Merge branch 'master' of dev.gitlab.org:gitlab/gitlab-ee

CHANGELOG-EE.md

 Please view this file on the master branch, on stable branches it's out of date.
 
+## 13.3.1 (2020-08-25)
+
+### Fixed (2 changes)
+
+- Geo: Apply selective sync to container repo updates. !39663
+- Geo: Apply selective sync to design repo updates. !39916
+
+
 ## 13.3.0 (2020-08-22)
 
 ### Removed (7 changes)

CHANGELOG.md

@@ -2,6 +2,14 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 13.3.1 (2020-08-25)
+
+### Fixed (2 changes)
+
+- Fix bug when promoting an Issue with attachments to an Epic. !39654
+- Avoid creating diff position when line-code is nil. !40089
+
+
 ## 13.3.0 (2020-08-22)
 
 ### Security (2 changes)

app/controllers/concerns/hooks_execution.rb

@@ -17,4 +17,16 @@ module HooksExecution
       flash[:alert] = "Hook execution failed: #{message}"
     end
   end
+
+  def create_rate_limit(key, scope)
+    if rate_limiter.throttled?(key, scope: [scope, current_user])
+      rate_limiter.log_request(request, "#{key}_request_limit".to_sym, current_user)
+
+      render plain: _('This endpoint has been requested too many times. Try again later.'), status: :too_many_requests
+    end
+  end
+
+  def rate_limiter
+    ::Gitlab::ApplicationRateLimiter
+  end
 end

app/controllers/projects/hooks_controller.rb

@@ -6,6 +6,7 @@ class Projects::HooksController < Projects::ApplicationController
   # Authorize
   before_action :authorize_admin_project!
   before_action :hook_logs, only: :edit
+  before_action -> { create_rate_limit(:project_testing_hook, @project) }, only: :test
 
   respond_to :html
 

app/controllers/projects/tags_controller.rb

@@ -92,7 +92,7 @@ class Projects::TagsController < Projects::ApplicationController
         end
 
         format.js do
-          render status: :unprocessable_entity
+          render status: :ok
         end
       end
     end

changelogs/unreleased/id-fix-nil-line-codes-for-diff-positions.yml

----
-title: Avoid creating diff position when line-code is nil
-merge_request: 40089
-author:
-type: fixed

changelogs/unreleased/security-223-webhook-dos-attack.yml

+---
+title: Add rate limit on webhooks testing feature
+merge_request:
+author:
+type: security

changelogs/unreleased/security-upgrade-jquery-3-5.yml

+---
+title: Upgrade jquery to v3.5
+merge_request:
+author:
+type: security

ee/app/controllers/groups/hooks_controller.rb

@@ -8,6 +8,7 @@ class Groups::HooksController < Groups::ApplicationController
   before_action :authorize_admin_group!
   before_action :check_group_webhooks_available!
   before_action :set_hook, only: [:edit, :update, :test, :destroy]
+  before_action -> { create_rate_limit(:group_testing_hook, @group) }, only: :test
 
   respond_to :html
 

ee/changelogs/unreleased/mk-apply-selective-sync-to-design-repo-update.yml

----
-title: 'Geo: Apply selective sync to design repo updates'
-merge_request: 39916
-author:
-type: fixed

ee/spec/controllers/groups/hooks_controller_spec.rb

@@ -154,6 +154,24 @@ RSpec.describe Groups::HooksController do
             expect(flash[:notice]).to eq('Hook executed successfully: HTTP 200')
           end
         end
+
+        context 'when the endpoint receives requests above the limit' do
+          before do
+            allow(Gitlab::ApplicationRateLimiter).to receive(:rate_limits)
+              .and_return(group_testing_hook: { threshold: 1, interval: 1.minute })
+          end
+
+          it 'prevents making test requests' do
+            expect_next_instance_of(TestHooks::ProjectService) do |service|
+              expect(service).to receive(:execute).and_return(http_status: 200)
+            end
+
+            2.times { post :test, params: { group_id: group.to_param, id: hook } }
+
+            expect(response.body).to eq(_('This endpoint has been requested too many times. Try again later.'))
+            expect(response).to have_gitlab_http_status(:too_many_requests)
+          end
+        end
       end
     end
   end

lib/gitlab/application_rate_limiter.rb

@@ -25,11 +25,13 @@ module Gitlab
           project_repositories_archive: { threshold: 5, interval: 1.minute },
           project_generate_new_export:  { threshold: -> { application_settings.project_export_limit }, interval: 1.minute },
           project_import:               { threshold: -> { application_settings.project_import_limit }, interval: 1.minute },
+          project_testing_hook:         { threshold: 5, interval: 1.minute },
           play_pipeline_schedule:       { threshold: 1, interval: 1.minute },
           show_raw_controller:          { threshold: -> { application_settings.raw_blob_request_limit }, interval: 1.minute },
           group_export:                 { threshold: -> { application_settings.group_export_limit }, interval: 1.minute },
           group_download_export:        { threshold: -> { application_settings.group_download_export_limit }, interval: 1.minute },
-          group_import:                 { threshold: -> { application_settings.group_import_limit }, interval: 1.minute }
+          group_import:                 { threshold: -> { application_settings.group_import_limit }, interval: 1.minute },
+          group_testing_hook:           { threshold: 5, interval: 1.minute }
         }.freeze
       end
 

package.json

@@ -97,7 +97,7 @@
     "ipaddr.js": "^1.9.1",
     "jed": "^1.1.1",
     "jest-transform-graphql": "^2.1.0",
-    "jquery": "^3.4.1",
+    "jquery": "^3.5.0",
     "jquery-ujs": "1.2.2",
     "jquery.caret": "^0.3.1",
     "jquery.waitforimages": "^2.2.0",

spec/controllers/projects/hooks_controller_spec.rb

@@ -47,4 +47,26 @@ RSpec.describe Projects::HooksController do
       expect(ProjectHook.first).to have_attributes(hook_params)
     end
   end
+
+  describe '#test' do
+    let(:hook) { create(:project_hook, project: project) }
+
+    context 'when the endpoint receives requests above the limit' do
+      before do
+        allow(Gitlab::ApplicationRateLimiter).to receive(:rate_limits)
+          .and_return(project_testing_hook: { threshold: 1, interval: 1.minute })
+      end
+
+      it 'prevents making test requests' do
+        expect_next_instance_of(TestHooks::ProjectService) do |service|
+          expect(service).to receive(:execute).and_return(http_status: 200)
+        end
+
+        2.times { post :test, params: { namespace_id: project.namespace, project_id: project, id: hook } }
+
+        expect(response.body).to eq(_('This endpoint has been requested too many times. Try again later.'))
+        expect(response).to have_gitlab_http_status(:too_many_requests)
+      end
+    end
+  end
 end

yarn.lock

@@ -7078,10 +7078,10 @@ jquery.waitforimages@^2.2.0:
   resolved "https://registry.yarnpkg.com/jquery.waitforimages/-/jquery.waitforimages-2.2.0.tgz#63f23131055a1b060dc913e6d874bcc9b9e6b16b"
   integrity sha1-Y/IxMQVaGwYNyRPm2HS8ybnmsWs=
 
-"jquery@>= 1.9.1", jquery@>=1.8.0, jquery@^3.4.1:
-  version "3.4.1"
-  resolved "https://registry.yarnpkg.com/jquery/-/jquery-3.4.1.tgz#714f1f8d9dde4bdfa55764ba37ef214630d80ef2"
-  integrity sha512-36+AdBzCL+y6qjw5Tx7HgzeGCzC81MDDgaUP8ld2zhx58HdqXGoBd+tHdrBMiyjGQs0Hxs/MLZTu/eHNJJuWPw==
+"jquery@>= 1.9.1", jquery@>=1.8.0, jquery@^3.5.0:
+  version "3.5.1"
+  resolved "https://registry.yarnpkg.com/jquery/-/jquery-3.5.1.tgz#d7b4d08e1bfdb86ad2f1a3d039ea17304717abb5"
+  integrity sha512-XwIBPqcMn57FxfT+Go5pzySnm4KWkT1Tv7gjrpT1srtf8Weynl6R273VJ5GjkRb51IzMp5nbaPjJXMWeju2MKg==
 
 js-base64@^2.1.8:
   version "2.5.1"