Add latest changes from gitlab-org/security/gitlab@15-6-stable-ee

Gemfile

@@ -500,7 +500,7 @@ gem 'ssh_data', '~> 1.3'
 gem 'spamcheck', '~> 1.0.0'
 
 # Gitaly GRPC protocol definitions
-gem 'gitaly', '~> 15.5.0'
+gem 'gitaly', '~> 15.5.2'
 
 # KAS GRPC protocol definitions
 gem 'kas-grpc', '~> 0.0.2'

Gemfile.checksum

@@ -199,7 +199,7 @@
 {"name":"gettext_i18n_rails","version":"1.8.0","platform":"ruby","checksum":"95e5cf8440b1e08705b27f2bccb56143272c5a7a0dabcf54ea1bd701140a496f"},
 {"name":"gettext_i18n_rails_js","version":"1.3.0","platform":"ruby","checksum":"5d10afe4be3639bff78c50a56768c20f39aecdabc580c08aa45573911c2bd687"},
 {"name":"git","version":"1.11.0","platform":"ruby","checksum":"7e95ba4da8298a0373ef1a6862aa22007d761f3c8274b675aa787966fecea0f1"},
-{"name":"gitaly","version":"15.5.0","platform":"ruby","checksum":"d85dd4890a1f0fd95f935c848bcedf03f19b78872f20f04b9811e602bea4ef42"},
+{"name":"gitaly","version":"15.5.2","platform":"ruby","checksum":"62babe0596a4505bf95051ea50f17160055e6cf6cacf209273691542120d7881"},
 {"name":"gitlab","version":"4.16.1","platform":"ruby","checksum":"13fd7059cbdad5a1a21b15fa2cf9070b97d92e27f8c688581fe3d84dc038074f"},
 {"name":"gitlab-chronic","version":"0.10.5","platform":"ruby","checksum":"f80f18dc699b708870a80685243331290bc10cfeedb6b99c92219722f729c875"},
 {"name":"gitlab-dangerfiles","version":"3.6.2","platform":"ruby","checksum":"88585532bbb5c0e862ad0776b3804a32129eab06c6a8a7bc96b577baa7aac6c5"},

Gemfile.lock

@@ -554,7 +554,7 @@ GEM
       rails (>= 3.2.0)
     git (1.11.0)
       rchardet (~> 1.8)
-    gitaly (15.5.0)
+    gitaly (15.5.2)
       grpc (~> 1.0)
     gitlab (4.16.1)
       httparty (~> 0.14, >= 0.14.0)
@@ -1663,7 +1663,7 @@ DEPENDENCIES
   gettext (~> 3.3)
   gettext_i18n_rails (~> 1.8.0)
   gettext_i18n_rails_js (~> 1.3)
-  gitaly (~> 15.5.0)
+  gitaly (~> 15.5.2)
   gitlab-chronic (~> 0.10.5)
   gitlab-dangerfiles (~> 3.6.2)
   gitlab-experiment (~> 0.7.1)

app/models/hooks/web_hook.rb

@@ -39,6 +39,8 @@ class WebHook < ApplicationRecord
 
   validates :token, format: { without: /\n/ }
   after_initialize :initialize_url_variables
+
+  before_validation :reset_token
   before_validation :set_branch_filter_nil, \
     if: -> { branch_filter_strategy_all_branches? && enhanced_webhook_support_regex? }
   validates :push_events_branch_filter, \
@@ -218,6 +220,10 @@ def masked_token
 
   private
 
+  def reset_token
+    self.token = nil if url_changed? && !encrypted_token_changed?
+  end
+
   def next_failure_count
     recent_failures.succ.clamp(1, MAX_FAILURES)
   end

app/models/hooks/web_hook_log.rb

@@ -48,6 +48,13 @@ def oversize?
     request_data == OVERSIZE_REQUEST_DATA
   end
 
+  def request_headers
+    super unless web_hook.token?
+    super if self[:request_headers]['X-Gitlab-Token'] == _('[REDACTED]')
+
+    self[:request_headers].merge('X-Gitlab-Token' => _('[REDACTED]'))
+  end
+
   private
 
   def obfuscate_basic_auth

app/models/integrations/jira.rb

@@ -97,7 +97,10 @@ def self.reference_pattern(only_long: true)
     def self.valid_jira_cloud_url?(url)
       return false unless url.present?
 
-      !!URI(url).hostname&.end_with?(JIRA_CLOUD_HOST)
+      uri = URI.parse(url)
+      uri.is_a?(URI::HTTPS) && !!uri.hostname&.end_with?(JIRA_CLOUD_HOST)
+    rescue URI::InvalidURIError
+      false
     end
 
     def data_fields

app/models/repository.rb

@@ -984,12 +984,12 @@ def ancestor?(ancestor_id, descendant_id)
     end
   end
 
-  def clone_as_mirror(url, http_authorization_header: "")
-    import_repository(url, http_authorization_header: http_authorization_header, mirror: true)
+  def clone_as_mirror(url, http_authorization_header: "", resolved_address: "")
+    import_repository(url, http_authorization_header: http_authorization_header, mirror: true, resolved_address: resolved_address)
   end
 
-  def fetch_as_mirror(url, forced: false, refmap: :all_refs, prune: true, http_authorization_header: "")
-    fetch_remote(url, refmap: refmap, forced: forced, prune: prune, http_authorization_header: http_authorization_header)
+  def fetch_as_mirror(url, forced: false, refmap: :all_refs, prune: true, http_authorization_header: "", resolved_address: "")
+    fetch_remote(url, refmap: refmap, forced: forced, prune: prune, http_authorization_header: http_authorization_header, resolved_address: resolved_address)
   end
 
   def fetch_source_branch!(source_repository, source_branch, local_ref)

app/services/markup/rendering_service.rb

@@ -2,8 +2,6 @@
 
 module Markup
   class RenderingService
-    include ActionView::Helpers::TextHelper
-
     # Let's increase the render timeout
     # For a smaller one, a test that renders the blob content statically fails
     # We can consider removing this custom timeout when markup_rendering_timeout FF is removed:
@@ -51,7 +49,7 @@ def markup_unsafe
     rescue StandardError => e
       Gitlab::ErrorTracking.track_exception(e, project_id: context[:project]&.id, file_name: file_name)
 
-      simple_format(text)
+      ActionController::Base.helpers.simple_format(text)
     end
 
     def markdown_unsafe
@@ -63,7 +61,9 @@ def asciidoc_unsafe
     end
 
     def plain_unsafe
-      "<pre class=\"plain-readme\">#{text}</pre>"
+      ActionController::Base.helpers.content_tag :pre, class: 'plain-readme' do
+        text
+      end
     end
 
     def other_markup_unsafe

app/services/packages/nuget/metadata_extraction_service.rb

@@ -104,9 +104,15 @@ def nuspec_file_content
           entry = zip_file.glob('*.nuspec').first
 
           raise ExtractionError, 'nuspec file not found' unless entry
-          raise ExtractionError, 'nuspec file too big' if entry.size > MAX_FILE_SIZE
+          raise ExtractionError, 'nuspec file too big' if MAX_FILE_SIZE < entry.size
 
-          entry.get_input_stream.read
+          Tempfile.open("nuget_extraction_package_file_#{@package_file_id}") do |file|
+            entry.extract(file.path) { true } # allow #extract to overwrite the file
+            file.unlink
+            file.read
+          end
+        rescue Zip::EntrySizeError => e
+          raise ExtractionError, "nuspec file has the wrong entry size: #{e.message}"
         end
       end
 

app/services/projects/import_service.rb

@@ -53,6 +53,8 @@ def extra_attributes_for_measurement
 
     private
 
+    attr_reader :resolved_address
+
     def after_execute_hook
       # Defined in EE::Projects::ImportService
     end
@@ -64,11 +66,7 @@ def track_start_import
     def add_repository_to_project
       if project.external_import? && !unknown_url?
         begin
-          Gitlab::UrlBlocker.validate!(
-            project.import_url,
-            schemes: Project::VALID_IMPORT_PROTOCOLS,
-            ports: Project::VALID_IMPORT_PORTS
-          )
+          @resolved_address = get_resolved_address
         rescue Gitlab::UrlBlocker::BlockedUrlError => e
           raise e, s_("ImportProjects|Blocked import URL: %{message}") % { message: e.message }
         end
@@ -97,9 +95,9 @@ def import_repository
 
       if refmap
         project.ensure_repository
-        project.repository.fetch_as_mirror(project.import_url, refmap: refmap)
+        project.repository.fetch_as_mirror(project.import_url, refmap: refmap, resolved_address: resolved_address)
       else
-        project.repository.import_repository(project.import_url)
+        project.repository.import_repository(project.import_url, resolved_address: resolved_address)
       end
     rescue ::Gitlab::Git::CommandError => e
       # Expire cache to prevent scenarios such as:
@@ -157,6 +155,26 @@ def unknown_url?
     def importer_imports_repository?
       has_importer? && importer_class.try(:imports_repository?)
     end
+
+    def get_resolved_address
+      Gitlab::UrlBlocker
+        .validate!(
+          project.import_url,
+          schemes: Project::VALID_IMPORT_PROTOCOLS,
+          ports: Project::VALID_IMPORT_PORTS,
+          dns_rebind_protection: dns_rebind_protection?)
+        .then do |(import_url, resolved_host)|
+          next '' if resolved_host.nil? || !import_url.scheme.in?(%w[http https])
+
+          import_url.host.to_s
+        end
+    end
+
+    def dns_rebind_protection?
+      return false if Gitlab.http_proxy_env?
+
+      Gitlab::CurrentSettings.dns_rebinding_protection_enabled?
+    end
   end
 end
 

app/services/web_hooks/log_execution_service.rb

@@ -24,6 +24,8 @@ def execute
     private
 
     def log_execution
+      log_data[:request_headers]['X-Gitlab-Token'] = _('[REDACTED]') if hook.token?
+
       WebHookLog.create!(web_hook: hook, **log_data)
     end
 

app/views/projects/tags/_release_link.html.haml

@@ -1,4 +1,5 @@
-.gl-text-secondary
-  = sprite_icon("rocket", size: 12)
-  = _("Release")
-  = link_to release.name, project_release_path(project, release), class: "gl-text-blue-600!"
+- if can?(current_user, :read_release, release)
+  .gl-text-secondary
+    = sprite_icon("rocket", size: 12)
+    = _("Release")
+    = link_to release.name, project_release_path(project, release), class: "gl-text-blue-600!"

app/views/projects/tags/show.html.haml

@@ -57,12 +57,13 @@
     %pre.wrap{ data: { qa_selector: 'tag_message_content' } }
       = strip_signature(@tag.message)
 
-.gl-mb-3.gl-mt-3
-  - if @release&.description.present?
-    .description.md{ data: { qa_selector: 'tag_release_notes_content' } }
-      = markdown_field(@release, :description)
-  - else
-    = s_('TagsPage|This tag has no release notes.')
+- if can?(current_user, :read_release, @release)
+  .gl-mb-3.gl-mt-3
+    - if @release&.description.present?
+      .description.md{ data: { qa_selector: 'tag_release_notes_content' } }
+        = markdown_field(@release, :description)
+    - else
+      = s_('TagsPage|This tag has no release notes.')
 
 - if can?(current_user, :admin_tag, @project)
   .js-delete-tag-modal

lib/gitlab/git/repository.rb

@@ -861,7 +861,11 @@ def empty?
       # no_tags - should we use --no-tags flag?
       # prune - should we use --prune flag?
       # check_tags_changed - should we ask gitaly to calculate whether any tags changed?
-      def fetch_remote(url, refmap: nil, ssh_auth: nil, forced: false, no_tags: false, prune: true, check_tags_changed: false, http_authorization_header: "")
+      # resolved_address - resolved IP address for provided URL
+      def fetch_remote( # rubocop:disable Metrics/ParameterLists
+        url,
+        refmap: nil, ssh_auth: nil, forced: false, no_tags: false, prune: true,
+        check_tags_changed: false, http_authorization_header: "", resolved_address: "")
         wrapped_gitaly_errors do
           gitaly_repository_client.fetch_remote(
             url,
@@ -872,16 +876,17 @@ def fetch_remote(url, refmap: nil, ssh_auth: nil, forced: false, no_tags: false,
             prune: prune,
             check_tags_changed: check_tags_changed,
             timeout: GITLAB_PROJECTS_TIMEOUT,
-            http_authorization_header: http_authorization_header
+            http_authorization_header: http_authorization_header,
+            resolved_address: resolved_address
           )
         end
       end
 
-      def import_repository(url, http_authorization_header: '', mirror: false)
+      def import_repository(url, http_authorization_header: '', mirror: false, resolved_address: '')
         raise ArgumentError, "don't use disk paths with import_repository: #{url.inspect}" if url.start_with?('.', '/')
 
         wrapped_gitaly_errors do
-          gitaly_repository_client.import_repository(url, http_authorization_header: http_authorization_header, mirror: mirror)
+          gitaly_repository_client.import_repository(url, http_authorization_header: http_authorization_header, mirror: mirror, resolved_address: resolved_address)
         end
       end
 

lib/gitlab/gitaly_client/repository_service.rb

@@ -81,7 +81,7 @@ def info_attributes
       # rubocop: disable Metrics/ParameterLists
       # The `remote` parameter is going away soonish anyway, at which point the
       # Rubocop warning can be enabled again.
-      def fetch_remote(url, refmap:, ssh_auth:, forced:, no_tags:, timeout:, prune: true, check_tags_changed: false, http_authorization_header: "")
+      def fetch_remote(url, refmap:, ssh_auth:, forced:, no_tags:, timeout:, prune: true, check_tags_changed: false, http_authorization_header: "", resolved_address: "")
         request = Gitaly::FetchRemoteRequest.new(
           repository: @gitaly_repo,
           force: forced,
@@ -92,7 +92,8 @@ def fetch_remote(url, refmap:, ssh_auth:, forced:, no_tags:, timeout:, prune: tr
           remote_params: Gitaly::Remote.new(
             url: url,
             mirror_refmaps: Array.wrap(refmap).map(&:to_s),
-            http_authorization_header: http_authorization_header
+            http_authorization_header: http_authorization_header,
+            resolved_address: resolved_address
           )
         )
 
@@ -148,12 +149,13 @@ def fork_repository(source_repository)
         )
       end
 
-      def import_repository(source, http_authorization_header: '', mirror: false)
+      def import_repository(source, http_authorization_header: '', mirror: false, resolved_address: '')
         request = Gitaly::CreateRepositoryFromURLRequest.new(
           repository: @gitaly_repo,
           url: source,
           http_authorization_header: http_authorization_header,
-          mirror: mirror
+          mirror: mirror,
+          resolved_address: resolved_address
         )
 
         gitaly_client_call(

spec/features/tags/developer_views_tags_spec.rb

@@ -53,6 +53,8 @@
     end
 
     it 'views a specific tag page' do
+      create(:release, project: project, tag: 'v1.0.0', name: 'v1.0.0', description: nil)
+
       click_on 'v1.0.0'
 
       expect(page).to have_current_path(

spec/lib/gitlab/git/repository_spec.rb

@@ -524,12 +524,13 @@ def submodule_url(path)
         prune: false,
         check_tags_changed: false,
         refmap: nil,
-        http_authorization_header: ""
+        http_authorization_header: "",
+        resolved_address: '172.16.123.1'
       }
 
       expect(repository.gitaly_repository_client).to receive(:fetch_remote).with(url, expected_opts)
 
-      repository.fetch_remote(url, ssh_auth: ssh_auth, forced: true, no_tags: true, prune: false, check_tags_changed: false)
+      repository.fetch_remote(url, ssh_auth: ssh_auth, forced: true, no_tags: true, prune: false, check_tags_changed: false, resolved_address: '172.16.123.1')
     end
 
     it_behaves_like 'wrapping gRPC errors', Gitlab::GitalyClient::RepositoryService, :fetch_remote do
@@ -2448,7 +2449,7 @@ def create_remote_branch(remote_name, branch_name, source_branch_name)
 
     it 'delegates to Gitaly' do
       expect_next_instance_of(Gitlab::GitalyClient::RepositoryService) do |svc|
-        expect(svc).to receive(:import_repository).with(url, http_authorization_header: '', mirror: false).and_return(nil)
+        expect(svc).to receive(:import_repository).with(url, http_authorization_header: '', mirror: false, resolved_address: '').and_return(nil)
       end
 
       repository.import_repository(url)