Merge branch 'bvl-security-patches' into 'master'

Security patches -> `master` See merge request !11230

Merge branch 'bvl-security-patches' into 'master'
Security patches -> `master` See merge request !11230
180ec711 · Robert Speicher · 09c4d27a · ebd8b7f6 · 180ec711 · 180ec711
--- a/app/controllers/dashboard/snippets_controller.rb
+++ b/app/controllers/dashboard/snippets_controller.rb
 class Dashboard::SnippetsController < Dashboard::ApplicationController
  def index
-    @snippets = SnippetsFinder.new.execute(
+    @snippets = SnippetsFinder.new(
      current_user,
-      filter: :by_user,
-      user: current_user,
+      author: current_user,
      scope: params[:scope]
-    )
+    ).execute
    @snippets = @snippets.page(params[:page])
  end
 end
--- a/app/controllers/explore/groups_controller.rb
+++ b/app/controllers/explore/groups_controller.rb
 class Explore::GroupsController < Explore::ApplicationController
  def index
-    @groups = GroupsFinder.new.execute(current_user)
+    @groups = GroupsFinder.new(current_user).execute
    @groups = @groups.search(params[:filter_groups]) if params[:filter_groups].present?
    @groups = @groups.sort(@sort = params[:sort])
    @groups = @groups.page(params[:page])

--- a/app/controllers/explore/snippets_controller.rb
+++ b/app/controllers/explore/snippets_controller.rb
 class Explore::SnippetsController < Explore::ApplicationController
  def index
-    @snippets = SnippetsFinder.new.execute(current_user, filter: :all)
+    @snippets = SnippetsFinder.new(current_user).execute
    @snippets = @snippets.page(params[:page])
  end
 end
--- a/app/controllers/groups_controller.rb
+++ b/app/controllers/groups_controller.rb
@@ -64,7 +64,7 @@ def show
  end

  def subgroups
-    @nested_groups = group.children
+    @nested_groups = GroupsFinder.new(current_user, parent: group).execute
    @nested_groups = @nested_groups.search(params[:filter_groups]) if params[:filter_groups].present?
  end


--- a/app/controllers/projects/snippets_controller.rb
+++ b/app/controllers/projects/snippets_controller.rb
@@ -23,12 +23,11 @@ class Projects::SnippetsController < Projects::ApplicationController
  respond_to :html

  def index
-    @snippets = SnippetsFinder.new.execute(
+    @snippets = SnippetsFinder.new(
      current_user,
-      filter: :by_project,
      project: @project,
      scope: params[:scope]
-    )
+    ).execute
    @snippets = @snippets.page(params[:page])
    if @snippets.out_of_range? && @snippets.total_pages != 0
      redirect_to namespace_project_snippets_path(page: @snippets.total_pages)

--- a/app/controllers/snippets_controller.rb
+++ b/app/controllers/snippets_controller.rb
@@ -27,12 +27,8 @@ def index

      return render_404 unless @user

-      @snippets = SnippetsFinder.new.execute(current_user, {
-        filter: :by_user,
-        user: @user,
-        scope: params[:scope]
-      })
-      .page(params[:page])
+      @snippets = SnippetsFinder.new(current_user, author: @user, scope: params[:scope])
+        .execute.page(params[:page])

      render 'index'
    else
@@ -103,20 +99,20 @@ def preview_markdown
  protected

  def snippet
-    @snippet ||= if current_user
-                   PersonalSnippet.where("author_id = ? OR visibility_level IN (?)",
-                     current_user.id,
-                     [Snippet::PUBLIC, Snippet::INTERNAL]).
-                     find(params[:id])
-                 else
-                   PersonalSnippet.find(params[:id])
-                 end
+    @snippet ||= PersonalSnippet.find_by(id: params[:id])
  end
+
  alias_method :awardable, :snippet
  alias_method :spammable, :snippet

  def authorize_read_snippet!
-    authenticate_user! unless can?(current_user, :read_personal_snippet, @snippet)
+    return if can?(current_user, :read_personal_snippet, @snippet)
+
+    if current_user
+      render_404
+    else
+      authenticate_user!
+    end
  end

  def authorize_update_snippet!

--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -128,12 +128,11 @@ def load_groups
  end

  def load_snippets
-    @snippets = SnippetsFinder.new.execute(
+    @snippets = SnippetsFinder.new(
      current_user,
-      filter: :by_user,
-      user: user,
+      author: user,
      scope: params[:scope]
-    ).page(params[:page])
+    ).execute.page(params[:page])
  end

  def projects_for_current_user

--- a/app/finders/groups_finder.rb
+++ b/app/finders/groups_finder.rb
 class GroupsFinder < UnionFinder
-  def execute(current_user = nil)
-    segments = all_groups(current_user)
+  def initialize(current_user = nil, params = {})
+    @current_user = current_user
+    @params = params
+  end

-    find_union(segments, Group).with_route.order_id_desc
+  def execute
+    groups = find_union(all_groups, Group).with_route.order_id_desc
+    by_parent(groups)
  end

  private

-  def all_groups(current_user)
+  attr_reader :current_user, :params
+
+  def all_groups
    groups = []

    groups << current_user.authorized_groups if current_user
@@ -15,4 +21,10 @@ def all_groups(current_user)

    groups
  end
+
+  def by_parent(groups)
+    return groups unless params[:parent]
+
+    groups.where(parent: params[:parent])
+  end
 end
--- a/app/finders/notes_finder.rb
+++ b/app/finders/notes_finder.rb
@@ -67,7 +67,7 @@ def noteables_for_type(noteable_type)
    when "merge_request"
      MergeRequestsFinder.new(@current_user, project_id: @project.id).execute
    when "snippet", "project_snippet"
-      SnippetsFinder.new.execute(@current_user, filter: :by_project, project: @project)
+      SnippetsFinder.new(@current_user, project: @project).execute
    when "personal_snippet"
      PersonalSnippet.all
    else

--- a/app/finders/snippets_finder.rb
+++ b/app/finders/snippets_finder.rb
-class SnippetsFinder
-  def execute(current_user, params = {})
-    filter = params[:filter]
-    user = params.fetch(:user, current_user)
-
-    case filter
-    when :all then
-      snippets(current_user).fresh
-    when :public then
-      Snippet.are_public.fresh
-    when :by_user then
-      by_user(current_user, user, params[:scope])
-    when :by_project
-      by_project(current_user, params[:project], params[:scope])
-    end
+class SnippetsFinder < UnionFinder
+  attr_accessor :current_user, :params
+
+  def initialize(current_user, params = {})
+    @current_user = current_user
+    @params = params
+  end
+
+  def execute
+    items = init_collection
+    items = by_project(items)
+    items = by_author(items)
+    items = by_visibility(items)
+
+    items.fresh
  end

  private

-  def snippets(current_user)
-    if current_user
-      Snippet.public_and_internal
-    else
-      # Not authenticated
-      #
-      # Return only:
-      #   public snippets
-      Snippet.are_public
-    end
+  def init_collection
+    items = Snippet.all
+
+    accessible(items)
  end

-  def by_user(current_user, user, scope)
-    snippets = user.snippets.fresh
+  def accessible(items)
+    segments = []
+    segments << items.public_to_user(current_user)
+    segments << authorized_to_user(items)  if current_user

-    if current_user
-      include_private = user == current_user
-      by_scope(snippets, scope, include_private)
-    else
-      snippets.are_public
-    end
+    find_union(segments, Snippet)
  end

-  def by_project(current_user, project, scope)
-    snippets = project.snippets.fresh
+  def authorized_to_user(items)
+    items.where(
+      'author_id = :author_id
+       OR project_id IN (:project_ids)',
+       author_id: current_user.id,
+       project_ids: current_user.authorized_projects.select(:id))
+  end

-    if current_user
-      include_private = project.team.member?(current_user) || current_user.admin?
-      by_scope(snippets, scope, include_private)
-    else
-      snippets.are_public
-    end
+  def by_visibility(items)
+    visibility = params[:visibility] || visibility_from_scope
+
+    return items unless visibility
+
+    items.where(visibility_level: visibility)
+  end
+
+  def by_author(items)
+    return items unless params[:author]
+
+    items.where(author_id: params[:author].id)
+  end
+
+  def by_project(items)
+    return items unless params[:project]
+
+    items.where(project_id: params[:project].id)
  end

-  def by_scope(snippets, scope = nil, include_private = false)
-    case scope.to_s
+  def visibility_from_scope
+    case params[:scope].to_s
    when 'are_private'
-      include_private ? snippets.are_private : Snippet.none
+      Snippet::PRIVATE
    when 'are_internal'
-      snippets.are_internal
+      Snippet::INTERNAL
    when 'are_public'
-      snippets.are_public
+      Snippet::PUBLIC
    else
-      include_private ? snippets : snippets.public_and_internal
+      nil
    end
  end
 end
--- a/app/helpers/markup_helper.rb
+++ b/app/helpers/markup_helper.rb
@@ -116,13 +116,13 @@ def markup_unsafe(file_name, text, context = {})
    if gitlab_markdown?(file_name)
      markdown_unsafe(text, context)
    elsif asciidoc?(file_name)
-      asciidoc_unsafe(text)
+      asciidoc_unsafe(text, context)
    elsif plain?(file_name)
      content_tag :pre, class: 'plain-readme' do
        text
      end
    else
-      other_markup_unsafe(file_name, text)
+      other_markup_unsafe(file_name, text, context)
    end
  rescue RuntimeError
    simple_format(text)
@@ -217,12 +217,12 @@ def markdown_unsafe(text, context = {})
    Banzai.render(text, context)
  end

-  def asciidoc_unsafe(text)
-    Gitlab::Asciidoc.render(text)
+  def asciidoc_unsafe(text, context = {})
+    Gitlab::Asciidoc.render(text, context)
  end

-  def other_markup_unsafe(file_name, text)
-    Gitlab::OtherMarkup.render(file_name, text)
+  def other_markup_unsafe(file_name, text, context = {})
+    Gitlab::OtherMarkup.render(file_name, text, context)
  end

  def prepare_for_rendering(html, context = {})

--- a/app/helpers/submodule_helper.rb
+++ b/app/helpers/submodule_helper.rb
 module SubmoduleHelper
  include Gitlab::ShellAdapter

+  VALID_SUBMODULE_PROTOCOLS = %w[http https git ssh].freeze
+
  # links to files listing for submodule if submodule is a project on this server
  def submodule_links(submodule_item, ref = nil, repository = @repository)
    url = repository.submodule_url_for(ref, submodule_item.path)

-    return url, nil unless url =~ /([^\/:]+)\/([^\/]+(?:\.git)?)\Z/
-
-    namespace = $1
-    project = $2
-    project.chomp!('.git')
+    if url =~ /([^\/:]+)\/([^\/]+(?:\.git)?)\Z/
+      namespace, project = $1, $2
+      project.sub!(/\.git\z/, '')

-    if self_url?(url, namespace, project)
-      return namespace_project_path(namespace, project),
-        namespace_project_tree_path(namespace, project,
-                                    submodule_item.id)
-    elsif relative_self_url?(url)
-      relative_self_links(url, submodule_item.id)
-    elsif github_dot_com_url?(url)
-      standard_links('github.com', namespace, project, submodule_item.id)
-    elsif gitlab_dot_com_url?(url)
-      standard_links('gitlab.com', namespace, project, submodule_item.id)
+      if self_url?(url, namespace, project)
+        [namespace_project_path(namespace, project),
+         namespace_project_tree_path(namespace, project, submodule_item.id)]
+      elsif relative_self_url?(url)
+        relative_self_links(url, submodule_item.id)
+      elsif github_dot_com_url?(url)
+        standard_links('github.com', namespace, project, submodule_item.id)
+      elsif gitlab_dot_com_url?(url)
+        standard_links('gitlab.com', namespace, project, submodule_item.id)
+      else
+        [sanitize_submodule_url(url), nil]
+      end
    else
-      return url, nil
+      [sanitize_submodule_url(url), nil]
    end
  end

@@ -73,4 +75,16 @@ def relative_self_links(url, commit)
      namespace_project_tree_path(namespace, base, commit)
    ]
  end
+
+  def sanitize_submodule_url(url)
+    uri = URI.parse(url)
+
+    if uri.scheme.in?(VALID_SUBMODULE_PROTOCOLS)
+      uri.to_s
+    else
+      nil
+    end
+  rescue URI::InvalidURIError
+    nil
+  end
 end
--- a/app/models/snippet.rb
+++ b/app/models/snippet.rb
@@ -152,18 +152,5 @@ def search_code(query)

      where(table[:content].matches(pattern))
    end
-
-    def accessible_to(user)
-      return are_public unless user.present?
-      return all if user.admin?
-
-      where(
-        'visibility_level IN (:visibility_levels)
-         OR author_id = :author_id
-         OR project_id IN (:project_ids)',
-         visibility_levels: [Snippet::PUBLIC, Snippet::INTERNAL],
-         author_id: user.id,
-         project_ids: user.authorized_projects.select(:id))
-    end
  end
 end
--- a/app/policies/project_snippet_policy.rb
+++ b/app/policies/project_snippet_policy.rb
@@ -13,7 +13,7 @@ def rules
      can! :read_project_snippet
    end

-    if @subject.private? && @subject.project.team.member?(@user)
+    if @subject.project.team.member?(@user)
      can! :read_project_snippet
    end
  end

--- a/app/services/search/snippet_service.rb
+++ b/app/services/search/snippet_service.rb
@@ -7,7 +7,7 @@ def initialize(user, params)
    end

    def execute
-      snippets = Snippet.accessible_to(current_user)
+      snippets = SnippetsFinder.new(current_user).execute

      Gitlab::SnippetSearchResults.new(snippets, params[:search])
    end

--- a/app/views/import/base/create.js.haml
+++ b/app/views/import/base/create.js.haml
@@ -10,4 +10,4 @@
 - else
  :plain
    job = $("tr#repo_#{@repo_id}")
-    job.find(".import-actions").html("<i class='fa fa-exclamation-circle'></i> Error saving project: #{escape_javascript(@project.errors.full_messages.join(','))}")
+    job.find(".import-actions").html("<i class='fa fa-exclamation-circle'></i> Error saving project: #{escape_javascript(h(@project.errors.full_messages.join(',')))}")
--- a/app/views/projects/imports/new.html.haml
+++ b/app/views/projects/imports/new.html.haml
@@ -10,7 +10,7 @@
    .panel-body
      %pre
        :preserve
-          #{sanitize_repo_path(@project, @project.import_error)}
+          #{h(sanitize_repo_path(@project, @project.import_error))}

 = form_for @project, url: namespace_project_import_path(@project.namespace, @project), method: :post, html: { class: 'form-horizontal' } do |f|
  = render "shared/import_form", f: f

--- a/app/views/projects/wikis/git_access.html.haml
+++ b/app/views/projects/wikis/git_access.html.haml
@@ -28,7 +28,7 @@
    %h3 Clone your wiki
    %pre.dark
      :preserve
-        git clone #{ content_tag(:span, default_url_to_repo(@project_wiki), class: 'clone')}
+        git clone #{ content_tag(:span, h(default_url_to_repo(@project_wiki)), class: 'clone')}
        cd #{h @project_wiki.path}

    %h3 Start Gollum and edit locally

--- a/changelogs/unreleased/31157-respect-project-features-in-wiki-search.yml
+++ b/changelogs/unreleased/31157-respect-project-features-in-wiki-search.yml
+---
+title: Enforce project features when searching blobs and wikis
+merge_request:
+author:
--- a/changelogs/unreleased/branch-name-escape.yml
+++ b/changelogs/unreleased/branch-name-escape.yml
+---
+title: Fixed branches dropdown rendering branch names as HTML
+merge_request:
+author: