......@@ -2,6 +2,55 @@
documentation](doc/development/changelog.md) for instructions on adding your own
entry.
## 11.7.8 (2019-03-26)
### Security (7 changes)
- Disallow guest users from accessing Releases.
- Fix PDF.js vulnerability.
- Hide "related branches" when user does not have permission.
- Fix XSS in resolve conflicts form.
- Added rake task for removing EXIF data from existing uploads.
- Disallow updating namespace when updating a project.
- Use UntrustedRegexp for matching refs policy.
## 11.7.7 (2019-03-19)
### Security (2 changes)
- Remove project serialization in quick actions response.
- Fixed ability to see private groups by users not belonging to given group.
## 11.7.6 (2019-02-28)
### Security (22 changes)
- Stop linking to unrecognized package sources. !55518
- Don't allow non-members to see private related MRs.
- Fix potential Addressable::URI::InvalidURIError.
- Do not display impersonated sessions under active sessions and remove ability to revoke session.
- Display only information visible to current user on the Milestone page.
- Show only merge requests visible to user on milestone detail page.
- Disable issue boards API when issues are disabled.
- Don't show new issue link after move when a user does not have permissions.
- Fix git clone revealing private repo's presence.
- Fix blind SSRF in Prometheus integration by checking URL before querying.
- Check snippet attached file to be moved is within designated directory.
- Check if desired milestone for an issue is available.
- Fix arbitrary file read via diffs during import.
- Display the correct number of MRs a user has access to.
- Forbid creating discussions for users with restricted access.
- Do not disclose milestone titles for unauthorized users.
- Validate session key when authorizing with GCP to create a cluster.
- Block local URLs for Kubernetes integration.
- Limit mermaid rendering to 5K characters.
- Remove the possibility to share a project with a group that a user is not a member of.
- Fix leaking private repository information in API.
- Prevent releases links API to leak tag existance.
## 11.7.5 (2019-02-06)
### Fixed (8 changes)
8.0.2
8.0.3
11.7.5
11.7.8
......@@ -16,7 +16,9 @@ export default class Issue {
Issue.createMrDropdownWrap = document.querySelector('.create-mr-dropdown-wrap');
Issue.initMergeRequests();
if (document.querySelector('#related-branches')) {
Issue.initRelatedBranches();
}
this.closeButtons = $('a.btn-close');
this.reopenButtons = $('a.btn-reopen');
......@@ -28,7 +28,7 @@ export default {
},
watch: { pdf: 'load' },
mounted() {
pdfjsLib.PDFJS.workerSrc = workerSrc;
pdfjsLib.GlobalWorkerOptions.workerSrc = workerSrc;
if (this.hasPDF) this.load();
},
methods: {
......@@ -54,7 +54,7 @@ module NotesActions
respond_to do |format|
format.json do
json = {
commands_changes: @note.commands_changes
commands_changes: @note.commands_changes&.slice(:emoji_award, :time_estimate, :spend_time)
}
if @note.persisted? && return_discussion?
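Review bot: The three keys handed to `slice` on the new `commands_changes` line are an allowlist of what the JSON response may expose, but nothing states that, so a later edit could add a key whose value is a serialized record again. Move them into a named, frozen constant with a short comment, e.g. `# Only scalar quick-action results are returned to the client; never add a key that carries a model.` above `COMMANDS_CHANGES_KEYS = %i[emoji_award time_estimate spend_time].freeze`, and write the line as `commands_changes: @note.commands_changes&.slice(*COMMANDS_CHANGES_KEYS)`. The enclosing action and its `respond_to` block start and end outside the hunk.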
......@@ -38,6 +38,7 @@ class Projects::IssuesController < Projects::ApplicationController
before_action :authorize_create_merge_request_from!, only: [:create_merge_request]
before_action :authorize_import_issues!, only: [:import_csv]
before_action :authorize_download_code!, only: [:related_branches]
before_action :set_suggested_issues_feature_flags, only: [:new]
......@@ -46,7 +46,7 @@ class ProjectsController < Projects::ApplicationController
end
def create
@project = ::Projects::CreateService.new(current_user, project_params).execute
@project = ::Projects::CreateService.new(current_user, project_params(attributes: project_params_create_attributes)).execute
if @project.saved?
cookies[:issue_board_welcome_hidden] = { path: project_path(@project), value: nil, expires: Time.at(0) }
......@@ -327,9 +327,9 @@ class ProjectsController < Projects::ApplicationController
end
# rubocop: enable CodeReuse/ActiveRecord
def project_params
def project_params(attributes: [])
params.require(:project)
.permit(project_params_attributes)
.permit(project_params_attributes + attributes)
end
def project_params_attributes
......@@ -348,11 +348,10 @@ class ProjectsController < Projects::ApplicationController
:last_activity_at,
:lfs_enabled,
:name,
:namespace_id,
:only_allow_merge_if_all_discussions_are_resolved,
:only_allow_merge_if_pipeline_succeeds,
:printing_merge_request_link_enabled,
:path,
:printing_merge_request_link_enabled,
:public_builds,
:request_access_enabled,
:runners_token,
......@@ -374,6 +373,10 @@ class ProjectsController < Projects::ApplicationController
]
end
def project_params_create_attributes
[:namespace_id]
end
def custom_import_params
{}
end
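Review bot: `project_params_create_attributes` does not say why `:namespace_id` lives there instead of in `project_params_attributes`, so a future tidy-up could merge the two lists and reopen exactly what the commit closes (the @@ -348 hunk removes `:namespace_id` from the shared list). Add a comment above the method: `# Attributes accepted only on create. namespace_id is kept out of project_params_attributes so an update cannot move a project into another namespace.` The `attributes:` keyword on `project_params(attributes: [])` deserves the same one-line note, marking it as an opt-in for create-only fields rather than a general extension point, since every caller that passes it widens the permitted set. Both method bodies are shown whole in their hunks.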
......@@ -126,6 +126,10 @@ class Label < ActiveRecord::Base
fuzzy_search(query, [:title, :description])
end
def self.by_ids(ids)
where(id: ids)
end
def open_issues_count(user = nil)
issues_count(user, state: 'opened')
end
......@@ -53,7 +53,6 @@ class GroupPolicy < BasePolicy
rule { admin }.enable :read_group
rule { has_projects }.policy do
enable :read_group
enable :read_label
end
......@@ -178,7 +178,6 @@ class ProjectPolicy < BasePolicy
enable :read_cycle_analytics
enable :award_emoji
enable :read_pages_content
enable :read_release
end
# These abilities are not allowed to admins that are not members of the project,
......@@ -204,6 +203,7 @@ class ProjectPolicy < BasePolicy
enable :read_deployment
enable :read_merge_request
enable :read_sentry_issue
enable :read_release
end
# We define `:public_user_access` separately because there are cases in gitlab-ee
......@@ -70,10 +70,14 @@ class IssuableBaseService < BaseService
end
def filter_labels
filter_labels_in_param(:add_label_ids)
filter_labels_in_param(:remove_label_ids)
filter_labels_in_param(:label_ids)
find_or_create_label_ids
params[:add_label_ids] = labels_service.filter_labels_ids_in_param(:add_label_ids) if params[:add_label_ids]
params[:remove_label_ids] = labels_service.filter_labels_ids_in_param(:remove_label_ids) if params[:remove_label_ids]
if params[:label_ids]
params[:label_ids] = labels_service.filter_labels_ids_in_param(:label_ids)
elsif params[:labels]
params[:label_ids] = labels_service.find_or_create_by_titles.map(&:id)
end
end
# rubocop: disable CodeReuse/ActiveRecord
......@@ -101,6 +105,10 @@ class IssuableBaseService < BaseService
end.compact
end
def labels_service
@labels_service ||= ::Labels::AvailableLabelsService.new(current_user, parent, params)
end
def process_label_ids(attributes, existing_label_ids: nil)
label_ids = attributes.delete(:label_ids)
add_label_ids = attributes.delete(:add_label_ids)
......@@ -118,10 +126,6 @@ class IssuableBaseService < BaseService
new_label_ids
end
def available_labels
@available_labels ||= LabelsFinder.new(current_user, project_id: @project.id, include_ancestor_groups: true).execute
end
def handle_quick_actions_on_create(issuable)
merge_quick_actions_into_params!(issuable)
end
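Review bot: In the new `filter_labels`, when `params[:label_ids]` and `params[:labels]` are both present the `elsif` branch never runs, so `:labels` is neither consumed nor removed and stays in the hash; if that hash later reaches attribute assignment, confirm the leftover key is harmless, or clear it in the `if` branch with `params.delete(:labels)`. The memoized `labels_service` shares and mutates the same `params` object this service holds (its `find_or_create_by_titles` deletes `:labels`), which a reader of this file cannot see; a comment on `labels_service` such as `# Shares our params hash and removes :labels once they are consumed.` would make that visible. The `filter_labels` method is shown whole; the `labels_service` hunk and the removed `available_labels` hunk are covered by the second point.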
# frozen_string_literal: true
module Labels
class AvailableLabelsService
attr_reader :current_user, :parent, :params
def initialize(current_user, parent, params)
@current_user = current_user
@parent = parent
@params = params
end
def find_or_create_by_titles
labels = params.delete(:labels)
return [] unless labels
labels = labels.split(',') if labels.is_a?(String)
labels.map do |label_name|
label = Labels::FindOrCreateService.new(
current_user,
parent,
include_ancestor_groups: true,
title: label_name.strip,
available_labels: available_labels
).execute
label
end.compact
end
def filter_labels_ids_in_param(key)
return [] if params[key].to_a.empty?
# rubocop:disable CodeReuse/ActiveRecord
available_labels.by_ids(params[key]).pluck(:id)
# rubocop:enable CodeReuse/ActiveRecord
end
private
def available_labels
@available_labels ||= LabelsFinder.new(current_user, finder_params).execute
end
def finder_params
params = { include_ancestor_groups: true }
case parent
when Group
params[:group_id] = parent.id
params[:only_group_labels] = true
when Project
params[:project_id] = parent.id
end
params
end
end
end
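Review bot: In `finder_params` the local `params` shadows the `params` attr_reader, so inside that method the caller's hash is unreachable and a reader may assume it is being forwarded to the finder; rename it, e.g. `opts = { include_ancestor_groups: true }` and return `opts`. The `case parent` has no `else`, so a parent that is neither `Group` nor `Project` silently builds a finder with no group or project scope — since `available_labels` appears to be what keeps label ids within what the user may see, confirm what `LabelsFinder` returns in that case and prefer `else raise ArgumentError, "unsupported parent: #{parent.class}"`. In `filter_labels_ids_in_param`, `params[key].to_a` raises `NoMethodError` for a scalar id; `ids = Array(params[key])` covers nil, a single id and an array in one call. In `find_or_create_by_titles` the `label = ...; label` pair is redundant, and the `params.delete(:labels)` side effect on the caller's hash deserves a one-line comment.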
......@@ -74,6 +74,7 @@
#merge-requests{ data: { url: referenced_merge_requests_project_issue_path(@project, @issue) } }
// This element is filled in using JavaScript.
- if can?(current_user, :download_code, @project)
#related-branches{ data: { url: related_branches_project_issue_path(@project, @issue) } }
// This element is filled in using JavaScript.
......@@ -6,7 +6,7 @@
.form-group.row
.col-md-4
%h4= _('Resolve conflicts on source branch')
.resolve-info
.resolve-info{ "v-pre": true }
= translation.html_safe
.col-md-8
%label.label-bold{ "for" => "commit-message" }
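Review bot: The new `"v-pre": true` on `.resolve-info` carries no explanation, and the `= translation.html_safe` beneath it still marks server-built markup as safe, so a reader cannot tell which of the two lines is the guard. Add a haml comment above the element: `-# v-pre keeps Vue from compiling this server-rendered HTML as a template; html_safe alone does not protect against template interpolation.` The enclosing form starts and ends outside the hunk.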
---
title: Remove the possibility to share a project with a group that a user is not a member
of
merge_request:
author:
type: security
---
title: Check if desired milestone for an issue is available
merge_request:
author:
type: security
---
title: Fix potential Addressable::URI::InvalidURIError
merge_request:
author:
type: security
---
title: Do not display impersonated sessions under active sessions and remove ability
to revoke session
merge_request:
author:
type: security
---
title: Display only information visible to current user on the Milestone page
merge_request:
author:
type: security