Add latest changes from gitlab-org/security/gitlab@12-10-stable-ee

88725a6b · GitLab Bot · ed98b14d · 88725a6b · 88725a6b · 88725a6b
Commit 88725a6b authored Apr 27, 2020 by GitLab Bot
5 changed files
--- a/app/serializers/remote_mirror_entity.rb
+++ b/app/serializers/remote_mirror_entity.rb
@@ -2,7 +2,7 @@

 class RemoteMirrorEntity < Grape::Entity
  expose :id
-  expose :url
+  expose :safe_url, as: :url
  expose :enabled

  expose :auth_method

--- a/changelogs/unreleased/security-mirror-urls.yml
+++ b/changelogs/unreleased/security-mirror-urls.yml
+---
+title: Return only safe urls for mirrors
+merge_request:
+author:
+type: security
--- a/spec/serializers/remote_mirror_entity_spec.rb
+++ b/spec/serializers/remote_mirror_entity_spec.rb
@@ -3,7 +3,7 @@
 require 'spec_helper'

 describe RemoteMirrorEntity do
-  let(:project) { create(:project, :repository, :remote_mirror) }
+  let(:project) { create(:project, :repository, :remote_mirror, url: "https://test:password@gitlab.com") }
  let(:remote_mirror) { project.remote_mirrors.first }
  let(:entity) { described_class.new(remote_mirror) }

@@ -15,4 +15,9 @@ describe RemoteMirrorEntity do
      :ssh_known_hosts, :ssh_public_key, :ssh_known_hosts_fingerprints
    )
  end
+
+  it 'does not expose password information' do
+    expect(subject[:url]).not_to include('password')
+    expect(subject[:url]).to eq(remote_mirror.safe_url)
+  end
 end
--- a/vendor/gitignore/C++.gitignore
+++ b/vendor/gitignore/C++.gitignore
--- a/vendor/gitignore/Java.gitignore
+++ b/vendor/gitignore/Java.gitignore