Commit 9b3f3d30 authored by John Mason's avatar John Mason Committed by James Fargher

Add BlocksUnsafeSerialization to Project

This also changes BlocksUnsafeSerialization to allow serialization
if the `only` / `unsafe: true` options are given

Changelog: changed
parent d4716fb0
# frozen_string_literal: true
# Overrides `as_json` and `to_json` to raise an exception when called in order
# to prevent accidentally exposing attributes
#
# Not that would ever happen... but just in case.
module BlocksJsonSerialization
extend ActiveSupport::Concern
JsonSerializationError = Class.new(StandardError)
def to_json(*)
raise JsonSerializationError,
"JSON serialization has been disabled on #{self.class.name}"
end
alias_method :as_json, :to_json
end
# frozen_string_literal: true
# Overrides `#serializable_hash` to raise an exception when called without the `only` option
# in order to prevent accidentally exposing attributes.
#
# An `unsafe: true` option can also be passed in to bypass this check.
#
# `#serializable_hash` is used by ActiveModel serializers like `ActiveModel::Serializers::JSON`
# which overrides `#as_json` and `#to_json`.
#
module BlocksUnsafeSerialization
extend ActiveSupport::Concern
extend ::Gitlab::Utils::Override
UnsafeSerializationError = Class.new(StandardError)
override :serializable_hash
def serializable_hash(options = nil)
return super if allow_serialization?(options)
raise UnsafeSerializationError,
"Serialization has been disabled on #{self.class.name}"
end
private
def allow_serialization?(options = nil)
return false unless options
!!(options[:only] || options[:unsafe])
end
end
...@@ -38,6 +38,7 @@ class Project < ApplicationRecord ...@@ -38,6 +38,7 @@ class Project < ApplicationRecord
include GitlabRoutingHelper include GitlabRoutingHelper
include BulkMemberAccessLoad include BulkMemberAccessLoad
include RunnerTokenExpirationInterval include RunnerTokenExpirationInterval
include BlocksUnsafeSerialization
extend Gitlab::Cache::RequestCache extend Gitlab::Cache::RequestCache
extend Gitlab::Utils::Override extend Gitlab::Utils::Override
...@@ -3047,6 +3048,10 @@ class Project < ApplicationRecord ...@@ -3047,6 +3048,10 @@ class Project < ApplicationRecord
Projects::SyncEvent.enqueue_worker Projects::SyncEvent.enqueue_worker
end end
end end
def allow_serialization?(options = nil)
Feature.disabled?(:block_project_serialization, self, default_enabled: :yaml) || super
end
end end
Project.prepend_mod_with('Project') Project.prepend_mod_with('Project')
...@@ -14,7 +14,12 @@ class ProjectImportData < ApplicationRecord ...@@ -14,7 +14,12 @@ class ProjectImportData < ApplicationRecord
insecure_mode: true, insecure_mode: true,
algorithm: 'aes-256-cbc' algorithm: 'aes-256-cbc'
serialize :data, JSON # rubocop:disable Cop/ActiveRecordSerialize # NOTE
# We are serializing a project as `data` in an "unsafe" way here
# because the credentials are necessary for a successful import.
# This is safe because the serialization is only going between rails
# and the database, never to any end users.
serialize :data, Serializers::UnsafeJson # rubocop:disable Cop/ActiveRecordSerialize
validates :project, presence: true validates :project, presence: true
......
...@@ -16,7 +16,7 @@ class User < ApplicationRecord ...@@ -16,7 +16,7 @@ class User < ApplicationRecord
include FeatureGate include FeatureGate
include CreatedAtFilterable include CreatedAtFilterable
include BulkMemberAccessLoad include BulkMemberAccessLoad
include BlocksJsonSerialization include BlocksUnsafeSerialization
include WithUploads include WithUploads
include OptionallySearch include OptionallySearch
include FromUnion include FromUnion
......
---
name: block_project_serialization
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/81900
rollout_issue_url:
milestone: '14.9'
type: development
group: group::workspace
default_enabled: false
# frozen_string_literal: true
module Serializers
class UnsafeJson
class << self
def dump(obj)
obj.to_json(unsafe: true)
end
delegate :load, to: :JSON
end
end
end
...@@ -208,7 +208,7 @@ RSpec.describe Boards::ListsController do ...@@ -208,7 +208,7 @@ RSpec.describe Boards::ListsController do
sign_in(user) sign_in(user)
params = { namespace_id: project.namespace.to_param, params = { namespace_id: project.namespace.to_param,
project_id: project, project_id: project.id,
board_id: board.to_param, board_id: board.to_param,
id: list.to_param, id: list.to_param,
list: { position: position }, list: { position: position },
...@@ -221,7 +221,7 @@ RSpec.describe Boards::ListsController do ...@@ -221,7 +221,7 @@ RSpec.describe Boards::ListsController do
sign_in(user) sign_in(user)
params = { namespace_id: project.namespace.to_param, params = { namespace_id: project.namespace.to_param,
project_id: project, project_id: project.id,
board_id: board.to_param, board_id: board.to_param,
id: list.to_param, id: list.to_param,
list: setting, list: setting,
......
...@@ -33,7 +33,7 @@ RSpec.describe Banzai::Filter::IssuableReferenceExpansionFilter do ...@@ -33,7 +33,7 @@ RSpec.describe Banzai::Filter::IssuableReferenceExpansionFilter do
end end
it 'ignores non-issuable links' do it 'ignores non-issuable links' do
link = create_link('text', project: project, reference_type: 'issue') link = create_link('text', project: project.id, reference_type: 'issue')
doc = filter(link, context) doc = filter(link, context)
expect(doc.css('a').last.text).to eq('text') expect(doc.css('a').last.text).to eq('text')
......
# frozen_string_literal: true
require 'fast_spec_helper'
require 'oj'
RSpec.describe Serializers::UnsafeJson do
let(:result) { double(:result) }
describe '.dump' do
let(:obj) { { key: "value" } }
it 'calls object#to_json with unsafe: true and returns the result' do
expect(obj).to receive(:to_json).with(unsafe: true).and_return(result)
expect(described_class.dump(obj)).to eq(result)
end
end
describe '.load' do
let(:data_string) { '{"key":"value","variables":[{"key":"VAR1","value":"VALUE1"}]}' }
let(:data_hash) { Gitlab::Json.parse(data_string) }
it 'calls JSON.load and returns the result' do
expect(JSON).to receive(:load).with(data_hash).and_return(result)
expect(described_class.load(data_hash)).to eq(result)
end
end
end
...@@ -2,21 +2,16 @@ ...@@ -2,21 +2,16 @@
require 'spec_helper' require 'spec_helper'
RSpec.describe BlocksJsonSerialization do RSpec.describe BlocksUnsafeSerialization do
before do before do
stub_const('DummyModel', Class.new) stub_const('DummyModel', Class.new)
DummyModel.class_eval do DummyModel.class_eval do
include BlocksJsonSerialization include ActiveModel::Serializers::JSON
include BlocksUnsafeSerialization
end end
end end
it 'blocks as_json' do it_behaves_like 'blocks unsafe serialization' do
expect { DummyModel.new.as_json } let(:object) { DummyModel.new }
.to raise_error(described_class::JsonSerializationError, /DummyModel/)
end
it 'blocks to_json' do
expect { DummyModel.new.to_json }
.to raise_error(described_class::JsonSerializationError, /DummyModel/)
end end
end end
...@@ -8022,6 +8022,20 @@ RSpec.describe Project, factory_default: :keep do ...@@ -8022,6 +8022,20 @@ RSpec.describe Project, factory_default: :keep do
end end
end end
describe 'serialization' do
let(:object) { build(:project) }
it_behaves_like 'blocks unsafe serialization'
context 'when feature flag block_project_serialization is disabled' do
before do
stub_feature_flags(block_project_serialization: false)
end
it_behaves_like 'allows unsafe serialization'
end
end
describe '#runners_token' do describe '#runners_token' do
let_it_be(:project) { create(:project) } let_it_be(:project) { create(:project) }
......
...@@ -17,7 +17,7 @@ RSpec.describe User do ...@@ -17,7 +17,7 @@ RSpec.describe User do
it { is_expected.to include_module(Referable) } it { is_expected.to include_module(Referable) }
it { is_expected.to include_module(Sortable) } it { is_expected.to include_module(Sortable) }
it { is_expected.to include_module(TokenAuthenticatable) } it { is_expected.to include_module(TokenAuthenticatable) }
it { is_expected.to include_module(BlocksJsonSerialization) } it { is_expected.to include_module(BlocksUnsafeSerialization) }
it { is_expected.to include_module(AsyncDeviseEmail) } it { is_expected.to include_module(AsyncDeviseEmail) }
end end
......
# frozen_string_literal: true
require 'spec_helper'
# Requires a context with:
# - object
#
RSpec.shared_examples 'blocks unsafe serialization' do
it 'blocks as_json' do
expect { object.as_json }.to raise_error(described_class::UnsafeSerializationError, /#{object.class.name}/)
end
it 'blocks to_json' do
expect { object.to_json }.to raise_error(described_class::UnsafeSerializationError, /#{object.class.name}/)
end
end
RSpec.shared_examples 'allows unsafe serialization' do
it 'allows as_json' do
expect { object.as_json }.not_to raise_error
end
it 'allows to_json' do
expect { object.to_json }.not_to raise_error
end
end
...@@ -68,6 +68,29 @@ RSpec.shared_examples 'note entity' do ...@@ -68,6 +68,29 @@ RSpec.shared_examples 'note entity' do
end end
end end
describe ':outdated_line_change_path' do
before do
allow(note).to receive(:show_outdated_changes?).and_return(show_outdated_changes)
end
context 'when note shows outdated changes' do
let(:show_outdated_changes) { true }
it 'returns correct outdated_line_change_namespace_project_note_path' do
path = "/#{note.project.namespace.path}/#{note.project.path}/notes/#{note.id}/outdated_line_change"
expect(subject[:outdated_line_change_path]).to eq(path)
end
end
context 'when note does not show outdated changes' do
let(:show_outdated_changes) { false }
it 'does not expose outdated_line_change_path' do
expect(subject).not_to include(:outdated_line_change_path)
end
end
end
context 'when note was edited' do context 'when note was edited' do
before do before do
note.update!(updated_at: 1.minute.from_now, updated_by: user) note.update!(updated_at: 1.minute.from_now, updated_by: user)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment