Add latest changes from gitlab-org/security/gitlab@13-12-stable-ee

64ed8e1d · GitLab Bot · 484b5969 · 64ed8e1d · 64ed8e1d · 64ed8e1d
Commit 64ed8e1d authored Jun 30, 2021 by GitLab Bot
7 changed files
--- a/Gemfile
+++ b/Gemfile
@@ -157,7 +157,7 @@ gem 'github-markup', '~> 1.7.0', require: 'github/markup'
 gem 'commonmarker', '~> 0.21'
 gem 'kramdown', '~> 2.3.1'
 gem 'RedCloth', '~> 4.3.2'
-gem 'rdoc', '~> 6.1.2'
+gem 'gitlab-rdoc', '~> 6.3.2', require: 'rdoc' # We need this fork until rdoc releases a new version. See https://gitlab.com/gitlab-org/gitlab/-/issues/334695
 gem 'org-ruby', '~> 0.9.12'
 gem 'creole', '~> 0.5.0'
 gem 'wikicloth', '0.8.1'

--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -483,6 +483,7 @@ GEM
      addressable (~> 2.7)
      omniauth (~> 1.9)
      openid_connect (~> 1.2)
+    gitlab-rdoc (6.3.2)
    gitlab-sidekiq-fetcher (0.5.6)
      sidekiq (~> 5)
    gitlab-styles (6.2.0)
@@ -1008,7 +1009,6 @@ GEM
      msgpack (>= 0.4.3)
      optimist (>= 3.0.0)
    rchardet (1.8.0)
-    rdoc (6.1.2)
    re2 (1.2.0)
    recaptcha (4.13.1)
      json
@@ -1485,6 +1485,7 @@ DEPENDENCIES
  gitlab-markup (~> 1.7.1)
  gitlab-net-dns (~> 0.9.1)
  gitlab-omniauth-openid-connect (~> 0.4.0)
+  gitlab-rdoc (~> 6.3.2)
  gitlab-sidekiq-fetcher (= 0.5.6)
  gitlab-styles (~> 6.2.0)
  gitlab_chronic_duration (~> 0.10.6.2)
@@ -1594,7 +1595,6 @@ DEPENDENCIES
  raindrops (~> 0.18)
  rblineprof (~> 0.3.6)
  rbtrace (~> 0.4)
-  rdoc (~> 6.1.2)
  re2 (~> 1.2.0)
  recaptcha (~> 4.11)
  redis (~> 4.0)

--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -238,6 +238,7 @@ class User < ApplicationRecord
  validate :owns_commit_email, if: :commit_email_changed?
  validate :signup_domain_valid?, on: :create, if: ->(user) { !user.created_by_id }
  validate :check_email_restrictions, on: :create, if: ->(user) { !user.created_by_id }
+  validate :check_username_format, if: :username_changed?
  validates :theme_id, allow_nil: true, inclusion: { in: Gitlab::Themes.valid_ids,
    message: _("%{placeholder} is not a valid theme") % { placeholder: '%{value}' } }
@@ -2083,6 +2084,12 @@ class User < ApplicationRecord
    end
  end
+  def check_username_format
+    return if username.blank? || Mime::EXTENSION_LOOKUP.keys.none? { |type| username.end_with?(type) }
+    errors.add(:username, _('ending with MIME type format is not allowed.'))
+  end
  def groups_with_developer_maintainer_project_access
    project_creation_levels = [::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS]

--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -38357,6 +38357,9 @@ msgstr ""
 msgid "encrypted: needs to be a :required, :optional or :migrating!"
 msgstr ""
+msgid "ending with MIME type format is not allowed."
+msgstr ""
 msgid "entries cannot be larger than 255 characters"
 msgstr ""

--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -376,6 +376,19 @@ RSpec.describe User do
          expect(user.errors.full_messages).to eq(['Username has already been taken'])
        end
      end
+      it 'validates format' do
+        Mime::EXTENSION_LOOKUP.keys.each do |type|
+          user = build(:user, username: "test.#{type}")
+          expect(user).not_to be_valid
+          expect(user.errors.full_messages).to include('Username ending with MIME type format is not allowed.')
+        end
+      end
+      it 'validates format on updated record' do
+        expect(create(:user).update(username: 'profile.html')).to be_falsey
+      end
    end
    it 'has a DB-level NOT NULL constraint on projects_limit' do

--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -56,7 +56,7 @@ RSpec.describe API::Projects do
  let_it_be(:project, reload: true) { create(:project, :repository, namespace: user.namespace) }
  let_it_be(:project2, reload: true) { create(:project, namespace: user.namespace) }
  let_it_be(:project_member) { create(:project_member, :developer, user: user3, project: project) }
-  let_it_be(:user4) { create(:user, username: 'user.with.dot') }
+  let_it_be(:user4) { create(:user, username: 'user.withdot') }
  let_it_be(:project3, reload: true) do
    create(:project,
    :private,

--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -4,7 +4,7 @@ require 'spec_helper'
 RSpec.describe API::Users do
  let_it_be(:admin) { create(:admin) }
-  let_it_be(:user, reload: true) { create(:user, username: 'user.with.dot') }
+  let_it_be(:user, reload: true) { create(:user, username: 'user.withdot') }
  let_it_be(:key) { create(:key, user: user) }
  let_it_be(:gpg_key) { create(:gpg_key, user: user) }
  let_it_be(:email) { create(:email, user: user) }