Merge remote-tracking branch 'origin/master' into main-jh

1fe938e5 · JH_CNG_SYNC_TOKEN · 67cfae3d · 5f402c57 · 1fe938e5 · 1fe938e5
Commit 1fe938e5 authored 3 years ago by JH_CNG_SYNC_TOKEN
--- a/.gitlab/issue_templates/Security developer workflow.md
+++ b/.gitlab/issue_templates/Security developer workflow.md
+<!--
+# Read me first!
+
+Create this issue under https://gitlab.com/gitlab-org/security/charts/components/images
+
+Set the title to: `Description of the original issue`
+-->
+
+### Prior to starting the security release work
+
+- [ ] Read the [security process for developers] if you are not familiar with it.
+- [ ] Mark this [issue as related] to the Security Release tracking issue. You can find it on the topic of the `#releases` Slack channel.
+- Fill out the [Links section](#links):
+  - [ ] Next to **Issue on GitLab Chart**, add a link to the `gitlab-org/build/CNG` issue that describes the security vulnerability.
+  - [ ] Next to **Security Release tracking issue**, add a link to the security release issue that will include this security issue.
+
+### Development
+
+- [ ] Run `support/security-harness` to prevent pushing to any remote besides `security/charts/components/images` and `dev.gitlab.org/gitlab/charts/components/images`
+- [ ] Create a new branch prefixing it with `security-`
+- [ ] Create a MR targeting `master` on [`security/charts/components/images`](https://gitlab.com/gitlab-org/security/charts/components/images) and use the [Security Release merge request template]
+- [ ] Follow the same code review process: Assign to a reviewer, then to a maintainer.
+
+After your merge request has been approved according to our approval guidelines, and by a team member of the AppSec team, you're ready to prepare the backports
+
+#### Backports
+
+- [ ] Once the MR is ready to be merged, create MRs targeting the latest 3 stable branches
+   * At this point, it might be easy to squash the commits from the MR into one
+- [ ] Create each MR targeting the stable branch `X-Y-stable`, using the [Security Release merge request template].
+   * Every merge request will have its own set of TODOs, so make sure to complete those.
+- [ ] On the "Related merge requests" section, ensure all MRs are linked to this issue.
+   * This section should only list the merge requests created for this issue: One targeting `master` and the 3 backports.
+- [ ] If this issue requires less than 4 merge requests, post a message on the Security Release Tracking Issue and ping the Release Managers.
+
+#### Documentation and final details
+
+- [ ] Ensure the [Links section](#links) is completed.
+- [ ] Find out the versions affected (the Git history of the files affected may help you with this) and add them to the [details section](#details)
+- [ ] Fill in any upgrade notes that users may need to take into account in the [details section](#details)
+- [ ] Add Yes/No and further details if needed to the migration and settings columns in the [details section](#details)
+- [ ] Add the nickname of the external user who found the issue (and/or HackerOne profile) to the Thanks row in the [details section](#details)
+
+### Summary
+
+#### Links
+
+| Description | Link |
+| -------- | -------- |
+| Issue on [GitLab Chart](https://gitlab.com/gitlab-org/charts/gitlab/-/issues) | #TODO  |
+| Security Release tracking issue | #TODO  |
+
+#### Details
+
+| Description | Details | Further details|
+| -------- | -------- | -------- |
+| Versions affected | X.Y  | |
+| Upgrade notes | | |
+| GitLab Settings updated | Yes/No| |
+| Migration required | Yes/No | |
+| Thanks | | |
+
+[security process for developers]: https://gitlab.com/gitlab-org/release/docs/blob/master/general/security/developer.md
+[RM list]:  https://about.gitlab.com/release-managers/
+[issue as related]: https://docs.gitlab.com/ee/user/project/issues/related_issues.html#adding-a-related-issue
+[security Release merge request template]: https://gitlab.com/gitlab-org/build/CNG/-/blob/master/.gitlab/merge_request_templates/Security%20Release.md
+
+/label ~security
--- a/.gitlab/merge_request_templates/Security Release.md
+++ b/.gitlab/merge_request_templates/Security Release.md
+<!--
+# README first!
+This MR should be created on https://gitlab.com/gitlab-org/security/charts/components/images
+
+See [the general developer security release guidelines](https://gitlab.com/gitlab-org/release/docs/blob/master/general/security/developer.md).
+-->
+
+## Related issues
+
+<!-- Mention the GitLab Security issue this MR is related to -->
+
+## Developer checklist
+
+- [ ] **On "Related issues" section, write down the [Cloud Native Images Security] issue it belongs to (i.e. `Related to <issue_id>`).**
+- [ ] MR targets `master`, or `X-Y-stable` for backports.
+- [ ] Milestone is set for the version this merge request applies to. A closed milestone can be assigned via [quick actions].
+- [ ] Title of this MR is the same as for all backports.
+- [ ] A [CHANGELOG entry] has been included, with `Changelog` trailer set to `security`.
+- [ ] Assign to a reviewer and maintainer, per our [Code Review process].
+- [ ] For the MR targeting `master`, ensure it's approved according to our [Approval Guidelines]
+- [ ] Merge request _must not_ close the corresponding security issue, _unless_ it targets `master`.
+
+## Reviewer checklist
+
+- [ ] Correct milestone is applied and the title is matching across all backports
+- [ ] Assigned to `@gitlab-release-tools-bot` with passing CI pipelines
+
+/label ~security
+
+[loud Native Images Security]: https://gitlab.com/gitlab-org/security/charts/components/images
+[approval guidelines]: https://docs.gitlab.com/ee/development/code_review.html#approval-guidelines
+[Code Review process]: https://docs.gitlab.com/ee/development/code_review.html
+[quick actions]: https://docs.gitlab.com/ee/user/project/quick_actions.html#quick-actions-for-issues-merge-requests-and-epics
+[CHANGELOG entry]: https://docs.gitlab.com/ee/development/changelog.html#overview
--- a/support/security-harness
+++ b/support/security-harness
+#!/usr/bin/env ruby
+
+# frozen_string_literal: true
+
+require 'digest'
+require 'fileutils'
+
+if ENV['NO_COLOR']
+  SHELL_RED    = ''
+  SHELL_GREEN  = ''
+  SHELL_YELLOW = ''
+  SHELL_CLEAR  = ''
+else
+  SHELL_RED    = "\e[1;31m"
+  SHELL_GREEN  = "\e[1;32m"
+  SHELL_YELLOW = "\e[1;33m"
+  SHELL_CLEAR  = "\e[0m"
+end
+
+HOOK_PATH = File.expand_path("../.git/hooks/pre-push", __dir__)
+HOOK_DATA = <<~HOOK
+  #!/bin/bash
+
+  set -e
+
+  url="$2"
+  harness=`dirname "$0"`/../security_harness
+
+  if [ -e "$harness" ]
+  then
+    if [[ ("$url" != *"dev.gitlab.org"*) && ("$url" != *"gitlab-org/security/"*) ]]
+    then
+      echo "Pushing to remotes other than dev.gitlab.org and gitlab.com/gitlab-org/security has been disabled!"
+      echo "Run scripts/security-harness to disable this check."
+      echo
+
+      exit 1
+    fi
+  fi
+HOOK
+
+def write_hook
+  FileUtils.mkdir_p(File.dirname(HOOK_PATH))
+  File.open(HOOK_PATH, 'w') do |file|
+    file.write(HOOK_DATA)
+  end
+  File.chmod(0755, HOOK_PATH)
+end
+
+# Toggle the harness on or off
+def toggle
+  harness_path = File.expand_path('../.git/security_harness', __dir__)
+
+  if File.exist?(harness_path)
+    FileUtils.rm(harness_path)
+
+    puts "#{SHELL_YELLOW}Security harness removed -- you can now push to all remotes.#{SHELL_CLEAR}"
+  else
+    FileUtils.touch(harness_path)
+
+    puts "#{SHELL_GREEN}Security harness installed -- you will only be able to push to dev.gitlab.org or gitlab.com/gitlab-org/security!#{SHELL_CLEAR}"
+  end
+end
+
+# If we were to change the script and then check for a pre-existing hook before
+# writing, the check would fail even if the user had an unmodified version of
+# the old hook. Checking previous version hashes allows us to safely overwrite a
+# script that differs from the current version, as long as it's an old one and
+# not custom.
+def previous_version?(dest_sum)
+  # SHA256 hashes of previous iterations of the script contained in `DATA`
+  %w[
+    010bf0363a911ebab2bd5728d80795ed02388da51815f0b2530d08ae8ac574f0
+  ].include?(dest_sum)
+end
+
+if !File.exist?(HOOK_PATH)
+  write_hook
+  toggle
+else
+  # Deal with a pre-existing hook
+  source_sum = Digest::SHA256.hexdigest(HOOK_DATA)
+  dest_sum   = Digest::SHA256.file(HOOK_PATH).hexdigest
+
+  if previous_version?(dest_sum)
+    # Upgrading from a previous version, update in-place
+    write_hook
+    toggle
+  elsif source_sum != dest_sum
+    # Pre-existing hook we didn't create; do nothing
+    puts "#{SHELL_RED}#{HOOK_PATH} exists and is different from our hook!"
+    puts "Remove it and re-run this script to continue.#{SHELL_CLEAR}"
+
+    exit 1
+  else
+    # No hook update needed, just toggle
+    toggle
+  end
+end