From 4040bf18047afc899eb59e93f229f342ab7a11cf Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Mon, 27 Apr 2020 15:28:44 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@12-9-stable-ee

---
 .../oauth/authorized_applications_controller.rb | 7 +++++++
 .../security-file-template-project-12-9.yml | 5 +++++
 .../unreleased/security-fix-CVE-2020-10187.yml | 5 +++++
 .../unreleased/security-fix-es-credentials-leak.yml | 5 +++++
 config/application.rb | 1 +
 .../authorized_applications_controller_spec.rb | 21 +++++++++++++++++++++
 vendor/gitignore/C++.gitignore | 0
 vendor/gitignore/Java.gitignore | 0
 8 files changed, 44 insertions(+)
 create mode 100644 changelogs/unreleased/security-file-template-project-12-9.yml
 create mode 100644 changelogs/unreleased/security-fix-CVE-2020-10187.yml
 create mode 100644 changelogs/unreleased/security-fix-es-credentials-leak.yml
 create mode 100644 spec/controllers/oauth/authorized_applications_controller_spec.rb
 mode change 100644 => 100755 vendor/gitignore/C++.gitignore
 mode change 100644 => 100755 vendor/gitignore/Java.gitignore

diff --git a/app/controllers/oauth/authorized_applications_controller.rb b/app/controllers/oauth/authorized_applications_controller.rb
index 9cfa57c53a5..addec71f0bf 100644
--- a/app/controllers/oauth/authorized_applications_controller.rb
+++ b/app/controllers/oauth/authorized_applications_controller.rb
@@ -5,6 +5,13 @@ class Oauth::AuthorizedApplicationsController < Doorkeeper::AuthorizedApplicatio
   layout 'profile'
 
+  def index
+    respond_to do |format|
+      format.html { render "errors/not_found", layout: "errors", status: :not_found }
+      format.json { render json: "", status: :not_found }
+    end
+  end
+
   def destroy
     if params[:token_id].present?
       current_resource_owner.oauth_authorized_tokens.find(params[:token_id]).revoke
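Review bot: The added `index` override only answers HTML and JSON; a request for any other format falls out of the `respond_to` block as `ActionController::UnknownFormat`, which Rails reports as 406 rather than 404, so the not-found behaviour the override is meant to guarantee is format-dependent. A catch-all branch, `format.any { head :not_found }`, keeps every representation at 404. The method also carries no comment explaining why a routable Doorkeeper action is being turned into a 404; the changelog in this commit names it as the fix for doorkeeper CVE-2020-10187, and a one-line note such as `# Deliberately hides Doorkeeper's index action (see the CVE-2020-10187 changelog); the authorized-applications listing is not served from here` would keep a later maintainer from "restoring" it. The hunk header claims six old-side lines but only five are visible, so the tail of `destroy` appears to be cut off at the end of the hunk.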
diff --git a/changelogs/unreleased/security-file-template-project-12-9.yml b/changelogs/unreleased/security-file-template-project-12-9.yml
new file mode 100644
index 00000000000..ca4c88f20a6
--- /dev/null
+++ b/changelogs/unreleased/security-file-template-project-12-9.yml
@@ -0,0 +1,5 @@
+---
+title: Do not return private project ID without permission
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-fix-CVE-2020-10187.yml b/changelogs/unreleased/security-fix-CVE-2020-10187.yml
new file mode 100644
index 00000000000..5510f3dc5fb
--- /dev/null
+++ b/changelogs/unreleased/security-fix-CVE-2020-10187.yml
@@ -0,0 +1,5 @@
+---
+title: Fix doorkeeper CVE-2020-10187
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-fix-es-credentials-leak.yml b/changelogs/unreleased/security-fix-es-credentials-leak.yml
new file mode 100644
index 00000000000..1278954104b
--- /dev/null
+++ b/changelogs/unreleased/security-fix-es-credentials-leak.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent ES credentials leak
+merge_request:
+author:
+type: security
diff --git a/config/application.rb b/config/application.rb
index 14e92bf5905..f739832a9f0 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -130,6 +130,7 @@ module Gitlab
       encrypted_key
       hook
       import_url
+      elasticsearch_url
       otp_attempt
       sentry_dsn
       trace
diff --git a/spec/controllers/oauth/authorized_applications_controller_spec.rb b/spec/controllers/oauth/authorized_applications_controller_spec.rb
new file mode 100644
index 00000000000..32be6a3ddb7
--- /dev/null
+++ b/spec/controllers/oauth/authorized_applications_controller_spec.rb
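Review bot: `elasticsearch_url` is added to what appears to be the request-parameter filter list (the enclosing list starts outside the hunk, so this is inferred from its neighbours `otp_attempt` and `sentry_dsn`), which masks that parameter name in request logs and nothing else: a URL carrying inline credentials is still exposed if the same value is logged under a different key, interpolated into an exception message, or written unredacted to an audit or event record. It is worth confirming that the other places this setting surfaces are covered by the same change set, since the changelog titles this "Prevent ES credentials leak". A short comment on the new entry, `# may embed basic-auth credentials in the URL`, would also document why a URL sits in a list otherwise made of secrets.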
@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Oauth::AuthorizedApplicationsController do
+  let(:user) { create(:user) }
+  let(:guest) { create(:user) }
+  let(:application) { create(:oauth_application, owner: guest) }
+
+  before do
+    sign_in(user)
+  end
+
+  describe 'GET #index' do
+    it 'responds with 404' do
+      get :index
+
+      expect(response).to have_gitlab_http_status(:not_found)
+    end
+  end
+end
diff --git a/vendor/gitignore/C++.gitignore b/vendor/gitignore/C++.gitignore
old mode 100644
new mode 100755
diff --git a/vendor/gitignore/Java.gitignore b/vendor/gitignore/Java.gitignore
old mode 100644
new mode 100755
-- 
cgit v1.2.3
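Review bot: `let(:guest)` and `let(:application)` are declared but never referenced by the single example, so the spec suggests a coverage (another user's application) it does not actually exercise; either drop them or add an example that uses them. The controller override handles JSON separately, and only the default (HTML) format is requested here; a second example, `get :index, format: :json`, with the same `have_gitlab_http_status(:not_found)` expectation would pin both branches of the new action.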