From fcb04bcd04e4694c845b8b5e649a2a374f4c2bd9 Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Tue, 16 Mar 2021 10:24:23 +0000 Subject: Add latest changes from gitlab-org/security/gitlab@13-7-stable-ee --- changelogs/unreleased/security-patch-kramdown.yml | 5 +++ config/initializers/kramdown_patch.rb | 25 +++++++++++++++ spec/initializers/kramdown_patch_spec.rb | 38 +++++++++++++++++++++++ vendor/gitignore/C++.gitignore | 0 vendor/gitignore/Java.gitignore | 0 5 files changed, 68 insertions(+) create mode 100644 changelogs/unreleased/security-patch-kramdown.yml create mode 100644 config/initializers/kramdown_patch.rb create mode 100644 spec/initializers/kramdown_patch_spec.rb mode change 100644 => 100755 vendor/gitignore/C++.gitignore mode change 100644 => 100755 vendor/gitignore/Java.gitignore diff --git a/changelogs/unreleased/security-patch-kramdown.yml b/changelogs/unreleased/security-patch-kramdown.yml new file mode 100644 index 00000000000..792619327fe --- /dev/null +++ b/changelogs/unreleased/security-patch-kramdown.yml @@ -0,0 +1,5 @@ +--- +title: Patch Kramdown syntax highlighter gem +merge_request: +author: +type: security diff --git a/config/initializers/kramdown_patch.rb b/config/initializers/kramdown_patch.rb new file mode 100644 index 00000000000..5cb769cec24 --- /dev/null +++ b/config/initializers/kramdown_patch.rb 
@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+#
+# This pulls in https://github.com/gettalong/kramdown/pull/708 for kramdown v2.3.0.
+# Remove this file when that pull request is merged and released.
+require 'kramdown/converter'
+require 'kramdown/converter/syntax_highlighter/rouge'
+
+module Kramdown::Converter::SyntaxHighlighter
+ module Rouge
+ def self.formatter_class(opts = {})
+ case formatter = opts[:formatter]
+ when Class
+ formatter
+ when /\A[[:upper:]][[:alnum:]_]*\z/
+ ::Rouge::Formatters.const_get(formatter, false)
+ else
+ # Available in Rouge 2.0 or later
+ ::Rouge::Formatters::HTMLLegacy
+ end
+ rescue NameError
+ # Fallback to Rouge 1.x
+ ::Rouge::Formatters::HTML
+ end
+ end
+end
diff --git a/spec/initializers/kramdown_patch_spec.rb b/spec/initializers/kramdown_patch_spec.rb
new file mode 100644
index 00000000000..49dda9252bb
--- /dev/null
+++ b/spec/initializers/kramdown_patch_spec.rb
@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'Kramdown patch for syntax highlighting formatters' do
+ subject { Kramdown::Document.new(options + "\n" + code).to_html }
+
+ let(:code) do
+ <<-RUBY
+~~~ ruby
+ def what?
+ 42
+ end
+~~~
+ RUBY
+ end
+
+ context 'with invalid formatter' do
+ let(:options) { %({::options auto_ids="false" footnote_nr="5" syntax_highlighter="rouge" syntax_highlighter_opts="{formatter: CSV, line_numbers: true\\}" /}) }
+
+ it 'falls back to standard HTML and disallows CSV' do
+ expect(CSV).not_to receive(:new)
+ expect(::Rouge::Formatters::HTML).to receive(:new).and_call_original
+
+ expect(subject).to be_present
+ end
+ end
+
+ context 'with valid formatter' do
+ let(:options) { %({::options auto_ids="false" footnote_nr="5" syntax_highlighter="rouge" syntax_highlighter_opts="{formatter: HTMLLegacy\\}" /}) }
+
+ it 'allows formatter' do
+ expect(::Rouge::Formatters::HTMLLegacy).to receive(:new).and_call_original
+
+ expect(subject).to be_present
+ end
+ end
+end
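Review bot: The method-wide `rescue NameError` in `formatter_class` also swallows `NoMethodError` (a `NameError` subclass), so an unrelated failure inside the method — `opts` not responding to `[]`, or a constant under `Rouge::Formatters` that resolves but is not a class — silently degrades to `::Rouge::Formatters::HTML` instead of surfacing. I would validate the lookup result before returning it, `klass = ::Rouge::Formatters.const_get(formatter, false)` followed by `klass.is_a?(Class) ? klass : ::Rouge::Formatters::HTML`, and keep the rescue only where the Rouge 1.x fallback is actually needed, around the `HTMLLegacy` reference. The `when Class` arm still accepts any class a programmatic caller passes rather than only Rouge formatters; that is presumably unreachable from document options if kramdown's option parsing yields strings, which this hunk does not show. Because the initializer unconditionally redefines the method, it would also be worth failing loudly when the installed kramdown is no longer 2.3.0 so the patch is not carried past the upstream release it mirrors, as the header comment asks.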
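Review bot: The invalid-formatter example only exercises the `NameError` fallback, since `CSV` is a well-formed constant name that merely is not defined under `Rouge::Formatters`; the regex rejection branch, which is the part that blocks namespaced lookups such as `::CSV` or `Kernel::CSV`, has no example and currently routes to `HTMLLegacy` untested. I would add a third context with `syntax_highlighter_opts="{formatter: ::CSV\\}"` asserting `expect(CSV).not_to receive(:new)` and `expect(::Rouge::Formatters::HTMLLegacy).to receive(:new).and_call_original`. The first example also relies on `CSV` already being loaded, which `spec_helper` presumably provides; a `require 'csv'` in this file would make that dependency explicit.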
diff --git a/vendor/gitignore/C++.gitignore b/vendor/gitignore/C++.gitignore old mode 100644 new mode 100755 diff --git a/vendor/gitignore/Java.gitignore b/vendor/gitignore/Java.gitignore old mode 100644 new mode 100755 -- cgit v1.2.1 From 4c2957df86315bb387882721a6dfacb18b15eb2c Mon Sep 17 00:00:00 2001 From: GitLab Release Tools Bot Date: Wed, 17 Mar 2021 11:17:48 +0000 Subject: Update VERSION files [ci skip] --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 9255caa9bd7..470e34e1d71 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -13.7.8 \ No newline at end of file +13.7.9 \ No newline at end of file -- cgit v1.2.1 From 4cc568a54bf02be71113624cd9003350f582d623 Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Wed, 17 Mar 2021 11:23:26 +0000 Subject: Add latest changes from gitlab-org/security/gitlab@13-7-stable-ee --- CHANGELOG.md | 7 +++++++ GITALY_SERVER_VERSION | 2 +- changelogs/unreleased/security-patch-kramdown.yml | 5 ----- vendor/gitignore/C++.gitignore | 0 vendor/gitignore/Java.gitignore | 0 5 files changed, 8 insertions(+), 6 deletions(-) delete mode 100644 changelogs/unreleased/security-patch-kramdown.yml mode change 100755 => 100644 vendor/gitignore/C++.gitignore mode change 100755 => 100644 vendor/gitignore/Java.gitignore diff --git a/CHANGELOG.md b/CHANGELOG.md index 5de844c88a6..29f238a162e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry. +## 13.7.9 (2021-03-17) + +### Security (1 change) + +- Patch Kramdown syntax highlighter gem. + + ## 13.7.8 (2021-03-04) ### Security (5 changes) diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION index 9255caa9bd7..470e34e1d71 100644 --- a/GITALY_SERVER_VERSION +++ b/GITALY_SERVER_VERSION @@ -1 +1 @@ -13.7.8 \ No newline at end of file +13.7.9 \ No newline at end of file 
diff --git a/changelogs/unreleased/security-patch-kramdown.yml b/changelogs/unreleased/security-patch-kramdown.yml deleted file mode 100644 index 792619327fe..00000000000 --- a/changelogs/unreleased/security-patch-kramdown.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Patch Kramdown syntax highlighter gem -merge_request: -author: -type: security diff --git a/vendor/gitignore/C++.gitignore b/vendor/gitignore/C++.gitignore old mode 100755 new mode 100644 diff --git a/vendor/gitignore/Java.gitignore b/vendor/gitignore/Java.gitignore old mode 100755 new mode 100644 -- cgit v1.2.1