Add latest changes from gitlab-org/security/gitlab@13-8-stable-ee

83380b5e · GitLab Bot · 21585f82 · 83380b5e · 83380b5e · 83380b5e
Commit 83380b5e authored Feb 10, 2021 by GitLab Bot
13 changed files
--- a/GITLAB_SHELL_VERSION
+++ b/GITLAB_SHELL_VERSION
-13.15.0
+13.15.1
--- a/app/controllers/projects/pipelines_controller.rb
+++ b/app/controllers/projects/pipelines_controller.rb
@@ -9,6 +9,7 @@ class Projects::PipelinesController < Projects::ApplicationController
  before_action :set_pipeline_path, only: [:show]
  before_action :authorize_read_pipeline!
  before_action :authorize_read_build!, only: [:index]
+  before_action :authorize_read_analytics!, only: [:charts]
  before_action :authorize_create_pipeline!, only: [:new, :create, :config_variables]
  before_action :authorize_update_pipeline!, only: [:retry, :cancel]
  before_action do

--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -218,6 +218,7 @@ class ProjectPolicy < BasePolicy
    enable :read_pages_content
    enable :read_release
    enable :read_analytics
+    enable :read_insights
  end

  # These abilities are not allowed to admins that are not members of the project,
@@ -447,6 +448,9 @@ class ProjectPolicy < BasePolicy

  rule { analytics_disabled }.policy do
    prevent(:read_analytics)
+    prevent(:read_insights)
+    prevent(:read_cycle_analytics)
+    prevent(:read_repository_graphs)
  end

  rule { wiki_disabled }.policy do
@@ -520,6 +524,7 @@ class ProjectPolicy < BasePolicy
    enable :read_cycle_analytics
    enable :read_pages_content
    enable :read_analytics
+    enable :read_insights

    # NOTE: may be overridden by IssuePolicy
    enable :read_issue

--- a/changelogs/unreleased/security-limit-fscanl.yml
+++ b/changelogs/unreleased/security-limit-fscanl.yml
+---
+title: Prevent Denial of Service Attack on gitlab-shell
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/security-respect-analytics-enabled-rule-for-project-level-analytics-featu.yml
+++ b/changelogs/unreleased/security-respect-analytics-enabled-rule-for-project-level-analytics-featu.yml
+---
+title: Enforce the analytics enabled project setting for project-level analytics features
+merge_request:
+author:
+type: security
--- a/changelogs/unreleased/security-ssl-verification-ftc.yml
+++ b/changelogs/unreleased/security-ssl-verification-ftc.yml
+---
+title: Perform SSL verification for FortiTokenCloud Integration
+merge_request:
+author:
+type: security
--- a/lib/gitlab/auth/otp/strategies/forti_token_cloud.rb
+++ b/lib/gitlab/auth/otp/strategies/forti_token_cloud.rb
@@ -61,8 +61,7 @@ module Gitlab
              headers: {
                'Content-Type': 'application/json'
              }.merge(headers),
-              body: body,
-              verify: false # FTC API Docs specifically mentions to turn off SSL Verification while making requests.
+              body: body
            )
          end
        end

--- a/spec/factories/projects.rb
+++ b/spec/factories/projects.rb
@@ -28,6 +28,7 @@ FactoryBot.define do
      forking_access_level { ProjectFeature::ENABLED }
      merge_requests_access_level { ProjectFeature::ENABLED }
      repository_access_level { ProjectFeature::ENABLED }
+      analytics_access_level { ProjectFeature::ENABLED }
      pages_access_level do
        visibility_level == Gitlab::VisibilityLevel::PUBLIC ? ProjectFeature::ENABLED : ProjectFeature::PRIVATE
      end
@@ -63,7 +64,8 @@ FactoryBot.define do
        repository_access_level: evaluator.repository_access_level,
        pages_access_level: evaluator.pages_access_level,
        metrics_dashboard_access_level: evaluator.metrics_dashboard_access_level,
-        operations_access_level: evaluator.operations_access_level
+        operations_access_level: evaluator.operations_access_level,
+        analytics_access_level: evaluator.analytics_access_level
      }

      project.build_project_feature(hash)
@@ -335,6 +337,9 @@ FactoryBot.define do
    trait(:operations_enabled)           { operations_access_level { ProjectFeature::ENABLED } }
    trait(:operations_disabled)          { operations_access_level { ProjectFeature::DISABLED } }
    trait(:operations_private)           { operations_access_level { ProjectFeature::PRIVATE } }
+    trait(:analytics_enabled)           { analytics_access_level { ProjectFeature::ENABLED } }
+    trait(:analytics_disabled)          { analytics_access_level { ProjectFeature::DISABLED } }
+    trait(:analytics_private)           { analytics_access_level { ProjectFeature::PRIVATE } }

    trait :auto_devops do
      association :auto_devops, factory: :project_auto_devops

--- a/spec/lib/gitlab/auth/otp/strategies/forti_token_cloud_spec.rb
+++ b/spec/lib/gitlab/auth/otp/strategies/forti_token_cloud_spec.rb
@@ -13,6 +13,8 @@ RSpec.describe Gitlab::Auth::Otp::Strategies::FortiTokenCloud do
  let(:otp_verification_url) { url + '/auth' }
  let(:access_token) { 'an_access_token' }
  let(:access_token_create_response_body) { '' }
+  let(:access_token_request_body) { { client_id: client_id, client_secret: client_secret } }
+  let(:headers) { { 'Content-Type': 'application/json' } }

  subject(:validate) { described_class.new(user).validate(otp_code) }

@@ -27,11 +29,8 @@ RSpec.describe Gitlab::Auth::Otp::Strategies::FortiTokenCloud do
      client_secret: client_secret
    )

-    access_token_request_body = { client_id: client_id,
-                                  client_secret: client_secret }
-
    stub_request(:post, access_token_create_url)
-      .with(body: JSON(access_token_request_body), headers: { 'Content-Type' => 'application/json' })
+      .with(body: JSON(access_token_request_body), headers: headers)
      .to_return(
        status: access_token_create_response_status,
        body: Gitlab::Json.generate(access_token_create_response_body),
@@ -81,6 +80,20 @@ RSpec.describe Gitlab::Auth::Otp::Strategies::FortiTokenCloud do
    end
  end

+  context 'SSL Verification' do
+    let(:access_token_create_response_status) { 400 }
+
+    context 'with `Gitlab::HTTP`' do
+      it 'does not use a `verify` argument,'\
+         'thereby always performing SSL verification while making API calls' do
+        expect(Gitlab::HTTP).to receive(:post)
+          .with(access_token_create_url, body: JSON(access_token_request_body), headers: headers).and_call_original
+
+        validate
+      end
+    end
+  end
+
  def stub_forti_token_cloud_config(forti_token_cloud_settings)
    allow(::Gitlab.config.forti_token_cloud).to(receive_messages(forti_token_cloud_settings))
  end

--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -992,6 +992,78 @@ RSpec.describe ProjectPolicy do
      it { is_expected.to be_allowed(:read_analytics) }
    end

+    context 'with various analytics features' do
+      let_it_be(:project_with_analytics_disabled) { create(:project, :analytics_disabled) }
+      let_it_be(:project_with_analytics_private) { create(:project, :analytics_private) }
+      let_it_be(:project_with_analytics_enabled) { create(:project, :analytics_enabled) }
+
+      before do
+        project_with_analytics_disabled.add_developer(developer)
+        project_with_analytics_private.add_developer(developer)
+        project_with_analytics_enabled.add_developer(developer)
+      end
+
+      context 'when analytics is enabled for the project' do
+        let(:project) { project_with_analytics_disabled }
+
+        context 'for guest user' do
+          let(:current_user) { guest }
+
+          it { is_expected.to be_disallowed(:read_cycle_analytics) }
+          it { is_expected.to be_disallowed(:read_insights) }
+          it { is_expected.to be_disallowed(:read_repository_graphs) }
+        end
+
+        context 'for developer' do
+          let(:current_user) { developer }
+
+          it { is_expected.to be_disallowed(:read_cycle_analytics) }
+          it { is_expected.to be_disallowed(:read_insights) }
+          it { is_expected.to be_disallowed(:read_repository_graphs) }
+        end
+      end
+
+      context 'when analytics is private for the project' do
+        let(:project) { project_with_analytics_private }
+
+        context 'for guest user' do
+          let(:current_user) { guest }
+
+          it { is_expected.to be_disallowed(:read_cycle_analytics) }
+          it { is_expected.to be_disallowed(:read_insights) }
+          it { is_expected.to be_disallowed(:read_repository_graphs) }
+        end
+
+        context 'for developer' do
+          let(:current_user) { developer }
+
+          it { is_expected.to be_allowed(:read_cycle_analytics) }
+          it { is_expected.to be_allowed(:read_insights) }
+          it { is_expected.to be_allowed(:read_repository_graphs) }
+        end
+      end
+
+      context 'when analytics is enabled for the project' do
+        let(:project) { project_with_analytics_private }
+
+        context 'for guest user' do
+          let(:current_user) { guest }
+
+          it { is_expected.to be_disallowed(:read_cycle_analytics) }
+          it { is_expected.to be_disallowed(:read_insights) }
+          it { is_expected.to be_disallowed(:read_repository_graphs) }
+        end
+
+        context 'for developer' do
+          let(:current_user) { developer }
+
+          it { is_expected.to be_allowed(:read_cycle_analytics) }
+          it { is_expected.to be_allowed(:read_insights) }
+          it { is_expected.to be_allowed(:read_repository_graphs) }
+        end
+      end
+    end
+
    context 'project member' do
      let(:project) { private_project }


--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -886,6 +886,7 @@ RSpec.describe API::Projects do
        merge_method: 'ff'
      }).tap do |attrs|
        attrs[:operations_access_level] = 'disabled'
+        attrs[:analytics_access_level] = 'disabled'
      end

      post api('/projects', user), params: project

--- a/vendor/gitignore/C++.gitignore
+++ b/vendor/gitignore/C++.gitignore
--- a/vendor/gitignore/Java.gitignore
+++ b/vendor/gitignore/Java.gitignore