From e11efedcfcd80b2d55a1bdd17b317cef82ce0a0e Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Mon, 30 Oct 2023 13:00:33 +0000 Subject: Add latest changes from gitlab-org/security/gitlab@16-5-stable-ee --- app/mailers/emails/service_desk.rb | 6 +++- lib/gitlab/import_export/command_line_util.rb | 2 +- .../import_export/project/relation_factory.rb | 2 ++ lib/gitlab/search/abuse_detection.rb | 32 ++++++++++++++++++++-- lib/gitlab/search/params.rb | 2 +- .../gitlab/import_export/command_line_util_spec.rb | 16 +++++++++++ spec/lib/gitlab/search/abuse_detection_spec.rb | 28 +++++++++++-------- spec/lib/gitlab/search/params_spec.rb | 18 ++++++++++-- spec/mailers/emails/service_desk_spec.rb | 22 +++++++++++++++ 9 files changed, 107 insertions(+), 21 deletions(-) diff --git a/app/mailers/emails/service_desk.rb b/app/mailers/emails/service_desk.rb index 9f3611df2cc..f6595a91bee 100644 --- a/app/mailers/emails/service_desk.rb +++ b/app/mailers/emails/service_desk.rb @@ -211,7 +211,11 @@ module Emails end def issue_description - @issue.description_html.to_s + return '' if @issue.description_html.blank? + + # Remove references etc. from description HTML because external participants + # are no regular users and don't have permission to access them. + ::Banzai::Renderer.post_process(@issue.description_html, {}) end def subject_base diff --git a/lib/gitlab/import_export/command_line_util.rb b/lib/gitlab/import_export/command_line_util.rb index dfe0815f0a0..ea91b01afdb 100644 --- a/lib/gitlab/import_export/command_line_util.rb +++ b/lib/gitlab/import_export/command_line_util.rb @@ -141,7 +141,7 @@ module Gitlab raise HardLinkError, 'File shares hard link' if Gitlab::Utils::FileInfo.shares_hard_link?(filepath) - FileUtils.rm(filepath) if Gitlab::Utils::FileInfo.linked?(filepath) + FileUtils.rm(filepath) if Gitlab::Utils::FileInfo.linked?(filepath) || File.pipe?(filepath) end true 
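Review bot: `issue_description` hands `::Banzai::Renderer.post_process` an empty context, and nothing in the method says that the missing `current_user` is the mechanism that makes reference redaction treat the external participant as an anonymous reader rather than an oversight. Extend the existing comment with `# The empty context is deliberate: with no current_user, post-processing redacts references the participant cannot read.` If any post-process filter also needs a `project` key to resolve project-relative references, an empty context changes what gets redacted versus left as text — worth confirming against the filters this renderer runs, which I cannot see from the hunk.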
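Review bot: The added `File.pipe?` branch on the `FileUtils.rm` line removes named pipes and nothing else, so a Unix socket or device node that survives extraction still passes this check, because the guard is a deny-list of file types rather than a rule that only regular files and directories may remain. Inverting it closes the whole class at once: `FileUtils.rm(filepath) if Gitlab::Utils::FileInfo.linked?(filepath) || !(File.file?(filepath) || File.directory?(filepath))` — `linked?` still runs first, so symlinks are handled before `File.file?` would follow them. Whether the tar options this class uses can materialise sockets or device nodes at all is not visible here, so treat this as defence in depth. The enclosing method begins outside the hunk.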
diff --git a/lib/gitlab/import_export/project/relation_factory.rb b/lib/gitlab/import_export/project/relation_factory.rb index 943c997a056..8e34a6d73ba 100644 --- a/lib/gitlab/import_export/project/relation_factory.rb +++ b/lib/gitlab/import_export/project/relation_factory.rb @@ -81,6 +81,8 @@ module Gitlab private + attr_reader :relation_hash, :user + def invalid_relation? # Do not create relation if it is a legacy trigger legacy_trigger? diff --git a/lib/gitlab/search/abuse_detection.rb b/lib/gitlab/search/abuse_detection.rb index 1e4169f3fd7..1fd7c6cfe8d 100644 --- a/lib/gitlab/search/abuse_detection.rb +++ b/lib/gitlab/search/abuse_detection.rb @@ -6,6 +6,7 @@ module Gitlab include ActiveModel::Validations include AbuseValidators + MAX_PIPE_SYNTAX_FILTERS = 5 ABUSIVE_TERM_SIZE = 100 ALLOWED_CHARS_REGEX = %r{\A[[:alnum:]_\-\/\.!]+\z} @@ -57,10 +58,18 @@ module Gitlab validates :query_string, :repository_ref, :project_ref, no_abusive_coercion_from_string: true - attr_reader(*READABLE_PARAMS) + validate :no_abusive_pipes, if: :detect_abusive_pipes - def initialize(params) - READABLE_PARAMS.each { |p| instance_variable_set("@#{p}", params[p]) } + attr_reader(*READABLE_PARAMS) + attr_reader :raw_params, :detect_abusive_pipes + + def initialize(params, detect_abusive_pipes: true) + @raw_params = {} + READABLE_PARAMS.each do |p| + instance_variable_set("@#{p}", params[p]) + @raw_params[p] = params[p] + end + @detect_abusive_pipes = detect_abusive_pipes end private 
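Review bot: The new `detect_abusive_pipes:` keyword and the `@raw_params` copy in `initialize` exist only to support the per-segment validators that `no_abusive_pipes` spawns, but nothing at the signature says so, and a reader sees the params duplicated into a hash the attr_readers already expose. Add above `def initialize` a comment such as `# detect_abusive_pipes: false is passed by #no_abusive_pipes to the validator it builds per pipe segment, so validation does not recurse; raw_params keeps the original values so that validator sees the remaining params unchanged.` Since `validate ..., if: :detect_abusive_pipes` resolves the symbol through `send`, the `attr_reader :raw_params, :detect_abusive_pipes` line could also sit under the `private` marker that follows it rather than widening the public surface.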
@@ -76,6 +85,23 @@ module Gitlab def stop_word_search? STOP_WORDS.include? query_string end + + def no_abusive_pipes + pipes = query_string.to_s.split('|') + errors.add(:query_string, 'too many pipe syntax filters') if pipes.length > MAX_PIPE_SYNTAX_FILTERS + + pipes.each do |q| + self.class.new(raw_params.merge(query_string: q), detect_abusive_pipes: false).tap do |p| + p.validate + + p.errors.messages_for(:query_string).each do |msg| + next if errors.added?(:query_string, msg) + + errors.add(:query_string, msg) + end + end + end + end end end end diff --git a/lib/gitlab/search/params.rb b/lib/gitlab/search/params.rb index 6eb24a92be6..a7896b7d80d 100644 --- a/lib/gitlab/search/params.rb +++ b/lib/gitlab/search/params.rb @@ -81,7 +81,7 @@ module Gitlab end def search_terms - @search_terms ||= query_string.split.select { |word| word.length >= MIN_TERM_LENGTH } + @search_terms ||= query_string.split end def not_too_many_terms diff --git a/spec/lib/gitlab/import_export/command_line_util_spec.rb b/spec/lib/gitlab/import_export/command_line_util_spec.rb index 76a35d07c7f..42c3b170e4d 100644 --- a/spec/lib/gitlab/import_export/command_line_util_spec.rb +++ b/spec/lib/gitlab/import_export/command_line_util_spec.rb 
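Review bot: `no_abusive_pipes` records the 'too many pipe syntax filters' error and then still builds and validates a fresh `AbuseDetection` for every segment, so `MAX_PIPE_SYNTAX_FILTERS` does not bound the work an over-long pipe query triggers; the guard that is meant to stop amplification does the amplifying. Stop once the count check fails: `return errors.add(:query_string, 'too many pipe syntax filters') if pipes.length > MAX_PIPE_SYNTAX_FILTERS`. The spec row with `MAX_PIPE_SYNTAX_FILTERS + 1` copies of `'apples'` expects only that one message, so it passes either way. The per-segment instance also re-runs the scope, id and ref validations on identical values while only `query_string` messages are collected — wasted but harmless, and worth a one-line comment saying the other errors are intentionally dropped.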
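Review bot: `search_terms` now returns every whitespace-separated token, so `not_too_many_terms` (the context line that follows) counts single-character words toward the limit — which the new params_spec case of `SEARCH_TERM_LIMIT + 1` copies of `'a'` relies on — but the method leaves no trace of why the `MIN_TERM_LENGTH` filter went away. Add `# Count every token, including ones shorter than MIN_TERM_LENGTH, so short words cannot push a query past the term limit unnoticed.` If `MIN_TERM_LENGTH` has no remaining use in this file it is now dead and should go with it; that is outside the hunk.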
@@ -84,6 +84,20 @@ RSpec.describe Gitlab::ImportExport::CommandLineUtil, feature_category: :importe end end + shared_examples 'deletes pipes' do |compression, decompression| + it 'deletes the pipes', :aggregate_failures do + FileUtils.touch("#{source_dir}/file.txt") + File.mkfifo("#{source_dir}/pipe") + + archive_file = File.join(archive_dir, 'file_with_pipes.tar.gz') + subject.public_send(compression, archive: archive_file, dir: source_dir) + subject.public_send(decompression, archive: archive_file, dir: target_dir) + + expect(File).to exist("#{target_dir}/file.txt") + expect(File).not_to exist("#{target_dir}/pipe") + end + end + describe '#download_or_copy_upload' do let(:upload) { instance_double(Upload, local?: local) } let(:uploader) { instance_double(ImportExportUploader, path: :path, url: :url, upload: upload) } @@ -302,6 +316,7 @@ RSpec.describe Gitlab::ImportExport::CommandLineUtil, feature_category: :importe it_behaves_like 'deletes symlinks', :tar_czf, :untar_zxf it_behaves_like 'handles shared hard links', :tar_czf, :untar_zxf + it_behaves_like 'deletes pipes', :tar_czf, :untar_zxf it 'has the right mask for project.json' do subject.untar_zxf(archive: tar_archive_fixture, dir: target_dir) @@ -321,6 +336,7 @@ RSpec.describe Gitlab::ImportExport::CommandLineUtil, feature_category: :importe it_behaves_like 'deletes symlinks', :tar_cf, :untar_xf it_behaves_like 'handles shared hard links', :tar_cf, :untar_xf + it_behaves_like 'deletes pipes', :tar_czf, :untar_zxf it 'extracts archive without decompression' do filename = 'archive.tar.gz' diff --git a/spec/lib/gitlab/search/abuse_detection_spec.rb b/spec/lib/gitlab/search/abuse_detection_spec.rb index f9a1d0211b9..cbf20614ba5 100644 --- a/spec/lib/gitlab/search/abuse_detection_spec.rb +++ b/spec/lib/gitlab/search/abuse_detection_spec.rb 
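Review bot: The second `it_behaves_like 'deletes pipes'` (the `@@ -321` hunk) passes `:tar_czf, :untar_zxf`, while its neighbours in that block use `:tar_cf, :untar_xf`, so the uncompressed pair is never exercised against a pipe and the compressed case simply runs twice. Change it to `it_behaves_like 'deletes pipes', :tar_cf, :untar_xf`. The `@@ -302` hunk already covers the `tar_czf`/`untar_zxf` variant.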
@@ -10,12 +10,12 @@ RSpec.describe Gitlab::Search::AbuseDetection, feature_category: :global_search describe 'abusive scopes validation' do it 'allows only approved scopes' do described_class::ALLOWED_SCOPES.each do |scope| - expect(described_class.new(scope: scope)).to be_valid + expect(described_class.new({ scope: scope })).to be_valid end end it 'disallows anything not approved' do - expect(described_class.new(scope: 'nope')).not_to be_valid + expect(described_class.new({ scope: 'nope' })).not_to be_valid end end @@ -55,14 +55,14 @@ RSpec.describe Gitlab::Search::AbuseDetection, feature_category: :global_search it 'considers non Integers to be invalid' do [:project_id, :group_id].each do |param| [[1, 2, 3], 'xyz', 3.14, { foo: :bar }].each do |dtype| - expect(described_class.new(param => dtype)).not_to be_valid + expect(described_class.new({ param => dtype })).not_to be_valid end end end it 'considers Integers to be valid' do [:project_id, :group_id].each do |param| - expect(described_class.new(param => 123)).to be_valid + expect(described_class.new({ param => 123 })).to be_valid end end end @@ -70,7 +70,7 @@ RSpec.describe Gitlab::Search::AbuseDetection, feature_category: :global_search describe 'query_string validation' do using ::RSpec::Parameterized::TableSyntax - subject { described_class.new(query_string: search) } + subject { described_class.new({ query_string: search }) } let(:validation_errors) do subject.validate 
@@ -82,11 +82,15 @@ RSpec.describe Gitlab::Search::AbuseDetection, feature_category: :global_search word | { query_string: ['stopword only abusive search detected'] } end - 'x' | { query_string: ['abusive tiny search detected'] } - ('x' * described_class::ABUSIVE_TERM_SIZE) | { query_string: ['abusive term length detected'] } - '' | {} - '*' | {} - 'ruby' | {} + (['apples'] * (described_class::MAX_PIPE_SYNTAX_FILTERS + 1)).join('|') | { query_string: ['too many pipe syntax filters'] } # rubocop:disable Layout/LineLength + (['apples'] * described_class::MAX_PIPE_SYNTAX_FILTERS).join('|') | {} + 'x' | { query_string: ['abusive tiny search detected'] } + 'apples|x' | { query_string: ['abusive tiny search detected'] } + ('x' * described_class::ABUSIVE_TERM_SIZE) | { query_string: ['abusive term length detected'] } + "apples|#{'x' * described_class::ABUSIVE_TERM_SIZE}" | { query_string: ['abusive term length detected'] } + '' | {} + '*' | {} + 'ruby' | {} end with_them do @@ -100,14 +104,14 @@ RSpec.describe Gitlab::Search::AbuseDetection, feature_category: :global_search it 'considers anything not a String invalid' do [:query_string, :scope, :repository_ref, :project_ref].each do |param| [[1, 2, 3], 123, 3.14, { foo: :bar }].each do |dtype| - expect(described_class.new(param => dtype)).not_to be_valid + expect(described_class.new({ param => dtype })).not_to be_valid end end end it 'considers Strings to be valid' do [:query_string, :repository_ref, :project_ref].each do |param| - expect(described_class.new(param => "foo")).to be_valid + expect(described_class.new({ param => "foo" })).to be_valid end end end diff --git a/spec/lib/gitlab/search/params_spec.rb b/spec/lib/gitlab/search/params_spec.rb index 3235a0b2126..3c64082aeeb 100644 --- a/spec/lib/gitlab/search/params_spec.rb +++ b/spec/lib/gitlab/search/params_spec.rb 
@@ -17,7 +17,7 @@ RSpec.describe Gitlab::Search::Params, feature_category: :global_search do end it 'uses AbuseDetection by default' do - expect(Gitlab::Search::AbuseDetection).to receive(:new).and_call_original + expect(Gitlab::Search::AbuseDetection).to receive(:new).at_least(:once).and_call_original described_class.new(params) end end @@ -73,9 +73,21 @@ RSpec.describe Gitlab::Search::Params, feature_category: :global_search do end it 'validates AbuseDetector on validation' do - expect(Gitlab::Search::AbuseDetection).to receive(:new).and_call_original + expect(Gitlab::Search::AbuseDetection).to receive(:new).at_least(:once).and_call_original subject.validate end + + context 'when query has too many terms' do + let(:search) { Array.new((::Gitlab::Search::Params::SEARCH_TERM_LIMIT + 1), 'a').join(' ') } + + it { is_expected.not_to be_valid } + end + + context 'when query is too long' do + let(:search) { 'a' * (::Gitlab::Search::Params::SEARCH_CHAR_LIMIT + 1) } + + it { is_expected.not_to be_valid } + end end describe '#valid?' do @@ -89,7 +101,7 @@ RSpec.describe Gitlab::Search::Params, feature_category: :global_search do end it 'validates AbuseDetector on validation' do - expect(Gitlab::Search::AbuseDetection).to receive(:new).and_call_original + expect(Gitlab::Search::AbuseDetection).to receive(:new).at_least(:once).and_call_original subject.valid? end end diff --git a/spec/mailers/emails/service_desk_spec.rb b/spec/mailers/emails/service_desk_spec.rb index e3fe36237df..b700819ed2c 100644 --- a/spec/mailers/emails/service_desk_spec.rb +++ b/spec/mailers/emails/service_desk_spec.rb @@ -263,6 +263,28 @@ RSpec.describe Emails::ServiceDesk, feature_category: :service_desk do let(:expected_template_html) { "

thank you, your new issue has been created.

#{issue.description_html}" } it_behaves_like 'a service desk notification email with template content', 'thank_you' + + context 'when GitLab-specific-reference is in description' do + let(:full_issue_reference) { "#{issue.project.full_path}#{issue.to_reference}" } + let(:other_issue) { create(:issue, project: project, description: full_issue_reference) } + + let(:template_content) { '%{ISSUE_DESCRIPTION}' } + let(:expected_template_html) { "

#{full_issue_reference}

" } + + subject { ServiceEmailClass.service_desk_thank_you_email(other_issue.id) } + + before do + expect(Gitlab::Template::ServiceDeskTemplate).to receive(:find) + .with('thank_you', other_issue.project) + .and_return(template) + + other_issue.issue_email_participants.create!(email: email) + end + + it 'does not render GitLab-specific-reference links with title attribute' do + is_expected.to have_body_text(expected_template_html) + end + end end context 'when issue url placeholder is used' do -- cgit v1.2.3 From fce23e13968a87a1e2de96a6e945166c372736f4 Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Mon, 30 Oct 2023 13:00:37 +0000 Subject: Add latest changes from gitlab-org/security/gitlab@16-5-stable-ee --- app/helpers/version_check_helper.rb | 4 +- .../authenticating-with-hashicorp-vault/index.md | 52 +++++++++++----------- doc/ci/secrets/id_token_authentication.md | 52 +++++++++++----------- lib/gitlab/ci/jwt.rb | 3 +- spec/helpers/version_check_helper_spec.rb | 52 ++++++++++++---------- spec/lib/gitlab/ci/jwt_spec.rb | 19 +++++++- 6 files changed, 106 insertions(+), 76 deletions(-) diff --git a/app/helpers/version_check_helper.rb b/app/helpers/version_check_helper.rb index 45a4b292eb5..895155e00d1 100644 --- a/app/helpers/version_check_helper.rb +++ b/app/helpers/version_check_helper.rb @@ -10,12 +10,14 @@ module VersionCheckHelper end def gitlab_version_check + return unless show_version_check? + VersionCheck.new.response end strong_memoize_attr :gitlab_version_check def show_security_patch_upgrade_alert? - return false unless show_version_check? && gitlab_version_check + return false unless gitlab_version_check Gitlab::Utils.to_boolean(gitlab_version_check['critical_vulnerability']) end diff --git a/doc/ci/examples/authenticating-with-hashicorp-vault/index.md b/doc/ci/examples/authenticating-with-hashicorp-vault/index.md index 5f969472aad..f494ff6dffb 100644 --- a/doc/ci/examples/authenticating-with-hashicorp-vault/index.md 
+++ b/doc/ci/examples/authenticating-with-hashicorp-vault/index.md 
@@ -33,31 +33,32 @@ ID tokens are JSON Web Tokens (JWTs) used for OIDC authentication with third-par The following fields are included in the JWT: -| Field | When | Description | -|-------------------------|------------------------------|-------------| -| `jti` | Always | Unique identifier for this token | -| `iss` | Always | Issuer, the domain of your GitLab instance | -| `iat` | Always | Issued at | -| `nbf` | Always | Not valid before | -| `exp` | Always | Expires at | -| `sub` | Always | Subject (job ID) | -| `namespace_id` | Always | Use this to scope to group or user level namespace by ID | -| `namespace_path` | Always | Use this to scope to group or user level namespace by path | -| `project_id` | Always | Use this to scope to project by ID | -| `project_path` | Always | Use this to scope to project by path | -| `user_id` | Always | ID of the user executing the job | -| `user_login` | Always | Username of the user executing the job | -| `user_email` | Always | Email of the user executing the job | -| `pipeline_id` | Always | ID of this pipeline | -| `pipeline_source` | Always | [Pipeline source](../../jobs/job_control.md#common-if-clauses-for-rules) | -| `job_id` | Always | ID of this job | -| `ref` | Always | Git ref for this job | -| `ref_type` | Always | Git ref type, either `branch` or `tag` | -| `ref_path` | Always | Fully qualified ref for the job. For example, `refs/heads/main`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119075) in GitLab 16.0. 
| -| `ref_protected` | Always | `true` if this Git ref is protected, `false` otherwise | -| `environment` | Job specifies an environment | Environment this job specifies ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9) | -| `environment_protected` | Job specifies an environment | `true` if specified environment is protected, `false` otherwise ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9) | +| Field | When | Description | +|-------------------------|------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `jti` | Always | Unique identifier for this token | +| `iss` | Always | Issuer, the domain of your GitLab instance | +| `iat` | Always | Issued at | +| `nbf` | Always | Not valid before | +| `exp` | Always | Expires at | +| `sub` | Always | Subject (job ID) | +| `namespace_id` | Always | Use this to scope to group or user level namespace by ID | +| `namespace_path` | Always | Use this to scope to group or user level namespace by path | +| `project_id` | Always | Use this to scope to project by ID | +| `project_path` | Always | Use this to scope to project by path | +| `user_id` | Always | ID of the user executing the job | +| `user_login` | Always | Username of the user executing the job | +| `user_email` | Always | Email of the user executing the job | +| `pipeline_id` | Always | ID of this pipeline | +| `pipeline_source` | Always | [Pipeline source](../../jobs/job_control.md#common-if-clauses-for-rules) | +| `job_id` | Always | ID of this job | +| `ref` | Always | Git ref for this job | +| `ref_type` | Always | Git ref type, either `branch` or `tag` | +| `ref_path` | Always | Fully qualified ref for the job. For example, `refs/heads/main`. 
[Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119075) in GitLab 16.0. | +| `ref_protected` | Always | `true` if this Git ref is protected, `false` otherwise | +| `environment` | Job specifies an environment | Environment this job specifies ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9) | +| `environment_protected` | Job specifies an environment | `true` if specified environment is protected, `false` otherwise ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9) | | `deployment_tier` | Job specifies an environment | [Deployment tier](../../environments/index.md#deployment-tier-of-environments) of environment this job specifies ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/363590) in GitLab 15.2) | +| `environment_action` | Job specifies an environment | [Environment action (`environment:action`)](../../environments/index.md) specified in the job. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/) in GitLab 16.5) | Example JWT payload: @@ -84,7 +85,8 @@ Example JWT payload: "ref_path": "refs/heads/auto-deploy-2020-04-01", "ref_protected": "true", "environment": "production", - "environment_protected": "true" + "environment_protected": "true", + "environment_action": "start" } ``` diff --git a/doc/ci/secrets/id_token_authentication.md b/doc/ci/secrets/id_token_authentication.md index 62429a160d4..325972e06c2 100644 --- a/doc/ci/secrets/id_token_authentication.md +++ b/doc/ci/secrets/id_token_authentication.md 
@@ -51,32 +51,33 @@ The following standard claims are included in each ID token: The token also includes custom claims provided by GitLab: -| Field | When | Description | -|-------------------------|------------------------------|-------------| -| `namespace_id` | Always | Use this to scope to group or user level namespace by ID. | -| `namespace_path` | Always | Use this to scope to group or user level namespace by path. | -| `project_id` | Always | Use this to scope to project by ID. | -| `project_path` | Always | Use this to scope to project by path. | -| `user_id` | Always | ID of the user executing the job. | -| `user_login` | Always | Username of the user executing the job. | -| `user_email` | Always | Email of the user executing the job. | -| `user_identities` | User Preference setting | List of the user's external identities ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/387537) in GitLab 16.0). | -| `pipeline_id` | Always | ID of the pipeline. | -| `pipeline_source` | Always | [Pipeline source](../jobs/job_control.md#common-if-clauses-for-rules). | -| `job_id` | Always | ID of the job. | -| `ref` | Always | Git ref for the job. | -| `ref_type` | Always | Git ref type, either `branch` or `tag`. | -| `ref_path` | Always | Fully qualified ref for the job. For example, `refs/heads/main`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119075) in GitLab 16.0. | -| `ref_protected` | Always | `true` if the Git ref is protected, `false` otherwise. | -| `environment` | Job specifies an environment | Environment this job deploys to ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9). | -| `environment_protected` | Job specifies an environment | `true` if deployed environment is protected, `false` otherwise ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9). 
| -| `deployment_tier` | Job specifies an environment | [Deployment tier](../environments/index.md#deployment-tier-of-environments) of the environment the job specifies. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/363590) in GitLab 15.2. | -| `runner_id` | Always | ID of the runner executing the job. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.0. | -| `runner_environment` | Always | The type of runner used by the job. Can be either `gitlab-hosted` or `self-hosted`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.0. | -| `sha` | Always | The commit SHA for the job. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.0. | +| Field | When | Description | +|-------------------------|------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `namespace_id` | Always | Use this to scope to group or user level namespace by ID. | +| `namespace_path` | Always | Use this to scope to group or user level namespace by path. | +| `project_id` | Always | Use this to scope to project by ID. | +| `project_path` | Always | Use this to scope to project by path. | +| `user_id` | Always | ID of the user executing the job. | +| `user_login` | Always | Username of the user executing the job. | +| `user_email` | Always | Email of the user executing the job. | +| `user_identities` | User Preference setting | List of the user's external identities ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/387537) in GitLab 16.0). | +| `pipeline_id` | Always | ID of the pipeline. | +| `pipeline_source` | Always | [Pipeline source](../jobs/job_control.md#common-if-clauses-for-rules). 
| +| `job_id` | Always | ID of the job. | +| `ref` | Always | Git ref for the job. | +| `ref_type` | Always | Git ref type, either `branch` or `tag`. | +| `ref_path` | Always | Fully qualified ref for the job. For example, `refs/heads/main`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119075) in GitLab 16.0. | +| `ref_protected` | Always | `true` if the Git ref is protected, `false` otherwise. | +| `environment` | Job specifies an environment | Environment this job deploys to ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9). | +| `environment_protected` | Job specifies an environment | `true` if deployed environment is protected, `false` otherwise ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9). | +| `deployment_tier` | Job specifies an environment | [Deployment tier](../environments/index.md#deployment-tier-of-environments) of the environment the job specifies. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/363590) in GitLab 15.2. | +| `environment_action` | Job specifies an environment | [Environment action (`environment:action`)](../environments/index.md) specified in the job. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/) in GitLab 16.5) | +| `runner_id` | Always | ID of the runner executing the job. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.0. | +| `runner_environment` | Always | The type of runner used by the job. Can be either `gitlab-hosted` or `self-hosted`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.0. | +| `sha` | Always | The commit SHA for the job. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.0. | | `ci_config_ref_uri` | Always | The ref path to the top-level pipeline definition, for example, `gitlab.example.com/my-group/my-project//.gitlab-ci.yml@refs/heads/main`. 
[Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.2. This claim is `null` unless the pipeline definition is located in the same project. | -| `ci_config_sha` | Always | Git commit SHA for the `ci_config_ref_uri`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.2. This claim is `null` unless the pipeline definition is located in the same project. | -| `project_visibility` | Always | The [visibility](../../user/public_access.md) of the project where the pipeline is running. Can be `internal`, `private`, or `public`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/418810) in GitLab 16.3. | +| `ci_config_sha` | Always | Git commit SHA for the `ci_config_ref_uri`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.2. This claim is `null` unless the pipeline definition is located in the same project. | +| `project_visibility` | Always | The [visibility](../../user/public_access.md) of the project where the pipeline is running. Can be `internal`, `private`, or `public`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/418810) in GitLab 16.3. | ```json { @@ -101,6 +102,7 @@ The token also includes custom claims provided by GitLab: "environment": "test-environment2", "environment_protected": "false", "deployment_tier": "testing", + "environment_action": "start", "runner_id": 1, "runner_environment": "self-hosted", "sha": "714a629c0b401fdce83e847fc9589983fc6f46bc", diff --git a/lib/gitlab/ci/jwt.rb b/lib/gitlab/ci/jwt.rb index 4ba7b4cc6e1..3d63ec6dfb7 100644 --- a/lib/gitlab/ci/jwt.rb +++ b/lib/gitlab/ci/jwt.rb @@ -71,7 +71,8 @@ module Gitlab fields.merge!( environment: environment.name, environment_protected: environment_protected?.to_s, - deployment_tier: build.environment_tier + deployment_tier: build.environment_tier, + environment_action: build.environment_action ) end 
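Review bot: `environment_action: build.environment_action` is merged into the claims as-is, while the neighbouring `environment_protected` claim is explicitly stringified, so if `build.environment_action` can be `nil` the token carries a `null` claim instead of a string and consumers matching on it see an inconsistent type. The spec only shows `'start'` and `'prepare'`, both set through `build.options[:environment]`, so either document the guarantee with `# environment_action is the job's declared environment:action keyword; always a String` once confirmed, or omit the key when it is nil. The enclosing method starts outside the hunk.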
diff --git a/spec/helpers/version_check_helper_spec.rb b/spec/helpers/version_check_helper_spec.rb
index ce5aade2b1c..9c697dbe21e 100644
--- a/spec/helpers/version_check_helper_spec.rb
+++ b/spec/helpers/version_check_helper_spec.rb
@@ -38,43 +38,49 @@ RSpec.describe VersionCheckHelper do end describe '#gitlab_version_check' do + let(:show_version_check) { false } + before do - allow_next_instance_of(VersionCheck) do |instance| - allow(instance).to receive(:response).and_return({ "severity" => "success" }) - end + allow(helper).to receive(:show_version_check?).and_return(show_version_check) end - it 'returns an instance of the VersionCheck class' do - expect(helper.gitlab_version_check).to eq({ "severity" => "success" }) + it 'when show_version_check? is false it returns nil' do + expect(helper.gitlab_version_check).to be nil + end + + context 'when show_version_check? is true' do + let(:show_version_check) { true } + + before do + allow_next_instance_of(VersionCheck) do |instance| + allow(instance).to receive(:response).and_return({ "severity" => "success" }) + end + end + + it 'returns an instance of the VersionCheck class if the user has access' do + expect(helper.gitlab_version_check).to eq({ "severity" => "success" }) + end end end describe '#show_security_patch_upgrade_alert?' 
do describe 'return conditions' do - where(:show_version_check, :gitlab_version_check, :result) do + where(:gitlab_version_check, :result) do [ - [false, nil, false], - [false, { "severity" => "success" }, false], - [false, { "severity" => "danger" }, false], - [false, { "severity" => "danger", "critical_vulnerability" => 'some text' }, false], - [false, { "severity" => "danger", "critical_vulnerability" => 'false' }, false], - [false, { "severity" => "danger", "critical_vulnerability" => false }, false], - [false, { "severity" => "danger", "critical_vulnerability" => 'true' }, false], - [false, { "severity" => "danger", "critical_vulnerability" => true }, false], - [true, nil, false], - [true, { "severity" => "success" }, nil], - [true, { "severity" => "danger" }, nil], - [true, { "severity" => "danger", "critical_vulnerability" => 'some text' }, nil], - [true, { "severity" => "danger", "critical_vulnerability" => 'false' }, false], - [true, { "severity" => "danger", "critical_vulnerability" => false }, false], - [true, { "severity" => "danger", "critical_vulnerability" => 'true' }, true], - [true, { "severity" => "danger", "critical_vulnerability" => true }, true] + [nil, false], + [{}, nil], + [{ "severity" => "success" }, nil], + [{ "severity" => "danger" }, nil], + [{ "severity" => "danger", "critical_vulnerability" => 'some text' }, nil], + [{ "severity" => "danger", "critical_vulnerability" => 'false' }, false], + [{ "severity" => "danger", "critical_vulnerability" => false }, false], + [{ "severity" => "danger", "critical_vulnerability" => 'true' }, true], + [{ "severity" => "danger", "critical_vulnerability" => true }, true] ] end with_them do before do - allow(helper).to receive(:show_version_check?).and_return(show_version_check) allow(helper).to receive(:gitlab_version_check).and_return(gitlab_version_check) end diff --git a/spec/lib/gitlab/ci/jwt_spec.rb b/spec/lib/gitlab/ci/jwt_spec.rb index a6de5b9879c..f0b203961b4 100644 
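Review bot: The example `it 'when show_version_check? is false it returns nil'` folds the condition into the example title, while the sibling case is wrapped in `context 'when show_version_check? is true'`; for symmetry wrap it as `context 'when show_version_check? is false' do` with `it 'returns nil' do` inside. The `let(:show_version_check) { false }` default can stay at the describe level as it is.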
--- a/spec/lib/gitlab/ci/jwt_spec.rb +++ b/spec/lib/gitlab/ci/jwt_spec.rb @@ -49,6 +49,7 @@ RSpec.describe Gitlab::Ci::Jwt do expect(payload[:environment]).to be_nil expect(payload[:environment_protected]).to be_nil expect(payload[:deployment_tier]).to be_nil + expect(payload[:environment_action]).to be_nil end end @@ -109,7 +110,10 @@ RSpec.describe Gitlab::Ci::Jwt do project: project, user: user, pipeline: pipeline, - environment: environment.name + environment: { + name: environment.name, + action: 'start' + } ) end @@ -121,6 +125,7 @@ RSpec.describe Gitlab::Ci::Jwt do expect(payload[:environment]).to eq('production') expect(payload[:environment_protected]).to eq('false') expect(payload[:deployment_tier]).to eq('production') + expect(payload[:environment_action]).to eq('start') end describe 'deployment_tier' do @@ -134,6 +139,18 @@ RSpec.describe Gitlab::Ci::Jwt do end end end + + describe 'environment_action' do + context 'when build options specifies a different environment_action' do + before do + build.options[:environment] = { name: environment.name, action: 'prepare' } + end + + it 'uses environment_action from build options' do + expect(payload[:environment_action]).to eq('prepare') + end + end + end end end -- cgit v1.2.3 From a114562fb6b3b350fc08225f388234a82a2700a1 Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Mon, 30 Oct 2023 13:01:04 +0000 Subject: Add latest changes from gitlab-org/security/gitlab@16-5-stable-ee --- lib/gitlab/ci/components/instance_path.rb | 10 +++++++++- spec/lib/gitlab/ci/components/instance_path_spec.rb | 14 ++++++++++++++ 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/lib/gitlab/ci/components/instance_path.rb b/lib/gitlab/ci/components/instance_path.rb index 551284d9099..df2b2a14fc6 100644 --- a/lib/gitlab/ci/components/instance_path.rb +++ b/lib/gitlab/ci/components/instance_path.rb 
@@ -5,6 +5,7 @@ module Gitlab
 module Components
 class InstancePath
 include Gitlab::Utils::StrongMemoize
+ include ::Gitlab::LoopHelpers
 LATEST_VERSION_KEYWORD = '~latest'
@@ -49,11 +50,18 @@ module Gitlab
 # Given a path like "my-org/sub-group/the-project/path/to/component"
 # find the project "my-org/sub-group/the-project" by looking at all possible paths.
 def find_project_by_component_path(path)
+ return if path.start_with?('/') # exit early if path starts with `/` or it will loop forever.
+
 possible_paths = [path]
+ index = nil
+
+ loop_until(limit: 20) do
+ index = path.rindex('/') # find index of last `/` in a path
+ break unless index
- while index = path.rindex('/') # find index of last `/` in a path
 possible_paths << (path = path[0..index - 1])
 end
+
 # remove shortest path as it is group
 possible_paths.pop
diff --git a/spec/lib/gitlab/ci/components/instance_path_spec.rb b/spec/lib/gitlab/ci/components/instance_path_spec.rb
index 0bdcfcfd546..4ba963b54b5 100644
--- a/spec/lib/gitlab/ci/components/instance_path_spec.rb
+++ b/spec/lib/gitlab/ci/components/instance_path_spec.rb
@@ -84,6 +84,20 @@ RSpec.describe Gitlab::Ci::Components::InstancePath, feature_category: :pipeline
 end
 end
+ shared_examples 'prevents infinite loop' do |prefix|
+ context "when the project path starts with '#{prefix}'" do
+ let(:project_path) { "#{prefix}#{project.full_path}" }
+
+ it 'returns nil' do
+ result = path.fetch_content!(current_user: user)
+ expect(result).to be_nil
+ end
+ end
+ end
+
+ it_behaves_like 'prevents infinite loop', '/'
+ it_behaves_like 'prevents infinite loop', '//'
+
 context 'when fetching the latest version of a component' do
 let_it_be(:project) do
 create(
-- cgit v1.2.3
From d6f477ebff09c660f75d555df53ac14627d0e6b5 Mon Sep 17 00:00:00 2001
From: GitLab Release Tools Bot
Date: Mon, 30 Oct 2023 16:28:57 +0000
Subject: Update VERSION files [ci skip]
---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
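Review bot: The comment on the new `return if path.start_with?('/')` says the loop "will loop forever", which is no longer the failure mode now that `loop_until(limit: 20)` bounds it; the actual hazard is that `rindex('/')` returns 0 for a leading slash, so `path[0..index - 1]` evaluates to `path[0..-1]` — the whole string — and the path never shrinks. I would state that mechanism instead: `return if path.start_with?('/') # rindex is 0 here, so path[0..-1] is the whole string and never shrinks`. Separately, the fixed limit of 20 silently caps how many prefixes are collected: if `loop_until` simply stops when the limit is reached rather than raising (its behaviour is not visible in this diff), a component path with more than 20 segments leaves `possible_paths` incomplete and the `possible_paths.pop` below then discards a genuine candidate rather than the group, so the project lookup would miss; rejecting over-deep paths up front, e.g. `return if path.count('/') > 20`, would make that outcome explicit. `find_project_by_component_path` continues past the end of the hunk.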
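Review bot: The shared example only exercises the leading-slash guard ('/' and '//'); nothing in this spec covers the `loop_until(limit: 20)` bound added in the same commit, so a change in how hitting the limit is handled (truncating the candidate list versus raising) would go unnoticed. I would add a case whose path has more segments than the limit, e.g. `let(:project_path) { (['a'] * 25).join('/') }`, and assert the intended outcome once it is decided — `project_path` appears to be combined into the component address outside this hunk, so confirm the depth actually reaches `find_project_by_component_path`. The enclosing `RSpec.describe` begins and ends outside the hunk.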
diff --git a/VERSION b/VERSION
index d9617ea1b40..075be6e2959 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-16.5.0
\ No newline at end of file
+16.5.1
\ No newline at end of file
-- cgit v1.2.3
From d59d7a49a1fce89fab761783c6aa2d42447296b6 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Mon, 30 Oct 2023 16:33:01 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@16-5-stable-ee
---
 CHANGELOG.md | 20 ++++++++++++++++++++
 GITALY_SERVER_VERSION | 2 +-
 GITLAB_PAGES_VERSION | 2 +-
 3 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 534f9832a03..49a48bc27e7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,26 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
+## 16.5.1 (2023-10-30)
+
+### Fixed (1 change)
+
+- [Revert "Merge branch '419642-better-error-messages-for-pull-mirroring' into 'master'"](gitlab-org/security/gitlab@08ae4b9d3814a05631d9b486fea1d4353a702a7d) by @Taucher2003
+
+### Security (7 changes)
+
+- [Fix infinite loop when finding component project](gitlab-org/security/gitlab@9f9f87376e23c3f7aab74348c47f7401ac2d78ee) ([merge request](gitlab-org/security/gitlab!3665))
+- [Guard gitlab_version_check helper](gitlab-org/security/gitlab@35c8592afc0225653677a00c545043eb7212a6d4) ([merge request](gitlab-org/security/gitlab!3652))
+- [Add the environment action to the CI JWT token fields](gitlab-org/security/gitlab@cdfcea2200b0a18b9972ffd2acd9630089022f8e) ([merge request](gitlab-org/security/gitlab!3648))
+- [Remove FIFO files from tarball extract](gitlab-org/security/gitlab@c284870b8f1ffcc9697ea34c8bd3b7314040e39c) ([merge request](gitlab-org/security/gitlab!3644))
+- [Backport add abuse detection for pipes](gitlab-org/security/gitlab@1720c5ba557946e5805719deaaf0b9834f1a91d6) ([merge request](gitlab-org/security/gitlab!3647))
+- [Prevent unprivileged user assignment in templated projects](gitlab-org/security/gitlab@b74af1395876a4ffb32f692f090b268815e75afd) ([merge request](gitlab-org/security/gitlab!3645))
+- [Fixes Service Desk email template issue description privileges](gitlab-org/security/gitlab@097a300ac6144f0b80dfa3bc4aea73410ef74cb1) ([merge request](gitlab-org/security/gitlab!3641))
+
+### Other (1 change)
+
+- [Update migration to drop column only if it exists](gitlab-org/security/gitlab@36bcb0e41d37aa92457f60ee1016bd32003da2f6)
+
 ## 16.5.0 (2023-10-20)
 ### Added (140 changes)
diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION
index d9617ea1b40..075be6e2959 100644
--- a/GITALY_SERVER_VERSION
+++ b/GITALY_SERVER_VERSION
@@ -1 +1 @@
-16.5.0
\ No newline at end of file
+16.5.1
\ No newline at end of file
diff --git a/GITLAB_PAGES_VERSION b/GITLAB_PAGES_VERSION
index d9617ea1b40..075be6e2959 100644
--- a/GITLAB_PAGES_VERSION
+++ b/GITLAB_PAGES_VERSION
@@ -1 +1 @@
-16.5.0
\ No newline at end of file
+16.5.1
\ No newline at end of file
-- cgit v1.2.3