Merge branch 'master' of dev.gitlab.org:gitlab/gitlab-ee

CHANGELOG-EE.md

 Please view this file on the master branch, on stable branches it's out of date.
 
+## 11.2.3 (2018-08-28)
+
+- No changes.
+
+## 11.2.2 (2018-08-27)
+
+### Security (1 change)
+
+- Prevent regular users from moving projects to different storage shards.
+
+
 ## 11.2.1 (2018-08-22)
 
 - No changes.
@@ -96,6 +107,18 @@ Please view this file on the master branch, on stable branches it's out of date.
 - Geo: Log to geo.log when the Log Cursor skips an event.
 
 
+## 11.1.6 (2018-08-28)
+
+- No changes.
+
+## 11.1.5 (2018-08-27)
+
+- No changes.
+### Security (1 change)
+
+- Prevent regular users from moving projects to different storage shards.
+
+
 ## 11.1.4 (2018-07-30)
 
 - No changes.
@@ -189,6 +212,13 @@ Please view this file on the master branch, on stable branches it's out of date.
 - Geo - Make Geo repository verification flag opt-out by default. !6369
 
 
+## 11.0.6 (2018-08-27)
+
+### Security (1 change)
+
+- Prevent regular users from moving projects to different storage shards.
+
+
 ## 11.0.5 (2018-07-26)
 
 ### Security (1 change)

CHANGELOG.md

@@ -2,6 +2,19 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 11.2.3 (2018-08-28)
+
+- No changes.
+
+## 11.2.2 (2018-08-27)
+
+### Security (3 changes)
+
+- Fixed persistent XSS rendering/escaping of diff location lines.
+- Adding CSRF protection to Hooks resend action.
+- Block link-local addresses in URLBlocker.
+
+
 ## 11.2.1 (2018-08-22)
 
 ### Fixed (2 changes)
@@ -256,6 +269,24 @@ entry.
 - Moves help_popover component to a common location.
 
 
+## 11.1.6 (2018-08-28)
+
+- No changes.
+
+## 11.1.5 (2018-08-27)
+
+- No changes.
+### Security (3 changes)
+
+- Fixed persistent XSS rendering/escaping of diff location lines.
+- Adding CSRF protection to Hooks resend action.
+- Block link-local addresses in URLBlocker.
+
+### Fixed (1 change, 1 of them is from the community)
+
+- Sanitize git URL in import errors. (Jamie Schembri)
+
+
 ## 11.1.4 (2018-07-30)
 
 ### Fixed (4 changes, 1 of them is from the community)
@@ -538,6 +569,19 @@ entry.
 - Use monospaced font for MR diff commit link ref on GFM.
 
 
+## 11.0.6 (2018-08-27)
+
+### Security (3 changes)
+
+- Fixed persistent XSS rendering/escaping of diff location lines.
+- Adding CSRF protection to Hooks resend action.
+- Block link-local addresses in URLBlocker.
+
+### Fixed (1 change, 1 of them is from the community)
+
+- Sanitize git URL in import errors. (Jamie Schembri)
+
+
 ## 11.0.5 (2018-07-26)
 
 ### Security (4 changes)

app/views/admin/hook_logs/show.html.haml

@@ -4,7 +4,6 @@
 
 %hr
 
-= link_to 'Resend Request', retry_admin_hook_hook_log_path(@hook, @hook_log), class: "btn btn-default float-right prepend-left-10"
+= link_to 'Resend Request', retry_admin_hook_hook_log_path(@hook, @hook_log), method: :post, class: "btn btn-default float-right prepend-left-10"
 
 = render partial: 'shared/hook_logs/content', locals: { hook_log: @hook_log }
-

app/views/projects/hook_logs/show.html.haml

@@ -4,6 +4,6 @@
       Request details
   .col-lg-9
 
-    = link_to 'Resend Request', retry_project_hook_hook_log_path(@project, @hook, @hook_log), class: "btn btn-default float-right prepend-left-10"
+    = link_to 'Resend Request', retry_project_hook_hook_log_path(@project, @hook, @hook_log), method: :post, class: "btn btn-default float-right prepend-left-10"
 
     = render partial: 'shared/hook_logs/content', locals: { hook_log: @hook_log }

changelogs/unreleased/security-fj-missing-csrf-system-hooks-resend.yml

+---
+title: Adding CSRF protection to Hooks resend action
+merge_request:
+author:
+type: security

config/routes/admin.rb

@@ -65,7 +65,7 @@ namespace :admin do
 
     resources :hook_logs, only: [:show] do
       member do
-        get :retry
+        post :retry
       end
     end
   end

config/routes/project.rb

@@ -362,7 +362,7 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
 
         resources :hook_logs, only: [:show] do
           member do
-            get :retry
+            post :retry
           end
         end
       end

ee/changelogs/unreleased/sh-fix-repository-storage-api.yml

+---
+title: Prevent regular users from moving projects to different storage shards
+merge_request:
+author:
+type: security

ee/lib/ee/api/projects.rb

@@ -33,9 +33,16 @@ module EE
           def verify_update_project_attrs!(project, attrs)
             super
 
+            verify_storage_attrs!(attrs)
             verify_mirror_attrs!(project, attrs)
           end
 
+          def verify_storage_attrs!(attrs)
+            unless current_user.admin?
+              attrs.delete(:repository_storage)
+            end
+          end
+
           def verify_mirror_attrs!(project, attrs)
             unless can?(current_user, :admin_mirror, project)
               attrs.delete(:mirror)

ee/spec/requests/api/projects_spec.rb

@@ -77,16 +77,60 @@ describe API::Projects do
   describe 'PUT /projects/:id' do
     let(:project) { create(:project, namespace: user.namespace) }
 
-    before do
-      enable_external_authorization_service_check
+    context 'when updating external classification' do
+      before do
+        enable_external_authorization_service_check
+      end
+
+      it 'updates the classification label' do
+        put(api("/projects/#{project.id}", user), external_authorization_classification_label: 'new label')
+
+        expect(response).to have_gitlab_http_status(200)
+
+        expect(project.reload.external_authorization_classification_label).to eq('new label')
+      end
     end
 
-    it 'updates the classification label when enabled' do
-      put(api("/projects/#{project.id}", user), external_authorization_classification_label: 'new label')
+    context 'when updating repository storage' do
+      let(:unknown_storage) { 'new-storage' }
+      let(:new_project) { create(:project, :repository, namespace: user.namespace) }
+
+      context 'as a user' do
+        it 'returns 200 but does not change repository_storage' do
+          expect {
+            Sidekiq::Testing.fake! do
+              put(api("/projects/#{new_project.id}", user), repository_storage: unknown_storage, issues_enabled: false)
+            end
+          }.not_to change(ProjectUpdateRepositoryStorageWorker.jobs, :size)
 
-      expect(response).to have_gitlab_http_status(200)
+          expect(response).to have_gitlab_http_status(200)
+          expect(json_response['issues_enabled']).to eq(false)
+          expect(new_project.reload.repository.storage).to eq('default')
+        end
+      end
 
-      expect(project.reload.external_authorization_classification_label).to eq('new label')
+      context 'as an admin' do
+        let(:admin) { create(:admin) }
+
+        it 'returns 500 when repository storage is unknown' do
+          put(api("/projects/#{new_project.id}", admin), repository_storage: unknown_storage)
+
+          expect(response).to have_gitlab_http_status(500)
+          expect(json_response['message']).to match('ArgumentError')
+        end
+
+        it 'returns 200 when repository storage has changed' do
+          stub_storage_settings('extra' => { 'path' => 'tmp/tests/extra_storage' })
+
+          expect {
+            Sidekiq::Testing.fake! do
+              put(api("/projects/#{new_project.id}", admin), repository_storage: 'extra')
+            end
+          }.to change(ProjectUpdateRepositoryStorageWorker.jobs, :size).by(1)
+
+          expect(response).to have_gitlab_http_status(200)
+        end
+      end
     end
 
     context 'when updating mirror related attributes' do

spec/routing/admin_routing_spec.rb

@@ -103,11 +103,11 @@ describe Admin::HooksController, "routing" do
   end
 end
 
-# admin_hook_hook_log_retry GET    /admin/hooks/:hook_id/hook_logs/:id/retry(.:format) admin/hook_logs#retry
+# admin_hook_hook_log_retry POST    /admin/hooks/:hook_id/hook_logs/:id/retry(.:format) admin/hook_logs#retry
 # admin_hook_hook_log       GET    /admin/hooks/:hook_id/hook_logs/:id(.:format)       admin/hook_logs#show
 describe Admin::HookLogsController, 'routing' do
   it 'to #retry' do
-    expect(get('/admin/hooks/1/hook_logs/1/retry')).to route_to('admin/hook_logs#retry', hook_id: '1', id: '1')
+    expect(post('/admin/hooks/1/hook_logs/1/retry')).to route_to('admin/hook_logs#retry', hook_id: '1', id: '1')
   end
 
   it 'to #show' do

spec/routing/project_routing_spec.rb

@@ -381,7 +381,7 @@ describe 'project routing' do
     end
   end
 
-  # test_project_hook GET    /:project_id/hooks/:id/test(.:format) hooks#test
+  # test_project_hook POST    /:project_id/hooks/:id/test(.:format) hooks#test
   #     project_hooks GET    /:project_id/hooks(.:format)          hooks#index
   #                   POST   /:project_id/hooks(.:format)          hooks#create
   # edit_project_hook GET    /:project_id/hooks/:id/edit(.:format) hooks#edit
@@ -398,11 +398,11 @@ describe 'project routing' do
     end
   end
 
-  # retry_namespace_project_hook_hook_log GET /:project_id/hooks/:hook_id/hook_logs/:id/retry(.:format) projects/hook_logs#retry
+  # retry_namespace_project_hook_hook_log POST /:project_id/hooks/:hook_id/hook_logs/:id/retry(.:format) projects/hook_logs#retry
   # namespace_project_hook_hook_log       GET /:project_id/hooks/:hook_id/hook_logs/:id(.:format)       projects/hook_logs#show
   describe Projects::HookLogsController, 'routing' do
     it 'to #retry' do
-      expect(get('/gitlab/gitlabhq/hooks/1/hook_logs/1/retry')).to route_to('projects/hook_logs#retry', namespace_id: 'gitlab', project_id: 'gitlabhq', hook_id: '1', id: '1')
+      expect(post('/gitlab/gitlabhq/hooks/1/hook_logs/1/retry')).to route_to('projects/hook_logs#retry', namespace_id: 'gitlab', project_id: 'gitlabhq', hook_id: '1', id: '1')
     end
 
     it 'to #show' do