Add latest changes from gitlab-org/security/gitlab@16-3-stable-ee

2023-10-30 13:01:45 +00:00 · 2023-10-30 13:01:45 +00:00 · 80fcab539b
parent 54118a15ad
commit 80fcab539b
3 changed files with 26 additions and 2 deletions
--- a/config/session_store.yml
+++ b/config/session_store.yml
@ -0,0 +1,3 @@
+development:
+  unique_cookie_key_postfix: true
+  cookie_key: "_gitlab_session"
--- a/lib/gitlab/ci/components/instance_path.rb
+++ b/lib/gitlab/ci/components/instance_path.rb
@ -5,6 +5,7 @@ module Gitlab
    module Components
      class InstancePath
        include Gitlab::Utils::StrongMemoize
+        include ::Gitlab::LoopHelpers

        LATEST_VERSION_KEYWORD = '~latest'

@ -60,9 +61,15 @@ module Gitlab
        # Given a path like "my-org/sub-group/the-project/path/to/component"
        # find the project "my-org/sub-group/the-project" by looking at all possible paths.
        def find_project_by_component_path(path)
-          possible_paths = [path]
+          return if path.start_with?('/') # exit early if path starts with `/` or it will loop forever.
+
+          possible_paths = [path]
+          index = nil
+
+          loop_until(limit: 20) do
+            index = path.rindex('/') # find index of last `/` in a path
+            break unless index

-          while index = path.rindex('/') # find index of last `/` in a path
            possible_paths << (path = path[0..index - 1])
          end

--- a/spec/lib/gitlab/ci/components/instance_path_spec.rb
+++ b/spec/lib/gitlab/ci/components/instance_path_spec.rb
@ -48,6 +48,20 @@ RSpec.describe Gitlab::Ci::Components::InstancePath, feature_category: :pipeline
          it 'fetches the content' do
            expect(path.fetch_content!(current_user: user)).to eq(content)
          end
+
+          shared_examples 'prevents infinite loop' do |prefix|
+            context "when the project path starts with '#{prefix}'" do
+              let(:project_path) { "#{prefix}#{existing_project.full_path}" }
+
+              it 'returns nil' do
+                result = path.fetch_content!(current_user: user)
+                expect(result).to be_nil
+              end
+            end
+          end
+
+          it_behaves_like 'prevents infinite loop', '/'
+          it_behaves_like 'prevents infinite loop', '//'
        end

        context 'when user does not have permissions to download code' do