Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Léo-Paul Géneau
gitlab-ce
Commits
ca9b99ff
Commit
ca9b99ff
authored
Oct 05, 2018
by
Bob Van Landuyt
Browse files
Options
Browse Files
Download
Plain Diff
Merge branch 'master' of dev.gitlab.org:gitlab/gitlabhq
parents
34646406
36bd0783
Changes
16
Hide whitespace changes
Inline
Side-by-side
Showing
16 changed files
with
194 additions
and
39 deletions
+194
-39
CHANGELOG.md
CHANGELOG.md
+18
-0
app/models/note.rb
app/models/note.rb
+15
-12
app/models/project_services/hipchat_service.rb
app/models/project_services/hipchat_service.rb
+1
-1
app/models/system_note_metadata.rb
app/models/system_note_metadata.rb
+5
-0
app/serializers/discussion_entity.rb
app/serializers/discussion_entity.rb
+1
-1
changelogs/unreleased/security-bw-confidential-titles-through-markdown-api.yml
.../security-bw-confidential-titles-through-markdown-api.yml
+5
-0
changelogs/unreleased/security-fix-leaking-private-project-namespace.yml
...leased/security-fix-leaking-private-project-namespace.yml
+5
-0
changelogs/unreleased/security-osw-user-info-leak-discussions.yml
...gs/unreleased/security-osw-user-info-leak-discussions.yml
+5
-0
lib/api/markdown.rb
lib/api/markdown.rb
+3
-4
lib/banzai.rb
lib/banzai.rb
+7
-0
lib/banzai/object_renderer.rb
lib/banzai/object_renderer.rb
+1
-0
lib/banzai/redactor.rb
lib/banzai/redactor.rb
+7
-1
spec/fixtures/api/schemas/entities/note_user_entity.json
spec/fixtures/api/schemas/entities/note_user_entity.json
+21
-0
spec/models/note_spec.rb
spec/models/note_spec.rb
+47
-20
spec/requests/api/markdown_spec.rb
spec/requests/api/markdown_spec.rb
+46
-0
spec/serializers/discussion_entity_spec.rb
spec/serializers/discussion_entity_spec.rb
+7
-0
No files found.
CHANGELOG.md
View file @
ca9b99ff
...
@@ -279,6 +279,15 @@ entry.
...
@@ -279,6 +279,15 @@ entry.
-
Creates Vue component for artifacts block on job page.
-
Creates Vue component for artifacts block on job page.
## 11.2.5 (2018-10-05)
### Security (3 changes)
-
Filter user sensitive data from discussions JSON. !2538
-
Properly filter private references from system notes.
-
Markdown API no longer displays confidential title references unless authorized.
## 11.2.4 (2018-09-26)
## 11.2.4 (2018-09-26)
### Security (6 changes)
### Security (6 changes)
...
@@ -558,6 +567,15 @@ entry.
...
@@ -558,6 +567,15 @@ entry.
-
Moves help_popover component to a common location.
-
Moves help_popover component to a common location.
## 11.1.8 (2018-10-05)
### Security (3 changes)
-
Filter user sensitive data from discussions JSON. !2539
-
Properly filter private references from system notes.
-
Markdown API no longer displays confidential title references unless authorized.
## 11.1.7 (2018-09-26)
## 11.1.7 (2018-09-26)
### Security (6 changes)
### Security (6 changes)
...
...
app/models/note.rb
View file @
ca9b99ff
...
@@ -38,10 +38,12 @@ class Note < ActiveRecord::Base
...
@@ -38,10 +38,12 @@ class Note < ActiveRecord::Base
alias_attribute
:last_edited_at
,
:updated_at
alias_attribute
:last_edited_at
,
:updated_at
alias_attribute
:last_edited_by
,
:updated_by
alias_attribute
:last_edited_by
,
:updated_by
# Attribute containing rendered and redacted Markdown as generated by
# Number of user visible references as generated by Banzai::ObjectRenderer
# Banzai::ObjectRenderer.
attr_accessor
:redacted_note_html
attr_accessor
:redacted_note_html
# Total of all references as generated by Banzai::ObjectRenderer
attr_accessor
:total_reference_count
# An Array containing the number of visible references as generated by
# An Array containing the number of visible references as generated by
# Banzai::ObjectRenderer
# Banzai::ObjectRenderer
attr_accessor
:user_visible_reference_count
attr_accessor
:user_visible_reference_count
...
@@ -288,15 +290,7 @@ class Note < ActiveRecord::Base
...
@@ -288,15 +290,7 @@ class Note < ActiveRecord::Base
end
end
def
cross_reference_not_visible_for?
(
user
)
def
cross_reference_not_visible_for?
(
user
)
cross_reference?
&&
!
has_referenced_mentionables?
(
user
)
cross_reference?
&&
!
all_referenced_mentionables_allowed?
(
user
)
end
def
has_referenced_mentionables?
(
user
)
if
user_visible_reference_count
.
present?
user_visible_reference_count
>
0
else
referenced_mentionables
(
user
).
any?
end
end
end
def
award_emoji?
def
award_emoji?
...
@@ -466,9 +460,18 @@ class Note < ActiveRecord::Base
...
@@ -466,9 +460,18 @@ class Note < ActiveRecord::Base
self
.
discussion_id
||=
discussion_class
.
discussion_id
(
self
)
self
.
discussion_id
||=
discussion_class
.
discussion_id
(
self
)
end
end
def
all_referenced_mentionables_allowed?
(
user
)
if
user_visible_reference_count
.
present?
&&
total_reference_count
.
present?
# if they are not equal, then there are private/confidential references as well
user_visible_reference_count
>
0
&&
user_visible_reference_count
==
total_reference_count
else
referenced_mentionables
(
user
).
any?
end
end
def
force_cross_reference_regex_check?
def
force_cross_reference_regex_check?
return
unless
system
?
return
unless
system
?
SystemNoteMetadata
::
TYPES_WITH_CROSS_REFERENCES
.
include?
(
system_note_metadata
&
.
action
)
system_note_metadata
&
.
cross_reference_types
&
.
include?
(
system_note_metadata
&
.
action
)
end
end
end
end
app/models/project_services/hipchat_service.rb
View file @
ca9b99ff
...
@@ -149,7 +149,7 @@ class HipchatService < Service
...
@@ -149,7 +149,7 @@ class HipchatService < Service
context
.
merge!
(
options
)
context
.
merge!
(
options
)
html
=
Banzai
.
post_process
(
Banzai
.
render
(
text
,
context
)
,
context
)
html
=
Banzai
.
render_and_post_process
(
text
,
context
)
sanitized_html
=
sanitize
(
html
,
tags:
HIPCHAT_ALLOWED_TAGS
,
attributes:
%w[href title alt]
)
sanitized_html
=
sanitize
(
html
,
tags:
HIPCHAT_ALLOWED_TAGS
,
attributes:
%w[href title alt]
)
sanitized_html
.
truncate
(
200
,
separator:
' '
,
omission:
'...'
)
sanitized_html
.
truncate
(
200
,
separator:
' '
,
omission:
'...'
)
...
...
app/models/system_note_metadata.rb
View file @
ca9b99ff
...
@@ -9,6 +9,7 @@ class SystemNoteMetadata < ActiveRecord::Base
...
@@ -9,6 +9,7 @@ class SystemNoteMetadata < ActiveRecord::Base
TYPES_WITH_CROSS_REFERENCES
=
%w[
TYPES_WITH_CROSS_REFERENCES
=
%w[
commit cross_reference
commit cross_reference
close duplicate
close duplicate
moved
]
.
freeze
]
.
freeze
ICON_TYPES
=
%w[
ICON_TYPES
=
%w[
...
@@ -26,4 +27,8 @@ class SystemNoteMetadata < ActiveRecord::Base
...
@@ -26,4 +27,8 @@ class SystemNoteMetadata < ActiveRecord::Base
def
icon_types
def
icon_types
ICON_TYPES
ICON_TYPES
end
end
def
cross_reference_types
TYPES_WITH_CROSS_REFERENCES
end
end
end
app/serializers/discussion_entity.rb
View file @
ca9b99ff
...
@@ -27,7 +27,7 @@ class DiscussionEntity < Grape::Entity
...
@@ -27,7 +27,7 @@ class DiscussionEntity < Grape::Entity
expose
:resolved?
,
as: :resolved
expose
:resolved?
,
as: :resolved
expose
:resolved_by_push?
,
as: :resolved_by_push
expose
:resolved_by_push?
,
as: :resolved_by_push
expose
:resolved_by
expose
:resolved_by
,
using:
NoteUserEntity
expose
:resolved_at
expose
:resolved_at
expose
:resolve_path
,
if:
->
(
d
,
_
)
{
d
.
resolvable?
}
do
|
discussion
|
expose
:resolve_path
,
if:
->
(
d
,
_
)
{
d
.
resolvable?
}
do
|
discussion
|
resolve_project_merge_request_discussion_path
(
discussion
.
project
,
discussion
.
noteable
,
discussion
.
id
)
resolve_project_merge_request_discussion_path
(
discussion
.
project
,
discussion
.
noteable
,
discussion
.
id
)
...
...
changelogs/unreleased/security-bw-confidential-titles-through-markdown-api.yml
0 → 100644
View file @
ca9b99ff
---
title
:
Markdown API no longer displays confidential title references unless authorized
merge_request
:
author
:
type
:
security
changelogs/unreleased/security-fix-leaking-private-project-namespace.yml
0 → 100644
View file @
ca9b99ff
---
title
:
Properly filter private references from system notes
merge_request
:
author
:
type
:
security
changelogs/unreleased/security-osw-user-info-leak-discussions.yml
0 → 100644
View file @
ca9b99ff
---
title
:
Filter user sensitive data from discussions JSON
merge_request
:
2536
author
:
type
:
security
lib/api/markdown.rb
View file @
ca9b99ff
...
@@ -12,7 +12,8 @@ module API
...
@@ -12,7 +12,8 @@ module API
detail
"This feature was introduced in GitLab 11.0."
detail
"This feature was introduced in GitLab 11.0."
end
end
post
do
post
do
context
=
{
only_path:
false
}
context
=
{
only_path:
false
,
current_user:
current_user
}
context
[
:pipeline
]
=
params
[
:gfm
]
?
:full
:
:plain_markdown
if
params
[
:project
]
if
params
[
:project
]
project
=
Project
.
find_by_full_path
(
params
[
:project
])
project
=
Project
.
find_by_full_path
(
params
[
:project
])
...
@@ -24,9 +25,7 @@ module API
...
@@ -24,9 +25,7 @@ module API
context
[
:skip_project_check
]
=
true
context
[
:skip_project_check
]
=
true
end
end
context
[
:pipeline
]
=
params
[
:gfm
]
?
:full
:
:plain_markdown
{
html:
Banzai
.
render_and_post_process
(
params
[
:text
],
context
)
}
{
html:
Banzai
.
render
(
params
[
:text
],
context
)
}
end
end
end
end
end
end
...
...
lib/banzai.rb
View file @
ca9b99ff
module
Banzai
module
Banzai
# if you need to render markdown, then you probably need to post_process as well,
# such as removing references that the current user doesn't have
# permission to make
def
self
.
render_and_post_process
(
text
,
context
=
{})
post_process
(
render
(
text
,
context
),
context
)
end
def
self
.
render
(
text
,
context
=
{})
def
self
.
render
(
text
,
context
=
{})
Renderer
.
render
(
text
,
context
)
Renderer
.
render
(
text
,
context
)
end
end
...
...
lib/banzai/object_renderer.rb
View file @
ca9b99ff
...
@@ -38,6 +38,7 @@ module Banzai
...
@@ -38,6 +38,7 @@ module Banzai
redacted_data
=
redacted
[
index
]
redacted_data
=
redacted
[
index
]
object
.
__send__
(
"redacted_
#{
attribute
}
_html="
,
redacted_data
[
:document
].
to_html
(
save_options
).
html_safe
)
# rubocop:disable GitlabSecurity/PublicSend
object
.
__send__
(
"redacted_
#{
attribute
}
_html="
,
redacted_data
[
:document
].
to_html
(
save_options
).
html_safe
)
# rubocop:disable GitlabSecurity/PublicSend
object
.
user_visible_reference_count
=
redacted_data
[
:visible_reference_count
]
if
object
.
respond_to?
(
:user_visible_reference_count
)
object
.
user_visible_reference_count
=
redacted_data
[
:visible_reference_count
]
if
object
.
respond_to?
(
:user_visible_reference_count
)
object
.
total_reference_count
=
redacted_data
[
:total_reference_count
]
if
object
.
respond_to?
(
:total_reference_count
)
end
end
end
end
...
...
lib/banzai/redactor.rb
View file @
ca9b99ff
...
@@ -37,7 +37,13 @@ module Banzai
...
@@ -37,7 +37,13 @@ module Banzai
all_document_nodes
.
each
do
|
entry
|
all_document_nodes
.
each
do
|
entry
|
nodes_for_document
=
entry
[
:nodes
]
nodes_for_document
=
entry
[
:nodes
]
doc_data
=
{
document:
entry
[
:document
],
visible_reference_count:
nodes_for_document
.
count
}
doc_data
=
{
document:
entry
[
:document
],
total_reference_count:
nodes_for_document
.
count
,
visible_reference_count:
nodes_for_document
.
count
}
metadata
<<
doc_data
metadata
<<
doc_data
nodes_for_document
.
each
do
|
node
|
nodes_for_document
.
each
do
|
node
|
...
...
spec/fixtures/api/schemas/entities/note_user_entity.json
0 → 100644
View file @
ca9b99ff
{
"type"
:
"object"
,
"required"
:
[
"id"
,
"state"
,
"avatar_url"
,
"path"
,
"name"
,
"username"
],
"properties"
:
{
"id"
:
{
"type"
:
"integer"
},
"state"
:
{
"type"
:
"string"
},
"avatar_url"
:
{
"type"
:
"string"
},
"path"
:
{
"type"
:
"string"
},
"name"
:
{
"type"
:
"string"
},
"username"
:
{
"type"
:
"string"
},
"status_tooltip_html"
:
{
"$ref"
:
"../types/nullable_string.json"
}
},
"additionalProperties"
:
false
}
spec/models/note_spec.rb
View file @
ca9b99ff
...
@@ -231,33 +231,60 @@ describe Note do
...
@@ -231,33 +231,60 @@ describe Note do
let
(
:ext_proj
)
{
create
(
:project
,
:public
)
}
let
(
:ext_proj
)
{
create
(
:project
,
:public
)
}
let
(
:ext_issue
)
{
create
(
:issue
,
project:
ext_proj
)
}
let
(
:ext_issue
)
{
create
(
:issue
,
project:
ext_proj
)
}
let
(
:note
)
do
shared_examples
"checks references"
do
create
:note
,
it
"returns true"
do
noteable:
ext_issue
,
project:
ext_proj
,
expect
(
note
.
cross_reference_not_visible_for?
(
ext_issue
.
author
)).
to
be_truthy
note:
"mentioned in issue
#{
private_issue
.
to_reference
(
ext_proj
)
}
"
,
end
system:
true
end
it
"returns tru
e"
do
it
"returns fals
e"
do
expect
(
note
.
cross_reference_not_visible_for?
(
ext_issue
.
author
)).
to
be_truth
y
expect
(
note
.
cross_reference_not_visible_for?
(
private_user
)).
to
be_fals
y
end
end
it
"returns false"
do
it
"returns false if user visible reference count set"
do
expect
(
note
.
cross_reference_not_visible_for?
(
private_user
)).
to
be_falsy
note
.
user_visible_reference_count
=
1
note
.
total_reference_count
=
1
expect
(
note
).
not_to
receive
(
:reference_mentionables
)
expect
(
note
.
cross_reference_not_visible_for?
(
ext_issue
.
author
)).
to
be_falsy
end
it
"returns true if ref count is 0"
do
note
.
user_visible_reference_count
=
0
expect
(
note
).
not_to
receive
(
:reference_mentionables
)
expect
(
note
.
cross_reference_not_visible_for?
(
ext_issue
.
author
)).
to
be_truthy
end
end
end
it
"returns false if user visible reference count set"
do
context
"when there is one reference in note"
do
note
.
user_visible_reference_count
=
1
let
(
:note
)
do
create
:note
,
noteable:
ext_issue
,
project:
ext_proj
,
note:
"mentioned in issue
#{
private_issue
.
to_reference
(
ext_proj
)
}
"
,
system:
true
end
expect
(
note
).
not_to
receive
(
:reference_mentionables
)
it_behaves_like
"checks references"
expect
(
note
.
cross_reference_not_visible_for?
(
ext_issue
.
author
)).
to
be_falsy
end
end
it
"returns true if ref count is 0"
do
context
"when there are two references in note"
do
note
.
user_visible_reference_count
=
0
let
(
:note
)
do
create
:note
,
noteable:
ext_issue
,
project:
ext_proj
,
note:
"mentioned in issue
#{
private_issue
.
to_reference
(
ext_proj
)
}
and "
\
"public issue
#{
ext_issue
.
to_reference
(
ext_proj
)
}
"
,
system:
true
end
it_behaves_like
"checks references"
expect
(
note
).
not_to
receive
(
:reference_mentionables
)
it
"returns true if user visible reference count set and there is a private reference"
do
expect
(
note
.
cross_reference_not_visible_for?
(
ext_issue
.
author
)).
to
be_truthy
note
.
user_visible_reference_count
=
1
note
.
total_reference_count
=
2
expect
(
note
).
not_to
receive
(
:reference_mentionables
)
expect
(
note
.
cross_reference_not_visible_for?
(
ext_issue
.
author
)).
to
be_truthy
end
end
end
end
end
...
@@ -269,7 +296,7 @@ describe Note do
...
@@ -269,7 +296,7 @@ describe Note do
end
end
context
'when the note might contain cross references'
do
context
'when the note might contain cross references'
do
SystemNoteMetadata
::
TYPES_WITH_CROSS_REFERENCES
.
each
do
|
type
|
SystemNoteMetadata
.
new
.
cross_reference_types
.
each
do
|
type
|
let
(
:note
)
{
create
(
:note
,
:system
)
}
let
(
:note
)
{
create
(
:note
,
:system
)
}
let!
(
:metadata
)
{
create
(
:system_note_metadata
,
note:
note
,
action:
type
)
}
let!
(
:metadata
)
{
create
(
:system_note_metadata
,
note:
note
,
action:
type
)
}
...
...
spec/requests/api/markdown_spec.rb
View file @
ca9b99ff
...
@@ -106,6 +106,52 @@ describe API::Markdown do
...
@@ -106,6 +106,52 @@ describe API::Markdown do
.
and
include
(
"#1</a>"
)
.
and
include
(
"#1</a>"
)
end
end
end
end
context
'with a public project and confidential issue'
do
let
(
:public_project
)
{
create
(
:project
,
:public
)
}
let
(
:confidential_issue
)
{
create
(
:issue
,
:confidential
,
project:
public_project
,
title:
'Confidential title'
)
}
let
(
:text
)
{
":tada: Hello world! :100:
#{
confidential_issue
.
to_reference
}
"
}
let
(
:params
)
{
{
text:
text
,
gfm:
true
,
project:
public_project
.
full_path
}
}
shared_examples
'user without proper access'
do
it
'does not render the title or link'
do
expect
(
response
).
to
have_http_status
(
201
)
expect
(
json_response
[
"html"
]).
not_to
include
(
'Confidential title'
)
expect
(
json_response
[
"html"
]).
not_to
include
(
'<a href='
)
expect
(
json_response
[
"html"
]).
to
include
(
'Hello world!'
)
.
and
include
(
'data-name="tada"'
)
.
and
include
(
'data-name="100"'
)
.
and
include
(
'#1</p>'
)
end
end
context
'when not logged in'
do
let
(
:user
)
{
}
it_behaves_like
'user without proper access'
end
context
'when logged in as user without access'
do
let
(
:user
)
{
create
(
:user
)
}
it_behaves_like
'user without proper access'
end
context
'when logged in as author'
do
let
(
:user
)
{
confidential_issue
.
author
}
it
'renders the title or link'
do
expect
(
response
).
to
have_http_status
(
201
)
expect
(
json_response
[
"html"
]).
to
include
(
'Confidential title'
)
expect
(
json_response
[
"html"
]).
to
include
(
'Hello world!'
)
.
and
include
(
'data-name="tada"'
)
.
and
include
(
'data-name="100"'
)
.
and
include
(
"<a href=
\"
#{
IssuesHelper
.
url_for_issue
(
confidential_issue
.
iid
,
public_project
)
}
\"
"
)
.
and
include
(
"#1</a>"
)
end
end
end
end
end
end
end
end
end
...
...
spec/serializers/discussion_entity_spec.rb
View file @
ca9b99ff
...
@@ -36,6 +36,13 @@ describe DiscussionEntity do
...
@@ -36,6 +36,13 @@ describe DiscussionEntity do
)
)
end
end
it
'resolved_by matches note_user_entity schema'
do
Notes
::
ResolveService
.
new
(
note
.
project
,
user
).
execute
(
note
)
expect
(
subject
[
:resolved_by
].
with_indifferent_access
)
.
to
match_schema
(
'entities/note_user_entity'
)
end
context
'when is LegacyDiffDiscussion'
do
context
'when is LegacyDiffDiscussion'
do
let
(
:project
)
{
create
(
:project
)
}
let
(
:project
)
{
create
(
:project
)
}
let
(
:merge_request
)
{
create
(
:merge_request
,
source_project:
project
)
}
let
(
:merge_request
)
{
create
(
:merge_request
,
source_project:
project
)
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment