Add latest changes from gitlab-org/security/gitlab@13-7-stable-ee

app/controllers/projects/raw_controller.rb

@@ -21,7 +21,7 @@ class Projects::RawController < Projects::ApplicationController
   def show
     @blob = @repository.blob_at(@ref, @path)
 
-    send_blob(@repository, @blob, inline: (params[:inline] != 'false'), allow_caching: @project.public?)
+    send_blob(@repository, @blob, inline: (params[:inline] != 'false'), allow_caching: Guest.can?(:download_code, @project))
   end
 
   private

app/controllers/projects/repositories_controller.rb

@@ -53,7 +53,7 @@ class Projects::RepositoriesController < Projects::ApplicationController
   end
 
   def set_cache_headers
-    expires_in cache_max_age(archive_metadata['CommitId']), public: project.public?
+    expires_in cache_max_age(archive_metadata['CommitId']), public: Guest.can?(:download_code, project)
     fresh_when(etag: archive_metadata['ArchivePath'])
   end
 

changelogs/unreleased/security-id-forbid-public-cache-for-private-repos.yml

+---
+title: Forbid public cache for private repos
+merge_request:
+author:
+type: security

changelogs/unreleased/security-nuget-regex-update-redos.yml

+---
+title: Update NuGet regular expression to protect against ReDoS
+merge_request:
+author:
+type: security

lib/api/concerns/packages/nuget_endpoints.rb

@@ -15,7 +15,7 @@ module API
         extend ActiveSupport::Concern
 
         POSITIVE_INTEGER_REGEX = %r{\A[1-9]\d*\z}.freeze
-        NON_NEGATIVE_INTEGER_REGEX = %r{\A0|[1-9]\d*\z}.freeze
+        NON_NEGATIVE_INTEGER_REGEX = %r{\A(0|[1-9]\d*)\z}.freeze
 
         included do
           helpers do

spec/controllers/projects/raw_controller_spec.rb

@@ -250,6 +250,18 @@ RSpec.describe Projects::RawController do
         expect(response.cache_control[:no_store]).to be_nil
       end
 
+      context 'when a public project has private repo' do
+        let(:project) { create(:project, :public, :repository, :repository_private) }
+        let(:user) { create(:user, maintainer_projects: [project]) }
+
+        it 'does not set public caching header' do
+          sign_in user
+          request_file
+
+          expect(response.header['Cache-Control']).to include('max-age=60, private')
+        end
+      end
+
       context 'when If-None-Match header is set' do
         it 'returns a 304 status' do
           request_file

spec/controllers/projects/repositories_controller_spec.rb

@@ -137,6 +137,18 @@ RSpec.describe Projects::RepositoriesController do
             expect(response.header['ETag']).to be_present
             expect(response.header['Cache-Control']).to include('max-age=60, public')
           end
+
+          context 'and repo is private' do
+            let(:project) { create(:project, :repository, :public, :repository_private) }
+
+            it 'sets appropriate caching headers' do
+              get_archive
+
+              expect(response).to have_gitlab_http_status(:ok)
+              expect(response.header['ETag']).to be_present
+              expect(response.header['Cache-Control']).to include('max-age=60, private')
+            end
+          end
         end
 
         context 'when ref is a commit SHA' do