
Critical Security Alert - Latest stable patch text

What does this MR do and why?

Closes #438447 (closed)
Implements API changes in gitlab-org/gitlab-services/version.gitlab.com!76 (merged)

When a customer is more than 3 minor versions behind the latest release and a critical vulnerability is patched and back-ported, the alert modal only shows the latest 3 minor versions. This can cause the customer to believe they need to do a minor upgrade when there is also a less intrusive patch available on their current minor version. This confusion can cause a customer to stay in a vulnerable state longer than they need to be.

With the new data exposed by gitlab-org/gitlab-services/version.gitlab.com!76 (merged) we can expose this information to the customer when there is a 4th option for them to upgrade. This will conditionally show in the alert modal if the 4th option isn't included in the initial 3 latest minor versions.
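The decision described above, as an added example that is not code from this MR or from GitLab. It assumes the response hash shape used by the spoof patches below (string keys, `latest_stable_versions` as an array of version strings, `latest_stable_version_of_minor` as a version string, nil, or absent) and adds an optional `current_version` check so an inconsistent patch version is never offered.

```ruby
# Added example, not code from this MR or from GitLab: the "4th option" decision
# the MR describes, given the response hash shape used by the spoof patches
# (string keys, "latest_stable_versions" => Array of version strings,
# "latest_stable_version_of_minor" => version string, nil, or absent).
module CriticalAlertOptions
  module_function

  # Returns the patch release for the customer's current minor only when it is
  # a real fourth option: present, not already among the latest 3 minors and,
  # if current_version is given, actually on the customer's major.minor.
  # A nil or missing key (a response without the new field) yields nil,
  # i.e. no extra row in the modal.
  def extra_patch_option(response, current_version: nil)
    latest = Array(response["latest_stable_versions"])
    patch  = response.fetch("latest_stable_version_of_minor", nil)
    return nil if patch.nil? || patch.to_s.empty?
    return nil if latest.include?(patch)
    return nil if current_version && !same_minor?(patch, current_version)

    patch
  end

  # Every version the modal should offer, newest first, with the minor-only
  # patch appended as the fourth option when it applies.
  def upgrade_options(response, current_version: nil)
    options = Array(response["latest_stable_versions"]).dup
    extra = extra_patch_option(response, current_version: current_version)
    options << extra if extra
    options
  end

  # "16.9.2" and "16.9.0" share major.minor 16.9; "16.8.7" does not.
  def same_minor?(version, current)
    version.to_s.split(".")[0, 2] == current.to_s.split(".")[0, 2]
  end
end
```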

Screenshots or screen recordings

| Scenario | Before | After |
|---|---|---|
| Customer is 4 versions behind and a patch is available (main concern) | screenshot: 4_versions_back_-_Before | screenshot: Screenshot_2024-01-25_at_2.23.17_PM |
| Customer is 3 versions behind and a patch is available (no change) | screenshot: 3_versions_back_-_Before | screenshot: 3_versions_back_-_After |
| Customer is 4 versions behind but a patch is not available (no change) | screenshot: 4_versions_no_stable_-_Before | screenshot: 4_versions_no_stable_-_After |

How to set up and validate locally

Important: You will need to provide "spoofs" to make your GDK think it's behind a version. Below are patches to achieve each type of scenario.
Important: You need to reset any changes between applying different patches.

Customer is 4 versions behind and a patch is available
diff --git a/app/helpers/version_check_helper.rb b/app/helpers/version_check_helper.rb
index 895155e00d1..328cd028d78 100644
--- a/app/helpers/version_check_helper.rb
+++ b/app/helpers/version_check_helper.rb
@@ -12,7 +12,8 @@ def show_version_check?
   def gitlab_version_check
     return unless show_version_check?
 
-    VersionCheck.new.response
+    #VersionCheck.new.response
+    { "severity" => 'danger', "critical_vulnerability" => true, "details" => 'There is a runner token vulnerability on this version. Please upgrade to prevent an attacker executing code on your instance', "latest_stable_versions" => ['16.12.3', '16.11.5', '16.10.7'], "latest_stable_version_of_minor" => '16.9.2' }
   end
   strong_memoize_attr :gitlab_version_check
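Review bot: the hunk header `@@ -12,7 +12,8 @@` promises 7 pre-image lines but only 6 appear (`def`, `return`, blank, the removed `VersionCheck.new.response`, `end`, `strong_memoize_attr`), so the trailing context line was lost in the paste and `git apply` will reject the patch as corrupt; either restore the missing line or tell readers to edit `gitlab_version_check` by hand. The commented-out `#VersionCheck.new.response` also adds nothing to a throwaway spoof; replacing the line outright keeps the hunk at one removed and one added line.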
Customer is 3 versions behind and a patch is available
diff --git a/app/helpers/version_check_helper.rb b/app/helpers/version_check_helper.rb
index 895155e00d1..ad79386ab4a 100644
--- a/app/helpers/version_check_helper.rb
+++ b/app/helpers/version_check_helper.rb
@@ -12,7 +12,8 @@ def show_version_check?
   def gitlab_version_check
     return unless show_version_check?
 
-    VersionCheck.new.response
+    #VersionCheck.new.response
+    { "severity" => 'danger', "critical_vulnerability" => true, "details" => 'There is a runner token vulnerability on this version. Please upgrade to prevent an attacker executing code on your instance', "latest_stable_versions" => ['16.11.3', '16.10.5', '16.9.2'], "latest_stable_version_of_minor" => '16.9.2' }
   end
   strong_memoize_attr :gitlab_version_check
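Review bot: same truncated hunk as the first patch (header counts 7/8 lines, 6/7 shown), so it will not apply cleanly as pasted. It would help to state in the scenario title that this spoof sets `"latest_stable_version_of_minor" => '16.9.2'`, which is already the third entry of `latest_stable_versions`; that is exactly the duplicate case the MR is meant to hide, so the expected outcome is three options and no fourth row.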
Customer is 4 versions behind but a patch is not available
diff --git a/app/helpers/version_check_helper.rb b/app/helpers/version_check_helper.rb
index 895155e00d1..b14070e8fc0 100644
--- a/app/helpers/version_check_helper.rb
+++ b/app/helpers/version_check_helper.rb
@@ -12,7 +12,8 @@ def show_version_check?
   def gitlab_version_check
     return unless show_version_check?
 
-    VersionCheck.new.response
+    #VersionCheck.new.response
+    { "severity" => 'danger', "critical_vulnerability" => true, "details" => 'There is a runner token vulnerability on this version. Please upgrade to prevent an attacker executing code on your instance', "latest_stable_versions" => ['16.12.3', '16.11.5', '16.10.7'], "latest_stable_version_of_minor" => nil }
   end
   strong_memoize_attr :gitlab_version_check
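Review bot: this spoof covers `"latest_stable_version_of_minor" => nil`, but a version.gitlab.com response from before !76 would not carry the key at all, and the modal must treat a missing key the same as nil; consider a fourth spoof with the key removed (or read it with `response.fetch("latest_stable_version_of_minor", nil)`) so that path is validated too. The hunk is truncated in the same way as the other two.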
  1. Log in as an Admin (root is admin by default)
  2. Apply your selected patch
  3. Refresh any page
  4. Ensure alert modal appears and matches what is expected in the Before/After screenshots

Related to #438447 (closed)

Edited by Zack Cuddy
