Commit 132dd283
authored Mar 28, 2020 by GitLab Bot

Add latest changes from gitlab-org/gitlab@master

parent dcc65c87
Showing 7 changed files with 187 additions and 4 deletions (+187 -4)

app/views/projects/graphs/charts.html.haml  +1 -1
changelogs/unreleased/andr3-rails-session-samesite-strict.yml  +5 -0
changelogs/unreleased/djensen-update-repository-analytics-title.yml  +5 -0
config/application.rb  +3 -0
lib/gitlab/middleware/same_site_cookies.rb  +63 -0
locale/gitlab.pot  +3 -3
spec/lib/gitlab/middleware/same_site_cookies_spec.rb  +107 -0
app/views/projects/graphs/charts.html.haml

-- page_title _("Contribution Charts")
+- page_title _("Repository Analytics")
 .repo-charts
   %h4.sub-header
...
changelogs/unreleased/andr3-rails-session-samesite-strict.yml
0 → 100644 (new file)

+---
+title: Make all HTTPS cookies set SameSite to none
+merge_request: 28205
+author:
+type: fixed
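Review bot: the changelog entry's filename says `samesite-strict`, but the title, the new middleware and its spec all set `SameSite=None`, which is the opposite end of the SameSite spectrum. Anyone later grepping the changelog directory for the change that introduced `SameSite=None` will not find it under this name; rename the file to match the title (for example `...-rails-session-samesite-none.yml`) or, if the branch name must be kept, note in the title that `None` is the value being set.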
changelogs/unreleased/djensen-update-repository-analytics-title.yml
0 → 100644 (new file)

+---
+title: Renamed Contribution Charts as Repository Analytics
+merge_request: 28162
+author:
+type: changed
config/application.rb

...
@@ -24,6 +24,7 @@ module Gitlab
   require_dependency Rails.root.join('lib/gitlab/current_settings')
   require_dependency Rails.root.join('lib/gitlab/middleware/read_only')
   require_dependency Rails.root.join('lib/gitlab/middleware/basic_health_check')
+  require_dependency Rails.root.join('lib/gitlab/middleware/same_site_cookies')
   require_dependency Rails.root.join('lib/gitlab/runtime')
 
   # Settings in config/environments/* take precedence over those specified here.
...
@@ -231,6 +232,8 @@ module Gitlab
     config.middleware.insert_after Warden::Manager, Rack::Attack
+    config.middleware.insert_before ActionDispatch::Cookies, ::Gitlab::Middleware::SameSiteCookies
 
     # Allow access to GitLab API from other domains
     config.middleware.insert_before Warden::Manager, Rack::Cors do
       headers_to_expose = %w[Link X-Total X-Total-Pages X-Per-Page X-Page X-Next-Page X-Prev-Page X-Gitlab-Blob-Id X-Gitlab-Commit-Id X-Gitlab-Content-Sha256 X-Gitlab-Encoding X-Gitlab-File-Name X-Gitlab-File-Path X-Gitlab-Last-Commit-Id X-Gitlab-Ref X-Gitlab-Size]
...
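Review bot: the position chosen on the added `insert_before ActionDispatch::Cookies, ::Gitlab::Middleware::SameSiteCookies` line is load-bearing and undocumented. `SameSiteCookies` rewrites the `Set-Cookie` header on the way out, so it has to sit outside `ActionDispatch::Cookies` (and therefore outside the session store that runs inside it); placed after `Cookies` it would run before the cookie jar has been written to the header and silently patch nothing. Add a one-line comment saying that the middleware must wrap `ActionDispatch::Cookies`, so the next person reordering the stack does not move it.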
lib/gitlab/middleware/same_site_cookies.rb
0 → 100644 (new file)

+# frozen_string_literal: true
+
+# This middleware sets the SameSite directive to None on all cookies.
+# It also adds the Secure directive if HTTPS is enabled.
+#
+# Chrome v80, rolled out in March 2020, treats any cookies without the
+# SameSite directive set as though they are SameSite=Lax
+# (https://www.chromestatus.com/feature/5088147346030592). This is a
+# breaking change from the previous default behavior, which was to treat
+# those cookies as SameSite=None.
+#
+# This middleware is needed until we upgrade to Rack v2.1.0+
+# (https://github.com/rack/rack/commit/c859bbf7b53cb59df1837612a8c330dfb4147392)
+# and a version of Rails that has native support
+# (https://github.com/rails/rails/commit/7ccaa125ba396d418aad1b217b63653d06044680).
+#
+module Gitlab
+  module Middleware
+    class SameSiteCookies
+      COOKIE_SEPARATOR = "\n".freeze
+
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        status, headers, body = @app.call(env)
+        result = [status, headers, body]
+
+        set_cookie = headers['Set-Cookie']&.strip
+
+        return result if set_cookie.blank? || !ssl?
+
+        cookies = set_cookie.split(COOKIE_SEPARATOR)
+
+        cookies.each do |cookie|
+          next if cookie.blank?
+
+          # Chrome will drop SameSite=None cookies without the Secure
+          # flag. If we remove this middleware, we may need to ensure
+          # that all cookies set this flag.
+          if ssl? && !(cookie =~ /;\s*secure/i)
+            cookie << '; Secure'
+          end
+
+          unless cookie =~ /;\s*samesite=/i
+            cookie << '; SameSite=None'
+          end
+        end
+
+        headers['Set-Cookie'] = cookies.join(COOKIE_SEPARATOR)
+
+        result
+      end
+
+      private
+
+      def ssl?
+        Gitlab.config.gitlab.https
+      end
+    end
+  end
+end
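Review bot: the header comment does not match the early return. It says the middleware sets `SameSite=None` "on all cookies" and "also adds the Secure directive if HTTPS is enabled", but `return result if set_cookie.blank? || !ssl?` makes the whole middleware a no-op over plain HTTP, so on an HTTP-only instance every cookie keeps no SameSite attribute and Chrome 80 applies the `Lax` default the comment describes as breaking. Reword the comment to say both attributes are added only when HTTPS is configured (the reason being the one given inline: Chrome drops `SameSite=None` without `Secure`). Two smaller points in the same hunk: the `if ssl? && ...` guard inside the loop is dead after the early return and can be reduced to `unless cookie =~ /;\s*secure/i`; and `ssl?` reads `Gitlab.config.gitlab.https` rather than the request scheme, which is fine behind a TLS-terminating proxy but means a wrong `https` setting silently disables the fix rather than failing loudly. Note also that `None` restores the pre-Chrome-80 behaviour rather than moving to `Lax`, so this change adds no cross-site request protection for the session cookie; that is a deliberate compatibility choice and would be worth a sentence in the comment.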
locale/gitlab.pot

...
@@ -5503,9 +5503,6 @@ msgstr ""
 msgid "Contribution Analytics"
 msgstr ""
 
-msgid "Contribution Charts"
-msgstr ""
-
 msgid "ContributionAnalytics|<strong>%{created_count}</strong> created, <strong>%{accepted_count}</strong> accepted."
 msgstr ""
...
@@ -16828,6 +16825,9 @@ msgstr ""
 msgid "Repository"
 msgstr ""
 
+msgid "Repository Analytics"
+msgstr ""
+
 msgid "Repository Graph"
 msgstr ""
...
spec/lib/gitlab/middleware/same_site_cookies_spec.rb
0 → 100644 (new file)

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Gitlab::Middleware::SameSiteCookies do
+  include Rack::Test::Methods
+
+  let(:mock_app) do
+    Class.new do
+      attr_reader :cookies
+
+      def initialize(cookies)
+        @cookies = cookies
+      end
+
+      def call(env)
+        [200, { 'Set-Cookie' => cookies }, ['OK']]
+      end
+    end
+  end
+
+  let(:app) { mock_app.new(cookies) }
+
+  subject do
+    described_class.new(app)
+  end
+
+  describe '#call' do
+    let(:request) { Rack::MockRequest.new(subject) }
+
+    def do_request
+      request.post('/some/path')
+    end
+
+    context 'without SSL enabled' do
+      before do
+        allow(Gitlab.config.gitlab).to receive(:https).and_return(false)
+      end
+
+      context 'with cookie' do
+        let(:cookies) { "thiscookie=12345" }
+
+        it 'does not add headers to cookies' do
+          response = do_request
+
+          expect(response['Set-Cookie']).to eq(cookies)
+        end
+      end
+    end
+
+    context 'with SSL enabled' do
+      before do
+        allow(Gitlab.config.gitlab).to receive(:https).and_return(true)
+      end
+
+      context 'with no cookies' do
+        let(:cookies) { nil }
+
+        it 'does not add headers' do
+          response = do_request
+
+          expect(response['Set-Cookie']).to be_nil
+        end
+      end
+
+      context 'with single cookie' do
+        let(:cookies) { "thiscookie=12345" }
+
+        it 'adds required headers' do
+          response = do_request
+
+          expect(response['Set-Cookie']).to eq("#{cookies}; Secure; SameSite=None")
+        end
+      end
+
+      context 'multiple cookies' do
+        let(:cookies) { "thiscookie=12345\nanother_cookie=56789" }
+
+        it 'adds required headers' do
+          response = do_request
+
+          expect(response['Set-Cookie']).to eq("thiscookie=12345; Secure; SameSite=None\nanother_cookie=56789; Secure; SameSite=None")
+        end
+      end
+
+      context 'multiple cookies with some missing headers' do
+        let(:cookies) { "thiscookie=12345; SameSite=None\nanother_cookie=56789; Secure" }
+
+        it 'adds missing headers' do
+          response = do_request
+
+          expect(response['Set-Cookie']).to eq("thiscookie=12345; SameSite=None; Secure\nanother_cookie=56789; Secure; SameSite=None")
+        end
+      end
+
+      context 'multiple cookies with all headers present' do
+        let(:cookies) { "thiscookie=12345; Secure; SameSite=None\nanother_cookie=56789; Secure; SameSite=None" }
+
+        it 'does not add new headers' do
+          response = do_request
+
+          expect(response['Set-Cookie']).to eq(cookies)
+        end
+      end
+    end
+  end
+end
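Review bot: the spec never exercises a cookie that already carries a stricter SameSite value. The middleware's `unless cookie =~ /;\s*samesite=/i` branch is meant to leave `SameSite=Lax` and `SameSite=Strict` cookies alone, but the only existing-attribute case here (`'multiple cookies with some missing headers'`) uses `SameSite=None`, so a regression that overwrote or appended to a `Lax`/`Strict` cookie would pass this suite. Add a context such as `let(:cookies) { "thiscookie=12345; SameSite=Lax" }` expecting `"thiscookie=12345; SameSite=Lax; Secure"`, and, since the matching is case-insensitive, one with lowercase `samesite=strict` and `secure` to pin that behaviour too.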