Add latest changes from gitlab-org/security/gitlab@12-10-stable-ee

4cc9d3e2 · GitLab Bot · e81a7b71 · 4cc9d3e2 · 4cc9d3e2 · 4cc9d3e2
Commit 4cc9d3e2 authored May 26, 2020 by GitLab Bot
4 changed files
--- a/app/services/prometheus/proxy_variable_substitution_service.rb
+++ b/app/services/prometheus/proxy_variable_substitution_service.rb
@@ -4,6 +4,16 @@ module Prometheus
  class ProxyVariableSubstitutionService < BaseService
    include Stepable
+    VARIABLE_INTERPOLATION_REGEX = /
+      %{                  # Variable needs to be wrapped in these chars.
+        \s*               # Allow whitespace before and after the variable name.
+          (?<variable>    # Named capture.
+            \w+           # Match one or more word characters.
+          )
+        \s*
+      }
+    /x.freeze
    steps :validate_variables,
      :add_params_to_result,
      :substitute_params,
@@ -46,37 +56,39 @@ module Prometheus
      success(result)
    end
-    def substitute_liquid_variables(result)
+    def substitute_ruby_variables(result)
      return success(result) unless query(result)
-      result[:params][:query] =
+      result[:params][:query] = gsub(query(result), full_context)
-        TemplateEngines::LiquidService.new(query(result)).render(full_context)
      success(result)
-    rescue TemplateEngines::LiquidService::RenderError => e
-      error(e.message)
    end
-    def substitute_ruby_variables(result)
+    def substitute_liquid_variables(result)
      return success(result) unless query(result)
-      # The % operator doesn't replace variables if the hash contains string
+      result[:params][:query] =
-      # keys.
+        TemplateEngines::LiquidService.new(query(result)).render(full_context)
-      result[:params][:query] = query(result) % predefined_context.symbolize_keys
      success(result)
-    rescue TypeError, ArgumentError => exception
+    rescue TemplateEngines::LiquidService::RenderError => e
-      log_error(exception.message)
+      error(e.message)
-      Gitlab::ErrorTracking.track_exception(exception, {
+    end
-        template_string: query(result),
-        variables: predefined_context
-      })
-      error(_('Malformed string'))
+    def gsub(string, context)
+      # Search for variables of the form `%{variable}` in the string and replace
+      # them with their value.
+      string.gsub(VARIABLE_INTERPOLATION_REGEX) do |match|
+        # Replace with the value of the variable, or if there is no such variable,
+        # replace the invalid variable with itself. So,
+        # `up{instance="%{invalid_variable}"}` will remain
+        # `up{instance="%{invalid_variable}"}` after substitution.
+        context.fetch($~[:variable], match)
+      end
    end
    def predefined_context
-      @predefined_context ||= Gitlab::Prometheus::QueryVariables.call(@environment)
+      Gitlab::Prometheus::QueryVariables.call(@environment).stringify_keys
    end
    def full_context

--- a/changelogs/unreleased/security-use-gsub-variable-substitution.yml
+++ b/changelogs/unreleased/security-use-gsub-variable-substitution.yml
+---
+title: Use `gsub` instead of the Ruby `%` operator to perform variable substitution in Prometheus proxy API
+merge_request:
+author:
+type: security
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -12434,9 +12434,6 @@ msgstr ""
 msgid "Makes this issue confidential."
 msgstr ""
-msgid "Malformed string"
-msgstr ""
 msgid "Manage"
 msgstr ""

--- a/spec/services/prometheus/proxy_variable_substitution_service_spec.rb
+++ b/spec/services/prometheus/proxy_variable_substitution_service_spec.rb