Merge branch '387719_01-disable-critical-security-alert' into 'master'
What does this MR do and why?
Related to #387719 (closed)
This change pulls back a new feature that was not well received because our GitLab Version Application (https://gitlab.com/gitlab-services/version-gitlab-com) does not yet cleanly separate Critical Security Releases from Regular Security Releases.
Rather than remove the code and the team's hard work, we are adding a Feature Flag that is disabled by default. The plan is to expand the GitLab Version Application and then remove this Feature Flag; ideally it will be a very short-lived Feature Flag.
Screenshots or screen recordings
Screenshots (images not included here): FF Disabled, FF Enabled
How to set up and validate locally
- Apply patch for a Critical Security Alert
Patch
diff --git a/app/helpers/version_check_helper.rb b/app/helpers/version_check_helper.rb
index 0bb92dfd118..115e8df703b 100644
--- a/app/helpers/version_check_helper.rb
+++ b/app/helpers/version_check_helper.rb
@@ -13,7 +13,8 @@ def show_version_check?
end
def gitlab_version_check
- VersionCheck.new.response
+ # VersionCheck.new.response
+ { "severity" => SECURITY_ALERT_SEVERITY, "details" => 'There is a runner token vulnerability on this version. Please upgrade to prevent an attacker executing code on your instance', "latest_stable_versions" => ['15.8.1', '15.9.0', '16.0.0'] }
end
strong_memoize_attr :gitlab_version_check
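Review bot: the `+ { "severity" => SECURITY_ALERT_SEVERITY, ... }` line is a local test stub and must stay out of the merged change: it leaves `# VersionCheck.new.response` behind as commented-out dead code and hard-codes a critical alert with fixed `latest_stable_versions`, so every instance would render the alert regardless of its real version-check result. Keep it as the local-only patch this section describes, and if a reusable fixture is wanted, stub `VersionCheck#response` in a spec rather than editing the helper. Note also that `strong_memoize_attr :gitlab_version_check` memoizes the stubbed hash per helper instance, so the feature flag is the only input the validation steps below actually toggle.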
- Disable the Feature Flag (in `rails c`):

```ruby
Feature.disable(:critical_security_alert)
```
- Refresh the page (it may take a second for the GDK to see the FF flip)
- Ensure Modal and Alert do not appear
- Enable the Feature Flag (in `rails c`):

```ruby
Feature.enable(:critical_security_alert)
```
- Refresh the page (it may take a second for the GDK to see the FF flip)
- Ensure Modal and Alert do appear
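As an added illustration, not GitLab's own code, the following self-contained Ruby model shows the flag-gated behaviour these validation steps exercise: a stand-in `Feature` registry mirroring the `Feature.enable`/`Feature.disable` calls above, a `VersionCheck` stub that returns a constructed response of the same shape as the local testing patch, and a helper whose `show_critical_security_alert?` fires only when the `critical_security_alert` flag is enabled and the response severity is critical. The class names, the `SECURITY_ALERT_SEVERITY` value, the memoization detail and the response data are assumptions made for this example.

```ruby
# Added example, not GitLab code: models the flag-gated critical security alert.
# Feature, VersionCheck, VersionCheckHelper and the response data below are
# constructed stand-ins; only the flag name matches the MR.

SECURITY_ALERT_SEVERITY = 'critical'.freeze

# In-memory stand-in for the feature flag registry (assumed to mirror the
# Feature.enable / Feature.disable calls used in `rails c` above).
module Feature
  @flags = {}

  def self.enable(name)
    @flags[name] = true
  end

  def self.disable(name)
    @flags[name] = false
  end

  # A flag that was never enabled is off, matching "disabled by default".
  def self.enabled?(name)
    @flags.fetch(name, false)
  end
end

# Stand-in for the version check client; it takes the response it should
# return so the example can exercise both critical and non-critical results.
class VersionCheck
  attr_reader :response

  def initialize(response)
    @response = response
  end
end

# Constructed sample responses (same shape as the local testing patch above).
CRITICAL_RESPONSE = {
  'severity' => SECURITY_ALERT_SEVERITY,
  'details' => 'Constructed sample alert text for the example',
  'latest_stable_versions' => ['15.8.1', '15.9.0', '16.0.0']
}.freeze

NON_CRITICAL_RESPONSE = CRITICAL_RESPONSE.merge('severity' => 'success').freeze

# Stand-in for the view helper. The response is memoized per helper instance
# (assumed to behave like strong_memoize_attr), so each page load builds a
# fresh one; that is why the steps above say to refresh after flipping the flag.
class VersionCheckHelper
  def initialize(version_check)
    @version_check = version_check
  end

  def gitlab_version_check
    @gitlab_version_check ||= @version_check.response
  end

  # The feature flag is checked first: with it disabled (the default), even a
  # critical response renders no modal or alert.
  def show_critical_security_alert?
    return false unless Feature.enabled?(:critical_security_alert)

    response = gitlab_version_check
    !response.nil? && response['severity'] == SECURITY_ALERT_SEVERITY
  end
end

# Walks the validation steps from the MR description and returns what each
# step should observe: the alert is visible only when the flag is on AND the
# version check reports a critical severity.
def validate_flag_gating
  critical = VersionCheck.new(CRITICAL_RESPONSE)
  benign   = VersionCheck.new(NON_CRITICAL_RESPONSE)
  results  = {}

  # Default state: flag never enabled, so no alert even for a critical response.
  results[:default] = VersionCheckHelper.new(critical).show_critical_security_alert?

  Feature.disable(:critical_security_alert)
  results[:disabled_critical] = VersionCheckHelper.new(critical).show_critical_security_alert?

  Feature.enable(:critical_security_alert)
  results[:enabled_critical]     = VersionCheckHelper.new(critical).show_critical_security_alert?
  results[:enabled_non_critical] = VersionCheckHelper.new(benign).show_critical_security_alert?

  Feature.disable(:critical_security_alert)
  results
end

puts validate_flag_gating.inspect if $PROGRAM_NAME == __FILE__
```

Run it with `ruby` directly; the printed hash should show the alert visible only for `enabled_critical`, which is the same pair of outcomes the manual steps check in the browser.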
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.