From b58dd075d32e852e6c7ab306c84945cb5d73c06a Mon Sep 17 00:00:00 2001
From: Eugenia Grieff
Date: Tue, 22 Oct 2019 16:57:55 +0100
Subject: Fix labels finder to filter issuables Use project scopes to filter project labels that are visible for user
---
lib/gitlab/search_results.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'lib')
diff --git a/lib/gitlab/search_results.rb b/lib/gitlab/search_results.rb
index 782ac534a7b..d74e64116ca 100644
--- a/lib/gitlab/search_results.rb
+++ b/lib/gitlab/search_results.rb
@@ -163,7 +163,7 @@ module Gitlab
 return Milestone.none if project_ids.nil?
 authorized_project_ids_relation =
- Project.where(id: project_ids).ids_with_milestone_available_for(current_user)
+ Project.where(id: project_ids).ids_with_issuables_available_for(current_user)
 milestones.where(project_id: authorized_project_ids_relation)
 end
-- cgit v1.2.3
From bc534868ec856410ca2664cd7fc9c7f89a48a277 Mon Sep 17 00:00:00 2001
From: Luke Duncalfe
Date: Thu, 3 Oct 2019 17:01:57 +1300
Subject: Pass all wiki markup formats through pipelines Previously, when the wiki page format was anything other than `markdown` or `asciidoc` the formatted content would be returned though a Gitaly call. Gitaly in turn would delegate formatting to the gitlab-gollum-lib gem, which in turn would delegate that to various gems (like RDoc for `rdoc`) and then apply some very liberal sanitization. It was too liberal! This change brings our wiki content formatting in line with how we format other markdown at GitLab, so we have a SSOT for sanitization. https://gitlab.com/gitlab-org/gitlab/issues/30540
---
lib/gitlab/other_markup.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'lib')
diff --git a/lib/gitlab/other_markup.rb b/lib/gitlab/other_markup.rb
index bc467486eee..0dd6b8a809c 100644
--- a/lib/gitlab/other_markup.rb
+++ b/lib/gitlab/other_markup.rb
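Review bot: The new `ids_with_issuables_available_for(current_user)` call is now the authorization boundary for which projects' milestones appear in search results, yet nothing on the line records that the scope name refers to issue/merge-request visibility rather than milestone visibility; if a project exposes milestones differently from its issuables, this filter could include or omit results, so it is worth confirming against the scope's definition. A comment above the assignment would make the intent explicit, e.g. `# Milestones are only searchable in projects whose issuables (issues/MRs) the user may see.` Note also that the commit title speaks of the labels finder while the only change under lib/ is this milestones filter. The enclosing method's `def` line is outside the hunk.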
@@ -10,7 +10,7 @@ module Gitlab
 def self.render(file_name, input, context)
 html = GitHub::Markup.render(file_name, input)
 .force_encoding(input.encoding)
- context[:pipeline] = :markup
+ context[:pipeline] ||= :markup
 html = Banzai.render(html, context)
-- cgit v1.2.3
From 1689559facc7d50130c11c8fdc496641f719ae75 Mon Sep 17 00:00:00 2001
From: charlieablett
Date: Fri, 23 Aug 2019 00:17:38 +1000
Subject: Check for recursion and fail if too recursive - List all overly-recursive fields - Reduce recursion threshold to 2 - Add test for not-recursive-enough query - Use reusable methods in tests - Add changelog - Set changeable acceptable recursion level - Add error check test helpers
---
.../graphql/query_analyzers/recursion_analyzer.rb | 58 ++++++++++++++++++++++
1 file changed, 58 insertions(+)
create mode 100644 lib/gitlab/graphql/query_analyzers/recursion_analyzer.rb
(limited to 'lib')
diff --git a/lib/gitlab/graphql/query_analyzers/recursion_analyzer.rb b/lib/gitlab/graphql/query_analyzers/recursion_analyzer.rb
new file mode 100644
index 00000000000..70d4672d079
--- /dev/null
+++ b/lib/gitlab/graphql/query_analyzers/recursion_analyzer.rb
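Review bot: Switching to `context[:pipeline] ||= :markup` lets any caller-supplied `:pipeline` win, so the sanitization this method is meant to centralise (per the commit message) now depends on whichever pipeline the caller chose, and that precondition is not written down in the hunk. A comment above the line would pin it, e.g. `# Callers may pre-set :pipeline (e.g. for wiki pages); whichever pipeline runs must still include the HTML sanitization filter, since the GitHub::Markup output is unsanitized.` Bear in mind that `||=` also replaces a deliberately `false` or `nil` value, which is presumably acceptable here. The body of `self.render` continues past the hunk.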
@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+# Recursive queries, with relatively low effort, can quickly spiral out of control exponentially
+# and may not be picked up by depth and complexity alone.
+module Gitlab
+ module Graphql
+ module QueryAnalyzers
+ class RecursionAnalyzer
+ IGNORED_FIELDS = %w(node edges ofType).freeze
+ RECURSION_THRESHOLD = 2
+
+ def initial_value(query)
+ {
+ recurring_fields: {}
+ }
+ end
+
+ def call(memo, visit_type, irep_node)
+ return memo if skip_node?(irep_node)
+
+ node_name = irep_node.ast_node.name
+ times_encountered = memo[node_name] || 0
+
+ if visit_type == :enter
+ times_encountered += 1
+ memo[:recurring_fields][node_name] = times_encountered if recursion_too_deep?(node_name, times_encountered)
+ else
+ times_encountered -= 1
+ end
+
+ memo[node_name] = times_encountered
+ memo
+ end
+
+ def final_value(memo)
+ recurring_fields = memo[:recurring_fields]
+ recurring_fields = recurring_fields.select { |k, v| recursion_too_deep?(k, v) }
+ if recurring_fields.any?
+ GraphQL::AnalysisError.new("Recursive query - too many of fields '#{recurring_fields}' detected in single branch of the query")
+ end
+ end
+
+ private
+
+ def recursion_too_deep?(node_name, times_encountered)
+ return if IGNORED_FIELDS.include?(node_name)
+
+ times_encountered > RECURSION_THRESHOLD
+ end
+
+ def skip_node?(irep_node)
+ ast_node = irep_node.ast_node
+ !ast_node.is_a?(GraphQL::Language::Nodes::Field) || ast_node.selections.empty?
+ end
+ end
+ end
+ end
+end
-- cgit v1.2.3
From c57fc849060cbfe0ff5abd3fdc2ca32adbc35790 Mon Sep 17 00:00:00 2001
From: charlieablett
Date: Wed, 28 Aug 2019 15:47:29 +1200
Subject: Allow tests to ignore recursion
---
lib/gitlab/graphql/query_analyzers/recursion_analyzer.rb | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'lib')
diff --git a/lib/gitlab/graphql/query_analyzers/recursion_analyzer.rb b/lib/gitlab/graphql/query_analyzers/recursion_analyzer.rb
index 70d4672d079..ccf9e597307 100644
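Review bot: `call` keeps the per-field depth counters in the same `memo` hash as the `:recurring_fields` entry, keyed by the field-name string, and nothing documents that `memo[node_name]` is the nesting depth of that field name along the branch currently being visited (incremented on `:enter`, decremented otherwise) rather than a total across the query; a reader can easily misread it as the latter. A comment on the `node_name = ...` line would settle it, e.g. `# memo[node_name] is the current nesting depth of this field name on the branch being walked; it is decremented on leave, so siblings are never counted together.` Relatedly, the `select` in `final_value` re-applies `recursion_too_deep?` to entries that were only ever stored when that predicate already held, so it is redundant and can be dropped, and interpolating the whole Hash into the `GraphQL::AnalysisError` message renders as `{"field"=>3}` rather than a readable list of field names (`recurring_fields.keys.join(', ')` would read better). The file-level comment could also state the threat this guards against in one line: unbounded recursion through self-referential fields is a resource-exhaustion vector that depth and complexity limits alone do not catch.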
--- a/lib/gitlab/graphql/query_analyzers/recursion_analyzer.rb
+++ b/lib/gitlab/graphql/query_analyzers/recursion_analyzer.rb
@@ -45,13 +45,17 @@ module Gitlab
 def recursion_too_deep?(node_name, times_encountered)
 return if IGNORED_FIELDS.include?(node_name)
- times_encountered > RECURSION_THRESHOLD
+ times_encountered > recursion_threshold
 end
 def skip_node?(irep_node)
 ast_node = irep_node.ast_node
 !ast_node.is_a?(GraphQL::Language::Nodes::Field) || ast_node.selections.empty?
 end
+
+ def recursion_threshold
+ RECURSION_THRESHOLD
+ end
 end
 end
 end
-- cgit v1.2.3
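Review bot: `recursion_threshold` exists only so specs can override the limit (the commit subject says as much), but nothing in the hunk records that, and a later reader may well inline it back into `recursion_too_deep?`. A comment above the method would preserve the intent, e.g. `# Indirection so specs can stub the threshold without reassigning the frozen constant; production always uses RECURSION_THRESHOLD.` Since it sits under `private`, a spec has to stub it rather than call it, which is presumably what is wanted.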