/spec/presenters/release_presenter_spec.rb
+++ b/spec/presenters/release_presenter_spec.rb
@@ -62,6 +62,12 @@ RSpec.describe ReleasePresenter do
 it 'returns its own url' do
 is_expected.to eq(project_release_url(project, release))
 end
+
+ context 'when user is guest' do
+ let(:user) { guest }
+
+ it { is_expected.to be_nil }
+ end
 end
 describe '#opened_merge_requests_url' do
diff --git a/vendor/gitignore/C++.gitignore b/vendor/gitignore/C++.gitignore
old mode 100755
new mode 100644
diff --git a/vendor/gitignore/Java.gitignore b/vendor/gitignore/Java.gitignore
old mode 100755
new mode 100644
--
cgit v1.2.3
From 33844e18d2b83dec384549802e4efb20ae964223 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Mon, 1 Feb 2021 09:00:48 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@13-8-stable-ee
---
 changelogs/unreleased/security-filter-graphql-logs.yml | 5 +++++
 lib/gitlab/graphql/query_analyzers/logger_analyzer.rb | 14 +++++++++++---
 .../graphql/query_analyzers/logger_analyzer_spec.rb | 18 ++++++++++++++++++
 3 files changed, 34 insertions(+), 3 deletions(-)
 create mode 100644 changelogs/unreleased/security-filter-graphql-logs.yml
diff --git a/lib/gitlab/graphql/query_analyzers/logger_analyzer.rb b/lib/gitlab/graphql/query_analyzers/logger_analyzer.rb
index 1285365376f..0665ea8b6c9 100644
--- a/lib/gitlab/graphql/query_analyzers/logger_analyzer.rb
+++ b/lib/gitlab/graphql/query_analyzers/logger_analyzer.rb
@@ -49,13 +49,21 @@ module Gitlab
 private
 def process_variables(variables)
- if variables.respond_to?(:to_s)
- variables.to_s
+ filtered_variables = filter_sensitive_variables(variables)
+
+ if filtered_variables.respond_to?(:to_s)
+ filtered_variables.to_s
 else
- variables
+ filtered_variables
 end
 end
+ def filter_sensitive_variables(variables)
+ ActiveSupport::ParameterFilter
+ .new(::Rails.application.config.filter_parameters)
+ .filter(variables)
+ end
+
 def duration(time_started)
 Gitlab::Metrics::System.monotonic_time - time_started
 end
diff --git a/spec/lib/gitlab/graphql/query_analyzers/logger_analyzer_spec.rb b/spec/lib/gitlab/graphql/query_analyzers/logger_analyzer_spec.rb
index c8432513185..138765afd8a 100644
--- a/spec/lib/gitlab/graphql/query_analyzers/logger_analyzer_spec.rb
+++ b/spec/lib/gitlab/graphql/query_analyzers/logger_analyzer_spec.rb
@@ -40,4 +40,22 @@ RSpec.describe Gitlab::Graphql::QueryAnalyzers::LoggerAnalyzer do
 end
 end
 end
+
+ describe '#initial_value' do
+ it 'filters out sensitive variables' do
+ doc = GraphQL.parse <<-GRAPHQL
+ mutation createNote($body: String!) {
+ createNote(input: {noteableId: "1", body: $body}) {
+ note {
+ id
+ }
+ }
+ }
+ GRAPHQL
+
+ query = GraphQL::Query.new(GitlabSchema, document: doc, context: {}, variables: { body: "some note" })
+
+ expect(subject.initial_value(query)[:variables]).to eq('{:body=>"[FILTERED]"}')
+ end
+ end
 end
--
cgit v1.2.3
From 8d628223c41aabc9d42af95cce1193becffa1b0f Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Mon, 1 Feb 2021 09:01:19 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@13-8-stable-ee
---
 changelogs/unreleased/security-ssrf-outbound-request.yml | 5 +++++
 lib/gitlab/url_blocker.rb | 4 +++-
 spec/lib/gitlab/url_blocker_spec.rb | 15 +++++++++++++++
 3 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/unreleased/security-ssrf-outbound-request.yml
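Review bot: `filter_sensitive_variables` constructs a fresh `ActiveSupport::ParameterFilter` (and so recompiles the `filter_parameters` patterns) on every query; if the analyzer is a long-lived object, memoizing it is free: `@parameter_filter ||= ActiveSupport::ParameterFilter.new(::Rails.application.config.filter_parameters)` followed by `@parameter_filter.filter(variables)`. `ParameterFilter#filter` iterates its argument as a hash, so if `variables` can ever be nil or a non-hash the new code raises where the old code returned `variables.to_s`; if GraphQL always supplies a Hash here (likely, but not visible in the hunk) a short comment stating that assumption would help, otherwise guard with `return variables unless variables.respond_to?(:each_pair)`. Separately, every Ruby object answers `respond_to?(:to_s)`, so the `else` branch the rewrite preserves is unreachable and `process_variables` could simply return `filter_sensitive_variables(variables).to_s`.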
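Review bot: The assertion pins the exact `Hash#inspect` rendering `'{:body=>"[FILTERED]"}'`, which couples the test to Ruby's inspect format rather than to the property that matters, namely that the secret never reaches the log. Asserting `expect(variables).to include('[FILTERED]')` together with `expect(variables).not_to include('some note')` checks the security property directly and survives format changes. `subject` is defined outside the hunk.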
diff --git a/changelogs/unreleased/security-ssrf-outbound-request.yml b/changelogs/unreleased/security-ssrf-outbound-request.yml
new file mode 100644
index 00000000000..e67360fdbbf
--- /dev/null
+++ b/changelogs/unreleased/security-ssrf-outbound-request.yml
@@ -0,0 +1,5 @@
+---
+title: Fix DNS rebinding protection bypass when allowing an IP address in Outbound Requests setting
+merge_request:
+author:
+type: security
diff --git a/lib/gitlab/url_blocker.rb b/lib/gitlab/url_blocker.rb
index eece2c343d2..10822f943b6 100644
--- a/lib/gitlab/url_blocker.rb
+++ b/lib/gitlab/url_blocker.rb
@@ -49,10 +49,12 @@ module Gitlab
 return [uri, nil] unless address_info
 ip_address = ip_address(address_info)
- return [uri, nil] if domain_allowed?(uri) || ip_allowed?(ip_address, port: get_port(uri))
+ return [uri, nil] if domain_allowed?(uri)
 protected_uri_with_hostname = enforce_uri_hostname(ip_address, uri, dns_rebind_protection)
+ return protected_uri_with_hostname if ip_allowed?(ip_address, port: get_port(uri))
+
 # Allow url from the GitLab instance itself but only for the configured hostname and ports
 return protected_uri_with_hostname if internal?(uri)
diff --git a/spec/lib/gitlab/url_blocker_spec.rb b/spec/lib/gitlab/url_blocker_spec.rb
index f466d117851..686382dc262 100644
--- a/spec/lib/gitlab/url_blocker_spec.rb
+++ b/spec/lib/gitlab/url_blocker_spec.rb
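Review bot: The reordering is the fix, but the new line `return protected_uri_with_hostname if ip_allowed?(ip_address, port: get_port(uri))` carries no explanation of why it must follow `enforce_uri_hostname`, and the next refactor could move it back. A comment such as `# Must run after enforce_uri_hostname: the allowlist verdict applies to the address we just resolved, not to whatever the hostname resolves to on the next lookup.` records the reasoning; it assumes `enforce_uri_hostname` substitutes `ip_address` into the URI when rebind protection is on, which the spec's `expected_uri` in this same series suggests but the hunk does not show. Note that `domain_allowed?` one line earlier still returns the unmodified `uri`; if that is intended (an allowlisted domain is trusted wherever it resolves), a comment there would forestall the same question on the next review. The method continues outside the hunk.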
@@ -91,6 +91,21 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
 end
 end
+ context 'DNS rebinding protection with IP allowed' do
+ let(:import_url) { 'http://a.192.168.0.120.3times.127.0.0.1.1time.repeat.rebind.network:9121/scrape?target=unix:///var/opt/gitlab/redis/redis.socket&check-keys=*' }
+
+ before do
+ stub_dns(import_url, ip_address: '192.168.0.120')
+
+ allow(Gitlab::UrlBlockers::UrlAllowlist).to receive(:ip_allowed?).and_return(true)
+ end
+
+ it_behaves_like 'validates URI and hostname' do
+ let(:expected_uri) { 'http://192.168.0.120:9121/scrape?target=unix:///var/opt/gitlab/redis/redis.socket&check-keys=*' }
+ let(:expected_hostname) { 'a.192.168.0.120.3times.127.0.0.1.1time.repeat.rebind.network' }
+ end
+ end
+
 context 'disabled DNS rebinding protection' do
 subject { described_class.validate!(import_url, dns_rebind_protection: false) }
--
cgit v1.2.3
From 23330db102f66781cc9a22cd006433cfcbd13863 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Mon, 1 Feb 2021 09:02:36 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@13-8-stable-ee
---
 changelogs/unreleased/secutity-404-difference.yml | 5 ++
 config/routes.rb | 1 +
 config/routes/unmatched_project.rb | 18 ++++++
 spec/requests/git_http_spec.rb | 8 +-
 spec/routing/git_http_routing_spec.rb | 21 +++++++
 spec/routing/project_routing_spec.rb | 69 ++++++++++++++++++++++
 .../matchers/route_to_route_not_found_matcher.rb | 15 +++++
 .../routing/git_http_routing_shared_examples.rb | 54 +++++++++++++++--
 8 files changed, 185 insertions(+), 6 deletions(-)
 create mode 100644 changelogs/unreleased/secutity-404-difference.yml
 create mode 100644 config/routes/unmatched_project.rb
 create mode 100644 spec/support/matchers/route_to_route_not_found_matcher.rb
diff --git a/changelogs/unreleased/secutity-404-difference.yml b/changelogs/unreleased/secutity-404-difference.yml
new file mode 100644
index 00000000000..0c09f2da9df
--- /dev/null
+++ b/changelogs/unreleased/secutity-404-difference.yml
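Review bot: `allow(Gitlab::UrlBlockers::UrlAllowlist).to receive(:ip_allowed?).and_return(true)` answers true for any arguments, so the example still passes if the production code consulted the allowlist with the wrong address or port. Constraining the stub, `allow(Gitlab::UrlBlockers::UrlAllowlist).to receive(:ip_allowed?).with('192.168.0.120', port: 9121).and_return(true)`, makes the test also verify that the resolved address and the URI's port are what the allowlist is asked about, which is the core of the fix. The shared example `validates URI and hostname` and `stub_dns` are defined outside the hunk.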
@@ -0,0 +1,5 @@
+---
+title: Add routes for unmatched url for not-get requests
+merge_request:
+author:
+type: security
diff --git a/config/routes.rb b/config/routes.rb
index 91d1a817175..31e483df326 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -275,6 +275,7 @@ Rails.application.routes.draw do
 draw :dashboard
 draw :user
 draw :project
+ draw :unmatched_project
 # Issue https://gitlab.com/gitlab-org/gitlab/-/issues/210024
 scope as: 'deprecated' do
diff --git a/config/routes/unmatched_project.rb b/config/routes/unmatched_project.rb
new file mode 100644
index 00000000000..b4fe243c7b0
--- /dev/null
+++ b/config/routes/unmatched_project.rb
@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+scope(path: '*namespace_id',
+ as: :namespace,
+ namespace_id: Gitlab::PathRegex.full_namespace_route_regex) do
+ scope(path: ':project_id',
+ constraints: { project_id: Gitlab::PathRegex.project_route_regex },
+ as: :project) do
+ post '*all', to: 'application#route_not_found'
+ put '*all', to: 'application#route_not_found'
+ patch '*all', to: 'application#route_not_found'
+ delete '*all', to: 'application#route_not_found'
+ post '/', to: 'application#route_not_found'
+ put '/', to: 'application#route_not_found'
+ patch '/', to: 'application#route_not_found'
+ delete '/', to: 'application#route_not_found'
+ end
+end
diff --git a/spec/requests/git_http_spec.rb b/spec/requests/git_http_spec.rb
index bc89dc2fa77..1ee3e36be8b 100644
--- a/spec/requests/git_http_spec.rb
+++ b/spec/requests/git_http_spec.rb
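Review bot: `draw :unmatched_project` only works because it comes after `draw :project`: Rails matches routes in definition order and the new file's `*all` wildcards would otherwise shadow real project routes, yet nothing on the line records that dependency. A trailing comment, `draw :unmatched_project # keep after draw :project: catch-all 404 for non-GET requests to unmatched project paths`, protects the ordering from a well-meaning alphabetical sort. The `routes.draw` block continues outside the hunk.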
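Review bot: The new file has no header explaining its purpose, and the purpose is security-motivated: the request spec in this series previously expected `ActionController::RoutingError` for a non-GET request to a project path with no matching route, while the same request to an existing but inaccessible project returned 404, a difference that can distinguish existing projects from non-existent ones (the changelog entry calls it a "404 difference"). A two-line comment after the `frozen_string_literal` pragma stating that these routes make unmatched non-GET project requests answer with the same `application#route_not_found` 404, and that GET is deliberately omitted because the existing catch-all already handles it (the project routing spec in this series routes GET through `unmatched_route`), would preserve that rationale for the next reader. The eight near-identical lines can also be collapsed without changing behaviour: `match '*all', to: 'application#route_not_found', via: %i[post put patch delete]` and `match '/', to: 'application#route_not_found', via: %i[post put patch delete]`.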
@@ -159,13 +159,17 @@ RSpec.describe 'Git HTTP requests' do
 context "POST git-upload-pack" do
 it "fails to find a route" do
- expect { clone_post(repository_path) }.to raise_error(ActionController::RoutingError)
+ clone_post(repository_path) do |response|
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
 end
 end
 context "POST git-receive-pack" do
 it "fails to find a route" do
- expect { push_post(repository_path) }.to raise_error(ActionController::RoutingError)
+ push_post(repository_path) do |response|
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
 end
 end
 end
diff --git a/spec/routing/git_http_routing_spec.rb b/spec/routing/git_http_routing_spec.rb
index e3cc1440a9e..79d392e4132 100644
--- a/spec/routing/git_http_routing_spec.rb
+++ b/spec/routing/git_http_routing_spec.rb
@@ -7,6 +7,10 @@ RSpec.describe 'git_http routing' do
 it_behaves_like 'git repository routes' do
 let(:path) { '/gitlab-org/gitlab-test.git' }
 end
+
+ it_behaves_like 'git repository routes with fallback for git-upload-pack' do
+ let(:path) { '/gitlab-org/gitlab-test.git' }
+ end
 end
 describe 'wiki repositories' do
@@ -14,6 +18,7 @@ RSpec.describe 'git_http routing' do
 let(:path) { '/gitlab-org/gitlab-test.wiki.git' }
 it_behaves_like 'git repository routes'
+ it_behaves_like 'git repository routes with fallback for git-upload-pack'
 describe 'redirects', type: :request do
 let(:web_path) { '/gitlab-org/gitlab-test/-/wikis' }
@@ -37,12 +42,20 @@ RSpec.describe 'git_http routing' do
 it_behaves_like 'git repository routes' do
 let(:path) { '/gitlab-org.wiki.git' }
 end
+
+ it_behaves_like 'git repository routes with fallback for git-upload-pack' do
+ let(:path) { '/gitlab-org.wiki.git' }
+ end
 end
 context 'in child group' do
 it_behaves_like 'git repository routes' do
 let(:path) { '/gitlab-org/child.wiki.git' }
 end
+
+ it_behaves_like 'git repository routes with fallback for git-upload-pack' do
+ let(:path) { '/gitlab-org/child.wiki.git' }
+ end
 end
 end
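Review bot: Both example descriptions `it "fails to find a route"` no longer describe the behaviour: a route is now found and the response is a 404, as the new `have_gitlab_http_status(:not_found)` assertions show. Renaming them to `it "responds with 404"` keeps the spec output truthful when someone reads a failure. Whether `clone_post` and `push_post` yield the response to a block is defined outside the hunk.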
@@ -51,12 +64,20 @@ RSpec.describe 'git_http routing' do
 it_behaves_like 'git repository routes' do
 let(:path) { '/snippets/123.git' }
 end
+
+ it_behaves_like 'git repository routes without fallback' do
+ let(:path) { '/snippets/123.git' }
+ end
 end
 context 'project snippet' do
 it_behaves_like 'git repository routes' do
 let(:path) { '/gitlab-org/gitlab-test/snippets/123.git' }
 end
+
+ it_behaves_like 'git repository routes with fallback' do
+ let(:path) { '/gitlab-org/gitlab-test/snippets/123.git' }
+ end
 end
 end
 end
diff --git a/spec/routing/project_routing_spec.rb b/spec/routing/project_routing_spec.rb
index 29e5c1b4bae..f7ed8d7d5dc 100644
--- a/spec/routing/project_routing_spec.rb
+++ b/spec/routing/project_routing_spec.rb
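Review bot: The personal-snippet context uses `'git repository routes without fallback'` while the project-snippet context uses `'git repository routes with fallback'`, and nothing explains the asymmetry, so it reads like an oversight. A short comment on the first, e.g. `# /snippets/… is not under a namespace/project scope, so the unmatched-project fallback routes do not apply`, would stop the next reader from "fixing" it; the fallback routes added in this series are scoped under `*namespace_id/:project_id`, which is consistent with that reading.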
@@ -876,4 +876,73 @@ RSpec.describe 'project routing' do
 )
 end
 end
+
+ context 'with a non-existent project' do
+ it 'routes to 404 with get request' do
+ expect(get: "/gitlab/not_exist").to route_to(
+ 'application#route_not_found',
+ unmatched_route: 'gitlab/not_exist'
+ )
+ end
+
+ it 'routes to 404 with delete request' do
+ expect(delete: "/gitlab/not_exist").to route_to(
+ 'application#route_not_found',
+ namespace_id: 'gitlab',
+ project_id: 'not_exist'
+ )
+ end
+
+ it 'routes to 404 with post request' do
+ expect(post: "/gitlab/not_exist").to route_to(
+ 'application#route_not_found',
+ namespace_id: 'gitlab',
+ project_id: 'not_exist'
+ )
+ end
+
+ it 'routes to 404 with put request' do
+ expect(put: "/gitlab/not_exist").to route_to(
+ 'application#route_not_found',
+ namespace_id: 'gitlab',
+ project_id: 'not_exist'
+ )
+ end
+
+ context 'with route to some action' do
+ it 'routes to 404 with get request to' do
+ expect(get: "/gitlab/not_exist/some_action").to route_to(
+ 'application#route_not_found',
+ unmatched_route: 'gitlab/not_exist/some_action'
+ )
+ end
+
+ it 'routes to 404 with delete request' do
+ expect(delete: "/gitlab/not_exist/some_action").to route_to(
+ 'application#route_not_found',
+ namespace_id: 'gitlab',
+ project_id: 'not_exist',
+ all: 'some_action'
+ )
+ end
+
+ it 'routes to 404 with post request' do
+ expect(post: "/gitlab/not_exist/some_action").to route_to(
+ 'application#route_not_found',
+ namespace_id: 'gitlab',
+ project_id: 'not_exist',
+ all: 'some_action'
+ )
+ end
+
+ it 'routes to 404 with put request' do
+ expect(put: "/gitlab/not_exist/some_action").to route_to(
+ 'application#route_not_found',
+ namespace_id: 'gitlab',
+ project_id: 'not_exist',
+ all: 'some_action'
+ )
+ end
+ end
+ end
 end
diff --git a/spec/support/matchers/route_to_route_not_found_matcher.rb b/spec/support/matchers/route_to_route_not_found_matcher.rb
new file mode 100644
index 00000000000..4105f0f9191
--- /dev/null
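Review bot: The example name `it 'routes to 404 with get request to' do` has a stray trailing `to`; its siblings read `'routes to 404 with get request'`. The GET cases also resolve with `unmatched_route` while the other verbs yield `namespace_id`/`project_id` (and `all`), which follows from GET being served by a different catch-all than the routes added in this series; a one-line comment on the outer context saying so would keep the asymmetry from looking like a mistake. The enclosing `describe` starts outside the hunk.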
+++ b/spec/support/matchers/route_to_route_not_found_matcher.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+RSpec::Matchers.define :route_to_route_not_found do
+ match do |actual|
+ expect(actual).to route_to(controller: 'application', action: 'route_not_found')
+ rescue RSpec::Expectations::ExpectationNotMetError => e
+ # `route_to` matcher requires providing all params for exact match. As we use it in shared examples and we provide different paths,
+ # this matcher checks if provided route matches controller and action, without checking params.
+ expect(e.message).to include("-{\"controller\"=>\"application\", \"action\"=>\"route_not_found\"}\n+{\"controller\"=>\"application\", \"action\"=>\"route_not_found\",")
+ end
+
+ failure_message do |_|
+ "expected #{actual} to route to route_not_found"
+ end
+end
diff --git a/spec/support/shared_examples/routing/git_http_routing_shared_examples.rb b/spec/support/shared_examples/routing/git_http_routing_shared_examples.rb
index b0e1e942d81..f924da37f4f 100644
--- a/spec/support/shared_examples/routing/git_http_routing_shared_examples.rb
+++ b/spec/support/shared_examples/routing/git_http_routing_shared_examples.rb
@@ -16,10 +16,6 @@ RSpec.shared_examples 'git repository routes' do
 expect(get("#{container_path}/info/refs?service=git-upload-pack")).to redirect_to("#{container_path}.git/info/refs?service=git-upload-pack")
 expect(get("#{container_path}/info/refs?service=git-receive-pack")).to redirect_to("#{container_path}.git/info/refs?service=git-receive-pack")
 end
-
- it 'does not redirect other requests' do
- expect(post("#{container_path}/git-upload-pack")).not_to be_routable
- end
 end
 it 'routes LFS endpoints' do
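Review bot: The matcher decides pass or fail by substring-matching RSpec's failure message (`-{"controller"=>…}\n+{"controller"=>…,`), which couples it to the differ's layout and to `Hash#inspect` formatting; a change in either makes the matcher fail outright, or worse, keeps it passing for the wrong reason. Recognising the path through the router directly is independent of message text: take the verb and path from the `{ verb => path }` hash the routing-spec helpers produce, call `recognize_path`, compare only controller and action, and treat `ActionController::RoutingError` as a non-match. `recognize_path` returns symbol keys, which is why the rewrite below uses `values_at(:controller, :action)`; the `failure_message` block can stay as it is. The comment that currently explains the message-matching trick becomes unnecessary with this version.
```ruby
RSpec::Matchers.define :route_to_route_not_found do
  match do |actual|
    verb, path = actual.first
    recognized = ::Rails.application.routes.recognize_path(path, method: verb)
    recognized.values_at(:controller, :action) == %w[application route_not_found]
  rescue ActionController::RoutingError
    false
  end

  # … unchanged: failure_message …
end
```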
@@ -35,6 +31,56 @@ RSpec.shared_examples 'git repository routes' do
 expect(get("#{path}/gitlab-lfs/objects/#{oid}")).to route_to('repositories/lfs_storage#download', oid: oid, **params)
 expect(put("#{path}/gitlab-lfs/objects/#{oid}/456/authorize")).to route_to('repositories/lfs_storage#upload_authorize', oid: oid, size: '456', **params)
 expect(put("#{path}/gitlab-lfs/objects/#{oid}/456")).to route_to('repositories/lfs_storage#upload_finalize', oid: oid, size: '456', **params)
+ end
+end
+
+RSpec.shared_examples 'git repository routes without fallback' do
+ let(:container_path) { path.delete_suffix('.git') }
+
+ context 'requests without .git format' do
+ it 'does not redirect other requests' do
+ expect(post("#{container_path}/git-upload-pack")).not_to be_routable
+ end
+ end
+
+ it 'routes LFS endpoints for unmatched routes' do
+ oid = generate(:oid)
+
+ expect(put("#{path}/gitlab-lfs/objects/foo")).not_to be_routable
+ expect(put("#{path}/gitlab-lfs/objects/#{oid}/foo")).not_to be_routable
+ expect(put("#{path}/gitlab-lfs/objects/#{oid}/foo/authorize")).not_to be_routable
+ end
+end
+
+RSpec.shared_examples 'git repository routes with fallback' do
+ let(:container_path) { path.delete_suffix('.git') }
+
+ context 'requests without .git format' do
+ it 'does not redirect other requests' do
+ expect(post("#{container_path}/git-upload-pack")).to route_to_route_not_found
+ end
+ end
+
+ it 'routes LFS endpoints' do
+ oid = generate(:oid)
+
+ expect(put("#{path}/gitlab-lfs/objects/foo")).to route_to_route_not_found
+ expect(put("#{path}/gitlab-lfs/objects/#{oid}/foo")).to route_to_route_not_found
+ expect(put("#{path}/gitlab-lfs/objects/#{oid}/foo/authorize")).to route_to_route_not_found
+ end
+end
+
+RSpec.shared_examples 'git repository routes with fallback for git-upload-pack' do
+ let(:container_path) { path.delete_suffix('.git') }
+
+ context 'requests without .git format' do
+ it 'does not redirect other requests' do
expect(post("#{container_path}/git-upload-pack")).to route_to_route_not_found + end + end + + it 'routes LFS endpoints for unmatched routes' do + oid = generate(:oid) expect(put("#{path}/gitlab-lfs/objects/foo")).not_to be_routable expect(put("#{path}/gitlab-lfs/objects/#{oid}/foo")).not_to be_routable -- cgit v1.2.3 From b2e1abee084bfd9f96da4bcb3fa26865d7fe6b6d Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Mon, 1 Feb 2021 09:04:30 +0000 Subject: Add latest changes from gitlab-org/security/gitlab@13-8-stable-ee --- .../components/mr_widget_pipeline_container.vue | 3 ++- changelogs/unreleased/security-sanitize-target-branch.yml | 5 +++++ .../components/mr_widget_pipeline_container_spec.js | 12 ++++++++++++ 3 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 changelogs/unreleased/security-sanitize-target-branch.yml diff --git a/app/assets/javascripts/vue_merge_request_widget/components/mr_widget_pipeline_container.vue b/app/assets/javascripts/vue_merge_request_widget/components/mr_widget_pipeline_container.vue index dffe3cab904..99b55c0f9ee 100644 --- a/app/assets/javascripts/vue_merge_request_widget/components/mr_widget_pipeline_container.vue +++ b/app/assets/javascripts/vue_merge_request_widget/components/mr_widget_pipeline_container.vue @@ -1,5 +1,6 @@ ', + }, + }); + + expect(wrapper.find(MrWidgetPipeline).props().sourceBranchLink).toBe('Foo'); + }); + it('renders deployments', () => { const expectedProps = mockStore.postMergeDeployments.map((dep) => expect.objectContaining({ -- cgit v1.2.3 From 85b355c3e92a58d9ba7ae0ff3f67f8a6348da7c7 Mon Sep 17 00:00:00 2001 From: GitLab Release Tools Bot Date: Mon, 1 Feb 2021 15:06:50 +0000 Subject: Update VERSION files [ci skip] --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index c90a2e8b7db..f65295bad83 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -13.8.1 \ No newline at end of file +13.8.2 \ No newline at end of file -- cgit v1.2.3 
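Review bot: In `'git repository routes with fallback'` the LFS example is named `it 'routes LFS endpoints'`, the same description as the positive example in `'git repository routes'`, while its two sibling shared examples say `'routes LFS endpoints for unmatched routes'`; renaming it to match makes a failure attributable at a glance. The three new shared examples also repeat `let(:container_path) { path.delete_suffix('.git') }` and the `'requests without .git format'` context, differing only in the matcher applied, so a single parameterised shared example would remove the duplication. The body of the last example runs past the hunk, and its trailing lines appear to be the tail of the old `'routes LFS endpoints'` example that the diff re-attached, so the result is worth reading once in the whole file rather than in the patch.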
From 643958d42f2c8a43c6f479e13c7dea267de8f638 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Mon, 1 Feb 2021 15:10:25 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@13-8-stable-ee
---
 CHANGELOG.md | 11 +++++++++++
 GITALY_SERVER_VERSION | 2 +-
 changelogs/unreleased/security-filter-graphql-logs.yml | 5 -----
 .../unreleased/security-guest-can-read-tag-from-releases.yml | 5 -----
 changelogs/unreleased/security-sanitize-target-branch.yml | 5 -----
 changelogs/unreleased/security-ssrf-outbound-request.yml | 5 -----
 changelogs/unreleased/secutity-404-difference.yml | 5 -----
 vendor/gitignore/C++.gitignore | 0
 vendor/gitignore/Java.gitignore | 0
 9 files changed, 12 insertions(+), 26 deletions(-)
 delete mode 100644 changelogs/unreleased/security-filter-graphql-logs.yml
 delete mode 100644 changelogs/unreleased/security-guest-can-read-tag-from-releases.yml
 delete mode 100644 changelogs/unreleased/security-sanitize-target-branch.yml
 delete mode 100644 changelogs/unreleased/security-ssrf-outbound-request.yml
 delete mode 100644 changelogs/unreleased/secutity-404-difference.yml
 mode change 100644 => 100755 vendor/gitignore/C++.gitignore
 mode change 100644 => 100755 vendor/gitignore/Java.gitignore
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b1ca8236840..72177fdb5d4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,17 @@ documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
+## 13.8.2 (2021-02-01)
+
+### Security (5 changes)
+
+- Filter sensitive GraphQL variables from logs.
+- Avoid exposing release links when the user cannot read git-tag/repository.
+- Sanitize target branch on MR page.
+- Fix DNS rebinding protection bypass when allowing an IP address in Outbound Requests setting.
+- Add routes for unmatched url for not-get requests.
+
+
 ## 13.8.1 (2021-01-26)
 ### Fixed (3 changes)
diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION
index c90a2e8b7db..f65295bad83 100644
--- a/GITALY_SERVER_VERSION
+++ b/GITALY_SERVER_VERSION
@@ -1 +1 @@
-13.8.1
\ No newline at end of file
+13.8.2
\ No newline at end of file
diff --git a/changelogs/unreleased/security-filter-graphql-logs.yml b/changelogs/unreleased/security-filter-graphql-logs.yml
deleted file mode 100644
index 2c70c480289..00000000000
--- a/changelogs/unreleased/security-filter-graphql-logs.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Filter sensitive GraphQL variables from logs
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-guest-can-read-tag-from-releases.yml b/changelogs/unreleased/security-guest-can-read-tag-from-releases.yml
deleted file mode 100644
index a3b9b21d90a..00000000000
--- a/changelogs/unreleased/security-guest-can-read-tag-from-releases.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Avoid exposing release links when the user cannot read git-tag/repository
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-sanitize-target-branch.yml b/changelogs/unreleased/security-sanitize-target-branch.yml
deleted file mode 100644
index 9cf07fbfca4..00000000000
--- a/changelogs/unreleased/security-sanitize-target-branch.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Sanitize target branch on MR page
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-ssrf-outbound-request.yml b/changelogs/unreleased/security-ssrf-outbound-request.yml
deleted file mode 100644
index e67360fdbbf..00000000000
--- a/changelogs/unreleased/security-ssrf-outbound-request.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix DNS rebinding protection bypass when allowing an IP address in Outbound Requests setting
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/secutity-404-difference.yml b/changelogs/unreleased/secutity-404-difference.yml
deleted file mode 100644
index 0c09f2da9df..00000000000
--- a/changelogs/unreleased/secutity-404-difference.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add routes for unmatched url for not-get requests
-merge_request:
-author:
-type: security
diff --git a/vendor/gitignore/C++.gitignore b/vendor/gitignore/C++.gitignore
old mode 100644
new mode 100755
diff --git a/vendor/gitignore/Java.gitignore b/vendor/gitignore/Java.gitignore
old mode 100644
new mode 100755
--
cgit v1.2.3