Merge remote-tracking branch 'dev/master'

230e1c02 · John T Skarbek · a4f730c5 · 4bcea37c · 230e1c02 · 230e1c02
Commit 230e1c02 authored Dec 10, 2019 by John T Skarbek
8 changed files
--- a/CHANGELOG-EE.md
+++ b/CHANGELOG-EE.md
 Please view this file on the master branch, on stable branches it's out of date.

+## 12.5.4
+
+### Security (1 change)
+
+- Fix stale Elasticsearch permissions when moving group from public group to private parent group.
+
+
 ## 12.5.3

 ### Performance (1 change)
@@ -251,6 +258,13 @@ Please view this file on the master branch, on stable branches it's out of date.
 - Docs for protected branch code owner approval API. !17132


+## 12.3.9
+
+### Security (1 change)
+
+- Fix stale Elasticsearch permissions when moving group from public group to private parent group.
+
+
 ## 12.3.7

 ### Security (6 changes)

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,13 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.

+## 12.5.4
+
+### Security (1 change)
+
+- Update maven_file_name_regex for full string match.
+
+
 ## 12.5.3

 ### Fixed (4 changes)
@@ -756,6 +763,13 @@ entry.
 - Remove Postgresql specific setup tasks and move to schema.rb.


+## 12.3.9
+
+### Security (1 change)
+
+- Update maven_file_name_regex for full string match.
+
+
 ## 12.3.7

 ### Security (12 changes)

--- a/app/services/groups/transfer_service.rb
+++ b/app/services/groups/transfer_service.rb
@@ -39,9 +39,15 @@ module Groups
        ensure_ownership
      end

+      post_update_hooks(@updated_project_ids)
+
      true
    end

+    # Overridden in EE
+    def post_update_hooks(updated_project_ids)
+    end
+
    def ensure_allowed_transfer
      raise_transfer_error(:group_is_already_root) if group_is_already_root?
      raise_transfer_error(:same_parent_as_current) if same_parent?
@@ -96,9 +102,16 @@ module Groups
        .where(id: descendants.select(:id))
        .update_all(visibility_level: @new_parent_group.visibility_level)

-      @group
+      projects_to_update = @group
        .all_projects
        .where("visibility_level > ?", @new_parent_group.visibility_level)
+
+      # Used in post_update_hooks in EE. Must use pluck (and not select)
+      # here as after we perform the update below we won't be able to find
+      # these records again.
+      @updated_project_ids = projects_to_update.pluck(:id)
+
+      projects_to_update
        .update_all(visibility_level: @new_parent_group.visibility_level)
    end
    # rubocop: enable CodeReuse/ActiveRecord

--- a/changelogs/unreleased/security-400-path-traversal-rce2.yml
+++ b/changelogs/unreleased/security-400-path-traversal-rce2.yml
+---
+title: Update maven_file_name_regex for full string match
+merge_request:
+author:
+type: security
--- a/ee/app/services/ee/groups/transfer_service.rb
+++ b/ee/app/services/ee/groups/transfer_service.rb
@@ -22,6 +22,24 @@ module EE
        end
      end

+      override :post_update_hooks
+      # rubocop: disable CodeReuse/ActiveRecord
+      def post_update_hooks(updated_project_ids)
+        ::Project.where(id: updated_project_ids).find_each do |project|
+          # TODO: Refactor out this duplication per https://gitlab.com/gitlab-org/gitlab/issues/38232
+          if ::Gitlab::CurrentSettings.elasticsearch_indexing? && project.searchable?
+            ElasticIndexerWorker.perform_async(
+              :update,
+              project.class.to_s,
+              project.id,
+              project.es_id,
+              changed_fields: ['visibility_level']
+            )
+          end
+        end
+      end
+      # rubocop: enable CodeReuse/ActiveRecord
+
      def raise_ee_transfer_error(message)
        raise ::Groups::TransferService::TransferError, EE_ERROR_MESSAGES[message]
      end

--- a/ee/lib/ee/gitlab/regex.rb
+++ b/ee/lib/ee/gitlab/regex.rb
@@ -28,7 +28,7 @@ module EE
        end

        def maven_file_name_regex
-          @maven_file_name_regex ||= %r{^[A-Za-z0-9\.\_\-\+]+$}.freeze
+          @maven_file_name_regex ||= %r{\A[A-Za-z0-9\.\_\-\+]+\z}.freeze
        end

        def maven_path_regex

--- a/ee/spec/lib/gitlab/regex_spec.rb
+++ b/ee/spec/lib/gitlab/regex_spec.rb
@@ -67,6 +67,7 @@ describe Gitlab::Regex do
    it { is_expected.not_to match('@@foo/bar') }
    it { is_expected.not_to match('my package name') }
    it { is_expected.not_to match('!!()()') }
+    it { is_expected.not_to match("..\n..\foo") }
  end

  describe '.maven_file_name_regex' do

--- a/ee/spec/services/groups/transfer_service_spec.rb
+++ b/ee/spec/services/groups/transfer_service_spec.rb
@@ -52,4 +52,30 @@ describe Groups::TransferService, '#execute' do
      end
    end
  end
+
+  context 'when visibility changes' do
+    let(:new_group) { create(:group, :private) }
+
+    before do
+      stub_ee_application_setting(elasticsearch_indexing: true)
+    end
+
+    it 'reindexes projects' do
+      project1 = create(:project, :repository, :public, namespace: group)
+      project2 = create(:project, :repository, :public, namespace: group)
+      project3 = create(:project, :repository, :private, namespace: group)
+
+      expect(ElasticIndexerWorker).to receive(:perform_async)
+        .with(:update, "Project", project1.id, project1.es_id, changed_fields: array_including('visibility_level'))
+      expect(ElasticIndexerWorker).to receive(:perform_async)
+        .with(:update, "Project", project2.id, project2.es_id, changed_fields: array_including('visibility_level'))
+      expect(ElasticIndexerWorker).not_to receive(:perform_async)
+        .with(:update, "Project", project3.id, project3.es_id, changed_fields: array_including('visibility_level'))
+
+      transfer_service.execute(new_group)
+
+      expect(transfer_service.error).not_to be
+      expect(group.parent).to eq(new_group)
+    end
+  end
 end