提交
c49e0365
编写于
2月 28, 2020
作者:
GitLab Bot
Add latest changes from gitlab-org/security/gitlab@12-7-stable-ee
上级
15322f21
变更
18
Showing
18 changed file
with
231 addition
and
13 deletion
+231
-13
app/models/application_setting.rb
app/models/application_setting.rb
+30
-0
app/models/members/group_member.rb
app/models/members/group_member.rb
+1
-0
app/validators/addressable_url_validator.rb
app/validators/addressable_url_validator.rb
+5
-3
app/views/admin/application_settings/_grafana.html.haml
app/views/admin/application_settings/_grafana.html.haml
+1
-1
app/views/layouts/nav/sidebar/_admin.html.haml
app/views/layouts/nav/sidebar/_admin.html.haml
+1
-1
changelogs/unreleased/enfoce-group-member-2fa.yml
changelogs/unreleased/enfoce-group-member-2fa.yml
+5
-0
changelogs/unreleased/security-expire-confirmation-token.yml
changelogs/unreleased/security-expire-confirmation-token.yml
+5
-0
changelogs/unreleased/security-grafana-stored-xss.yml
changelogs/unreleased/security-grafana-stored-xss.yml
+5
-0
config/initializers/8_devise.rb
config/initializers/8_devise.rb
+10
-2
db/migrate/20200214085940_clean_grafana_url.rb
db/migrate/20200214085940_clean_grafana_url.rb
+22
-0
db/schema.rb
db/schema.rb
+1
-1
doc/administration/monitoring/performance/grafana_configuration.md
...istration/monitoring/performance/grafana_configuration.md
+3
-2
lib/gitlab/utils.rb
lib/gitlab/utils.rb
+9
-0
spec/lib/gitlab/utils_spec.rb
spec/lib/gitlab/utils_spec.rb
+14
-0
spec/migrations/clean_grafana_url_spec.rb
spec/migrations/clean_grafana_url_spec.rb
+37
-0
spec/models/application_setting_spec.rb
spec/models/application_setting_spec.rb
+48
-0
spec/models/members/group_member_spec.rb
spec/models/members/group_member_spec.rb
+18
-3
spec/validators/addressable_url_validator_spec.rb
spec/validators/addressable_url_validator_spec.rb
+16
-0
app/models/application_setting.rb
@@ -6,6 +6,9 @@ class ApplicationSetting < ApplicationRecord
include
TokenAuthenticatable
include
ChronicDurationAttribute
GRAFANA_URL_ERROR_MESSAGE
=
'Please check your Grafana URL setting in '
\
'Admin Area > Settings > Metrics and profiling > Metrics - Grafana'
add_authentication_token_field
:runners_registration_token
,
encrypted:
->
{
Feature
.
enabled?
(
:application_settings_tokens_optional_encryption
,
default_enabled:
true
)
?
:optional
:
:required
}
add_authentication_token_field
:health_check_access_token
add_authentication_token_field
:static_objects_external_storage_auth_token
...
...
@@ -36,6 +39,14 @@ class ApplicationSetting < ApplicationRecord
chronic_duration_attr_writer
:archive_builds_in_human_readable
,
:archive_builds_in_seconds
validates
:grafana_url
,
system_hook_url:
{
blocked_message:
"is blocked: %{exception_message}. "
+
GRAFANA_URL_ERROR_MESSAGE
},
if: :grafana_url_absolute?
validate
:validate_grafana_url
validates
:uuid
,
presence:
true
validates
:outbound_local_requests_whitelist
,
...
...
@@ -355,6 +366,19 @@ class ApplicationSetting < ApplicationRecord
end
after_commit
:expire_performance_bar_allowed_user_ids_cache
,
if:
->
{
previous_changes
.
key?
(
'performance_bar_allowed_group_id'
)
}
def
validate_grafana_url
unless
parsed_grafana_url
self
.
errors
.
add
(
:grafana_url
,
"must be a valid relative or absolute URL.
#{
GRAFANA_URL_ERROR_MESSAGE
}
"
)
end
end
def
grafana_url_absolute?
parsed_grafana_url
&
.
absolute?
end
def
sourcegraph_url_is_com?
!!
(
sourcegraph_url
=~
/\Ahttps:\/\/(www\.)?sourcegraph\.com/
)
end
...
...
@@ -379,6 +403,12 @@ class ApplicationSetting < ApplicationRecord
def
recaptcha_or_login_protection_enabled
recaptcha_enabled
||
login_recaptcha_protection_enabled
end
private
def
parsed_grafana_url
@parsed_grafana_url
||=
Gitlab
::
Utils
.
parse_url
(
grafana_url
)
end
end
ApplicationSetting
.
prepend_if_ee
(
'EE::ApplicationSetting'
)
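Review bot: `parsed_grafana_url` memoizes with `||=` on an instance whose `grafana_url` can be re-assigned, so the cached parse can disagree with the value actually being validated — the spec in this same commit has to reset `@parsed_grafana_url` by hand before each example, which is the symptom. On one record, validating a relative value such as `/-/grafana` first leaves a non-absolute URI cached; if `grafana_url` is then set to a `javascript:` value and validated again, `grafana_url_absolute?` still answers false, the `system_hook_url` scheme check is skipped, and `validate_grafana_url` passes because the stale parse is non-nil. The admin controller presumably builds a fresh record per request, so the window may be narrow, but the memo should not outlive the value: `def parsed_grafana_url` / `  Gitlab::Utils.parse_url(grafana_url)` / `end` is cheap for a setting that validates once per save. The class body is split across several hunks, so the rest of `ApplicationSetting` is not visible here.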
app/models/members/group_member.rb
@@ -66,6 +66,7 @@ class GroupMember < Member
def
after_accept_invite
notification_service
.
accept_group_invite
(
self
)
update_two_factor_requirement
super
end
...
...
app/validators/addressable_url_validator.rb
@@ -23,7 +23,8 @@
# protect against Server-side Request Forgery (SSRF), or check for the right port.
#
# Configuration options:
# * <tt>message</tt> - A custom error message (default is: "must be a valid URL").
# * <tt>message</tt> - A custom error message, used when the URL is blank. (default is: "must be a valid URL").
# * <tt>blocked_message</tt> - A custom error message, used when the URL is blocked. Default: +'is blocked: %{exception_message}'+.
# * <tt>schemes</tt> - Array of URI schemes. Default: +['http', 'https']+
# * <tt>allow_localhost</tt> - Allow urls pointing to +localhost+. Default: +true+
# * <tt>allow_local_network</tt> - Allow urls pointing to private network addresses. Default: +true+
@@ -59,7 +60,8 @@ class AddressableUrlValidator < ActiveModel::EachValidator
}.
freeze
DEFAULT_OPTIONS
=
BLOCKER_VALIDATE_OPTIONS
.
merge
({
message:
'must be a valid URL'
message:
'must be a valid URL'
,
blocked_message:
'is blocked: %{exception_message}'
}).
freeze
def
initialize
(
options
)
@@ -80,7 +82,7 @@ class AddressableUrlValidator < ActiveModel::EachValidator
Gitlab
::
UrlBlocker
.
validate!
(
value
,
blocker_args
)
rescue
Gitlab
::
UrlBlocker
::
BlockedUrlError
=>
e
record
.
errors
.
add
(
attribute
,
"is blocked:
#{
e
.
message
}
"
)
record
.
errors
.
add
(
attribute
,
options
.
fetch
(
:blocked_message
)
%
{
exception_message:
e
.
message
}
)
end
private
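Review bot: The blocked-URL error now runs the caller-supplied template through `String#%`, so a `blocked_message` containing a literal percent sign, or a `%{name}` other than `exception_message`, raises `ArgumentError`/`KeyError` at validation time instead of producing an error — the old inline `"is blocked: #{e.message}"` could not fail that way. State the contract next to the option in the header comment, e.g. `# Only the %{exception_message} placeholder is substituted; write a literal '%' as '%%'.`, and consider `format(options.fetch(:blocked_message), exception_message: e.message)`, which has the same semantics but reads as a format call. The method containing this `rescue` starts outside the hunk.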
...
...
app/views/admin/application_settings/_grafana.html.haml
=
form_for
@application_setting
,
url:
admin_application_settings_path
(
anchor:
'js-grafana-settings'
),
html:
{
class:
'fieldset-form'
}
do
|
f
|
=
form_for
@application_setting
,
url:
metrics_and_profiling_
admin_application_settings_path
(
anchor:
'js-grafana-settings'
),
html:
{
class:
'fieldset-form'
}
do
|
f
|
=
form_errors
(
@application_setting
)
%fieldset
app/views/layouts/nav/sidebar/_admin.html.haml
@@ -83,7 +83,7 @@
=
_
(
'Requests Profiles'
)
-
if
Gitlab
::
CurrentSettings
.
current_application_settings
.
grafana_enabled?
=
nav_link
do
=
link_to
Gitlab
::
CurrentSettings
.
current_application_settings
.
grafana_url
,
target:
'_blank'
,
title:
_
(
'Metrics Dashboard'
)
do
=
link_to
Gitlab
::
CurrentSettings
.
current_application_settings
.
grafana_url
,
target:
'_blank'
,
title:
_
(
'Metrics Dashboard'
)
,
rel:
'noopener noreferrer'
do
%span
=
_
(
'Metrics Dashboard'
)
=
render_if_exists
'layouts/nav/ee/admin/new_monitoring_sidebar'
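Review bot: `rel: 'noopener noreferrer'` closes the `window.opener` path the spec payload uses, but the sidebar still passes an admin-controlled string straight to `link_to` as the href; `link_to` does not refuse `javascript:` URLs, so this view depends entirely on the model validation and the cleanup migration holding for every write path (an API or seed path, if one exists, is not visible here). Because every `target: '_blank'` link in the layout needs the same attribute, a small helper such as `external_link_to(url, title:)` that always emits `target` and `rel` together is harder to forget than repeating the pair per call. The `nav_link` block is fully inside the hunk; the surrounding sidebar section is not.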
changelogs/unreleased/enfoce-group-member-2fa.yml
0 → 100644
---
title
:
Update user 2fa when accepting a group invite
merge_request
:
author
:
type
:
security
changelogs/unreleased/security-expire-confirmation-token.yml
0 → 100644
---
title
:
Expire account confirmation token
merge_request
:
author
:
type
:
security
changelogs/unreleased/security-grafana-stored-xss.yml
0 → 100644
---
title
:
Prevent XSS in admin grafana URL setting
merge_request
:
author
:
type
:
security
config/initializers/8_devise.rb
@@ -80,8 +80,16 @@ Devise.setup do |config|
# When allow_unconfirmed_access_for is zero, the user won't be able to sign in without confirming.
# You can use this to let your user access some features of your application
# without confirming the account, but blocking it after a certain period
# (ie 2 days).
config
.
allow_unconfirmed_access_for
=
30
.
days
# (e.g. 3 days).
config
.
allow_unconfirmed_access_for
=
3
.
days
# A period that the user is allowed to confirm their account before their
# token becomes invalid. For example, if set to 1.day, the user can confirm
# their account within 1 days after the mail was sent, but on the second day
# their account can't be confirmed with the token any more.
# Default is nil, meaning there is no restriction on how long a user can take
# before confirming their account.
config
.
confirm_within
=
1
.
day
# Defines which key will be used when confirming an account
# config.confirmation_keys = [ :email ]
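Review bot: `confirm_within = 1.day` is now shorter than `allow_unconfirmed_access_for = 3.days`, so a user who signs in on day 2 or 3 is still let in while the token in their original mail is already dead, and nothing in this hunk says how they obtain a fresh one. Add a comment tying the two values together, e.g. `# Tokens expire after 1 day while unconfirmed sign-in is tolerated for 3: users past day 1 must request a new confirmation mail via the resend form.`, and confirm that form is reachable for unconfirmed users. The `# (e.g. 3 days)` edit bakes the constant into its own comment; keeping the wording generic avoids it going stale on the next change.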
db/migrate/20200214085940_clean_grafana_url.rb
0 → 100644
# frozen_string_literal: true
class
CleanGrafanaUrl
<
ActiveRecord
::
Migration
[
5.2
]
DOWNTIME
=
false
def
up
execute
(
<<-
SQL
UPDATE
application_settings
SET
grafana_url = default
WHERE
position('javascript:' IN btrim(application_settings.grafana_url)) = 1
SQL
)
end
def
down
# no-op
end
end
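Review bot: The `WHERE` clause in `up` uses `position('javascript:' IN btrim(...)) = 1`, which in PostgreSQL is case-sensitive, so a stored `JavaScript:alert(1)` or `JAVASCRIPT:...` survives the cleanup even though browsers treat the scheme case-insensitively. Lower-case the column first — `WHERE position('javascript:' IN lower(btrim(application_settings.grafana_url))) = 1` — and add a mixed-case row to the cleaned list in `clean_grafana_url_spec.rb`. The new model validation rejects non-http(s) absolute schemes on the next save, but an existing row is only rewritten here, so anything this migration misses keeps rendering in the admin sidebar until someone resaves the settings. Whether other schemes were ever stored is not visible from this diff, so I would limit the change to the case fix rather than broaden the match.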
db/schema.rb
@@ -10,7 +10,7 @@
#
# It's strongly recommended that you check this file into your version control system.
ActiveRecord
::
Schema
.
define
(
version:
2020_02_
04_113223
)
do
ActiveRecord
::
Schema
.
define
(
version:
2020_02_
14_085940
)
do
# These are extensions that must be enabled in order to support this database
enable_extension
"pg_trgm"
doc/administration/monitoring/performance/grafana_configuration.md
@@ -117,8 +117,9 @@ If you have set up Grafana, you can enable a link to access it easily from the s
1.
Expand
**Metrics - Grafana**
.
1.
Check the "Enable access to Grafana" checkbox.
1.
If Grafana is enabled through Omnibus GitLab and on the same server,
leave "Grafana URL" unchanged. In any other case, enter the full URL
path of the Grafana instance.
leave
**Grafana URL**
unchanged. It should be
`/-/grafana`
.
In any other case, enter the full URL of the Grafana instance.
1.
Click
**Save changes**
.
1.
The new link will be available in the
**Admin Area > Monitoring > Metrics Dashboard**
.
lib/gitlab/utils.rb
@@ -136,5 +136,14 @@ module Gitlab
IPAddr
.
new
(
str
)
rescue
IPAddr
::
InvalidAddressError
end
# Converts a string to an Addressable::URI object.
# If the string is not a valid URI, it returns nil.
# Param uri_string should be a String object.
# This method returns an Addressable::URI object or nil.
def
parse_url
(
uri_string
)
Addressable
::
URI
.
parse
(
uri_string
)
rescue
Addressable
::
URI
::
InvalidURIError
,
TypeError
end
end
end
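Review bot: The comment on `parse_url` says nil is returned when the string is not a valid URI, but the two other nil-producing cases matter to its first caller: `Addressable::URI.parse` passes nil through for a nil argument, and for `''` it returns (as far as I recall) an empty `Addressable::URI` that is neither nil nor absolute, so `ApplicationSetting#validate_grafana_url` reports nil as invalid and accepts an empty string as a valid relative URL. State that in the comment, e.g. `# Returns nil for nil input or an unparseable string; '' parses to an empty relative URI, so callers must check blankness themselves.`, and add `parse_url(nil)` and `parse_url('')` examples to `utils_spec.rb`. Rescuing `TypeError` also makes non-String arguments return nil silently, so "should be a String" is a hint rather than an enforced contract.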
spec/lib/gitlab/utils_spec.rb
@@ -283,4 +283,18 @@ describe Gitlab::Utils do
expect
(
described_class
.
string_to_ip_object
(
'1:0:0:0:0:0:0:0/124'
)).
to
eq
(
IPAddr
.
new
(
'1:0:0:0:0:0:0:0/124'
))
end
end
describe
'.parse_url'
do
it
'returns Addressable::URI object'
do
expect
(
described_class
.
parse_url
(
'http://gitlab.com'
)).
to
be_instance_of
(
Addressable
::
URI
)
end
it
'returns nil when URI cannot be parsed'
do
expect
(
described_class
.
parse_url
(
'://gitlab.com'
)).
to
be
nil
end
it
'returns nil with invalid parameter'
do
expect
(
described_class
.
parse_url
(
1
)).
to
be
nil
end
end
end
spec/migrations/clean_grafana_url_spec.rb
0 → 100644
# frozen_string_literal: true
require
'spec_helper'
require
Rails
.
root
.
join
(
'db'
,
'migrate'
,
'20200214085940_clean_grafana_url.rb'
)
describe
CleanGrafanaUrl
,
:migration
do
let
(
:application_settings_table
)
{
table
(
:application_settings
)
}
[
'javascript:alert(window.opener.document.location)'
,
' javascript:alert(window.opener.document.location)'
].
each
do
|
grafana_url
|
it
"sets grafana_url back to its default value when grafana_url is '
#{
grafana_url
}
'"
do
application_settings
=
application_settings_table
.
create!
(
grafana_url:
grafana_url
)
migrate!
expect
(
application_settings
.
reload
.
grafana_url
).
to
eq
(
'/-/grafana'
)
end
end
[
'/-/grafana'
,
'/some/relative/url'
,
'http://localhost:9000'
].
each
do
|
grafana_url
|
it
"does not modify grafana_url when grafana_url is '
#{
grafana_url
}
'"
do
application_settings
=
application_settings_table
.
create!
(
grafana_url:
grafana_url
)
migrate!
expect
(
application_settings
.
reload
.
grafana_url
).
to
eq
(
grafana_url
)
end
end
context
'when application_settings table has no rows'
do
it
'does not fail'
do
migrate!
end
end
end
spec/models/application_setting_spec.rb
@@ -19,6 +19,7 @@ describe ApplicationSetting do
let
(
:http
)
{
'http://example.com'
}
let
(
:https
)
{
'https://example.com'
}
let
(
:ftp
)
{
'ftp://example.com'
}
let
(
:javascript
)
{
'javascript:alert(window.opener.document.location)'
}
it
{
is_expected
.
to
allow_value
(
nil
).
for
(
:home_page_url
)
}
it
{
is_expected
.
to
allow_value
(
http
).
for
(
:home_page_url
)
}
@@ -81,6 +82,53 @@ describe ApplicationSetting do
it
{
is_expected
.
not_to
allow_value
(
'abc'
).
for
(
:minimum_password_length
)
}
it
{
is_expected
.
to
allow_value
(
10
).
for
(
:minimum_password_length
)
}
context
'grafana_url validations'
do
before
do
subject
.
instance_variable_set
(
:@parsed_grafana_url
,
nil
)
end
it
{
is_expected
.
to
allow_value
(
http
).
for
(
:grafana_url
)
}
it
{
is_expected
.
to
allow_value
(
https
).
for
(
:grafana_url
)
}
it
{
is_expected
.
not_to
allow_value
(
ftp
).
for
(
:grafana_url
)
}
it
{
is_expected
.
not_to
allow_value
(
javascript
).
for
(
:grafana_url
)
}
it
{
is_expected
.
to
allow_value
(
'/-/grafana'
).
for
(
:grafana_url
)
}
it
{
is_expected
.
to
allow_value
(
'http://localhost:9000'
).
for
(
:grafana_url
)
}
context
'when local URLs are not allowed in system hooks'
do
before
do
stub_application_setting
(
allow_local_requests_from_system_hooks:
false
)
end
it
{
is_expected
.
not_to
allow_value
(
'http://localhost:9000'
).
for
(
:grafana_url
)
}
end
context
'with invalid grafana URL'
do
it
'adds an error'
do
subject
.
grafana_url
=
' '
+
http
expect
(
subject
.
save
).
to
be
false
expect
(
subject
.
errors
[
:grafana_url
]).
to
eq
([
'must be a valid relative or absolute URL. '
\
'Please check your Grafana URL setting in '
\
'Admin Area > Settings > Metrics and profiling > Metrics - Grafana'
])
end
end
context
'with blocked grafana URL'
do
it
'adds an error'
do
subject
.
grafana_url
=
javascript
expect
(
subject
.
save
).
to
be
false
expect
(
subject
.
errors
[
:grafana_url
]).
to
eq
([
'is blocked: Only allowed schemes are http, https. Please check your '
\
'Grafana URL setting in '
\
'Admin Area > Settings > Metrics and profiling > Metrics - Grafana'
])
end
end
end
context
'when snowplow is enabled'
do
before
do
setting
.
snowplow_enabled
=
true
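Review bot: The `before` block at the top of the `grafana_url validations` context calls `instance_variable_set(:@parsed_grafana_url, nil)`, coupling the spec to a private memo name in the model; if that ivar is renamed the reset becomes a no-op and the examples keep passing against whatever parse was cached first. Give each example a fresh record instead (`subject { described_class.new }` or the factory, whichever the outer `describe` uses — its `subject` is outside this hunk), or change the model so the memo is keyed on the value and no reset is needed. The `' ' + http` and `javascript` examples pin the full error text, which effectively freezes `GRAFANA_URL_ERROR_MESSAGE`; fine if intended, but a `start_with` match would survive wording changes.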
spec/models/members/group_member_spec.rb
@@ -65,10 +65,10 @@ describe GroupMember do
end
describe
'#update_two_factor_requirement'
do
let
(
:user
)
{
build
:user
}
let
(
:group_member
)
{
build
:group_member
,
user:
user
}
it
'is called after creation and deletion'
do
user
=
build
:user
group_member
=
build
:group_member
,
user:
user
expect
(
user
).
to
receive
(
:update_two_factor_requirement
)
group_member
.
save
@@ -79,6 +79,21 @@ describe GroupMember do
end
end
describe
'#after_accept_invite'
do
it
'calls #update_two_factor_requirement'
do
email
=
'foo@email.com'
user
=
build
(
:user
,
email:
email
)
group
=
create
(
:group
,
require_two_factor_authentication:
true
)
group_member
=
create
(
:group_member
,
group:
group
,
invite_token:
'1234'
,
invite_email:
email
)
expect
(
user
).
to
receive
(
:require_two_factor_authentication_from_group
).
and_call_original
group_member
.
accept_invite!
(
user
)
expect
(
user
.
require_two_factor_authentication_from_group
).
to
be_truthy
end
end
context
'access levels'
do
context
'with parent group'
do
it_behaves_like
'inherited access level as a member of entity'
do
spec/validators/addressable_url_validator_spec.rb
@@ -5,6 +5,9 @@ require 'spec_helper'
describe
AddressableUrlValidator
do
let!
(
:badge
)
{
build
(
:badge
,
link_url:
'http://www.example.com'
)
}
let
(
:validator
)
{
described_class
.
new
(
validator_options
.
reverse_merge
(
attributes:
[
:link_url
]))
}
let
(
:validator_options
)
{
{}
}
subject
{
validator
.
validate
(
badge
)
}
include_examples
'url validator examples'
,
described_class
::
DEFAULT_OPTIONS
[
:schemes
]
@@ -114,6 +117,19 @@ describe AddressableUrlValidator do
end
end
context
'when blocked_message is set'
do
let
(
:message
)
{
'is not allowed due to: %{exception_message}'
}
let
(
:validator_options
)
{
{
blocked_message:
message
}
}
it
'blocks url with provided error message'
do
badge
.
link_url
=
'javascript:alert(window.opener.document.location)'
subject
expect
(
badge
.
errors
.
first
[
1
]).
to
eq
'is not allowed due to: Only allowed schemes are http, https'
end
end
context
'when allow_nil is set to true'
do
let
(
:validator
)
{
described_class
.
new
(
attributes:
[
:link_url
],
allow_nil:
true
)
}