
GitLab Upgrade Alert - Security Upgrade Alert Modal

Zack Cuddy requested to merge 379131-version-check-modal-iteration-1 into master

What does this MR do and why?

Work towards #344682 (closed)
Closes #379132 (closed)

This change adds a Temporarily Dismissible Modal for instance admins to upgrade when their instance is behind a Security Release. We use the existing Version Check application to determine the severity of an upgrade and only render the alert when the severity is danger.

There is a lot of discussion and context about this initiative on this issue: #344682 (closed)

This change uses a Cookie that expires in 3 days to temporarily hide the modal whenever the user clicks one of the actions available to them.

Additionally, some Snowplow tracking has been added to the rendering of this component and its links/buttons.

Screenshots or screen recordings

Description                          Screenshot
No Stable Versions or Details        1
Stable Versions but no Details       2
Both Stable Versions and Details     3

How to set up and validate locally

Important

  1. Ensure Gitlab::CurrentSettings.version_check_enabled is set to true (it defaults to true)
  2. We have to "spoof" a security upgrade so you will have to apply a patch to see the modal (GDK is always up to date)

How to test

  1. Apply patch for a full Security Alert (No Stable Versions or Details, Screenshot 3)
Patch
diff --git a/app/helpers/version_check_helper.rb b/app/helpers/version_check_helper.rb
index 0bb92dfd118..115e8df703b 100644
--- a/app/helpers/version_check_helper.rb
+++ b/app/helpers/version_check_helper.rb
@@ -13,7 +13,8 @@ def show_version_check?
   end
 
   def gitlab_version_check
-    VersionCheck.new.response
+    # VersionCheck.new.response
+    { "severity" => SECURITY_ALERT_SEVERITY, "details" => 'There is a runner token vulnerability on this version. Please upgrade to prevent an attacker executing code on your instance', "latest_stable_versions" => ['15.8.1', '15.9.0', '16.0.0'] }
   end
   strong_memoize_attr :gitlab_version_check
 
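Review bot: the stubbed `gitlab_version_check` returns a fixed hash that always carries both `"details"` and `"latest_stable_versions"`, so this local patch only exercises the "Both Stable Versions and Details" state (Screenshot 3); to check the other two screenshot states, drop the `"latest_stable_versions"` key, and then the `"details"` key, from the literal before refreshing. Consider also making the `"details"` text an obvious placeholder rather than a plausible advisory about a runner token vulnerability, so a screenshot taken with this patch applied cannot be mistaken for a real security notice, and keep in mind that the patch leaves the real `VersionCheck.new.response` call commented out and must not be committed.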
  2. Refresh page and ensure a modal pops up similar to Screenshot 3
  3. Important: Clicking Upgrade now or Remind me will hide the modal for 3 days (stored in Cookie)
  4. Test Learn more takes you to Release posts and fires Snowplow event
  5. Test Close button hides modal and fires Snowplow event. Refresh and modal re-appears
  6. Click Upgrade now, ensure it navigates to Upgrade docs, fires Snowplow event, and modal doesn't pop back up after navigation
  7. Clear Cookies (Chrome -> Dev Tools -> Application Tab -> Storage (Cookies))
  8. Refresh and modal re-appears
  9. Click Remind me in 3 days, ensure modal hides, Snowplow event fires, and on refresh it doesn't reappear
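The gating and dismissal behaviour described in the MR summary (render only when the version-check severity is "danger", hide for 3 days via a cookie when the user acts) and exercised by the manual steps above, modelled as plain functions. This is an added example, not GitLab's own frontend code: the cookie name, the action identifiers, and the assumption that "Learn more" does not set the cookie are all hypothetical; only "Upgrade now" and "Remind me" are stated by the MR to dismiss for 3 days, and "Close" is stated not to.

```javascript
// Added example, not code from the GitLab MR. Pure functions so it runs
// in Node without a DOM; in the browser the cookie string would come from
// and go to document.cookie.

const SECURITY_ALERT_SEVERITY = 'danger';                          // assumed to match the helper's constant
const DISMISS_COOKIE_NAME = 'security_upgrade_alert_dismissed';    // hypothetical cookie name
const DISMISS_DAYS = 3;                                            // stated in the MR

// Actions that set the 3-day cookie. "upgrade" and "remind" per the MR;
// "close" explicitly does not; "learn_more" is not specified, treated as not dismissing (assumption).
const DISMISSING_ACTIONS = new Set(['upgrade', 'remind']);

// Parse a "a=1; b=2" cookie header into an object.
function parseCookies(cookieHeader) {
  const jar = {};
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) jar[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return jar;
}

// Show the modal only for a security-severity response that has not been
// temporarily dismissed. A missing or non-danger response never renders it.
function shouldShowSecurityUpgradeModal(versionCheck, cookieHeader) {
  if (!versionCheck || versionCheck.severity !== SECURITY_ALERT_SEVERITY) return false;
  return parseCookies(cookieHeader)[DISMISS_COOKIE_NAME] !== 'true';
}

// Cookie string to set when the user clicks an action, or null when the
// action only hides the modal for the current page (it reappears on refresh).
function dismissCookieFor(action, now = new Date()) {
  if (!DISMISSING_ACTIONS.has(action)) return null;
  const expires = new Date(now.getTime() + DISMISS_DAYS * 24 * 60 * 60 * 1000);
  return `${DISMISS_COOKIE_NAME}=true; expires=${expires.toUTCString()}; path=/; SameSite=Lax`;
}

// The three display states from the screenshots table: details and the
// stable-version list are each optional in the version-check response.
function modalContent(versionCheck) {
  const versions = Array.isArray(versionCheck.latest_stable_versions)
    ? versionCheck.latest_stable_versions
    : [];
  return {
    details: typeof versionCheck.details === 'string' && versionCheck.details ? versionCheck.details : null,
    latestStableVersions: versions,
  };
}

// Constructed sample response in the shape of the local test patch above.
const SAMPLE_RESPONSE = {
  severity: 'danger',
  details: 'Placeholder advisory text for local testing',
  latest_stable_versions: ['15.8.1', '15.9.0', '16.0.0'],
};

module.exports = { shouldShowSecurityUpgradeModal, dismissCookieFor, modalContent, parseCookies, SAMPLE_RESPONSE };
```

Walking the MR's test steps through these functions: with no cookie the modal shows; "Close" returns null from `dismissCookieFor` so a refresh shows it again; "Upgrade now" or "Remind me" return a cookie whose expiry is exactly 3 days out, after which `shouldShowSecurityUpgradeModal` returns false until the cookie is cleared or expires.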

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #379131 (closed)

Edited by Zack Cuddy
