From 757dca2b78c8b218295c855d6b7529bad05ae24b Mon Sep 17 00:00:00 2001
From: Douwe Maan
Date: Fri, 6 Mar 2015 13:26:33 +0100
Subject: Escape wildcards when searching LDAP by username.
---
 lib/gitlab/ldap/authentication.rb | 2 +-
 lib/gitlab/ldap/person.rb | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
(limited to 'lib')
diff --git a/lib/gitlab/ldap/authentication.rb b/lib/gitlab/ldap/authentication.rb
index 8af2c74e959..649cf3194b8 100644
--- a/lib/gitlab/ldap/authentication.rb
+++ b/lib/gitlab/ldap/authentication.rb
@@ -50,7 +50,7 @@ module Gitlab
 end
 def user_filter(login)
- filter = Net::LDAP::Filter.eq(config.uid, login)
+ filter = Net::LDAP::Filter.equals(config.uid, login)
 # Apply LDAP user filter if present
 if config.user_filter.present?
diff --git a/lib/gitlab/ldap/person.rb b/lib/gitlab/ldap/person.rb
index 3e0b3e6cbf8..3c426179375 100644
--- a/lib/gitlab/ldap/person.rb
+++ b/lib/gitlab/ldap/person.rb
@@ -9,10 +9,12 @@ module Gitlab
 attr_accessor :entry, :provider
 def self.find_by_uid(uid, adapter)
+ uid = Net::LDAP::Filter.escape(uid)
 adapter.user(adapter.config.uid, uid)
 end
 def self.find_by_dn(dn, adapter)
+ dn = Net::LDAP::Filter.escape(dn)
 adapter.user('dn', dn)
 end
-- 
cgit v1.2.3
From 9f089ac48c22b2f7cfbc7dd0ca29da924c566363 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Fri, 6 Mar 2015 19:49:38 +0100
Subject: use constant-time string compare for internal api authentication
Ruby str_equal uses memcmp internally to compare String. Memcmp is vunerable to timing attacks because it returns early on mismatch (on most x32 platforms memcmp uses a bytewise comparision). Devise.secure_compare implements a constant time comparision instead.
---
 lib/api/helpers.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'lib')
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 228a719fbdf..ee678d84c84 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
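Review bot: `find_by_dn` now passes the DN through `Net::LDAP::Filter.escape`, which rewrites a backslash as `\5c`, so a DN that legitimately contains RFC 4514 escapes such as `CN=Doe\, Jane,OU=Staff,...` becomes a different value from the one stored as `extern_uid`. Whether that breaks anything depends on how `adapter.user('dn', dn)` uses the value — as an equality filter it would stop matching such users, as a search base it should not be filter-escaped at all — and the adapter is not part of this patch, so please test with a DN containing an escaped comma. The `find_by_uid` escape is the right fix for the wildcard problem; a short comment would record why it is there, e.g. `# escape so a login such as "*" cannot widen the search filter`. Both methods are complete within the hunk; the enclosing class continues outside it.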
@@ -83,7 +83,10 @@ module API
 end
 def authenticate_by_gitlab_shell_token!
- unauthorized! unless secret_token == params['secret_token'].try(:chomp)
+ input = params['secret_token'].try(:chomp)
+ unless Devise.secure_compare(secret_token, input)
+ unauthorized!
+ end
 end
 def authenticated_as_admin!
-- 
cgit v1.2.3
From 4dddaef8661c8bfb5127d5db12b91d18cfcf0b8f Mon Sep 17 00:00:00 2001
From: Douwe Maan
Date: Fri, 6 Mar 2015 23:08:28 +0100
Subject: Automatically link commit ranges to compare page.
---
 lib/gitlab/markdown.rb | 28 +++++++++++++++++++++++++++-
 lib/gitlab/reference_extractor.rb | 16 +++++++++++++---
 2 files changed, 40 insertions(+), 4 deletions(-)
(limited to 'lib')
diff --git a/lib/gitlab/markdown.rb b/lib/gitlab/markdown.rb
index d85c2ee4f2d..2dfa18da482 100644
--- a/lib/gitlab/markdown.rb
+++ b/lib/gitlab/markdown.rb
@@ -14,6 +14,7 @@ module Gitlab
 # * !123 for merge requests
 # * $123 for snippets
 # * 123456 for commits
+ # * 123456...7890123 for commit ranges (comparisons)
 #
 # It also parses Emoji codes to insert images. See
 # http://www.emoji-cheat-sheet.com/ for a list of the supported icons.
@@ -133,13 +134,14 @@ module Gitlab
 |#{PROJ_STR}?\#(?([a-zA-Z\-]+-)?\d+) # Issue ID
 |#{PROJ_STR}?!(?\d+) # MR ID
 |\$(?\d+) # Snippet ID
+ |(#{PROJ_STR}@)?(?[\h]{6,40}\.{2,3}[\h]{6,40}) # Commit range
 |(#{PROJ_STR}@)?(?[\h]{6,40}) # Commit ID
 |(?gfm-extraction-[\h]{6,40}) # Skip gfm extractions. Otherwise will be parsed as commit
 )
 (?\W)? # Suffix
 }x.freeze
- TYPES = [:user, :issue, :label, :merge_request, :snippet, :commit].freeze
+ TYPES = [:user, :issue, :label, :merge_request, :snippet, :commit, :commit_range].freeze
 def parse_references(text, project = @project)
 # parse reference links
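Review bot: `Devise.secure_compare` (in the Devise versions of this era) returns early when the two byte sizes differ, so the new check is constant-time only in the token's content, not its length; for a fixed-length shared secret that leaks nothing useful, but the code should say so rather than let a reader assume full constant-time behaviour, e.g. `# constant-time compare; a length mismatch still short-circuits, which is fine for a fixed-length token`. The same helper returns false for a blank `input`, so a request with no `secret_token` param still ends in `unauthorized!` after `try(:chomp)` yields nil — good, but worth a test. The method is complete within the hunk; `secret_token` itself is defined outside it.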
@@ -290,6 +292,30 @@ module Gitlab
 end
 end
+ def reference_commit_range(identifier, project = @project, prefix_text = nil)
+ from_id, to_id = identifier.split(/\.{2,3}/, 2)
+
+ inclusive = identifier !~ /\.{3}/
+ from_id << "^" if inclusive
+
+ if project.valid_repo? &&
+ from = project.repository.commit(from_id) &&
+ to = project.repository.commit(to_id)
+
+ options = html_options.merge(
+ title: "Commits #{from_id} through #{to_id}",
+ class: "gfm gfm-commit_range #{html_options[:class]}"
+ )
+ prefix_text = "#{prefix_text}@" if prefix_text
+
+ link_to(
+ "#{prefix_text}#{identifier}",
+ namespace_project_compare_url(project.namespace, project, from: from_id, to: to_id),
+ options
+ )
+ end
+ end
+
 def reference_external_issue(identifier, project = @project, prefix_text = nil)
 url = url_for_issue(identifier, project)
diff --git a/lib/gitlab/reference_extractor.rb b/lib/gitlab/reference_extractor.rb
index 7e5c991a222..5b9772de168 100644
--- a/lib/gitlab/reference_extractor.rb
+++ b/lib/gitlab/reference_extractor.rb
@@ -1,13 +1,13 @@
 module Gitlab
 # Extract possible GFM references from an arbitrary String for further processing.
 class ReferenceExtractor
- attr_accessor :users, :labels, :issues, :merge_requests, :snippets, :commits
+ attr_accessor :users, :labels, :issues, :merge_requests, :snippets, :commits, :commit_ranges
 include Markdown
 def initialize
- @users, @labels, @issues, @merge_requests, @snippets, @commits =
- [], [], [], [], [], []
+ @users, @labels, @issues, @merge_requests, @snippets, @commits, @commit_ranges =
+ [], [], [], [], [], [], []
 end
 def analyze(string, project)
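Review bot: The condition in `reference_commit_range` does not do what it reads as: `=` binds looser than `&&`, so `from = project.repository.commit(from_id) && to = project.repository.commit(to_id)` parses as `from = (commit(from_id) && (to = commit(to_id)))`, leaving `from` holding the `to` commit. The `if` still fires only when both lookups succeed, and it is harmless today only because neither local is read afterwards; either parenthesise the assignments, `(from = project.repository.commit(from_id)) &&` / `(to = project.repository.commit(to_id))`, or drop the two locals and keep the bare lookups. Also note that `from_id << "^"` mutates the string that then goes into both the title and the `from:` URL parameter, so an inclusive `..` range links from the parent of `from_id` — intended as far as I can tell, but a one-line comment saying so would save the next reader a trip to the compare controller. The method is complete within the hunk.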
@@ -60,6 +60,16 @@ module Gitlab
 end.reject(&:nil?)
 end
+ def commit_ranges_for(project = nil)
+ commit_ranges.map do |entry|
+ repo = entry[:project].repository if entry[:project]
+ if repo && should_lookup?(project, entry[:project])
+ from_id, to_id = entry[:id].split(/\.{2,3}/, 2)
+ [repo.commit(from_id), repo.commit(to_id)]
+ end
+ end.reject(&:nil?)
+ end
+
 private
 def reference_link(type, identifier, project, _)
-- 
cgit v1.2.3
From b7a31a4b024e2c5f607003f1c42e2cd46adb2ff4 Mon Sep 17 00:00:00 2001
From: Nicole Cordes
Date: Wed, 3 Sep 2014 22:28:04 +0200
Subject: Generate valid json for hooks
It seems that ruby can handle 'nil' value but other json processors (like PHP) throw an error. This is always generated for empty arrays.
---
 lib/gitlab/push_data_builder.rb | 1 +
 1 file changed, 1 insertion(+)
(limited to 'lib')
diff --git a/lib/gitlab/push_data_builder.rb b/lib/gitlab/push_data_builder.rb
index 5cefa67d3ab..ea06e1f7333 100644
--- a/lib/gitlab/push_data_builder.rb
+++ b/lib/gitlab/push_data_builder.rb
@@ -58,6 +58,7 @@ module Gitlab
 data[:commits] << commit.hook_attrs(project)
 end
+ data[:commits] = "" if data[:commits].count == 0
 data
 end
-- 
cgit v1.2.3
From ca9aca927970ec81387d7cd0d7372a11d03074de Mon Sep 17 00:00:00 2001
From: Douwe Maan
Date: Tue, 10 Mar 2015 13:32:28 +0100
Subject: Allow smb:// links in Markdown text.
---
 lib/redcarpet/render/gitlab_html.rb | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'lib')
diff --git a/lib/redcarpet/render/gitlab_html.rb b/lib/redcarpet/render/gitlab_html.rb
index 714261f815c..4b33d691c58 100644
--- a/lib/redcarpet/render/gitlab_html.rb
+++ b/lib/redcarpet/render/gitlab_html.rb
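Review bot: `commit_ranges_for` keeps a pair even when only one of the two lookups resolves — `.reject(&:nil?)` drops entries where the `if` was skipped, but `[commit, nil]` or `[nil, commit]` survives and will blow up the first caller that does `from.id`. The markdown renderer in the same commit only links a range when both commits exist, so mirror that here: `from, to = repo.commit(from_id), repo.commit(to_id)` then `[from, to] if from && to`. The renderer also rewrites `from_id` to `from_id^` for a `..` range while this method looks up `from_id` itself, so the two disagree on what the first commit of an inclusive range is; if that is deliberate, a comment on the `split` line should say so. The method is complete within the hunk.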
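Review bot: Replacing an empty `commits` array with `""` changes the field's JSON type from array to string on the wire, so every hook receiver that iterates `commits` (Ruby `each`, PHP `foreach`, JavaScript `forEach`) now has to type-check a field that was previously always an array — that is a worse contract than the one the commit message describes, and `[]` is valid JSON that `json_decode` handles without error. If a specific receiver genuinely rejects `[]`, name it in a comment next to the line; otherwise the line should be dropped so the payload keeps one type per field. The enclosing `build` method starts and ends outside the hunk.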
@@ -10,6 +10,12 @@ class Redcarpet::Render::GitlabHTML < Redcarpet::Render::HTML
 super options
 end
+ def preprocess(full_document)
+ # Redcarpet doesn't allow SMB links when `safe_links_only` is enabled.
+ # FTP links are allowed, so we trick Redcarpet.
+ full_document.gsub("smb://", "ftp://smb:")
+ end
+
 # If project has issue number 39, apostrophe will be linked in
 # regular text to the issue as Redcarpet will convert apostrophe to
 # #39;
@@ -54,6 +60,8 @@ class Redcarpet::Render::GitlabHTML < Redcarpet::Render::HTML
 end
 def postprocess(full_document)
+ full_document.gsub!("ftp://smb:", "smb://")
+
 full_document.gsub!("’", "'")
 unless @template.instance_variable_get("@project_wiki") || @project.nil?
 full_document = h.create_relative_links(full_document)
-- 
cgit v1.2.3
From 383c56efa1882d9cab956de5b5b72e51691c3f0c Mon Sep 17 00:00:00 2001
From: Douwe Maan
Date: Tue, 10 Mar 2015 11:51:36 +0100
Subject: Use Gitlab::Git helper methods and constants as much as possible.
---
 lib/gitlab/git.rb | 20 ++++++++++++++++++--
 lib/gitlab/git_access.rb | 10 +++++-----
 lib/gitlab/push_data_builder.rb | 7 ++++---
 3 files changed, 27 insertions(+), 10 deletions(-)
(limited to 'lib')
diff --git a/lib/gitlab/git.rb b/lib/gitlab/git.rb
index 4a712c6345f..0c350d7c675 100644
--- a/lib/gitlab/git.rb
+++ b/lib/gitlab/git.rb
@@ -1,9 +1,25 @@
 module Gitlab
 module Git
 BLANK_SHA = '0' * 40
+ TAG_REF_PREFIX = "refs/tags/"
+ BRANCH_REF_PREFIX = "refs/heads/"
- def self.extract_ref_name(ref)
- ref.gsub(/\Arefs\/(tags|heads)\//, '')
+ class << self
+ def ref_name(ref)
+ ref.gsub(/\Arefs\/(tags|heads)\//, '')
+ end
+
+ def tag_ref?(ref)
+ ref.start_with?(TAG_REF_PREFIX)
+ end
+
+ def branch_ref?(ref)
+ ref.start_with?(BRANCH_REF_PREFIX)
+ end
+
+ def blank_ref?(ref)
+ ref == BLANK_SHA
+ end
 end
 end
 end
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
index 9b31190a882..cb69e4b13d3 100644
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
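Review bot: The `preprocess`/`postprocess` pair deliberately defeats Redcarpet's `safe_links_only` for the `smb:` scheme, and the reverse substitution in `postprocess` is not limited to what `preprocess` produced: a user who really types `ftp://smb:secret@host/` (FTP user `smb` with a password) gets it rewritten to `smb://secret@host/`, a different link. Both `gsub`s also run over the whole document, so `smb://` inside inline code and fenced blocks — where the text should appear verbatim — is rewritten as well, and Redcarpet will happily autolink the placeholder there. If widening the allowed schemes to `smb:` is the policy, it should be stated as such in the comment (`# intentionally widens safe_links_only to the smb scheme`) and a placeholder that cannot collide with real user input should replace the literal `ftp://smb:`. Both methods are complete within their hunks; `postprocess`'s body continues outside the second one.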
@@ -115,7 +115,7 @@ module Gitlab
 # we dont allow force push to protected branch
 if forced_push?(project, oldrev, newrev)
 :force_push_code_to_protected_branches
- elsif newrev == Gitlab::Git::BLANK_SHA
+ elsif Gitlab::Git.blank_ref?(newrev)
 # and we dont allow remove of protected branch
 :remove_protected_branches
 elsif project.developers_can_push_to_protected_branch?(branch_name)
@@ -135,8 +135,8 @@ module Gitlab
 def branch_name(ref)
 ref = ref.to_s
- if ref.start_with?('refs/heads')
- ref.sub(%r{\Arefs/heads/}, '')
+ if Gitlab::Git.branch_ref?(ref)
+ Gitlab::Git.ref_name(ref)
 else
 nil
 end
@@ -144,8 +144,8 @@ module Gitlab
 def tag_name(ref)
 ref = ref.to_s
- if ref.start_with?('refs/tags')
- ref.sub(%r{\Arefs/tags/}, '')
+ if Gitlab::Git.tag_ref?(ref)
+ Gitlab::Git.ref_name(ref)
 else
 nil
 end
diff --git a/lib/gitlab/push_data_builder.rb b/lib/gitlab/push_data_builder.rb
index 5cefa67d3ab..9fb0bf65949 100644
--- a/lib/gitlab/push_data_builder.rb
+++ b/lib/gitlab/push_data_builder.rb
@@ -65,12 +65,13 @@ module Gitlab
 # existing project and commits to test web hooks
 def build_sample(project, user)
 commits = project.repository.commits(project.default_branch, nil, 3)
- build(project, user, commits.last.id, commits.first.id, "refs/heads/#{project.default_branch}", commits)
+ ref = "#{Gitlab::Git::BRANCH_REF_PREFIX}#{project.default_branch}"
+ build(project, user, commits.last.id, commits.first.id, ref, commits)
 end
 def checkout_sha(repository, newrev, ref)
- if newrev != Gitlab::Git::BLANK_SHA && ref.start_with?('refs/tags/')
- tag_name = Gitlab::Git.extract_ref_name(ref)
+ if newrev != Gitlab::Git::BLANK_SHA && Gitlab::Git.tag_ref?(ref)
+ tag_name = Gitlab::Git.ref_name(ref)
 tag = repository.find_tag(tag_name)
 if tag
-- 
cgit v1.2.3
From 4218a2bfcf7a3f864268c3eafe8ead28bb7808d8 Mon Sep 17 00:00:00 2001
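Review bot: `checkout_sha` still spells out `newrev != Gitlab::Git::BLANK_SHA` on the changed `if` line while the same commit introduces `Gitlab::Git.blank_ref?` and switches `git_access.rb` to it; given the commit's stated goal, `if !Gitlab::Git.blank_ref?(newrev) && Gitlab::Git.tag_ref?(ref)` would be the consistent form. Nothing else in the hunk changes behaviour — `tag_ref?` is a `start_with?` on the same prefix the old literal used. `checkout_sha`'s body continues outside the hunk.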
From: Stan Hu
Date: Fri, 27 Feb 2015 17:17:57 -0800
Subject: Fix code preview theme setting for comments, issues, merge requests, and snippets. Also preserve code preview color scheme in events dashboard. Assign default colors to all code blocks shown as

Closes #1139
---
 lib/redcarpet/render/gitlab_html.rb | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'lib')

diff --git a/lib/redcarpet/render/gitlab_html.rb b/lib/redcarpet/render/gitlab_html.rb
index 714261f815c..713d7c39a11 100644
--- a/lib/redcarpet/render/gitlab_html.rb
+++ b/lib/redcarpet/render/gitlab_html.rb
@@ -3,8 +3,9 @@ class Redcarpet::Render::GitlabHTML < Redcarpet::Render::HTML
   attr_reader :template
   alias_method :h, :template
 
-  def initialize(template, options = {})
+  def initialize(template, color_scheme, options = {})
     @template = template
+    @color_scheme = color_scheme
     @project = @template.instance_variable_get("@project")
     @options = options.dup
     super options
@@ -34,7 +35,7 @@ class Redcarpet::Render::GitlabHTML < Redcarpet::Render::HTML
     end
 
     formatter = Rugments::Formatters::HTML.new(
-      cssclass: "code highlight white #{lexer.tag}"
+      cssclass: "code highlight #{@color_scheme} #{lexer.tag}"
     )
     formatter.format(lexer.lex(code))
   end
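Review bot: `@color_scheme` is interpolated straight into the `cssclass` string on the changed line, and the Rugments HTML formatter emits that string inside a `class="..."` attribute without, as far as I can see, any HTML escaping; if the value is the raw stored user preference rather than a name taken from a fixed table, a crafted preference such as `x" onmouseover="...` ends up in every rendered code block and is an attribute-injection vector. The caller that supplies `color_scheme` is outside this hunk, so please confirm it is mapped through a whitelist the way `Gitlab::Theme.css_class_by_id` maps theme ids, and record the contract where it is consumed: `# @color_scheme must be a whitelisted CSS class name; it is emitted unescaped`. `block_code`'s signature is outside the hunk.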
-- 
cgit v1.2.3


From ae7e3806324fbe1ab63e68da823472fcbe31d652 Mon Sep 17 00:00:00 2001
From: Dmitriy Zaporozhets 
Date: Tue, 10 Mar 2015 12:03:04 -0700
Subject: Add active users to gitlab:check

---
 lib/tasks/gitlab/check.rake | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'lib')

diff --git a/lib/tasks/gitlab/check.rake b/lib/tasks/gitlab/check.rake
index 43115915de1..976c4b5f22f 100644
--- a/lib/tasks/gitlab/check.rake
+++ b/lib/tasks/gitlab/check.rake
@@ -29,6 +29,7 @@ namespace :gitlab do
       check_redis_version
       check_ruby_version
       check_git_version
+      check_active_users
 
       finished_checking "GitLab"
     end
@@ -781,6 +782,10 @@ namespace :gitlab do
     end
   end
 
+  def check_active_users
+    puts "Active users: #{User.active.count}"
+  end
+
   def omnibus_gitlab?
     Dir.pwd == '/opt/gitlab/embedded/service/gitlab-rails'
   end
-- 
cgit v1.2.3


From 158507d942137e947a0e78a66e85a475667dd765 Mon Sep 17 00:00:00 2001
From: Dmitriy Zaporozhets 
Date: Wed, 11 Mar 2015 21:29:11 -0700
Subject: Add blue theme to GitLab

---
 lib/gitlab/theme.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'lib')

diff --git a/lib/gitlab/theme.rb b/lib/gitlab/theme.rb
index a7c83a880f6..9799e54de5d 100644
--- a/lib/gitlab/theme.rb
+++ b/lib/gitlab/theme.rb
@@ -5,6 +5,7 @@ module Gitlab
     MODERN = 3 unless const_defined?(:MODERN)
     GRAY   = 4 unless const_defined?(:GRAY)
     COLOR  = 5 unless const_defined?(:COLOR)
+    BLUE   = 6 unless const_defined?(:BLUE)
 
     def self.css_class_by_id(id)
       themes = {
@@ -12,7 +13,8 @@ module Gitlab
         MARS   => "ui_mars",
         MODERN => "ui_modern",
         GRAY   => "ui_gray",
-        COLOR  => "ui_color"
+        COLOR  => "ui_color",
+        BLUE   => "ui_blue"
       }
 
       id ||= Gitlab.config.gitlab.default_theme
-- 
cgit v1.2.3


From e7f4f0ae1db4b0d940d0c4f1e4b32bebf9e6c299 Mon Sep 17 00:00:00 2001
From: Dmitriy Zaporozhets 
Date: Thu, 12 Mar 2015 11:53:21 -0700
Subject: Block user if he/she was blocked in Active Directory

---
 lib/gitlab/ldap/access.rb | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

(limited to 'lib')

diff --git a/lib/gitlab/ldap/access.rb b/lib/gitlab/ldap/access.rb
index 0c85acf7e69..6e30724e1f7 100644
--- a/lib/gitlab/ldap/access.rb
+++ b/lib/gitlab/ldap/access.rb
@@ -34,7 +34,14 @@ module Gitlab
       def allowed?
         if Gitlab::LDAP::Person.find_by_dn(user.ldap_identity.extern_uid, adapter)
           return true unless ldap_config.active_directory
-          !Gitlab::LDAP::Person.disabled_via_active_directory?(user.ldap_identity.extern_uid, adapter)
+
+          # Block user in GitLab if he/she was blocked in AD
+          if Gitlab::LDAP::Person.disabled_via_active_directory?(user.ldap_identity.extern_uid, adapter)
+            user.block unless user.blocked?
+            false
+          else
+            true
+          end
         else
           false
         end
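Review bot: `allowed?` now has a side effect — `user.block` on the line inside the new `if` — which a `?`-suffixed predicate is not expected to have; any caller that only wants the answer (a UI check, a dry run, a spec) will now mutate the account, so the decision and the enforcement are better kept apart, e.g. a `block_if_disabled_in_ad!` invoked from the sync path and `allowed?` left pure. The same `extern_uid` DN is handed to `disabled_via_active_directory?` as to `find_by_dn`, and whether the former escapes it for the filter the way the latter now does is not visible here; worth confirming since this is the path that decides a block. A short comment on the `user.block` line stating that the block is driven by the AD `userAccountControl` state (if that is what the helper reads) would help the next reader. `allowed?` is complete within the hunk.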
-- 
cgit v1.2.3


From 2718955441587618933a632008b85762247081a2 Mon Sep 17 00:00:00 2001
From: Douwe Maan 
Date: Fri, 13 Mar 2015 13:47:26 +0100
Subject: Fix import pages not working after first load.

---
 lib/gitlab/bitbucket_import/client.rb | 2 +-
 lib/gitlab/github_import/client.rb    | 2 +-
 lib/gitlab/gitlab_import/client.rb    | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

(limited to 'lib')

diff --git a/lib/gitlab/bitbucket_import/client.rb b/lib/gitlab/bitbucket_import/client.rb
index c907bebaef6..1e4906c9e31 100644
--- a/lib/gitlab/bitbucket_import/client.rb
+++ b/lib/gitlab/bitbucket_import/client.rb
@@ -92,7 +92,7 @@ module Gitlab
       end
 
       def bitbucket_options
-        OmniAuth::Strategies::Bitbucket.default_options[:client_options]
+        OmniAuth::Strategies::Bitbucket.default_options[:client_options].dup
       end
     end
   end
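Review bot: `dup` on the changed line is a shallow copy, so any nested hash inside `client_options` (an `:ssl` or `:headers` sub-hash, if one is present) is still the very object held in OmniAuth's global `default_options`; the fix holds only as long as the caller assigns new top-level keys rather than mutating a nested value, and that caller is not in this hunk. ActiveSupport's `deep_dup` removes that dependency on caller behaviour: `OmniAuth::Strategies::Bitbucket.default_options[:client_options].deep_dup`. The same applies to the GitHub and GitLab clients changed in this commit. The method is complete within the hunk.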
diff --git a/lib/gitlab/github_import/client.rb b/lib/gitlab/github_import/client.rb
index 676d226bddd..7fe076b333b 100644
--- a/lib/gitlab/github_import/client.rb
+++ b/lib/gitlab/github_import/client.rb
@@ -46,7 +46,7 @@ module Gitlab
       end
 
       def github_options
-        OmniAuth::Strategies::GitHub.default_options[:client_options]
+        OmniAuth::Strategies::GitHub.default_options[:client_options].dup
       end
     end
   end
diff --git a/lib/gitlab/gitlab_import/client.rb b/lib/gitlab/gitlab_import/client.rb
index ecf4ff94e39..2236439c6ce 100644
--- a/lib/gitlab/gitlab_import/client.rb
+++ b/lib/gitlab/gitlab_import/client.rb
@@ -71,7 +71,7 @@ module Gitlab
       end
 
       def gitlab_options
-        OmniAuth::Strategies::GitLab.default_options[:client_options]
+        OmniAuth::Strategies::GitLab.default_options[:client_options].dup
       end
     end
   end
-- 
cgit v1.2.3


From 4e49f21b141e8cbbf581c119c7524f6e9553f136 Mon Sep 17 00:00:00 2001
From: Douwe Maan 
Date: Fri, 13 Mar 2015 14:51:48 +0100
Subject: Set push data object kind in PushDataBuilder.

---
 lib/gitlab/push_data_builder.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'lib')

diff --git a/lib/gitlab/push_data_builder.rb b/lib/gitlab/push_data_builder.rb
index 0cc6b0ac694..ea9012b8844 100644
--- a/lib/gitlab/push_data_builder.rb
+++ b/lib/gitlab/push_data_builder.rb
@@ -28,9 +28,10 @@ module Gitlab
         # Get latest 20 commits ASC
         commits_limited = commits.last(20)
 
+        type = Gitlab::Git.tag_ref?(ref) ? "tag_push" : "push"
         # Hash to be passed as post_receive_data
         data = {
-          object_kind: "push",
+          object_kind: type,
           before: oldrev,
           after: newrev,
           ref: ref,
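Review bot: Emitting `object_kind: "tag_push"` is a wire-format change for every web hook and service receiver that switches on `object_kind == "push"`; tag pushes those receivers used to see now arrive under a value they do not recognise, so this needs a changelog/documentation note and, ideally, a check of the built-in services that filter on `object_kind`. Since `ref` is passed through unchanged (visible on the line below), receivers can still tell branches and tags apart from the `refs/tags/` prefix, which is worth saying in a comment on the new line: `# tag pushes carry their own object_kind so services can filter them; ref still holds the full refs/tags/ name`. `build` starts and ends outside the hunk.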
-- 
cgit v1.2.3


From 8fed435208fed3115c740eb630c263a97b5a631d Mon Sep 17 00:00:00 2001
From: Douwe Maan 
Date: Fri, 13 Mar 2015 16:40:15 +0100
Subject: Unblock user if they were unblocked in AD.

---
 lib/gitlab/ldap/access.rb | 1 +
 1 file changed, 1 insertion(+)

(limited to 'lib')

diff --git a/lib/gitlab/ldap/access.rb b/lib/gitlab/ldap/access.rb
index 6e30724e1f7..960fb3849b4 100644
--- a/lib/gitlab/ldap/access.rb
+++ b/lib/gitlab/ldap/access.rb
@@ -40,6 +40,7 @@ module Gitlab
             user.block unless user.blocked?
             false
           else
+            user.activate if user.blocked?
             true
           end
         else
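Review bot: `user.activate if user.blocked?` reactivates every blocked user whose AD account is enabled, including users an administrator blocked deliberately in GitLab — nothing on this line can tell the two apart, because `blocked?` carries no reason, so an admin block is silently undone on the user's next LDAP check. Unless the `user.block` call a few lines up (outside this hunk) records that the block was AD-originated, the safer default is to reactivate only users carrying such a marker and leave the rest to an administrator. At minimum the behaviour should be spelled out next to the line: `# NOTE: reactivates any blocked user, admin-blocked ones included, once AD reports the account enabled`. `allowed?` starts before the hunk.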
-- 
cgit v1.2.3