Skip to content

Merge branch '387719_01-disable-critical-security-alert' into 'master'

John Skarbek requested to merge cherry-pick-0fb9e49c-2 into 15-7-stable-ee

What does this MR do and why?

Related to #387719 (closed)

This change pulls back a new feature that was not well received due to there not being a solid separation between Critical Security Releases and Regular Security Releases in our GitLab Version Application https://gitlab.com/gitlab-services/version-gitlab-com.

Rather than remove the code and hard work from the team, we are adding a Feature Flag that is disabled by default. We then have a strategy to expand the GitLab Version Application and then plan to remove this Feature Flag. Ideally this will be a very short-lived Feature Flag.

Screenshots or screen recordings

FF Disabled FF Enabled
Screenshot_2023-01-11_at_1.50.19_PM Screenshot_2023-01-11_at_1.51.16_PM

How to set up and validate locally

  1. Apply patch for a Critical Security Alert
Patch 
diff --git a/app/helpers/version_check_helper.rb b/app/helpers/version_check_helper.rb
index 0bb92dfd118..115e8df703b 100644
--- a/app/helpers/version_check_helper.rb
+++ b/app/helpers/version_check_helper.rb
@@ -13,7 +13,8 @@ def show_version_check?
   end
 
   def gitlab_version_check
-    VersionCheck.new.response
+    # VersionCheck.new.response
+    { "severity" => SECURITY_ALERT_SEVERITY, "details" => 'There is a runner token vulnerability on this version. Please upgrade to prevent an attacker executing code on your instance', "latest_stable_versions" => ['15.8.1', '15.9.0', '16.0.0'] }
   end
   strong_memoize_attr :gitlab_version_check
  1. Disable Feature Flag
    • rails c
    • Feature.disable(:critical_security_alert)
  2. Refresh the page (it may take a second for the GDK to see the FF flip)
  3. Ensure Modal and Alert do not appear
  4. Enable Feature Flag
    • rails c
    • Feature.enable(:critical_security_alert)
  5. Refresh the page (it may take a second for the GDK to see the FF flip)
  6. Ensure Modal and Alert do appear

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Merge request reports