Update to Rack v2.1.4

This is needed to address a few outstanding CVEs and fix cookie timestamp formats. Full list of changes: https://github.com/rack/rack/compare/2.0.9..2.1.4 Relates to: * https://gitlab.com/gitlab-org/gitlab/-/issues/36362 * https://gitlab.com/gitlab-org/gitlab/-/issues/228622 Rack v2.1.x no longer coerces the body to a string. Previously in a few places the Grape API was returning the status code as an integer, which Grape used as the response body. To preserve the legacy behavior, we explicitly set the body to the stringified integer.

Update to Rack v2.1.4
This is needed to address a few outstanding CVEs and fix cookie timestamp formats. Full list of changes: https://github.com/rack/rack/compare/2.0.9..2.1.4 Relates to: * https://gitlab.com/gitlab-org/gitlab/-/issues/36362 * https://gitlab.com/gitlab-org/gitlab/-/issues/228622 Rack v2.1.x no longer coerces the body to a string. Previously in a few places the Grape API was returning the status code as an integer, which Grape used as the response body. To preserve the legacy behavior, we explicitly set the body to the stringified integer.
7201c153 · Stan Hu · c2957bce · 7201c153 · 7201c153 · 7201c153
Commit 7201c153 authored Oct 06, 2020 by Stan Hu
11 changed files
--- a/Gemfile
+++ b/Gemfile
@@ -172,7 +172,7 @@ gem 'diffy', '~> 3.3'
 gem 'diff_match_patch', '~> 0.1.0'
 # Application server
-gem 'rack', '~> 2.0.9'
+gem 'rack', '~> 2.1.4'
 # https://github.com/sharpstone/rack-timeout/blob/master/README.md#rails-apps-manually
 gem 'rack-timeout', '~> 0.5.1', require: 'rack/timeout/base'

--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -852,7 +852,7 @@ GEM
    public_suffix (4.0.3)
    pyu-ruby-sasl (0.0.3.3)
    raabro (1.1.6)
-    rack (2.0.9)
+    rack (2.1.4)
    rack-accept (0.4.5)
      rack (>= 0.4)
    rack-attack (6.3.0)
@@ -1423,7 +1423,7 @@ DEPENDENCIES
  prometheus-client-mmap (~> 0.12.0)
  pry-byebug (~> 3.9.0)
  pry-rails (~> 0.3.9)
-  rack (~> 2.0.9)
+  rack (~> 2.1.4)
  rack-attack (~> 6.3.0)
  rack-cors (~> 1.0.6)
  rack-oauth2 (~> 1.9.3)

--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -171,7 +171,7 @@ class Admin::UsersController < Admin::ApplicationController
        # restore username to keep form action url.
        user.username = params[:id]
        format.html { render "edit" }
-        format.json { render json: [result[:message]], status: result[:status] }
+        format.json { render json: [result[:message]], status: :internal_server_error }
      end
    end
  end

--- a/app/controllers/projects/merge_requests/drafts_controller.rb
+++ b/app/controllers/projects/merge_requests/drafts_controller.rb
@@ -45,7 +45,7 @@ class Projects::MergeRequests::DraftsController < Projects::MergeRequests::Appli
    if result[:status] == :success
      head :ok
    else
-      render json: { message: result[:message] }, status: result[:status]
+      render json: { message: result[:message] }, status: :internal_server_error
    end
  end

--- a/changelogs/unreleased/sh-update-rack-2-1-4.yml
+++ b/changelogs/unreleased/sh-update-rack-2-1-4.yml
+---
+title: Update to Rack v2.1.4
+merge_request: 44518
+author:
+type: fixed
--- a/lib/api/ci/runner.rb
+++ b/lib/api/ci/runner.rb
@@ -72,6 +72,7 @@ module API
        post '/verify' do
          authenticate_runner!
          status 200
+          body "200"
        end
      end
@@ -183,6 +184,7 @@ module API
          service.execute.then do |result|
            header 'X-GitLab-Trace-Update-Interval', result.backoff
            status result.status
+            body result.status.to_s
          end
        end
@@ -293,6 +295,7 @@ module API
          if result[:status] == :success
            status :created
+            body "201"
          else
            render_api_error!(result[:message], result[:http_status])
          end

--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -522,7 +522,7 @@ module API
      else
        header(*Gitlab::Workhorse.send_url(file.url))
        status :ok
-        body
+        body ""
      end
    end

--- a/lib/api/internal/lfs.rb
+++ b/lib/api/internal/lfs.rb
@@ -44,7 +44,7 @@ module API
              workhorse_headers = Gitlab::Workhorse.send_url(file.url)
              header workhorse_headers[0], workhorse_headers[1]
              env['api.format'] = :binary
-              body nil
+              body ""
            end
          end
        end

--- a/spec/controllers/admin/users_controller_spec.rb
+++ b/spec/controllers/admin/users_controller_spec.rb
@@ -327,7 +327,7 @@ RSpec.describe Admin::UsersController do
  describe 'POST update' do
    context 'when the password has changed' do
-      def update_password(user, password = User.random_password, password_confirmation = password)
+      def update_password(user, password = User.random_password, password_confirmation = password, format = :html)
        params = {
          id: user.to_param,
          user: {
@@ -336,7 +336,7 @@ RSpec.describe Admin::UsersController do
          }
        }
-        post :update, params: params
+        post :update, params: params, format: format
      end
      context 'when admin changes their own password' do
@@ -435,6 +435,23 @@ RSpec.describe Admin::UsersController do
            .not_to change { user.reload.encrypted_password }
        end
      end
+      context 'when the update fails' do
+        let(:password) { User.random_password }
+        before do
+          expect_next_instance_of(Users::UpdateService) do |service|
+            allow(service).to receive(:execute).and_return({ message: 'failed', status: :error })
+          end
+        end
+        it 'returns a 500 error' do
+          expect { update_password(admin, password, password, :json) }
+            .not_to change { admin.reload.password_expired? }
+          expect(response).to have_gitlab_http_status(:error)
+        end
+      end
    end
    context 'admin notes' do

--- a/spec/lib/gitlab/middleware/go_spec.rb
+++ b/spec/lib/gitlab/middleware/go_spec.rb
@@ -142,8 +142,8 @@ RSpec.describe Gitlab::Middleware::Go do
                        response = go
                        expect(response[0]).to eq(403)
-                        expect(response[1]['Content-Length']).to eq('0')
+                        expect(response[1]['Content-Length']).to be_nil
-                        expect(response[2].body).to eq([''])
+                        expect(response[2]).to eq([''])
                      end
                    end
                  end
@@ -187,10 +187,11 @@ RSpec.describe Gitlab::Middleware::Go do
          it 'returns 404' do
            response = go
            expect(response[0]).to eq(404)
            expect(response[1]['Content-Type']).to eq('text/html')
            expected_body = %{<html><body>go get #{Gitlab.config.gitlab.url}/#{project.full_path}</body></html>}
-            expect(response[2].body).to eq([expected_body])
+            expect(response[2]).to eq([expected_body])
          end
        end
@@ -262,7 +263,7 @@ RSpec.describe Gitlab::Middleware::Go do
      expect(response[0]).to eq(200)
      expect(response[1]['Content-Type']).to eq('text/html')
      expected_body = %{<html><head><meta name="go-import" content="#{Gitlab.config.gitlab.host}/#{path} git #{repository_url}" /><meta name="go-source" content="#{Gitlab.config.gitlab.host}/#{path} #{project_url} #{project_url}/-/tree/#{branch}{/dir} #{project_url}/-/blob/#{branch}{/dir}/{file}#L{line}" /></head><body>go get #{Gitlab.config.gitlab.url}/#{path}</body></html>}
-      expect(response[2].body).to eq([expected_body])
+      expect(response[2]).to eq([expected_body])
    end
  end
 end
--- a/spec/lib/gitlab/middleware/same_site_cookies_spec.rb
+++ b/spec/lib/gitlab/middleware/same_site_cookies_spec.rb
@@ -60,12 +60,12 @@ RSpec.describe Gitlab::Middleware::SameSiteCookies do
      end
      context 'with no cookies' do
-        let(:cookies) { nil }
+        let(:cookies) { "" }
        it 'does not add headers' do
          response = do_request
-          expect(response['Set-Cookie']).to be_nil
+          expect(response['Set-Cookie']).to eq("")
        end
      end