...@@ -2,6 +2,34 @@ ...@@ -2,6 +2,34 @@
documentation](doc/development/changelog.md) for instructions on adding your own documentation](doc/development/changelog.md) for instructions on adding your own
entry. entry.
## 11.9.3 (2019-03-27)
### Security (8 changes)
- Disallow guest users from accessing Releases.
- Fix PDF.js vulnerability.
- Hide "related branches" when user does not have permission.
- Fix XSS in resolve conflicts form.
- Added rake task for removing EXIF data from existing uploads.
- Return cached languages if they've been detected before.
- Disallow updating namespace when updating a project.
- Use UntrustedRegexp for matching refs policy.
## 11.9.2 (2019-03-26)
### Security (8 changes)
- Disallow guest users from accessing Releases.
- Fix PDF.js vulnerability.
- Hide "related branches" when user does not have permission.
- Fix XSS in resolve conflicts form.
- Added rake task for removing EXIF data from existing uploads.
- Return cached languages if they've been detected before.
- Disallow updating namespace when updating a project.
- Use UntrustedRegexp for matching refs policy.
## 11.9.1 (2019-03-25) ## 11.9.1 (2019-03-25)
### Fixed (7 changes) ### Fixed (7 changes)
...@@ -548,6 +576,32 @@ entry. ...@@ -548,6 +576,32 @@ entry.
- Creates mixin to reduce code duplication between CE and EE in graph component. - Creates mixin to reduce code duplication between CE and EE in graph component.
## 11.7.10 (2019-03-28)
### Security (7 changes)
- Disallow guest users from accessing Releases.
- Fix PDF.js vulnerability.
- Hide "related branches" when user does not have permission.
- Fix XSS in resolve conflicts form.
- Added rake task for removing EXIF data from existing uploads.
- Disallow updating namespace when updating a project.
- Use UntrustedRegexp for matching refs policy.
## 11.7.8 (2019-03-26)
### Security (7 changes)
- Disallow guest users from accessing Releases.
- Fix PDF.js vulnerability.
- Hide "related branches" when user does not have permission.
- Fix XSS in resolve conflicts form.
- Added rake task for removing EXIF data from existing uploads.
- Disallow updating namespace when updating a project.
- Use UntrustedRegexp for matching refs policy.
## 11.7.7 (2019-03-19) ## 11.7.7 (2019-03-19)
### Security (2 changes) ### Security (2 changes)
8.3.1 8.3.3
...@@ -16,7 +16,9 @@ export default class Issue { ...@@ -16,7 +16,9 @@ export default class Issue {
Issue.createMrDropdownWrap = document.querySelector('.create-mr-dropdown-wrap'); Issue.createMrDropdownWrap = document.querySelector('.create-mr-dropdown-wrap');
Issue.initMergeRequests(); Issue.initMergeRequests();
if (document.querySelector('#related-branches')) {
Issue.initRelatedBranches(); Issue.initRelatedBranches();
}
this.closeButtons = $('a.btn-close'); this.closeButtons = $('a.btn-close');
this.reopenButtons = $('a.btn-reopen'); this.reopenButtons = $('a.btn-reopen');
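Review bot: The new `document.querySelector('#related-branches')` guard is a client-side convenience — it skips the fetch when the page omits the element — and the actual access control is the `authorize_download_code!` before_action added to Projects::IssuesController in this same commit, together with the `- if can?(current_user, :download_code, @project)` wrapper in the issue view. A one-line comment above the guard would keep the next maintainer from treating it as the security boundary: `// #related-branches is only rendered for users with :download_code; the server enforces that.` The enclosing constructor starts outside the hunk.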
...@@ -28,7 +28,7 @@ export default { ...@@ -28,7 +28,7 @@ export default {
}, },
watch: { pdf: 'load' }, watch: { pdf: 'load' },
mounted() { mounted() {
pdfjsLib.PDFJS.workerSrc = workerSrc; pdfjsLib.GlobalWorkerOptions.workerSrc = workerSrc;
if (this.hasPDF) this.load(); if (this.hasPDF) this.load();
}, },
methods: { methods: {
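Review bot: `pdfjsLib.GlobalWorkerOptions.workerSrc` is assigned inside `mounted()`, so every viewer instance rewrites a library-global setting; the `PDFJS.workerSrc` it replaces behaved the same way, but the renamed API makes the global nature explicit. Hoisting the assignment to module scope next to the `workerSrc` import, `pdfjsLib.GlobalWorkerOptions.workerSrc = workerSrc;`, would set it once and leave `mounted()` with only the `load()` call. The dependency bump that provides the new API is not in this view, so I cannot confirm which pdfjs-dist version the property requires.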
...@@ -46,13 +46,9 @@ class Projects::GraphsController < Projects::ApplicationController ...@@ -46,13 +46,9 @@ class Projects::GraphsController < Projects::ApplicationController
def get_languages def get_languages
@languages = @languages =
if @project.repository_languages.present? ::Projects::RepositoryLanguagesService.new(@project, current_user).execute.map do |lang|
@project.repository_languages.map do |lang|
{ value: lang.share, label: lang.name, color: lang.color, highlight: lang.color } { value: lang.share, label: lang.name, color: lang.color, highlight: lang.color }
end end
else
@project.repository.languages
end
end end
def fetch_graph def fetch_graph
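Review bot: `get_languages` now maps only the persisted languages returned by `RepositoryLanguagesService`, so a project whose languages have not been detected yet renders an empty chart on the first visit while detection runs in the background; the removed `else` branch used to compute them live from `@project.repository.languages`. That matches the changelog entry in this commit, but the empty first result should be documented so it is not mistaken for a bug: `# Persisted languages only; an empty list means detection is still pending (see RepositoryLanguagesService).` `get_languages` is fully inside the hunk; `fetch_graph` continues outside it.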
...@@ -39,6 +39,7 @@ class Projects::IssuesController < Projects::ApplicationController ...@@ -39,6 +39,7 @@ class Projects::IssuesController < Projects::ApplicationController
before_action :authorize_create_merge_request_from!, only: [:create_merge_request] before_action :authorize_create_merge_request_from!, only: [:create_merge_request]
before_action :authorize_import_issues!, only: [:import_csv] before_action :authorize_import_issues!, only: [:import_csv]
before_action :authorize_download_code!, only: [:related_branches]
before_action :set_suggested_issues_feature_flags, only: [:new] before_action :set_suggested_issues_feature_flags, only: [:new]
...@@ -47,7 +47,7 @@ class ProjectsController < Projects::ApplicationController ...@@ -47,7 +47,7 @@ class ProjectsController < Projects::ApplicationController
end end
def create def create
@project = ::Projects::CreateService.new(current_user, project_params).execute @project = ::Projects::CreateService.new(current_user, project_params(attributes: project_params_create_attributes)).execute
if @project.saved? if @project.saved?
cookies[:issue_board_welcome_hidden] = { path: project_path(@project), value: nil, expires: Time.at(0) } cookies[:issue_board_welcome_hidden] = { path: project_path(@project), value: nil, expires: Time.at(0) }
...@@ -328,9 +328,9 @@ class ProjectsController < Projects::ApplicationController ...@@ -328,9 +328,9 @@ class ProjectsController < Projects::ApplicationController
end end
# rubocop: enable CodeReuse/ActiveRecord # rubocop: enable CodeReuse/ActiveRecord
def project_params def project_params(attributes: [])
params.require(:project) params.require(:project)
.permit(project_params_attributes) .permit(project_params_attributes + attributes)
end end
def project_params_attributes def project_params_attributes
...@@ -349,11 +349,10 @@ class ProjectsController < Projects::ApplicationController ...@@ -349,11 +349,10 @@ class ProjectsController < Projects::ApplicationController
:last_activity_at, :last_activity_at,
:lfs_enabled, :lfs_enabled,
:name, :name,
:namespace_id,
:only_allow_merge_if_all_discussions_are_resolved, :only_allow_merge_if_all_discussions_are_resolved,
:only_allow_merge_if_pipeline_succeeds, :only_allow_merge_if_pipeline_succeeds,
:printing_merge_request_link_enabled,
:path, :path,
:printing_merge_request_link_enabled,
:public_builds, :public_builds,
:request_access_enabled, :request_access_enabled,
:runners_token, :runners_token,
...@@ -375,6 +374,10 @@ class ProjectsController < Projects::ApplicationController ...@@ -375,6 +374,10 @@ class ProjectsController < Projects::ApplicationController
] ]
end end
def project_params_create_attributes
[:namespace_id]
end
def custom_import_params def custom_import_params
{} {}
end end
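Review bot: `project_params_create_attributes` gives no reason why `:namespace_id` is permitted only at create time, which is the whole point of the hunk (the same key is removed from `project_params_attributes` at the `:namespace_id,` line in the -349 hunk); a later tidy-up could easily fold it back into the shared list. Suggest a comment on the method: `# Attributes permitted only on create; namespace_id must not be mass-assignable on update.` The update action that relies on the default `attributes: []` is outside this view, so I am inferring that no other caller passes the create list.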
...@@ -133,6 +133,10 @@ class Label < ApplicationRecord ...@@ -133,6 +133,10 @@ class Label < ApplicationRecord
1 1
end end
def self.by_ids(ids)
where(id: ids)
end
def open_issues_count(user = nil) def open_issues_count(user = nil)
issues_count(user, state: 'opened') issues_count(user, state: 'opened')
end end
...@@ -177,7 +177,6 @@ class ProjectPolicy < BasePolicy ...@@ -177,7 +177,6 @@ class ProjectPolicy < BasePolicy
enable :read_cycle_analytics enable :read_cycle_analytics
enable :award_emoji enable :award_emoji
enable :read_pages_content enable :read_pages_content
enable :read_release
end end
# These abilities are not allowed to admins that are not members of the project, # These abilities are not allowed to admins that are not members of the project,
...@@ -204,6 +203,7 @@ class ProjectPolicy < BasePolicy ...@@ -204,6 +203,7 @@ class ProjectPolicy < BasePolicy
enable :read_deployment enable :read_deployment
enable :read_merge_request enable :read_merge_request
enable :read_sentry_issue enable :read_sentry_issue
enable :read_release
end end
# We define `:public_user_access` separately because there are cases in gitlab-ee # We define `:public_user_access` separately because there are cases in gitlab-ee
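Review bot: Moving `enable :read_release` from the first rule block to the second changes the minimum role that can read releases, but the `rule` headers of both blocks lie outside the hunks, so the new threshold is not visible here; the changelog line `Disallow guest users from accessing Releases` in this commit suggests guest → reporter. A short comment next to the moved line, `# Intentionally not granted to guests (see 11.9.3 security changelog)`, would stop a future contributor from moving it back for convenience. Whether any other policy or API layer grants release access independently is not shown in this view.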
...@@ -70,10 +70,14 @@ class IssuableBaseService < BaseService ...@@ -70,10 +70,14 @@ class IssuableBaseService < BaseService
end end
def filter_labels def filter_labels
filter_labels_in_param(:add_label_ids) params[:add_label_ids] = labels_service.filter_labels_ids_in_param(:add_label_ids) if params[:add_label_ids]
filter_labels_in_param(:remove_label_ids) params[:remove_label_ids] = labels_service.filter_labels_ids_in_param(:remove_label_ids) if params[:remove_label_ids]
filter_labels_in_param(:label_ids)
find_or_create_label_ids if params[:label_ids]
params[:label_ids] = labels_service.filter_labels_ids_in_param(:label_ids)
elsif params[:labels]
params[:label_ids] = labels_service.find_or_create_by_titles.map(&:id)
end
end end
def filter_labels_in_param(key) def filter_labels_in_param(key)
...@@ -99,6 +103,10 @@ class IssuableBaseService < BaseService ...@@ -99,6 +103,10 @@ class IssuableBaseService < BaseService
end.compact end.compact
end end
def labels_service
@labels_service ||= ::Labels::AvailableLabelsService.new(current_user, parent, params)
end
def process_label_ids(attributes, existing_label_ids: nil) def process_label_ids(attributes, existing_label_ids: nil)
label_ids = attributes.delete(:label_ids) label_ids = attributes.delete(:label_ids)
add_label_ids = attributes.delete(:add_label_ids) add_label_ids = attributes.delete(:add_label_ids)
...@@ -116,10 +124,6 @@ class IssuableBaseService < BaseService ...@@ -116,10 +124,6 @@ class IssuableBaseService < BaseService
new_label_ids.uniq new_label_ids.uniq
end end
def available_labels
@available_labels ||= LabelsFinder.new(current_user, project_id: @project.id, include_ancestor_groups: true).execute
end
def handle_quick_actions_on_create(issuable) def handle_quick_actions_on_create(issuable)
merge_quick_actions_into_params!(issuable) merge_quick_actions_into_params!(issuable)
end end
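Review bot: `filter_labels_in_param` is still defined on the line right after the first hunk, yet `filter_labels` no longer calls it, and the `available_labels` helper is deleted in the -116 hunk; if its body (not visible here) references `available_labels`, the method is now a latent `NameError` rather than merely dead code, so it should be deleted along with `find_or_create_label_ids` or its remaining callers re-checked. Separately, the new `if params[:label_ids] … elsif params[:labels]` ignores `labels` whenever `label_ids` is present, whereas the old code called `filter_labels_in_param(:label_ids)` and then `find_or_create_label_ids` unconditionally; if both keys can arrive together, that is a behaviour change worth a comment such as `# label_ids takes precedence over labels; the two are never merged`. The enclosing class continues outside the hunks.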
# frozen_string_literal: true
module Labels
class AvailableLabelsService
attr_reader :current_user, :parent, :params
def initialize(current_user, parent, params)
@current_user = current_user
@parent = parent
@params = params
end
def find_or_create_by_titles
labels = params.delete(:labels)
return [] unless labels
labels = labels.split(',') if labels.is_a?(String)
labels.map do |label_name|
label = Labels::FindOrCreateService.new(
current_user,
parent,
include_ancestor_groups: true,
title: label_name.strip,
available_labels: available_labels
).execute
label
end.compact
end
def filter_labels_ids_in_param(key)
return [] if params[key].to_a.empty?
# rubocop:disable CodeReuse/ActiveRecord
available_labels.by_ids(params[key]).pluck(:id)
# rubocop:enable CodeReuse/ActiveRecord
end
private
def available_labels
@available_labels ||= LabelsFinder.new(current_user, finder_params).execute
end
def finder_params
params = { include_ancestor_groups: true }
case parent
when Group
params[:group_id] = parent.id
params[:only_group_labels] = true
when Project
params[:project_id] = parent.id
end
params
end
end
end
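Review bot: In `finder_params` the local `params = { include_ancestor_groups: true }` shadows the `params` attr_reader declared at the top of the class, so a reader of that method cannot tell at a glance that the request params are not being mutated; rename the local, e.g. `options = { include_ancestor_groups: true }` with the matching `options[...]` assignments and final `options`. In `filter_labels_ids_in_param`, `params[key].to_a` assumes the value is an Array or nil; a String value (which a form could submit) has no `to_a` and would raise, so `return [] if params[key].blank?` or `Array(params[key]).empty?` is safer — I cannot see what callers guarantee here. The `by_ids(...).pluck(:id)` line is the permission check that drops label ids outside the parent's scope, which deserves a comment so nobody "optimises" it back to passing the raw ids through, and `find_or_create_by_titles` mutating the caller's params via `params.delete(:labels)` is a side effect the class-level documentation should mention.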
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
module Projects module Projects
class DetectRepositoryLanguagesService < BaseService class DetectRepositoryLanguagesService < BaseService
attr_reader :detected_repository_languages, :programming_languages attr_reader :programming_languages
# rubocop: disable CodeReuse/ActiveRecord # rubocop: disable CodeReuse/ActiveRecord
def execute def execute
...@@ -25,6 +25,8 @@ module Projects ...@@ -25,6 +25,8 @@ module Projects
RepositoryLanguage.table_name, RepositoryLanguage.table_name,
detection.insertions(matching_programming_languages) detection.insertions(matching_programming_languages)
) )
set_detected_repository_languages
end end
project.repository_languages.reload project.repository_languages.reload
...@@ -56,5 +58,11 @@ module Projects ...@@ -56,5 +58,11 @@ module Projects
retry retry
end end
# rubocop: enable CodeReuse/ActiveRecord # rubocop: enable CodeReuse/ActiveRecord
def set_detected_repository_languages
return if project.detected_repository_languages?
project.update_column(:detected_repository_languages, true)
end
end end
end end
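Review bot: `set_detected_repository_languages` flips the flag with `update_column`, which bypasses validations, callbacks and `updated_at`; that is likely deliberate (no need to touch the project's timestamps for a bookkeeping flag), but `RepositoryLanguagesService#perform_language_detection` in this same commit does the same thing, so the rationale should be stated once, e.g. `# update_column: bookkeeping flag only; skip callbacks and updated_at`. The call sits just before an `end` whose opening block is outside the hunk, so I cannot tell whether it runs inside the surrounding bulk-insert transaction; if it does not, an insert failure could still leave the flag set with an empty persisted list, which callers would then read as "detected". The enclosing `execute` method starts outside the hunk.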
# frozen_string_literal: true
module Projects
class RepositoryLanguagesService < BaseService
def execute
perform_language_detection unless project.detected_repository_languages?
persisted_repository_languages
end
private
def perform_language_detection
if persisted_repository_languages.blank?
::DetectRepositoryLanguagesWorker.perform_async(project.id, current_user.id)
else
project.update_column(:detected_repository_languages, true)
end
end
def persisted_repository_languages
project.repository_languages
end
end
end
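Review bot: `perform_language_detection` calls `current_user.id` when the project has no persisted languages, so a nil `current_user` — plausible on the graphs page of a public project viewed anonymously, if that controller permits it — would raise `NoMethodError` instead of queueing detection. If `DetectRepositoryLanguagesWorker` tolerates a nil user id, `current_user&.id` is enough; otherwise `execute` should return the persisted list without enqueueing for anonymous callers, and either way the constraint belongs in a comment on `execute`. The `else` branch, which sets the flag when languages already exist, presumably handles projects detected before the flag was introduced and deserves a one-line comment so it is not read as dead code.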
...@@ -80,6 +80,7 @@ ...@@ -80,6 +80,7 @@
#merge-requests{ data: { url: referenced_merge_requests_project_issue_path(@project, @issue) } } #merge-requests{ data: { url: referenced_merge_requests_project_issue_path(@project, @issue) } }
// This element is filled in using JavaScript. // This element is filled in using JavaScript.
- if can?(current_user, :download_code, @project)
#related-branches{ data: { url: related_branches_project_issue_path(@project, @issue) } } #related-branches{ data: { url: related_branches_project_issue_path(@project, @issue) } }
// This element is filled in using JavaScript. // This element is filled in using JavaScript.
...@@ -6,7 +6,7 @@ ...@@ -6,7 +6,7 @@
.form-group.row .form-group.row
.col-md-4 .col-md-4
%h4= _('Resolve conflicts on source branch') %h4= _('Resolve conflicts on source branch')
.resolve-info .resolve-info{ "v-pre": true }
= translation.html_safe = translation.html_safe
.col-md-8 .col-md-8
%label.label-bold{ "for" => "commit-message" } %label.label-bold{ "for" => "commit-message" }
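Review bot: The `"v-pre": true` attribute on `.resolve-info` is the actual XSS fix — it stops Vue from compiling the server-rendered `translation.html_safe` content as a template — but nothing in the markup says so, and a later cleanup could drop what looks like a stray attribute. Suggest a HAML comment above the line: `-# v-pre: this element sits inside a Vue root; without it the translated HTML would be evaluated as a Vue template.` How `translation` is built is outside this hunk, so I cannot confirm what it interpolates; `html_safe` still means any markup it contains is emitted raw, so the attribute is a containment for template evaluation, not for HTML injection.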
---
title: Disallow guest users from accessing Releases
merge_request:
author:
type: security
---
title: Fix PDF.js vulnerability
merge_request:
author:
type: security
---
title: Hide "related branches" when user does not have permission
merge_request:
author:
type: security
---
title: Fix XSS in resolve conflicts form
merge_request:
author:
type: security
---
title: Added rake task for removing EXIF data from existing uploads.
merge_request:
author:
type: security