author | Naman Jagdish Gala <ngala@gitlab.com> | 2022-12-28 21:20:26 +0300 |
---|---|---|
committer | Naman Jagdish Gala <ngala@gitlab.com> | 2022-12-28 21:20:26 +0300 |
commit | 31f65f5f6dec198d2aeb083d1013cff266437122 (patch) | |
tree | 2966919b9457491c4b262013430e9efc5152bcba | |
parent | 973d93daeaa0e31f0cec2e09db8838cf38c67dc5 (diff) | |
parent | 97b2c4be41e426af4e43d10df23147347252e075 (diff) |
Merge branch 'master' into 'security-arbitrary-protocol-redirection'
# Conflicts:
# internal/auth/auth_test.go
-rw-r--r-- | .gitlab/issue_templates/release.md | 45 | ||||
-rw-r--r-- | .gitlab/merge_request_templates/Security Release.md | 5 | ||||
-rw-r--r-- | .ruby-version | 1 | ||||
-rw-r--r-- | .tool-versions | 3 | ||||
-rw-r--r-- | CHANGELOG.md | 34 | ||||
-rw-r--r-- | PROCESS.md | 55 | ||||
-rw-r--r-- | VERSION | 2 | ||||
-rw-r--r-- | doc/dependency_decisions.yml | 126 | ||||
-rw-r--r-- | docs/README.md | 3 | ||||
-rw-r--r-- | internal/auth/auth.go | 13 | ||||
-rw-r--r-- | internal/auth/auth_test.go | 21 |
11 files changed, 101 insertions, 207 deletions
diff --git a/.gitlab/issue_templates/release.md b/.gitlab/issue_templates/release.md deleted file mode 100644 index 7b985184..00000000 --- a/.gitlab/issue_templates/release.md +++ /dev/null 
@@ -1,45 +0,0 @@ -- [ ] Set the milestone on this issue -- Decide on the version number by reference to - the [Versioning](https://gitlab.com/gitlab-org/gitlab-pages/blob/master/PROCESS.md#versioning) - * Typically if you want to release code from current `master` branch you will update `MINOR` version, e.g. `1.12.0` -> `1.13.0`. In that case you **don't** need to create stable branch - * If you want to backport some bug fix or security fix you will need to create a stable branch `X-Y-stable` on the [security project](https://gitlab.com/gitlab-org/security/gitlab-pages). You will need maintainer access to create the stable branch. -- [ ] Create an MR for [gitlab-pages project](https://gitlab.com/gitlab-org/gitlab-pages). - You can use [this MR](https://gitlab.com/gitlab-org/gitlab-pages/-/merge_requests/711) as an example. - - [ ] Update `VERSION`, and push your branch - - [ ] Update `CHANGELOG` by running `GITLAB_PRIVATE_TOKEN= make changelog`, note that you need to create a personal access token - - [ ] Assign to reviewer -- [ ] Once `gitlab-pages` is merged create a signed+annotated tag pointing to the **merge commit** on the **stable branch** - In case of `master` branch: - ```shell - git fetch origin master - git fetch dev master - git tag -a -s -m "Release v1.0.0" v1.0.0 origin/master - ``` - In case of `stable` branch: - ```shell - git fetch origin 1-0-stable - git fetch dev 1-0-stable - git tag -a -s -m "Release v1.0.0" v1.0.0 origin/1-0-stable - ``` -- [ ] Verify that you created tag properly: - ```shell - git show v1.0.0 - ``` - it should include something like: - * ```(tag: v1.0.0, origin/master, dev/master, master)``` for `master` - * ```(tag: v1.0.1, origin/1-0-stable, dev/1-0-stable, 1-0-stable)``` for `stable` branch -- [ ] Push this tag to origin(**Skip this for security release!**) - ```shell - git push origin v1.0.0 - ``` -- [ ] Wait for tag to be mirrored to `dev` or push it: - ```shell - git push dev v1.0.0 - ``` -- [ ] Create an MR for [gitlab 
project](https://gitlab.com/gitlab-org/gitlab). - You can use [this MR](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/82901) as an example. - - [ ] Update `GITLAB_PAGES_VERSION` - - [ ] Added `Changelog: added` footer to your commit - - [ ] Assign to a reviewer - -/label ~backend ~"Category:Pages" ~"section::dev" ~"devops::create" ~"group::editor" ~"type::maintenance" diff --git a/.gitlab/merge_request_templates/Security Release.md b/.gitlab/merge_request_templates/Security Release.md index 2f7b41d7..7f115f16 100644 --- a/.gitlab/merge_request_templates/Security Release.md +++ b/.gitlab/merge_request_templates/Security Release.md @@ -26,9 +26,8 @@ When submitting a merge request for gitlab-pages, CE and EE merge requests for u ## Reviewer checklist -- [ ] Correct milestone is applied and the title is matching across all backports -- [ ] Merge this merge request -- [ ] Create corresponding tag and push it to https://gitlab.com/gitlab-org/security/gitlab-pages +- [ ] Correct milestone is applied and the title is matching across all backports. +- [ ] Approve the MR. Do not merge it, release managers will assist with merging at the time of release. [CHANGELOG entry]: https://docs.gitlab.com/ee/development/changelog.html#overview diff --git a/.ruby-version b/.ruby-version new file mode 100644 index 00000000..eca690e7 --- /dev/null +++ b/.ruby-version @@ -0,0 +1 @@ +3.0.5 diff --git a/.tool-versions b/.tool-versions index ce61bc0e..7c1b88d1 100644 --- a/.tool-versions +++ b/.tool-versions @@ -1,2 +1,3 @@ golang 1.18.7 -ruby 3.0.4 +golangci-lint 1.46.2 +ruby 3.0.5 diff --git a/CHANGELOG.md b/CHANGELOG.md index 6ded69c4..10508e71 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,37 @@ +## 15.7.0 (2022-12-21) + +No changes. Same content of 1.64.0. + +## 15.6.3 (2022-12-21) + +No changes. + +## 15.6.2 (2022-12-15) + +No changes. Same content of 1.63.0. + +## 15.5.6 (2022-12-15) + +No changes. Same content of 1.62.0. + +## 15.4.6 (2022-12-15) + +No changes. Same content of 1.62.0. + +## 1.64.0 (2022-12-01) + +No changes. + +## 1.63.0 (2022-11-10) + +### Security (1 change) + +- [Fix CVE-2022-32149 in golang.org/x/text](gitlab-org/gitlab-pages@7e01bfda3f59a5bcb78af4f4d3001dfa7fe1078a) ([merge request](gitlab-org/gitlab-pages!832)) + +### Other (1 change) + +- [Add note about docs](gitlab-org/gitlab-pages@b6b2bf5a25558a1c9173b2ca55063528bc6c6c7f) ([merge request](gitlab-org/gitlab-pages!835)) + ## 1.62.0 (2022-07-28) ### Fixed (2 changes) 
@@ -16,41 +16,42 @@ rewritten. Tags should never be deleted. ## Releasing -Pages is tightly coupled to GitLab itself. To align with GitLab's -[development month](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/PROCESS.md), -new versions of GitLab Pages are released before the 7th of each month (assuming -any changes have been made). -To do so create [release issue](https://gitlab.com/gitlab-org/gitlab-pages/issues/new?issuable_template=release) and follow the instructions. +[GitLab Pages] releases are tagged automatically by [Release Tools] when a Release Manager +tags a GitLab version. + +The version of GitLab Pages used will depend on the `GITLAB_PAGES_VERSION` file in +the [`gitlab-org/gitlab`](https://gitlab.com/gitlab-org/gitlab) repository. This file +is managed manually, so when changes to GitLab Pages are ready to be released with GitLab, the +target commit SHA from the GitLab Pages default branch should be committed to the +`GITLAB_PAGES_VERSION` file on the `gitlab-org/gitlab` default branch. When GitLab.com +is deployed, the new version of GitLab Pages will be used. When GitLab is tagged for a monthly release, +the version of GitLab Pages from the selected deployment of GitLab will be used for tagging +GitLab Pages. ## Stable releases -Typically, release tags point to a specific commit on the **master** branch. As -the Pages repository experiences a low rate of change, this allows most releases -to happen in conformance with semver, without the overhead of multiple -[stable branches](https://docs.gitlab.com/ee/workflow/gitlab_flow.html). +Each month, when GitLab is released, a new stable branch will be created in alignment +with the version of GitLab being released. For example, release of version 15.2.0 +will result in a branch named `15-2-stable` being created on [GitLab Pages]. -A bug fix may required in a particular version after the **master** branch has -moved on. 
This may happen between the 7th and 22nd of a release month, relating -to the **previous** release, or at any time for a security fix. +To backport a change: -GitLab may backport security fixes for up to three releases, which may -correspond to three separate minor versions of GitLab Pages - and so three new -versions to release. See [Security releases](#Security releases) for the details. - -In either case, the fix should first be developed against the master branch. -Once ready, the fix should be merged to master, where it will be -included in the next major or minor release as usual. - -The fix may be cherry-picked into each relevant stable branch, and a new patch -release made in the same way as defined above. - -When updating `GITLAB_PAGES_VERSION` in the [GitLab](https://gitlab.com/gitlab-org/gitlab) -repository, you should target the relevant `X-Y-stable` branches there. In -general, these branches should only ever have the patch version of GitLab pages -incremented. +1. Develop an MR to fix the bug against the master branch. +1. Once ready, the MR should be merged to master, where it will be included in the next major or minor release as usual. +1. Create a merge request for `gitlab-org/gitlab` that updates `GITLAB_PAGES_VERSION` with the +merge commit SHA from the GitLab Pages default branch to deploy the changes. +1. To create a backport MR for a given stable version: + 1. Create a new branch off of the stable branch for the targeted version. + 1. Cherry-pick the commit onto the new branch. + 1. Open an MR targeting the relevant stable branch. + 1. Have the MR reviewed and merged. Note: security backports should not be merged, see [security releases](#Security releases) for more details. +1. When release managers tag a patch or security release, the stable branch will be tagged automatically. ## Security releases +This process is currently [under discussion](https://gitlab.com/gitlab-com/gl-infra/delivery/-/issues/2746). 
Please consult with release managers +about any process changes in the interim. + Pages security releases are built on top of the [GitLab Security Release process]. Engineers follow the same steps stated on the [Security Developer] guidelines with some adjustments: @@ -1 +1 @@ -1.62.0 +1.64.0 diff --git a/doc/dependency_decisions.yml b/doc/dependency_decisions.yml deleted file mode 100644 index 69231c06..00000000 --- a/doc/dependency_decisions.yml +++ /dev/null 
@@ -1,126 +0,0 @@ ---- -- - :license - - github.com/beorn7/perks/quantile - - MIT - - :who: - :why: - :versions: [] - :when: 2019-04-03 13:58:37.693164000 Z -- - :license - - github.com/matttproud/golang_protobuf_extensions/pbutil - - Apache 2.0 - - :who: - :why: - :versions: [] - :when: 2019-04-03 15:08:10.359320000 Z -- - :license - - github.com/karrick/godirwalk - - BSD-2-Clause - - :who: - :why: - :versions: [] - :when: 2019-04-03 15:09:35.519709000 Z -- - :license - - github.com/pkg/errors - - BSD-2-Clause - - :who: - :why: - :versions: [] - :when: 2019-04-03 15:10:49.901903000 Z -- - :license - - github.com/prometheus/client_golang/prometheus - - Apache-2.0 - - :who: - :why: - :versions: [] - :when: 2019-04-03 15:11:57.417366000 Z -- - :license - - github.com/prometheus/client_model/go - - Apache-2.0 - - :who: - :why: - :versions: [] - :when: 2019-04-03 15:14:16.841551000 Z -- - :license - - gitlab.com/gitlab-org/gitaly/auth - - MIT - - :who: - :why: - :versions: [] - :when: 2019-04-03 15:15:26.240245000 Z -- - :license - - gitlab.com/gitlab-org/gitlab-pages-proto/go - - MIT - - :who: - :why: - :versions: [] - :when: 2019-04-03 15:16:18.620931000 Z -- - :license - - google.golang.org/genproto/googleapis/rpc/status - - Apache-2.0 - - :who: - :why: - :versions: [] - :when: 2019-04-03 15:19:19.394529000 Z -- - :license - - golang.org/x/crypto/ssh/terminal - - BSD-3-clause - - :who: - :why: - :versions: [] - :when: 2019-04-05 10:26:09.636346000 Z -- - :ignore - - github.com/certifi/gocertifi - - :who: - :why: - :versions: [] - :when: 2019-07-10 17:01:35.894437233 Z -- - :license - - github.com/go-logfmt/logfmt - - MIT - - :who: - :why: - :versions: [] - :when: 2019-09-10 14:57:15.905705202 Z -- - :license - - github.com/pmezard/go-difflib - - BSD-3-Clause - - :who: - :why: - :versions: [] - :when: 2019-09-10 14:59:14.300178506 Z -- - :license - - github.com/gogo/protobuf - - BSD-3-clause - - :who: Ben Kochie - :why: 
https://github.com/gogo/protobuf/blob/master/LICENSE - :versions: [] - :when: 2019-09-11 12:57:17.184823077 Z -- - :license - - github.com/modern-go/concurrent - - Apache-2.0 - - :who: Ben Kochie - :why: https://github.com/modern-go/concurrent/blob/master/LICENSE - :versions: [] - :when: 2019-09-11 12:58:04.927007992 Z -- - :license - - github.com/modern-go/reflect2 - - Apache-2.0 - - :who: Ben Kochie - :why: https://github.com/modern-go/reflect2/blob/master/LICENSE - :versions: [] - :when: 2019-09-11 12:58:33.840590099 Z -- - :license - - gopkg.in/check.v1 - - BSD-2-Clause - - :who: Krasimir Angelov - :why: https://github.com/go-check/check/blob/e54ca221ea41951970e0249fb5163642c915dbb2/LICENSE - :versions: [] - :when: 2019-10-08 02:12:00.000000000 Z -- - :license - - github.com/kr/pretty - - MIT - - :who: Krasimir Angelov - :why: https://github.com/kr/pretty/blob/088c856450c08c03eb32f7a6c221e6eefaa10e6f/License - :versions: [] - :when: 2019-10-08 02:12:00.000000000 Z diff --git a/docs/README.md b/docs/README.md new file mode 100644 index 00000000..805fcc8b --- /dev/null +++ b/docs/README.md @@ -0,0 +1,3 @@ +# GitLab Pages Documentation + +The GitLab Pages documentation has moved to the [GitLab development documentation](https://docs.gitlab.com/ee/development/pages/). diff --git a/internal/auth/auth.go b/internal/auth/auth.go index 4f085e38..8df98178 100644 --- a/internal/auth/auth.go +++ b/internal/auth/auth.go 
@@ -416,9 +416,14 @@ func (a *Auth) checkTokenExists(session *hostSession, w http.ResponseWriter, r *
 	if session.Values["access_token"] == nil {
 		logRequest(r).Debug("No access token exists, redirecting user to OAuth2 login")
 
-		// Generate state hash and store requested address
-		state := base64.URLEncoding.EncodeToString(securecookie.GenerateRandomKey(16))
-		session.Values["state"] = state
+		// When the user tries to authenticate and reload the page concurrently,
+		// gitlab pages might receive a authentication request with the state already set.
+		// In these cases, we should re-use the state instead of creating a new one.
+		if session.Values["state"] == nil {
+			//Generate state hash and store requested address
+			session.Values["state"] = base64.URLEncoding.EncodeToString(securecookie.GenerateRandomKey(16))
+		}
+
 		session.Values["uri"] = getRequestAddress(r)
 
 		// Clear possible proxying
@@ -435,7 +440,7 @@ func (a *Auth) checkTokenExists(session *hostSession, w http.ResponseWriter, r *
 
 		// Because the pages domain might be in public suffix list, we have to
 		// redirect to pages domain to trigger authorization flow
-		http.Redirect(w, r, a.getProxyAddress(r, state), http.StatusFound)
+		http.Redirect(w, r, a.getProxyAddress(r, session.Values["state"].(string)), http.StatusFound)
 
 		return true
 	}
diff --git a/internal/auth/auth_test.go b/internal/auth/auth_test.go
index c2b25635..9226f847 100644
--- a/internal/auth/auth_test.go
+++ b/internal/auth/auth_test.go
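Review bot: The redirect in the second hunk now relies on an unchecked type assertion, `session.Values["state"].(string)`, which panics the request if a stale or tampered session carries a non-string "state" value; the first hunk only tests `== nil`, so such a value passes the reuse check and reaches the assertion. Since this value is the OAuth2 CSRF token, it is also worth not reusing an empty string: `securecookie.GenerateRandomKey` returns nil when the random source fails, which encodes to "" and would then be kept forever by the reuse branch (hedged — the nil-return behaviour is from the library, not this hunk). Using the two-value assertion in the first hunk and keeping the local `state` variable fixes both and lets the redirect line stay as it was; the `//Generate` comment should also get a space after the slashes to match the surrounding style. checkTokenExists starts before the first hunk and ends after the second.
```go
		// … unchanged: access_token check and debug log …
		// Reuse a state already stored in the session so concurrent login
		// attempts do not invalidate each other; the two-value assertion
		// avoids a panic on a non-string value, and an empty state is never reused.
		state, ok := session.Values["state"].(string)
		if !ok || state == "" {
			// Generate state hash and store requested address
			state = base64.URLEncoding.EncodeToString(securecookie.GenerateRandomKey(16))
			session.Values["state"] = state
		}

		session.Values["uri"] = getRequestAddress(r)
		// … unchanged: clear possible proxying through the redirect comment …
		http.Redirect(w, r, a.getProxyAddress(r, state), http.StatusFound)
```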
@@ -173,6 +173,27 @@ func TestTryAuthenticateWithDomainAndState(t *testing.T) {
 	require.Equal(t, "/public-gitlab.example.com/oauth/authorize?client_id=id&redirect_uri=http://pages.gitlab-example.com/auth&response_type=code&state=state&scope=scope", redirect.String())
 }
 
+func TestCheckAuthenticationWhenStateIsAlreadySet(t *testing.T) {
+	auth := createTestAuth(t, "", "")
+
+	result := httptest.NewRecorder()
+
+	r, err := http.NewRequest("Get", "https://example.com/", nil)
+	require.NoError(t, err)
+
+	// pre-set an state
+	setSessionValues(t, r, auth, map[interface{}]interface{}{
+		"state": "given_state",
+	})
+
+	contentServed := auth.CheckAuthentication(result, r, &domainMock{projectID: 1000})
+	require.True(t, contentServed)
+
+	// check if the state was re-used instead of re-created
+	session, _ := auth.getSessionFromStore(r)
+	require.Equal(t, "given_state", session.Values["state"], "did not reuse the pre-set state")
+}
+
 func TestTryAuthenticateWithNonHttpDomainAndState(t *testing.T) {
 	auth := createTestAuth(t, "", "")
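Review bot: The new test discards the error from `auth.getSessionFromStore(r)` with `_`, so a failed session load would surface as a nil dereference on the next line rather than a clear assertion; prefer `session, err := auth.getSessionFromStore(r)` followed by `require.NoError(t, err)`. The test also only covers the reuse branch: nothing asserts that a session with no "state" still receives a freshly generated, non-empty one, nor that the redirect recorded in `result` carries the reused state in its query string, which is the behaviour the second hunk of auth.go changes. The request method `"Get"` is non-canonical; `http.MethodGet` matches the rest of the file's style, though it does not affect this test's outcome. The comment `// pre-set an state` should read `// pre-set a state`.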