From b9b8440df6afd24ba540343c612e522f52bea0db Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Fri, 6 Jan 2023 22:30:08 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@15-7-stable-ee

---
 app/controllers/uploads_controller.rb                |  2 ++
 app/policies/group_policy.rb                         |  9 ++++++++-
 app/policies/project_policy.rb                       | 10 ++++++++--
 app/services/error_tracking/list_projects_service.rb | 16 +++++++++++++---
 4 files changed, 31 insertions(+), 6 deletions(-)

(limited to 'app')

diff --git a/app/controllers/uploads_controller.rb b/app/controllers/uploads_controller.rb
index 09419a4589d..66f715f32af 100644
--- a/app/controllers/uploads_controller.rb
+++ b/app/controllers/uploads_controller.rb
@@ -52,6 +52,8 @@ class UploadsController < ApplicationController
       # access to itself when a secret is given.
       # For instance, user avatars are readable by anyone,
       # while temporary, user snippet uploads are not.
+      return false if !current_user && public_visibility_restricted?
+
       !secret? || can?(current_user, :update_user, model)
     when Appearance
       true
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 858c145de3f..8eea995529c 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -273,6 +273,9 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
   rule { can?(:admin_group) & resource_access_token_feature_available }.policy do
     enable :read_resource_access_tokens
     enable :destroy_resource_access_tokens
+  end
+
+  rule { can?(:admin_group) & resource_access_token_creation_allowed }.policy do
     enable :admin_setting_to_allow_project_access_token_creation
   end
 
@@ -338,12 +341,16 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
     true
   end
 
+  def resource_access_token_create_feature_available?
+    true
+  end
+
   def can_read_group_member?
     !(@subject.private? && access_level == GroupMember::NO_ACCESS)
   end
 
   def resource_access_token_creation_allowed?
-    resource_access_token_feature_available? && group.root_ancestor.namespace_settings.resource_access_token_creation_allowed?
+    resource_access_token_create_feature_available? && group.root_ancestor.namespace_settings.resource_access_token_creation_allowed?
   end
 
   def valid_dependency_proxy_deploy_token
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 2a13fafa313..fd3dbb54d57 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -157,7 +157,9 @@ class ProjectPolicy < BasePolicy
   condition(:service_desk_enabled) { @subject.service_desk_enabled? }
 
   with_scope :subject
-  condition(:resource_access_token_feature_available) { resource_access_token_feature_available? }
+  condition(:resource_access_token_feature_available) do
+    resource_access_token_feature_available?
+  end
   condition(:resource_access_token_creation_allowed) { resource_access_token_creation_allowed? }
 
   # We aren't checking `:read_issue` or `:read_merge_request` in this case
@@ -922,12 +924,16 @@ class ProjectPolicy < BasePolicy
     true
   end
 
+  def resource_access_token_create_feature_available?
+    true
+  end
+
   def resource_access_token_creation_allowed?
     group = project.group
 
     return true unless group # always enable for projects in personal namespaces
 
-    resource_access_token_feature_available? && group.root_ancestor.namespace_settings.resource_access_token_creation_allowed?
+    resource_access_token_create_feature_available? && group.root_ancestor.namespace_settings.resource_access_token_creation_allowed?
   end
 
   def project
diff --git a/app/services/error_tracking/list_projects_service.rb b/app/services/error_tracking/list_projects_service.rb
index 2f23d47029c..d52306ef805 100644
--- a/app/services/error_tracking/list_projects_service.rb
+++ b/app/services/error_tracking/list_projects_service.rb
@@ -2,6 +2,8 @@
 
 module ErrorTracking
   class ListProjectsService < ErrorTracking::BaseService
+    MASKED_TOKEN_REGEX = /\A\*+\z/.freeze
+
     private
 
     def perform
@@ -20,23 +22,31 @@ module ErrorTracking
 
     def project_error_tracking_setting
       (super || project.build_error_tracking_setting).tap do |setting|
+        url_changed = !setting.api_url&.start_with?(params[:api_host])
+
         setting.api_url = ErrorTracking::ProjectErrorTrackingSetting.build_api_url_from(
           api_host: params[:api_host],
           organization_slug: 'org',
           project_slug: 'proj'
         )
 
-        setting.token = token(setting)
+        setting.token = token(setting, url_changed)
         setting.enabled = true
       end
     end
     strong_memoize_attr :project_error_tracking_setting
 
-    def token(setting)
+    def token(setting, url_changed)
+      return if url_changed && masked_token?
+
       # Use param token if not masked, otherwise use database token
-      return params[:token] unless /\A\*+\z/.match?(params[:token])
+      return params[:token] unless masked_token?
 
       setting.token
     end
+
+    def masked_token?
+      MASKED_TOKEN_REGEX.match?(params[:token])
+    end
   end
 end
-- 
cgit v1.2.3