Commit 64ed8e1d authored by GitLab Bot's avatar GitLab Bot

Add latest changes from gitlab-org/security/gitlab@13-12-stable-ee

parent 484b5969
...@@ -157,7 +157,7 @@ gem 'github-markup', '~> 1.7.0', require: 'github/markup' ...@@ -157,7 +157,7 @@ gem 'github-markup', '~> 1.7.0', require: 'github/markup'
gem 'commonmarker', '~> 0.21' gem 'commonmarker', '~> 0.21'
gem 'kramdown', '~> 2.3.1' gem 'kramdown', '~> 2.3.1'
gem 'RedCloth', '~> 4.3.2' gem 'RedCloth', '~> 4.3.2'
gem 'rdoc', '~> 6.1.2' gem 'gitlab-rdoc', '~> 6.3.2', require: 'rdoc' # We need this fork until rdoc releases a new version. See https://gitlab.com/gitlab-org/gitlab/-/issues/334695
gem 'org-ruby', '~> 0.9.12' gem 'org-ruby', '~> 0.9.12'
gem 'creole', '~> 0.5.0' gem 'creole', '~> 0.5.0'
gem 'wikicloth', '0.8.1' gem 'wikicloth', '0.8.1'
......
...@@ -483,6 +483,7 @@ GEM ...@@ -483,6 +483,7 @@ GEM
addressable (~> 2.7) addressable (~> 2.7)
omniauth (~> 1.9) omniauth (~> 1.9)
openid_connect (~> 1.2) openid_connect (~> 1.2)
gitlab-rdoc (6.3.2)
gitlab-sidekiq-fetcher (0.5.6) gitlab-sidekiq-fetcher (0.5.6)
sidekiq (~> 5) sidekiq (~> 5)
gitlab-styles (6.2.0) gitlab-styles (6.2.0)
...@@ -1008,7 +1009,6 @@ GEM ...@@ -1008,7 +1009,6 @@ GEM
msgpack (>= 0.4.3) msgpack (>= 0.4.3)
optimist (>= 3.0.0) optimist (>= 3.0.0)
rchardet (1.8.0) rchardet (1.8.0)
rdoc (6.1.2)
re2 (1.2.0) re2 (1.2.0)
recaptcha (4.13.1) recaptcha (4.13.1)
json json
...@@ -1485,6 +1485,7 @@ DEPENDENCIES ...@@ -1485,6 +1485,7 @@ DEPENDENCIES
gitlab-markup (~> 1.7.1) gitlab-markup (~> 1.7.1)
gitlab-net-dns (~> 0.9.1) gitlab-net-dns (~> 0.9.1)
gitlab-omniauth-openid-connect (~> 0.4.0) gitlab-omniauth-openid-connect (~> 0.4.0)
gitlab-rdoc (~> 6.3.2)
gitlab-sidekiq-fetcher (= 0.5.6) gitlab-sidekiq-fetcher (= 0.5.6)
gitlab-styles (~> 6.2.0) gitlab-styles (~> 6.2.0)
gitlab_chronic_duration (~> 0.10.6.2) gitlab_chronic_duration (~> 0.10.6.2)
...@@ -1594,7 +1595,6 @@ DEPENDENCIES ...@@ -1594,7 +1595,6 @@ DEPENDENCIES
raindrops (~> 0.18) raindrops (~> 0.18)
rblineprof (~> 0.3.6) rblineprof (~> 0.3.6)
rbtrace (~> 0.4) rbtrace (~> 0.4)
rdoc (~> 6.1.2)
re2 (~> 1.2.0) re2 (~> 1.2.0)
recaptcha (~> 4.11) recaptcha (~> 4.11)
redis (~> 4.0) redis (~> 4.0)
......
...@@ -238,6 +238,7 @@ class User < ApplicationRecord ...@@ -238,6 +238,7 @@ class User < ApplicationRecord
validate :owns_commit_email, if: :commit_email_changed? validate :owns_commit_email, if: :commit_email_changed?
validate :signup_domain_valid?, on: :create, if: ->(user) { !user.created_by_id } validate :signup_domain_valid?, on: :create, if: ->(user) { !user.created_by_id }
validate :check_email_restrictions, on: :create, if: ->(user) { !user.created_by_id } validate :check_email_restrictions, on: :create, if: ->(user) { !user.created_by_id }
validate :check_username_format, if: :username_changed?
validates :theme_id, allow_nil: true, inclusion: { in: Gitlab::Themes.valid_ids, validates :theme_id, allow_nil: true, inclusion: { in: Gitlab::Themes.valid_ids,
message: _("%{placeholder} is not a valid theme") % { placeholder: '%{value}' } } message: _("%{placeholder} is not a valid theme") % { placeholder: '%{value}' } }
...@@ -2083,6 +2084,12 @@ class User < ApplicationRecord ...@@ -2083,6 +2084,12 @@ class User < ApplicationRecord
end end
end end
def check_username_format
return if username.blank? || Mime::EXTENSION_LOOKUP.keys.none? { |type| username.end_with?(type) }
errors.add(:username, _('ending with MIME type format is not allowed.'))
end
def groups_with_developer_maintainer_project_access def groups_with_developer_maintainer_project_access
project_creation_levels = [::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS] project_creation_levels = [::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS]
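Review bot: `check_username_format` rejects any username whose trailing characters match a registered extension even when no dot separates them, because `username.end_with?(type)` is tested against the bare extension name — usernames such as `json` or `myatom` fail with the same message. If only a `.ext` suffix is the concern, `username.end_with?(".#{type}")` would narrow the check, but that should be confirmed against how the router treats the format suffix before relaxing a security-motivated validation; in either form the comparison is case-sensitive, so if mixed-case usernames are permitted, comparing `username.downcase` is the more conservative choice. The method also carries no comment on why it exists; a line above it such as `# Reject usernames whose suffix matches a registered MIME extension (presumably so a username cannot be read as a route format suffix).` would spare the next reader a trip to the issue tracker. The enclosing class starts and ends outside the hunk.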
......
...@@ -38357,6 +38357,9 @@ msgstr "" ...@@ -38357,6 +38357,9 @@ msgstr ""
msgid "encrypted: needs to be a :required, :optional or :migrating!" msgid "encrypted: needs to be a :required, :optional or :migrating!"
msgstr "" msgstr ""
msgid "ending with MIME type format is not allowed."
msgstr ""
msgid "entries cannot be larger than 255 characters" msgid "entries cannot be larger than 255 characters"
msgstr "" msgstr ""
......
...@@ -376,6 +376,19 @@ RSpec.describe User do ...@@ -376,6 +376,19 @@ RSpec.describe User do
expect(user.errors.full_messages).to eq(['Username has already been taken']) expect(user.errors.full_messages).to eq(['Username has already been taken'])
end end
end end
it 'validates format' do
Mime::EXTENSION_LOOKUP.keys.each do |type|
user = build(:user, username: "test.#{type}")
expect(user).not_to be_valid
expect(user.errors.full_messages).to include('Username ending with MIME type format is not allowed.')
end
end
it 'validates format on updated record' do
expect(create(:user).update(username: 'profile.html')).to be_falsey
end
end end
it 'has a DB-level NOT NULL constraint on projects_limit' do it 'has a DB-level NOT NULL constraint on projects_limit' do
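Review bot: The new examples assert only the rejection path; nothing in this hunk checks that a dotted username which does not end in a MIME extension is still accepted, even though the API spec fixtures in the same commit were renamed from `user.with.dot` to `user.withdot`, which suggests the boundary is worth pinning. A positive example such as `expect(build(:user, username: 'user.withdot')).to be_valid` next to the two new `it` blocks would document the intended behaviour and catch an over-broad check. As a point of style, `Mime::EXTENSION_LOOKUP.keys.each do |type|` can be `Mime::EXTENSION_LOOKUP.each_key do |type|`. The enclosing `describe` block starts outside the hunk.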
......
...@@ -56,7 +56,7 @@ RSpec.describe API::Projects do ...@@ -56,7 +56,7 @@ RSpec.describe API::Projects do
let_it_be(:project, reload: true) { create(:project, :repository, namespace: user.namespace) } let_it_be(:project, reload: true) { create(:project, :repository, namespace: user.namespace) }
let_it_be(:project2, reload: true) { create(:project, namespace: user.namespace) } let_it_be(:project2, reload: true) { create(:project, namespace: user.namespace) }
let_it_be(:project_member) { create(:project_member, :developer, user: user3, project: project) } let_it_be(:project_member) { create(:project_member, :developer, user: user3, project: project) }
let_it_be(:user4) { create(:user, username: 'user.with.dot') } let_it_be(:user4) { create(:user, username: 'user.withdot') }
let_it_be(:project3, reload: true) do let_it_be(:project3, reload: true) do
create(:project, create(:project,
:private, :private,
......
...@@ -4,7 +4,7 @@ require 'spec_helper' ...@@ -4,7 +4,7 @@ require 'spec_helper'
RSpec.describe API::Users do RSpec.describe API::Users do
let_it_be(:admin) { create(:admin) } let_it_be(:admin) { create(:admin) }
let_it_be(:user, reload: true) { create(:user, username: 'user.with.dot') } let_it_be(:user, reload: true) { create(:user, username: 'user.withdot') }
let_it_be(:key) { create(:key, user: user) } let_it_be(:key) { create(:key, user: user) }
let_it_be(:gpg_key) { create(:gpg_key, user: user) } let_it_be(:gpg_key) { create(:gpg_key, user: user) }
let_it_be(:email) { create(:email, user: user) } let_it_be(:email) { create(:email, user: user) }
......