Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
592ff4e9
Commit
592ff4e9
authored
Oct 05, 2018
by
Bob Van Landuyt
Browse files
Options
Browse Files
Download
Plain Diff
Merge branch 'master' of dev.gitlab.org:gitlab/gitlab-ee
parents
88145e75
531b60ff
Changes
9
Show whitespace changes
Inline
Side-by-side
Showing
9 changed files
with
123 additions
and
33 deletions
+123
-33
CHANGELOG-EE.md
CHANGELOG-EE.md
+14
-0
CHANGELOG.md
CHANGELOG.md
+18
-0
app/models/note.rb
app/models/note.rb
+15
-12
app/models/system_note_metadata.rb
app/models/system_note_metadata.rb
+5
-0
ee/app/models/ee/system_note_metadata.rb
ee/app/models/ee/system_note_metadata.rb
+11
-0
ee/changelogs/unreleased/security-fix-leaking-private-project-namespace.yml
...leased/security-fix-leaking-private-project-namespace.yml
+5
-0
lib/banzai/object_renderer.rb
lib/banzai/object_renderer.rb
+1
-0
lib/banzai/redactor.rb
lib/banzai/redactor.rb
+7
-1
spec/models/note_spec.rb
spec/models/note_spec.rb
+47
-20
No files found.
CHANGELOG-EE.md
View file @
592ff4e9
Please view this file on the master branch, on stable branches it's out of date.
## 11.3.4 (2018-10-05)
### Security (1 change)
-
Properly filter private references from system notes.
## 11.3.3 (2018-10-04)
-
No changes.
...
...
@@ -95,6 +102,13 @@ Please view this file on the master branch, on stable branches it's out of date.
-
Remove differences between CE and EE settings panel component.
## 11.2.5 (2018-10-05)
### Security (1 change)
-
Properly filter private references from system notes.
## 11.2.4 (2018-09-26)
### Security (2 changes)
...
...
CHANGELOG.md
View file @
592ff4e9
...
...
@@ -2,6 +2,15 @@
documentation
](
doc/development/changelog.md
)
for instructions on adding your own
entry.
## 11.3.4 (2018-10-05)
### Security (3 changes)
-
Filter user sensitive data from discussions JSON. !2537
-
Properly filter private references from system notes.
-
Markdown API no longer displays confidential title references unless authorized.
## 11.3.3 (2018-10-04)
-
No changes.
...
...
@@ -279,6 +288,15 @@ entry.
-
Creates Vue component for artifacts block on job page.
## 11.2.5 (2018-10-05)
### Security (3 changes)
-
Filter user sensitive data from discussions JSON. !2538
-
Properly filter private references from system notes.
-
Markdown API no longer displays confidential title references unless authorized.
## 11.2.4 (2018-09-26)
### Security (6 changes)
...
...
app/models/note.rb
View file @
592ff4e9
...
...
@@ -45,10 +45,12 @@ class Note < ActiveRecord::Base
# Banzai::ObjectRenderer.
attr_accessor
:redacted_note_html
# An Array containing the number of visible references as generated by
# Banzai::ObjectRenderer
# Number of user visible references as generated by Banzai::ObjectRenderer
attr_accessor
:user_visible_reference_count
# Total of all references as generated by Banzai::ObjectRenderer
attr_accessor
:total_reference_count
# Attribute used to store the attributes that have been changed by quick actions.
attr_accessor
:commands_changes
...
...
@@ -296,15 +298,7 @@ class Note < ActiveRecord::Base
end
def
cross_reference_not_visible_for?
(
user
)
cross_reference?
&&
!
has_referenced_mentionables?
(
user
)
end
def
has_referenced_mentionables?
(
user
)
if
user_visible_reference_count
.
present?
user_visible_reference_count
>
0
else
referenced_mentionables
(
user
).
any?
end
cross_reference?
&&
!
all_referenced_mentionables_allowed?
(
user
)
end
def
award_emoji?
...
...
@@ -474,9 +468,18 @@ class Note < ActiveRecord::Base
self
.
discussion_id
||=
discussion_class
.
discussion_id
(
self
)
end
def
all_referenced_mentionables_allowed?
(
user
)
if
user_visible_reference_count
.
present?
&&
total_reference_count
.
present?
# if they are not equal, then there are private/confidential references as well
user_visible_reference_count
>
0
&&
user_visible_reference_count
==
total_reference_count
else
referenced_mentionables
(
user
).
any?
end
end
def
force_cross_reference_regex_check?
return
unless
system
?
SystemNoteMetadata
::
TYPES_WITH_CROSS_REFERENCES
.
include?
(
system_note_metadata
&
.
action
)
system_note_metadata
&
.
cross_reference_types
&
.
include?
(
system_note_metadata
&
.
action
)
end
end
app/models/system_note_metadata.rb
View file @
592ff4e9
...
...
@@ -12,6 +12,7 @@ class SystemNoteMetadata < ActiveRecord::Base
commit cross_reference
close duplicate
relate unrelate
moved
]
.
freeze
ICON_TYPES
=
%w[
...
...
@@ -29,4 +30,8 @@ class SystemNoteMetadata < ActiveRecord::Base
def
icon_types
ICON_TYPES
end
def
cross_reference_types
TYPES_WITH_CROSS_REFERENCES
end
end
ee/app/models/ee/system_note_metadata.rb
View file @
592ff4e9
...
...
@@ -8,9 +8,20 @@ module EE
epic_issue_moved issue_changed_epic epic_date_changed
]
.
freeze
EE_TYPES_WITH_CROSS_REFERENCES
=
%w[
relate unrelate
epic_issue_added issue_added_to_epic epic_issue_removed issue_removed_from_epic
epic_issue_moved issue_changed_epic
]
.
freeze
override
:icon_types
def
icon_types
@icon_types
||=
(
super
+
EE_ICON_TYPES
).
freeze
end
override
:cross_reference_types
def
cross_reference_types
@cross_reference_types
||=
(
super
+
EE_TYPES_WITH_CROSS_REFERENCES
).
freeze
end
end
end
ee/changelogs/unreleased/security-fix-leaking-private-project-namespace.yml
0 → 100644
View file @
592ff4e9
---
title
:
Properly filter private references from system notes
merge_request
:
author
:
type
:
security
lib/banzai/object_renderer.rb
View file @
592ff4e9
...
...
@@ -38,6 +38,7 @@ module Banzai
redacted_data
=
redacted
[
index
]
object
.
__send__
(
"redacted_
#{
attribute
}
_html="
,
redacted_data
[
:document
].
to_html
(
save_options
).
html_safe
)
# rubocop:disable GitlabSecurity/PublicSend
object
.
user_visible_reference_count
=
redacted_data
[
:visible_reference_count
]
if
object
.
respond_to?
(
:user_visible_reference_count
)
object
.
total_reference_count
=
redacted_data
[
:total_reference_count
]
if
object
.
respond_to?
(
:total_reference_count
)
end
end
...
...
lib/banzai/redactor.rb
View file @
592ff4e9
...
...
@@ -37,7 +37,13 @@ module Banzai
all_document_nodes
.
each
do
|
entry
|
nodes_for_document
=
entry
[
:nodes
]
doc_data
=
{
document:
entry
[
:document
],
visible_reference_count:
nodes_for_document
.
count
}
doc_data
=
{
document:
entry
[
:document
],
total_reference_count:
nodes_for_document
.
count
,
visible_reference_count:
nodes_for_document
.
count
}
metadata
<<
doc_data
nodes_for_document
.
each
do
|
node
|
...
...
spec/models/note_spec.rb
View file @
592ff4e9
...
...
@@ -231,13 +231,7 @@ describe Note do
let
(
:ext_proj
)
{
create
(
:project
,
:public
)
}
let
(
:ext_issue
)
{
create
(
:issue
,
project:
ext_proj
)
}
let
(
:note
)
do
create
:note
,
noteable:
ext_issue
,
project:
ext_proj
,
note:
"mentioned in issue
#{
private_issue
.
to_reference
(
ext_proj
)
}
"
,
system:
true
end
shared_examples
"checks references"
do
it
"returns true"
do
expect
(
note
.
cross_reference_not_visible_for?
(
ext_issue
.
author
)).
to
be_truthy
end
...
...
@@ -248,6 +242,7 @@ describe Note do
it
"returns false if user visible reference count set"
do
note
.
user_visible_reference_count
=
1
note
.
total_reference_count
=
1
expect
(
note
).
not_to
receive
(
:reference_mentionables
)
expect
(
note
.
cross_reference_not_visible_for?
(
ext_issue
.
author
)).
to
be_falsy
...
...
@@ -261,6 +256,38 @@ describe Note do
end
end
context
"when there is one reference in note"
do
let
(
:note
)
do
create
:note
,
noteable:
ext_issue
,
project:
ext_proj
,
note:
"mentioned in issue
#{
private_issue
.
to_reference
(
ext_proj
)
}
"
,
system:
true
end
it_behaves_like
"checks references"
end
context
"when there are two references in note"
do
let
(
:note
)
do
create
:note
,
noteable:
ext_issue
,
project:
ext_proj
,
note:
"mentioned in issue
#{
private_issue
.
to_reference
(
ext_proj
)
}
and "
\
"public issue
#{
ext_issue
.
to_reference
(
ext_proj
)
}
"
,
system:
true
end
it_behaves_like
"checks references"
it
"returns true if user visible reference count set and there is a private reference"
do
note
.
user_visible_reference_count
=
1
note
.
total_reference_count
=
2
expect
(
note
).
not_to
receive
(
:reference_mentionables
)
expect
(
note
.
cross_reference_not_visible_for?
(
ext_issue
.
author
)).
to
be_truthy
end
end
end
describe
'#cross_reference?'
do
it
'falsey for user-generated notes'
do
note
=
create
(
:note
,
system:
false
)
...
...
@@ -269,7 +296,7 @@ describe Note do
end
context
'when the note might contain cross references'
do
SystemNoteMetadata
::
TYPES_WITH_CROSS_REFERENCES
.
each
do
|
type
|
SystemNoteMetadata
.
new
.
cross_reference_types
.
each
do
|
type
|
let
(
:note
)
{
create
(
:note
,
:system
)
}
let!
(
:metadata
)
{
create
(
:system_note_metadata
,
note:
note
,
action:
type
)
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment