Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
e0a6a21a
Commit
e0a6a21a
authored
Mar 31, 2021
by
GitLab Release Tools Bot
Browse files
Options
Browse Files
Download
Plain Diff
Merge remote-tracking branch 'dev/master'
parents
825cde32
cb4bd170
Changes
30
Hide whitespace changes
Inline
Side-by-side
Showing
30 changed files
with
382 additions
and
50 deletions
+382
-50
CHANGELOG-EE.md
CHANGELOG-EE.md
+21
-0
CHANGELOG.md
CHANGELOG.md
+65
-0
app/models/merge_request.rb
app/models/merge_request.rb
+2
-2
app/models/project.rb
app/models/project.rb
+1
-1
app/services/projects/unlink_fork_service.rb
app/services/projects/unlink_fork_service.rb
+2
-0
app/views/shared/issuable/_sidebar.html.haml
app/views/shared/issuable/_sidebar.html.haml
+1
-1
changelogs/unreleased/mimemagic_shim.yml
changelogs/unreleased/mimemagic_shim.yml
+0
-5
changelogs/unreleased/remove-direct-mimemagic-dependency-minimal.yml
...unreleased/remove-direct-mimemagic-dependency-minimal.yml
+0
-5
changelogs/unreleased/remove-direct-mimemagic-dependency.yml
changelogs/unreleased/remove-direct-mimemagic-dependency.yml
+0
-5
changelogs/unreleased/remove_hipchat_gem.yml
changelogs/unreleased/remove_hipchat_gem.yml
+0
-5
config/initializers/asciidoctor_patch.rb
config/initializers/asciidoctor_patch.rb
+20
-0
doc/api/system_hooks.md
doc/api/system_hooks.md
+2
-2
ee/app/policies/ee/issuable_policy.rb
ee/app/policies/ee/issuable_policy.rb
+13
-0
ee/changelogs/security-360-prevent-any-users-from-deleting-metrics-issue-images.yml
...-prevent-any-users-from-deleting-metrics-issue-images.yml
+5
-0
ee/lib/ee/api/issues.rb
ee/lib/ee/api/issues.rb
+3
-6
ee/lib/ee/banzai/filter/label_reference_filter.rb
ee/lib/ee/banzai/filter/label_reference_filter.rb
+8
-2
ee/spec/lib/banzai/filter/label_reference_filter_spec.rb
ee/spec/lib/banzai/filter/label_reference_filter_spec.rb
+8
-3
ee/spec/policies/issuable_policy_spec.rb
ee/spec/policies/issuable_policy_spec.rb
+66
-0
ee/spec/requests/api/issues_spec.rb
ee/spec/requests/api/issues_spec.rb
+12
-3
lib/api/system_hooks.rb
lib/api/system_hooks.rb
+1
-1
lib/gitlab/markdown_cache.rb
lib/gitlab/markdown_cache.rb
+1
-1
lib/gitlab/user_access.rb
lib/gitlab/user_access.rb
+6
-1
spec/factories/pool_repositories.rb
spec/factories/pool_repositories.rb
+1
-1
spec/features/merge_request/user_views_open_merge_request_spec.rb
...tures/merge_request/user_views_open_merge_request_spec.rb
+17
-0
spec/lib/gitlab/asciidoc_spec.rb
spec/lib/gitlab/asciidoc_spec.rb
+43
-0
spec/lib/gitlab/user_access_spec.rb
spec/lib/gitlab/user_access_spec.rb
+9
-0
spec/models/project_spec.rb
spec/models/project_spec.rb
+58
-0
spec/requests/api/system_hooks_spec.rb
spec/requests/api/system_hooks_spec.rb
+5
-5
spec/services/projects/fork_service_spec.rb
spec/services/projects/fork_service_spec.rb
+1
-1
spec/services/projects/unlink_fork_service_spec.rb
spec/services/projects/unlink_fork_service_spec.rb
+11
-0
No files found.
CHANGELOG-EE.md
View file @
e0a6a21a
Please view this file on the master branch, on stable branches it's out of date.
## 13.10.1 (2021-03-31)
### Security (1 change)
-
Escape HTML on scoped labels tooltip.
## 13.10.0 (2021-03-22)
### Removed (1 change)
...
...
@@ -167,6 +174,13 @@ Please view this file on the master branch, on stable branches it's out of date.
-
Delete redirect files. !56169
## 13.9.5 (2021-03-31)
### Security (1 change)
-
Escape HTML on scoped labels tooltip.
## 13.9.4 (2021-03-17)
-
No changes.
...
...
@@ -337,6 +351,13 @@ Please view this file on the master branch, on stable branches it's out of date.
-
Review UI text - repo push rules settings. !52797
## 13.8.7 (2021-03-31)
### Security (1 change)
-
Escape HTML on scoped labels tooltip.
## 13.8.6 (2021-03-17)
-
No changes.
...
...
CHANGELOG.md
View file @
e0a6a21a
...
...
@@ -2,6 +2,28 @@
documentation
](
doc/development/changelog.md
)
for instructions on adding your own
entry.
## 13.10.1 (2021-03-31)
### Security (6 changes)
-
Leave pool repository on fork unlinking.
-
Fixed XSS in merge requests sidebar.
-
Fix arbitrary read/write in AsciiDoctor and Kroki gems.
-
Prevent infinite loop when checking if collaboration is allowed.
-
Disable arbitrary URI and file reads in JSON validator.
-
Require POST request to trigger system hooks.
### Removed (1 change)
-
Make HipChat project service do nothing. !57434
### Other (3 changes)
-
Remove direct mimemagic dependency. !57387
-
Refactor MimeMagic calls to new MimeType class. !57421
-
Switch to using a fake mimemagic gem. !57443
## 13.10.0 (2021-03-22)
### Security (3 changes)
...
...
@@ -529,6 +551,28 @@ entry.
-
Convert mattermost alert to pajamas. !56556
## 13.9.5 (2021-03-31)
### Security (6 changes)
-
Leave pool repository on fork unlinking.
-
Fixed XSS in merge requests sidebar.
-
Fix arbitrary read/write in AsciiDoctor and Kroki gems.
-
Prevent infinite loop when checking if collaboration is allowed.
-
Disable arbitrary URI and file reads in JSON validator.
-
Require POST request to trigger system hooks.
### Removed (1 change)
-
Make HipChat project service do nothing. !57434
### Other (3 changes)
-
Remove direct mimemagic dependency. !57387
-
Refactor MimeMagic calls to new MimeType class. !57421
-
Switch to using a fake mimemagic gem. !57443
## 13.9.4 (2021-03-17)
### Security (1 change)
...
...
@@ -1144,6 +1188,27 @@ entry.
-
Apply new GitLab UI for buttons in pipeline schedules.
## 13.8.7 (2021-03-31)
### Security (5 changes)
-
Fixed XSS in merge requests sidebar.
-
Leave pool repository on fork unlinking.
-
Fix arbitrary read/write in AsciiDoctor and Kroki gems.
-
Prevent infinite loop when checking if collaboration is allowed.
-
Require POST request to trigger system hooks.
### Removed (1 change)
-
Make HipChat project service do nothing. !57434
### Other (3 changes)
-
Remove direct mimemagic dependency. !57387
-
Refactor MimeMagic calls to new MimeType class. !57421
-
Switch to using a fake mimemagic gem. !57443
## 13.8.6 (2021-03-17)
### Security (1 change)
...
...
app/models/merge_request.rb
View file @
e0a6a21a
...
...
@@ -1350,8 +1350,8 @@ class MergeRequest < ApplicationRecord
has_no_commits?
||
branch_missing?
||
cannot_be_merged?
end
def
can_be_merged_by?
(
user
)
access
=
::
Gitlab
::
UserAccess
.
new
(
user
,
container:
project
)
def
can_be_merged_by?
(
user
,
skip_collaboration_check:
false
)
access
=
::
Gitlab
::
UserAccess
.
new
(
user
,
container:
project
,
skip_collaboration_check:
skip_collaboration_check
)
access
.
can_update_branch?
(
target_branch
)
end
...
...
app/models/project.rb
View file @
e0a6a21a
...
...
@@ -2711,7 +2711,7 @@ class Project < ApplicationRecord
# Issue for N+1: https://gitlab.com/gitlab-org/gitlab-foss/issues/49322
Gitlab
::
GitalyClient
.
allow_n_plus_1_calls
do
merge_requests_allowing_collaboration
(
branch_name
).
any?
do
|
merge_request
|
merge_request
.
can_be_merged_by?
(
user
)
merge_request
.
can_be_merged_by?
(
user
,
skip_collaboration_check:
true
)
end
end
end
...
...
app/services/projects/unlink_fork_service.rb
View file @
e0a6a21a
...
...
@@ -32,6 +32,8 @@ module Projects
if
fork_network
=
@project
.
root_of_fork_network
fork_network
.
update
(
root_project:
nil
,
deleted_root_project_name:
@project
.
full_name
)
end
@project
.
leave_pool_repository
end
# rubocop: disable Cop/InBatches
...
...
app/views/shared/issuable/_sidebar.html.haml
View file @
e0a6a21a
...
...
@@ -138,7 +138,7 @@
=
clipboard_button
(
text:
source_branch
,
title:
_
(
'Copy branch name'
),
placement:
"left"
,
boundary:
'viewport'
)
.gl-display-flex.gl-align-items-center.gl-justify-content-space-between.gl-mb-2.hide-collapsed
%span
.gl-overflow-hidden.gl-text-overflow-ellipsis.gl-white-space-nowrap
=
_
(
'Source branch: %{source_branch_open}%{source_branch}%{source_branch_close}'
).
html_safe
%
{
source_branch_open:
"<span class='gl-font-monospace'
title='
#{
source_branch
}
'>"
.
html_safe
,
source_branch_close:
"</span>"
.
html_safe
,
source_branch:
source_branch
}
=
_
(
'Source branch: %{source_branch_open}%{source_branch}%{source_branch_close}'
).
html_safe
%
{
source_branch_open:
"<span class='gl-font-monospace'
data-testid='ref-name' title='
#{
html_escape
(
source_branch
)
}
'>"
.
html_safe
,
source_branch_close:
"</span>"
.
html_safe
,
source_branch:
html_escape
(
source_branch
)
}
=
clipboard_button
(
text:
source_branch
,
title:
_
(
'Copy branch name'
),
placement:
"left"
,
boundary:
'viewport'
)
-
if
show_forwarding_email
...
...
changelogs/unreleased/mimemagic_shim.yml
deleted
100644 → 0
View file @
825cde32
---
title
:
Switch to using a fake mimemagic gem
merge_request
:
57443
author
:
type
:
other
changelogs/unreleased/remove-direct-mimemagic-dependency-minimal.yml
deleted
100644 → 0
View file @
825cde32
---
title
:
Refactor MimeMagic calls to new MimeType class
merge_request
:
57421
author
:
type
:
other
changelogs/unreleased/remove-direct-mimemagic-dependency.yml
deleted
100644 → 0
View file @
825cde32
---
title
:
Remove direct mimemagic dependency
merge_request
:
57387
author
:
type
:
other
changelogs/unreleased/remove_hipchat_gem.yml
deleted
100644 → 0
View file @
825cde32
---
title
:
Make HipChat project service do nothing
merge_request
:
57434
author
:
type
:
removed
config/initializers/asciidoctor_patch.rb
0 → 100644
View file @
e0a6a21a
# frozen_string_literal: true
# Ensure that locked attributes can not be changed using a counter.
# TODO: this can be removed once `asciidoctor` gem is > 2.0.12
# and https://github.com/asciidoctor/asciidoctor/issues/3939 is merged
module
Asciidoctor
module
DocumentPatch
def
counter
(
name
,
seed
=
nil
)
return
@parent_document
.
counter
(
name
,
seed
)
if
@parent_document
# rubocop: disable Gitlab/ModuleWithInstanceVariables
unless
attribute_locked?
name
super
end
end
end
end
class
Asciidoctor::Document
prepend
Asciidoctor
::
DocumentPatch
end
doc/api/system_hooks.md
View file @
e0a6a21a
...
...
@@ -88,7 +88,7 @@ Example response:
## Test system hook
```
plaintext
GE
T /hooks/:id
POS
T /hooks/:id
```
| Attribute | Type | Required | Description |
...
...
@@ -98,7 +98,7 @@ GET /hooks/:id
Example request:
```
shell
curl
--
header
"PRIVATE-TOKEN: <your_access_token>"
"https://gitlab.example.com/api/v4/hooks/2
"
curl
--
request
POST
--header
"PRIVATE-TOKEN: <your_access_token>"
"https://gitlab.example.com/api/v4/hooks/1
"
```
Example response:
...
...
ee/app/policies/ee/issuable_policy.rb
View file @
e0a6a21a
...
...
@@ -5,6 +5,10 @@ module EE
extend
ActiveSupport
::
Concern
prepended
do
condition
(
:is_author
)
do
@user
&&
@subject
.
author_id
==
@user
.
id
end
rule
{
can?
(
:read_issue
)
}.
policy
do
enable
:read_issuable_metric_image
end
...
...
@@ -12,6 +16,15 @@ module EE
rule
{
can?
(
:create_issue
)
&
can?
(
:update_issue
)
}.
policy
do
enable
:upload_issuable_metric_image
end
rule
{
is_author
|
can?
(
:create_issue
)
&
can?
(
:update_issue
)
}.
policy
do
enable
:destroy_issuable_metric_image
end
rule
{
~
is_project_member
}.
policy
do
prevent
:upload_issuable_metric_image
prevent
:destroy_issuable_metric_image
end
end
end
end
ee/changelogs/security-360-prevent-any-users-from-deleting-metrics-issue-images.yml
0 → 100644
View file @
e0a6a21a
---
title
:
Fix permissions for modifying issue metric images
merge_request
:
author
:
type
:
security
ee/lib/ee/api/issues.rb
View file @
e0a6a21a
...
...
@@ -79,6 +79,9 @@ module EE
end
delete
':metric_image_id'
do
issue
=
find_project_issue
(
params
[
:issue_iid
])
authorize!
(
:destroy_issuable_metric_image
,
issue
)
metric_image
=
issue
.
metric_images
.
find_by_id
(
params
[
:metric_image_id
])
render_api_error!
(
'Metric image not found'
,
404
)
unless
metric_image
...
...
@@ -93,12 +96,6 @@ module EE
end
helpers
do
include
::
API
::
Helpers
::
Packages
::
BasicAuthHelpers
def
project
authorized_user_project
end
def
max_file_size_exceeded?
params
[
:file
].
size
>
::
IssuableMetricImage
::
MAX_FILE_SIZE
end
...
...
ee/lib/ee/banzai/filter/label_reference_filter.rb
View file @
e0a6a21a
...
...
@@ -10,12 +10,18 @@ module EE
def
data_attributes_for
(
text
,
parent
,
object
,
link_content:
false
,
link_reference:
false
)
return
super
unless
object
.
scoped_label?
# Enabling HTML tooltips for scoped labels here but we do not need to do any additional
# escaping because the label's tooltips are already stripped of dangerous HTML
# Enabling HTML tooltips for scoped labels here and additional escaping is done in `object_link_title`
super
.
merge!
(
html:
true
)
end
override
:object_link_title
def
object_link_title
(
object
,
matches
)
return
super
unless
object
.
scoped_label?
ERB
::
Util
.
html_escape
(
super
)
end
end
end
end
...
...
ee/spec/lib/banzai/filter/label_reference_filter_spec.rb
View file @
e0a6a21a
...
...
@@ -5,9 +5,10 @@ require 'spec_helper'
RSpec
.
describe
Banzai
::
Filter
::
LabelReferenceFilter
do
include
FilterSpecHelper
let
(
:project
)
{
create
(
:project
,
:public
,
name:
'sample-project'
)
}
let
(
:label
)
{
create
(
:label
,
name:
'label'
,
project:
project
)
}
let
(
:scoped_label
)
{
create
(
:label
,
name:
'key::value'
,
project:
project
)
}
let
(
:project
)
{
create
(
:project
,
:public
,
name:
'sample-project'
)
}
let
(
:label
)
{
create
(
:label
,
name:
'label'
,
project:
project
)
}
let
(
:scoped_description
)
{
'xss <script>alert("scriptAlert");</script> &<a>lt;svg id="svgId"></svg>'
}
let
(
:scoped_label
)
{
create
(
:label
,
name:
'key::value'
,
project:
project
,
description:
scoped_description
)
}
context
'with scoped labels enabled'
do
before
do
...
...
@@ -24,6 +25,10 @@ RSpec.describe Banzai::Filter::LabelReferenceFilter do
it
'renders HTML tooltips'
do
expect
(
doc
.
at_css
(
'.gl-label-scoped a'
).
attr
(
'data-html'
)).
to
eq
(
'true'
)
end
it
"escapes HTML in the label's title"
do
expect
(
doc
.
at_css
(
'.gl-label-scoped a'
).
attr
(
'title'
)).
to
include
(
'xss <svg id="svgId">'
)
end
end
context
'with a common label'
do
...
...
ee/spec/policies/issuable_policy_spec.rb
0 → 100644
View file @
e0a6a21a
# frozen_string_literal: true
require
'spec_helper'
RSpec
.
describe
IssuablePolicy
,
models:
true
do
let
(
:non_member
)
{
create
(
:user
)
}
let
(
:guest
)
{
create
(
:user
)
}
let
(
:reporter
)
{
create
(
:user
)
}
let
(
:guest_issue
)
{
create
(
:issue
,
project:
project
,
author:
guest
)
}
let
(
:reporter_issue
)
{
create
(
:issue
,
project:
project
,
author:
reporter
)
}
before
do
project
.
add_guest
(
guest
)
project
.
add_reporter
(
reporter
)
end
def
permissions
(
user
,
issue
)
described_class
.
new
(
user
,
issue
)
end
describe
'#rules'
do
context
'in a public project'
do
let_it_be
(
:project
)
{
create
(
:project
,
:public
)
}
let_it_be
(
:issue
)
{
create
(
:issue
,
project:
project
)
}
it
'disallows non-members from creating and deleting metric images'
do
expect
(
permissions
(
non_member
,
issue
)).
to
be_allowed
(
:read_issuable_metric_image
)
expect
(
permissions
(
non_member
,
issue
)).
to
be_disallowed
(
:upload_issuable_metric_image
,
:destroy_issuable_metric_image
)
end
it
'allows guests to read, create metric images, and delete them in their own issues'
do
expect
(
permissions
(
guest
,
issue
)).
to
be_allowed
(
:read_issuable_metric_image
)
expect
(
permissions
(
guest
,
issue
)).
to
be_disallowed
(
:upload_issuable_metric_image
,
:destroy_issuable_metric_image
)
expect
(
permissions
(
guest
,
guest_issue
)).
to
be_allowed
(
:read_issuable_metric_image
,
:upload_issuable_metric_image
,
:destroy_issuable_metric_image
)
end
it
'allows reporters to create and delete metric images'
do
expect
(
permissions
(
reporter
,
issue
)).
to
be_allowed
(
:read_issuable_metric_image
,
:upload_issuable_metric_image
,
:destroy_issuable_metric_image
)
expect
(
permissions
(
reporter
,
reporter_issue
)).
to
be_allowed
(
:read_issuable_metric_image
,
:upload_issuable_metric_image
,
:destroy_issuable_metric_image
)
end
end
context
'in a private project'
do
let_it_be
(
:project
)
{
create
(
:project
,
:private
)
}
let_it_be
(
:issue
)
{
create
(
:issue
,
project:
project
)
}
it
'disallows non-members from creating and deleting metric images'
do
expect
(
permissions
(
non_member
,
issue
)).
to
be_disallowed
(
:read_issuable_metric_image
,
:upload_issuable_metric_image
,
:destroy_issuable_metric_image
)
end
it
'allows guests to read metric images, and create + delete in their own issues'
do
expect
(
permissions
(
guest
,
issue
)).
to
be_allowed
(
:read_issuable_metric_image
)
expect
(
permissions
(
guest
,
issue
)).
to
be_disallowed
(
:upload_issuable_metric_image
,
:destroy_issuable_metric_image
)
expect
(
permissions
(
guest
,
guest_issue
)).
to
be_allowed
(
:read_issuable_metric_image
,
:upload_issuable_metric_image
,
:destroy_issuable_metric_image
)
end
it
'allows reporters to create and delete metric images'
do
expect
(
permissions
(
reporter
,
issue
)).
to
be_allowed
(
:read_issuable_metric_image
,
:upload_issuable_metric_image
,
:destroy_issuable_metric_image
)
expect
(
permissions
(
reporter
,
reporter_issue
)).
to
be_allowed
(
:read_issuable_metric_image
,
:upload_issuable_metric_image
,
:destroy_issuable_metric_image
)
end
end
end
end
ee/spec/requests/api/issues_spec.rb
View file @
e0a6a21a
...
...
@@ -705,7 +705,7 @@ RSpec.describe API::Issues, :mailer do
using
RSpec
::
Parameterized
::
TableSyntax
let_it_be
(
:project
)
do
create
(
:project
,
:p
rivate
,
creator_id:
user
.
id
,
namespace:
user
.
namespace
)
create
(
:project
,
:p
ublic
,
creator_id:
user
.
id
,
namespace:
user
.
namespace
)
end
let!
(
:image
)
{
create
(
:issuable_metric_image
,
issue:
issue
)
}
...
...
@@ -722,6 +722,15 @@ RSpec.describe API::Issues, :mailer do
end
shared_examples
'unauthorized_delete'
do
it
'cannot delete the metric image'
do
subject
expect
(
response
).
to
have_gitlab_http_status
(
:forbidden
)
expect
(
image
.
reload
).
to
eq
(
image
)
end
end
shared_examples
'not_found'
do
it
'cannot delete the metric image'
do
subject
...
...
@@ -734,9 +743,9 @@ RSpec.describe API::Issues, :mailer do
:not_member
|
false
|
false
|
:unauthorized_delete
:not_member
|
true
|
false
|
:unauthorized_delete
:not_member
|
true
|
true
|
:unauthorized_delete
:guest
|
false
|
true
|
:unauthorized_delete
:guest
|
false
|
true
|
:not_found
:guest
|
false
|
false
|
:unauthorized_delete
:guest
|
true
|
false
|
:can_delete_metric_image
:guest
|
false
|
false
|
:can_delete_metric_image
:reporter
|
true
|
false
|
:can_delete_metric_image
:reporter
|
false
|
false
|
:can_delete_metric_image
end
...
...
lib/api/system_hooks.rb
View file @
e0a6a21a
...
...
@@ -47,7 +47,7 @@ module API
params
do
requires
:id
,
type:
Integer
,
desc:
'The ID of the system hook'
end
ge
t
":id"
do
pos
t
":id"
do
hook
=
SystemHook
.
find
(
params
[
:id
])
data
=
{
event_name:
"project_create"
,
...
...
lib/gitlab/markdown_cache.rb
View file @
e0a6a21a
...
...
@@ -3,7 +3,7 @@
module
Gitlab
module
MarkdownCache
# Increment this number every time the renderer changes its output
CACHE_COMMONMARK_VERSION
=
2
6
CACHE_COMMONMARK_VERSION
=
2
7
CACHE_COMMONMARK_VERSION_START
=
10
BaseError
=
Class
.
new
(
StandardError
)
...
...
lib/gitlab/user_access.rb
View file @
e0a6a21a
...
...
@@ -11,10 +11,11 @@ module Gitlab
attr_reader
:user
,
:push_ability
attr_accessor
:container
def
initialize
(
user
,
container:
nil
,
push_ability: :push_code
)
def
initialize
(
user
,
container:
nil
,
push_ability: :push_code
,
skip_collaboration_check:
false
)
@user
=
user
@container
=
container
@push_ability
=
push_ability
@skip_collaboration_check
=
skip_collaboration_check
end
def
can_do_action?
(
action
)
...
...
@@ -87,6 +88,8 @@ module Gitlab
private
attr_reader
:skip_collaboration_check
def
can_push?
user
.
can?
(
push_ability
,
container
)
end
...
...
@@ -98,6 +101,8 @@ module Gitlab
end
def
branch_allows_collaboration_for?
(
ref
)
return
false
if
skip_collaboration_check
# Checking for an internal project or group to prevent an infinite loop:
# https://gitlab.com/gitlab-org/gitlab/issues/36805
(
!
project
.
internal?
&&
project
.
branch_allows_collaboration?
(
user
,
ref
))
...
...
spec/factories/pool_repositories.rb
View file @
e0a6a21a
...
...
@@ -6,7 +6,7 @@ FactoryBot.define do
state
{
:none
}
before
(
:create
)
do
|
pool
|
pool
.
source_project
=
create
(
:project
,
:repository
)
pool
.
source_project
||
=
create
(
:project
,
:repository
)
pool
.
source_project
.
update!
(
pool_repository:
pool
)
end
...
...
spec/features/merge_request/user_views_open_merge_request_spec.rb
View file @
e0a6a21a
...
...
@@ -111,4 +111,21 @@ RSpec.describe 'User views an open merge request' do
end
end
end
context
'XSS source branch'
do
let
(
:project
)
{
create
(
:project
,
:public
,
:repository
)
}
let
(
:source_branch
)
{
"'><iframe/srcdoc=''></iframe>"
}
before
do
project
.
repository
.
create_branch
(
source_branch
,
"master"
)
mr
=
create
(
:merge_request
,
source_project:
project
,
target_project:
project
,
source_branch:
source_branch
)
visit
(
merge_request_path
(
mr
))
end
it
'encodes branch name'
do
expect
(
find
(
"[data-testid='ref-name']"
)[
:title
]).
to
eq
(
source_branch
)
end
end
end
spec/lib/gitlab/asciidoc_spec.rb
View file @
e0a6a21a
...
...
@@ -92,6 +92,15 @@ module Gitlab
expect
(
render
(
data
[
:input
],
context
)).
to
include
(
data
[
:output
])
end
end
it
'does not allow locked attributes to be overridden'
do
input
=
<<~
ADOC
{counter:max-include-depth:1234}
<|-- {max-include-depth}
ADOC
expect
(
render
(
input
,
{})).
not_to
include
(
'1234'
)
end
end
context
"images"
do
...
...
@@ -543,6 +552,40 @@ module Gitlab
expect
(
render
(
input
,
context
)).
to
include
(
output
.
strip
)
end
it
'does not allow kroki-plantuml-include to be overridden'
do
input
=
<<~
ADOC
[plantuml, test="{counter:kroki-plantuml-include:/etc/passwd}", format="png"]
....
class BlockProcessor
BlockProcessor <|-- {counter:kroki-plantuml-include}
....
ADOC
output
=
<<~
HTML
<div>
<div>
<a class=
\"
no-attachment-icon
\"
href=
\"
https://kroki.io/plantuml/png/eNpLzkksLlZwyslPzg4oyk9OLS7OL-LiQuUr2NTo6ipUJ-eX5pWkFlllF-VnZ-oW5CTmlZTm5uhm5iXnlKak1gIABQEb8A==
\"
target=
\"
_blank
\"
rel=
\"
noopener noreferrer
\"
><img src=
\"
data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==
\"
alt=
\"
Diagram
\"
class=
\"
lazy
\"
data-src=
\"
https://kroki.io/plantuml/png/eNpLzkksLlZwyslPzg4oyk9OLS7OL-LiQuUr2NTo6ipUJ-eX5pWkFlllF-VnZ-oW5CTmlZTm5uhm5iXnlKak1gIABQEb8A==
\"
></a>
</div>
</div>
HTML
expect
(
render
(
input
,
{})).
to
include
(
output
.
strip
)
end
it
'does not allow kroki-server-url to be overridden'
do
input
=
<<~
ADOC
[plantuml, test="{counter:kroki-server-url:evilsite}", format="png"]
....
class BlockProcessor
BlockProcessor
....
ADOC
expect
(
render
(
input
,
{})).
not_to
include
(
'evilsite'
)
end
end
context
'with Kroki and BlockDiag (additional format) enabled'
do
...
...
spec/lib/gitlab/user_access_spec.rb
View file @
e0a6a21a
...
...
@@ -216,6 +216,15 @@ RSpec.describe Gitlab::UserAccess do
expect
(
access
.
can_merge_to_branch?
(
@branch
.
name
)).
to
be_falsey
end
end
context
'when skip_collaboration_check is true'
do
let
(
:access
)
{
described_class
.
new
(
user
,
container:
project
,
skip_collaboration_check:
true
)
}
it
'does not call Project#branch_allows_collaboration?'
do
expect
(
project
).
not_to
receive
(
:branch_allows_collaboration?
)
expect
(
access
.
can_push_to_branch?
(
'master'
)).
to
be_falsey
end
end
end
describe
'#can_create_tag?'
do
...
...
spec/models/project_spec.rb
View file @
e0a6a21a
...
...
@@ -5319,6 +5319,64 @@ RSpec.describe Project, factory_default: :keep do
end
end
describe
'#branch_allows_collaboration?'
do
context
'when there are open merge requests that have their source/target branches point to each other'
do
let_it_be
(
:project
)
{
create
(
:project
,
:repository
)
}
let_it_be
(
:developer
)
{
create
(
:user
)
}
let_it_be
(
:reporter
)
{
create
(
:user
)
}
let_it_be
(
:guest
)
{
create
(
:user
)
}
before_all
do
create
(
:merge_request
,
target_project:
project
,
target_branch:
'master'
,
source_project:
project
,
source_branch:
'merge-test'
,
allow_collaboration:
true
)
create
(
:merge_request
,
target_project:
project
,
target_branch:
'merge-test'
,
source_project:
project
,
source_branch:
'master'
,
allow_collaboration:
true
)
project
.
add_developer
(
developer
)
project
.
add_reporter
(
reporter
)
project
.
add_guest
(
guest
)
end
shared_examples_for
'successful check'
do
it
'does not go into an infinite loop'
do
expect
{
project
.
branch_allows_collaboration?
(
user
,
'master'
)
}
.
not_to
raise_error
end
end
context
'when user is a developer'
do
let
(
:user
)
{
developer
}
it_behaves_like
'successful check'
end
context
'when user is a reporter'
do
let
(
:user
)
{
reporter
}
it_behaves_like
'successful check'
end
context
'when user is a guest'
do
let
(
:user
)
{
guest
}
it_behaves_like
'successful check'
end
end
end
context
'with cross project merge requests'
do
let
(
:user
)
{
create
(
:user
)
}
let
(
:target_project
)
{
create
(
:project
,
:repository
)
}
...
...
spec/requests/api/system_hooks_spec.rb
View file @
e0a6a21a
...
...
@@ -103,15 +103,15 @@ RSpec.describe API::SystemHooks do
end
end
describe
"GET /hooks/:id"
do
it
"returns hook by id"
do
ge
t
api
(
"/hooks/
#{
hook
.
id
}
"
,
admin
)
expect
(
response
).
to
have_gitlab_http_status
(
:
ok
)
describe
'POST /hooks/:id'
do
it
"returns
and trigger
hook by id"
do
pos
t
api
(
"/hooks/
#{
hook
.
id
}
"
,
admin
)
expect
(
response
).
to
have_gitlab_http_status
(
:
created
)
expect
(
json_response
[
'event_name'
]).
to
eq
(
'project_create'
)
end
it
"returns 404 on failure"
do
ge
t
api
(
"/hooks/404"
,
admin
)
pos
t
api
(
"/hooks/404"
,
admin
)
expect
(
response
).
to
have_gitlab_http_status
(
:not_found
)
end
end
...
...
spec/services/projects/fork_service_spec.rb
View file @
e0a6a21a
...
...
@@ -403,7 +403,7 @@ RSpec.describe Projects::ForkService do
end
context
'when forking with object pools'
do
let
(
:fork_from_project
)
{
create
(
:project
,
:public
)
}
let
(
:fork_from_project
)
{
create
(
:project
,
:
repository
,
:
public
)
}
let
(
:forker
)
{
create
(
:user
)
}
context
'when no pool exists'
do
...
...
spec/services/projects/unlink_fork_service_spec.rb
View file @
e0a6a21a
...
...
@@ -207,6 +207,17 @@ RSpec.describe Projects::UnlinkForkService, :use_clean_rails_memory_store_cachin
end
end
context
'a project with pool repository'
do
let
(
:project
)
{
create
(
:project
,
:public
,
:repository
)
}
let!
(
:pool_repository
)
{
create
(
:pool_repository
,
:ready
,
source_project:
project
)
}
subject
{
described_class
.
new
(
project
,
user
)
}
it
'when unlinked leaves pool repository'
do
expect
{
subject
.
execute
}.
to
change
{
project
.
reload
.
has_pool_repository?
}.
from
(
true
).
to
(
false
)
end
end
context
'when given project is not part of a fork network'
do
let!
(
:project_without_forks
)
{
create
(
:project
,
:public
)
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment