CHANGELOG-EE.md

 Please view this file on the master branch, on stable branches it's out of date.
 
+## 13.5.5 (2020-12-07)
+
+### Security (1 change)
+
+- Cleanup todos for confidential epics that are no longer accessible by the user.
+
+
 ## 13.5.4 (2020-11-13)
 
 ### Fixed (1 change)

CHANGELOG.md

@@ -2,6 +2,22 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 13.5.5 (2020-12-07)
+
+### Security (10 changes)
+
+- Validate zoom links to start with https only. !1055
+- Require at least 3 characters when searching for project in the Explore page.
+- Do not show emails of users in confirmation page.
+- Forbid setting a gitlabUserList strategy to a list from another project.
+- Fix mermaid resource consumption in GFM fields.
+- Ensure group and project memberships are not leaked via API for users with private profiles.
+- GraphQL User: do not expose email if set to private.
+- Filter search parameter to prevent data leaks.
+- Do not expose starred projects of users with private profile via API.
+- Do not show starred & contributed projects of users with private profile.
+
+
 ## 13.5.4 (2020-11-13)
 
 ### Fixed (4 changes)

GITALY_SERVER_VERSION

-13.5.4
\ No newline at end of file
+13.5.5
\ No newline at end of file

VERSION

-13.5.4-ee
\ No newline at end of file
+13.5.5-ee
\ No newline at end of file

app/assets/javascripts/behaviors/markdown/render_mermaid.js

@@ -18,7 +18,13 @@ import { __, sprintf } from '~/locale';
 //
 
 // This is an arbitrary number; Can be iterated upon when suitable.
-const MAX_CHAR_LIMIT = 5000;
+const MAX_CHAR_LIMIT = 2000;
+// Max # of mermaid blocks that can be rendered in a page.
+const MAX_MERMAID_BLOCK_LIMIT = 50;
+// Keep a map of mermaid blocks we've already rendered.
+const elsProcessingMap = new WeakMap();
+let renderedMermaidBlocks = 0;
+
 let mermaidModule = {};
 
 function importMermaidModule() {
@@ -110,13 +116,22 @@ function renderMermaids($els) {
       let renderedChars = 0;
 
       $els.each((i, el) => {
+        // Skipping all the elements which we've already queued in requestIdleCallback
+        if (elsProcessingMap.has(el)) {
+          return;
+        }
+
         const { source } = fixElementSource(el);
         /**
-         * Restrict the rendering to a certain amount of character to
-         * prevent mermaidjs from hanging up the entire thread and
-         * causing a DoS.
+         * Restrict the rendering to a certain amount of character
+         * and mermaid blocks to prevent mermaidjs from hanging
+         * up the entire thread and causing a DoS.
          */
-        if ((source && source.length > MAX_CHAR_LIMIT) || renderedChars > MAX_CHAR_LIMIT) {
+        if (
+          (source && source.length > MAX_CHAR_LIMIT) ||
+          renderedChars > MAX_CHAR_LIMIT ||
+          renderedMermaidBlocks >= MAX_MERMAID_BLOCK_LIMIT
+        ) {
           const html = `
           <div class="alert gl-alert gl-alert-warning alert-dismissible lazy-render-mermaid-container js-lazy-render-mermaid-container fade show" role="alert">
             <div>
@@ -146,8 +161,13 @@ function renderMermaids($els) {
         }
 
         renderedChars += source.length;
+        renderedMermaidBlocks += 1;
+
+        const requestId = window.requestIdleCallback(() => {
+          renderMermaidEl(el);
+        });
 
-        renderMermaidEl(el);
+        elsProcessingMap.set(el, requestId);
       });
     })
     .catch(err => {

app/controllers/explore/projects_controller.rb

@@ -8,6 +8,8 @@ class Explore::ProjectsController < Explore::ApplicationController
   include SortingHelper
   include SortingPreference
 
+  MIN_SEARCH_LENGTH = 3
+
   before_action :set_non_archived_param
   before_action :set_sorting
 
@@ -72,7 +74,7 @@ def load_project_counts
   def load_projects
     load_project_counts
 
-    projects = ProjectsFinder.new(current_user: current_user, params: params).execute
+    projects = ProjectsFinder.new(current_user: current_user, params: params.merge(minimum_search_length: MIN_SEARCH_LENGTH)).execute
 
     projects = preload_associations(projects)
     projects = projects.page(params[:page]).without_count

app/controllers/projects/feature_flags_controller.rb

@@ -77,7 +77,7 @@ def update
       end
     else
       respond_to do |format|
-        format.json { render_error_json(result[:message]) }
+        format.json { render_error_json(result[:message], result[:http_status]) }
       end
     end
   end
@@ -167,8 +167,8 @@ def render_success_json(feature_flag)
     render json: feature_flag_json(feature_flag), status: :ok
   end
 
-  def render_error_json(messages)
+  def render_error_json(messages, status = :bad_request)
     render json: { message: messages },
-           status: :bad_request
+           status: status
   end
 end

app/controllers/search_controller.rb

@@ -128,7 +128,6 @@ def append_info_to_payload(payload)
     payload[:metadata] ||= {}
     payload[:metadata]['meta.search.group_id'] = params[:group_id]
     payload[:metadata]['meta.search.project_id'] = params[:project_id]
-    payload[:metadata]['meta.search.search'] = params[:search]
     payload[:metadata]['meta.search.scope'] = params[:scope]
   end
 

app/controllers/users_controller.rb

@@ -19,7 +19,7 @@ class UsersController < ApplicationController
   prepend_before_action(only: [:show]) { authenticate_sessionless_user!(:rss) }
   before_action :user, except: [:exists, :suggests]
   before_action :authorize_read_user_profile!,
-                only: [:calendar, :calendar_activities, :groups, :projects, :contributed_projects, :starred_projects, :snippets]
+                only: [:calendar, :calendar_activities, :groups, :projects, :contributed, :starred, :snippets]
 
   feature_category :users
 

app/finders/projects_finder.rb

@@ -18,6 +18,7 @@
 #     personal: boolean
 #     search: string
 #     search_namespaces: boolean
+#     minimum_search_length: int
 #     non_archived: boolean
 #     archived: 'only' or boolean
 #     min_access_level: integer
@@ -182,6 +183,9 @@ def by_tags(items)
 
   def by_search(items)
     params[:search] ||= params[:name]
+
+    return items.none if params[:search].present? && params[:minimum_search_length].present? && params[:search].length < params[:minimum_search_length].to_i
+
     items.optionally_search(params[:search], include_namespace: params[:search_namespaces].present?)
   end
 

app/finders/starred_projects_finder.rb

 # frozen_string_literal: true
 
 class StarredProjectsFinder < ProjectsFinder
+  include Gitlab::Allowable
+
   def initialize(user, params: {}, current_user: nil)
+    @user = user
+
     super(
       params: params,
       current_user: current_user,
       project_ids_relation: user.starred_projects.select(:id)
     )
   end
+
+  def execute
+    # Do not show starred projects if the user has a private profile.
+    return Project.none unless can?(current_user, :read_user_profile, @user)
+
+    super
+  end
 end

app/graphql/types/user_type.rb

@@ -19,7 +19,7 @@ class UserType < BaseObject
     field :state, Types::UserStateEnum, null: false,
           description: 'State of the user'
     field :email, GraphQL::STRING_TYPE, null: true,
-          description: 'User email'
+          description: 'User email', method: :public_email
     field :avatar_url, GraphQL::STRING_TYPE, null: true,
           description: "URL of the user's avatar"
     field :web_url, GraphQL::STRING_TYPE, null: false,
@@ -30,13 +30,11 @@ class UserType < BaseObject
           resolver: Resolvers::TodoResolver,
           description: 'Todos of the user'
     field :group_memberships, Types::GroupMemberType.connection_type, null: true,
-          description: 'Group memberships of the user',
-          method: :group_members
+          description: 'Group memberships of the user'
     field :status, Types::UserStatusType, null: true,
            description: 'User status'
     field :project_memberships, Types::ProjectMemberType.connection_type, null: true,
-          description: 'Project memberships of the user',
-          method: :project_members
+          description: 'Project memberships of the user'
     field :starred_projects, Types::ProjectType.connection_type, null: true,
           description: 'Projects starred by the user',
           resolver: Resolvers::UserStarredProjectsResolver

app/models/operations/feature_flags/user_list.rb

@@ -23,6 +23,11 @@ class UserList < ApplicationRecord
 
       before_destroy :ensure_no_associated_strategies
 
+      def self.belongs_to?(project_id, user_list_ids)
+        uniq_ids = user_list_ids.uniq
+        where(id: uniq_ids, project_id: project_id).count == uniq_ids.count
+      end
+
       private
 
       def ensure_no_associated_strategies

app/presenters/user_presenter.rb

@@ -2,4 +2,18 @@
 
 class UserPresenter < Gitlab::View::Presenter::Delegated
   presents :user
+
+  def group_memberships
+    should_be_private? ? GroupMember.none : user.group_members
+  end
+
+  def project_memberships
+    should_be_private? ? ProjectMember.none : user.project_members
+  end
+
+  private
+
+  def should_be_private?
+    !can?(current_user, :read_user_profile, user)
+  end
 end

app/services/feature_flags/update_service.rb

@@ -10,6 +10,7 @@ class UpdateService < FeatureFlags::BaseService
 
     def execute(feature_flag)
       return error('Access Denied', 403) unless can_update?(feature_flag)
+      return error('Not Found', 404) unless valid_user_list_ids?(feature_flag, user_list_ids(params))
 
       ActiveRecord::Base.transaction do
         feature_flag.assign_attributes(params)
@@ -83,5 +84,15 @@ def updated_scope_message(scope)
     def can_update?(feature_flag)
       Ability.allowed?(current_user, :update_feature_flag, feature_flag)
     end
+
+    def user_list_ids(params)
+      params.fetch(:strategies_attributes, [])
+        .select { |s| s[:user_list_id].present? }
+        .map { |s| s[:user_list_id] }
+    end
+
+    def valid_user_list_ids?(feature_flag, user_list_ids)
+      user_list_ids.empty? || ::Operations::FeatureFlags::UserList.belongs_to?(feature_flag.project_id, user_list_ids)
+    end
   end
 end

app/services/todos/destroy/entity_leave_service.rb

@@ -22,7 +22,7 @@ def execute
         # if at least reporter, all entities including confidential issues can be accessed
         return if user_has_reporter_access?
 
-        remove_confidential_issue_todos
+        remove_confidential_resource_todos
 
         if entity.private?
           remove_project_todos
@@ -40,7 +40,7 @@ def enqueue_private_features_worker
         end
       end
 
-      def remove_confidential_issue_todos
+      def remove_confidential_resource_todos
         Todo
           .for_target(confidential_issues.select(:id))
           .for_type(Issue.name)
@@ -133,3 +133,5 @@ def confidential_issues
     end
   end
 end
+
+Todos::Destroy::EntityLeaveService.prepend_if_ee('EE::Todos::Destroy::EntityLeaveService')

app/validators/zoom_url_validator.rb

@@ -5,8 +5,13 @@
 # Custom validator for zoom urls
 #
 class ZoomUrlValidator < ActiveModel::EachValidator
+  ALLOWED_SCHEMES = %w(https).freeze
+
   def validate_each(record, attribute, value)
-    return if Gitlab::ZoomLinkExtractor.new(value).links.size == 1
+    links_count = Gitlab::ZoomLinkExtractor.new(value).links.size
+    valid = Gitlab::UrlSanitizer.valid?(value, allowed_schemes: ALLOWED_SCHEMES)
+
+    return if links_count == 1 && valid
 
     record.errors.add(:url, 'must contain one valid Zoom URL')
   end

app/views/devise/confirmations/new.html.haml

@@ -6,7 +6,7 @@
         = render "devise/shared/error_messages", resource: resource
       .form-group
         = f.label :email
-        = f.email_field :email, class: "form-control", required: true, title: 'Please provide a valid email address.'
+        = f.email_field :email, class: "form-control", required: true, title: 'Please provide a valid email address.', value: nil
       .clearfix
         = f.submit "Resend", class: 'btn btn-success'
 

app/views/explore/projects/_projects.html.haml

-- is_explore_page = defined?(explore_page) && explore_page
-= render 'shared/projects/list', projects: projects, user: current_user, explore_page: is_explore_page, pipeline_status: Feature.enabled?(:dashboard_pipeline_status, default_enabled: true)
+- if params[:name].present? && params[:name].size < Explore::ProjectsController::MIN_SEARCH_LENGTH
+  .nothing-here-block
+    %h5= _('Enter at least three characters to search')
+- else
+  - is_explore_page = defined?(explore_page) && explore_page
+  = render 'shared/projects/list', projects: projects, user: current_user, explore_page: is_explore_page, pipeline_status: Feature.enabled?(:dashboard_pipeline_status, default_enabled: true)

config/application.rb

@@ -137,6 +137,7 @@ class Application < Rails::Application
       encrypted_key
       import_url
       elasticsearch_url
+      search
       otp_attempt
       sentry_dsn
       trace