Commits · d73d10e1c8929eff0c3a35e934982f691c5f0bf0 · nexedi / gitlab-ce

28 Jul, 2021 16 commits

Replace Vulnerabilities::Feedback.only_valid_feedback without joining ci · d73d10e1

Dylan Griffith authored Jul 28, 2021

This method joins between `ci_*` and non `ci_*` tables and as such we
need to replace this logic with something that does not do this join
before we move `ci_*` tables to a different database.

This method `Vulnerabilities::Feedback.only_valid_feedback` was
introduced originally in
https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/117 to
solve a security vulnerability
https://gitlab.com/gitlab-org/gitlab/-/issues/24932. The basic issue was
that we had a controller that allowed you to create a
`Vulnerability::Feedback` and set the `pipeline_id` of that. The problem
is that for a window of time a user could have set the `pipeline_id` to
be from a different project. We also had another controller that would
present the `path` for a pipeline and as such you could learn the path
of private projects by guessing the `pipeline_id` from other projects.

The original fix used a `join ci_pipelines` to filter out any
`Vulnerabilities::Feedback` that happened to be associated to another
project. We can't do this join anymore. It seemed simpler to change the
security fix to focus on not rendering the `pipeline` if the
`project_id` was belonging to a different project. So instead we just
don't return `pipeline` if the `project_id` is not what it should be
(ie. they hacked the `pipeline_id` to be a different project). This may
present some issue in the frontend but this data should only appear if
the user in the project deliberately created this hack data so we
shouldn't be concerned about the UX impact here.

It's also possible this fix improves performance for this endpoint as it
doesn't need to do a redundant join.

Since this fixes the problem in a slightly different way it also
required us to change the test slightly to assert the `pipeline` is
filtered out now rather than the whole `Feedback` object.

d73d10e1

Merge branch 'poffey21-master-patch-02079' into 'master' · 9a177f6a
Marcel Amirault authored Jul 28, 2021
```
Add constraints regarding the registry password

See merge request gitlab-org/gitlab!66975
```
9a177f6a
Add constraints regarding the registry password · 1f2867d2
Tim Poffenbarger authored Jul 28, 2021

1f2867d2

Merge branch 'revert-' into 'master' · a482a9f4

James Fargher authored Jul 28, 2021

Revert "Merge branch 'enable_gitaly_backup' into 'master'"

See merge request gitlab-org/gitlab!66993

a482a9f4

Revert "Merge branch 'enable_gitaly_backup' into 'master'" · 37705198
Albert Salim authored Jul 28, 2021
```
This reverts merge request !66019
```
37705198
Merge branch '333066-include-dbname-in-performance-bar' into 'master' · c5b31389
Thong Kuah authored Jul 28, 2021
```
Include database name in performance bar

See merge request gitlab-org/gitlab!63819
```
c5b31389
Merge branch 'eread/refine-compliance-report-content' into 'master' · 44c83f7d
Russell Dickenson authored Jul 28, 2021
```
Refine content for recently renamed feature

See merge request gitlab-org/gitlab!66891
```
44c83f7d
Refine content for recently renamed feature · 306d1775
Evan Read authored Jul 28, 2021

306d1775
Merge branch 'ash2k/kas-14.1.1' into 'master' · 5651fc98
Thong Kuah authored Jul 28, 2021
```
Bump kas to v14.1.1

See merge request gitlab-org/gitlab!66806
```
5651fc98
Merge branch '333562-setup-gitlab-mailgun-endpoint-for-syncing-bounced-invite-email6' into 'master' · e45b862f
Mark Chao authored Jul 28, 2021
```
Setup GitLab MailGun endpoint for syncing bounced invite emails - redo

See merge request gitlab-org/gitlab!66397
```
e45b862f
Merge branch 'fix_disable_prepared_statements_clobbering_pool_size' into 'master' · b8fb8761
Ash McKenzie authored Jul 28, 2021
```
Fix disable_prepared_statements clobbering pool size

See merge request gitlab-org/gitlab!66988
```
b8fb8761
Merge branch '227049-visual-review-is-hard-to-find-confused-with-review-app' into 'master' · ea1185e2
Ezekiel Kigbo authored Jul 28, 2021
```
Resolve "Visual review is hard to find / confused with review app"

See merge request gitlab-org/gitlab!66453
```
ea1185e2
Resolve "Visual review is hard to find / confused with review app" · 3599a84e
Marcel van Remmerden authored Jul 28, 2021

3599a84e
Fix disable_prepared_statements clobbering pool size · 7f674389
Thong Kuah authored Jul 28, 2021
```
Use a fresh config when using with establish_connection
```
7f674389
Merge branch '336285-release-cpu-bound-worker-annotation' into 'master' · ef7cb02f
Shinya Maeda authored Jul 28, 2021
```
Add worker_resource_boundary to Release workers

See merge request gitlab-org/gitlab!66870
```
ef7cb02f
Merge branch '334192-aqualls-fix-intro-line' into 'master' · 4aec9e9e
Russell Dickenson authored Jul 28, 2021
```
Tidy the introduced-in line for cherry-picking

See merge request gitlab-org/gitlab!66977
```
4aec9e9e

27 Jul, 2021 24 commits
- Merge branch 'DarwinJS-add-clarification-eks-agent-install' into 'master' · e72772fd
  Marcel Amirault authored Jul 27, 2021
```
Add clarification to steps for Kubernetes Agent install

See merge request gitlab-org/gitlab!66966
```
  e72772fd
- Add clarification to steps for Kubernetes Agent install · 41e0ede8
  DarwinJS authored Jul 27, 2021
  
  41e0ede8
- Merge branch 'philipcunningham-removed-unused-dast-relations-336195' into 'master' · 2e26041e
  Dylan Griffith authored Jul 27, 2021
```
Remove unused association code from DAST models

See merge request gitlab-org/gitlab!66900
```
  2e26041e
- Merge branch '336708-update-expectation-text' into 'master' · 03c1fc6c
  Mark Lapierre authored Jul 27, 2021
```
Update expectation to match new UI text

See merge request gitlab-org/gitlab!66970
```
  03c1fc6c
- Update expectation to match new UI text · 8f784d72
  Tiffany Rea authored Jul 27, 2021
  
  8f784d72
- Merge branch '333117-migrate-redishll-ide-edit-events' into 'master' · cb26a88c
  Mayra Cabrera authored Jul 27, 2021
```
Add web_edit instrumentation class

See merge request gitlab-org/gitlab!66789
```
  cb26a88c
- Tidy the introduced-in line for cherry-picking · 0f6268be
  Amy Qualls authored Jul 27, 2021
```
Small fixes to the introduced-in line for cherry-picking into a
project. Punctuation, linking.
```
  0f6268be
- Merge branch '328443-finalize-ci-build-trace-chunks-bigint-conversion' into 'master' · ef1379fd
  Patrick Bair authored Jul 27, 2021
```
Finalize conversion to bigint for ci_build_trace_chunks

See merge request gitlab-org/gitlab!66123
```
  ef1379fd
- Merge branch 'lm-n-1-artifacts' into 'master' · 99eb2ad0
  Michael Kozono authored Jul 27, 2021
```
Update N+1 spec for artifacts

See merge request gitlab-org/gitlab!65354
```
  99eb2ad0
- Merge branch 'lkorbasiewicz-master-patch-39733' into 'master' · 1d854f3e
  Russell Dickenson authored Jul 27, 2021
```
Update broken links to ZAP documentation

See merge request gitlab-org/gitlab!66914
```
  1d854f3e
- Merge branch '336285-StoreScansWorker-worker_resource_boundary' into 'master' · e63e5f1f
  Mayra Cabrera authored Jul 27, 2021
```
Mark StoreScansWorker as cpu bound

See merge request gitlab-org/gitlab!66879
```
  e63e5f1f
- Merge branch 'llandon-master-patch-77304' into 'master' · f3f8f299
  Suzanne Selhorn authored Jul 27, 2021
```
Added new security checklist items

See merge request gitlab-org/gitlab!66965
```
  f3f8f299
- Merge branch '336903-aqualls-download-wiki' into 'master' · f3888772
  Nick Gaskill authored Jul 27, 2021
```
Explain how to export group wikis

See merge request gitlab-org/gitlab!66961
```
  f3888772
- Explain how to export group wikis · eade04b9
  Amy Qualls authored Jul 27, 2021
  
  eade04b9
- Add web_edit instrumentation class · 09b0864a
  Luis Mejia authored Jul 23, 2021
  
  09b0864a
- Merge branch 'docs-style-guide-metadata' into 'master' · 050ecf64
  Suzanne Selhorn authored Jul 27, 2021
```
Update Style Guide metadata with direct link

See merge request gitlab-org/gitlab!66934
```
  050ecf64
- Merge branch 'Add_by_saml_provider_id_query_param_to_Users_API_and_documentation' into 'master' · 9b061437
  Mayra Cabrera authored Jul 27, 2021
```
Add param to query Users API by group SAML provider id

See merge request gitlab-org/gitlab!66167
```
  9b061437
- Added new security checklist items · 09a72396
  Lyn Landon authored Jul 27, 2021
  
  09a72396
- Add Mailgun endpoint for receiving permanent failures · 0f371ed7
  Doug Stull authored Jul 19, 2021
```
- update for consuming failure endpoints from Mailgun

Changelog: added
```
  0f371ed7
- Merge branch 'cleanup-evalute_protected_tag_for_release_permissions-feature-flag' into 'master' · 2f884c4b
  Alex Kalderimis authored Jul 27, 2021
```
Clean up evalute_protected_tag_for_release_permissions feature flag

See merge request gitlab-org/gitlab!66713
```
  2f884c4b
- Merge branch '335975-index-trials-regardless-seat' into 'master' · 1d632a1e
  Doug Stull authored Jul 27, 2021
```
Advanced Search should index trials regardless of seats

See merge request gitlab-org/gitlab!66665
```
  1d632a1e
- Merge branch 'modify-experiments-api' into 'master' · 0902a6f8
  Alex Kalderimis authored Jul 27, 2021
```
Make experiments API a filter of features API

See merge request gitlab-org/gitlab!66488
```
  0902a6f8
- Make experiments API a filter of features API · b7cfcaf8
  Doug Stull authored Jul 27, 2021
```
- adds gates info with percentage

Changelog: changed
EE: true
```
  b7cfcaf8
- Merge branch 'transition-from-ep-to-tooling-labels-in-danger' into 'master' · fec40483
  Rémy Coutable authored Jul 27, 2021
```
Transition from Engineering Productivity to tooling label in Danger

See merge request gitlab-org/gitlab!66620
```
  fec40483