Commit 1fe938e5 authored by JH_CNG_SYNC_TOKEN
Merge remote-tracking branch 'origin/master' into main-jh

parents 67cfae3d 5f402c57
<!--
# Read me first!
Create this issue under https://gitlab.com/gitlab-org/security/charts/components/images
Set the title to: `Description of the original issue`
-->
### Prior to starting the security release work
- [ ] Read the [security process for developers] if you are not familiar with it.
- [ ] Mark this [issue as related] to the Security Release tracking issue. You can find it on the topic of the `#releases` Slack channel.
- Fill out the [Links section](#links):
  - [ ] Next to **Issue on GitLab Chart**, add a link to the `gitlab-org/build/CNG` issue that describes the security vulnerability.
  - [ ] Next to **Security Release tracking issue**, add a link to the security release issue that will include this security issue.
### Development
- [ ] Run `support/security-harness` to prevent pushing to any remote besides `security/charts/components/images` and `dev.gitlab.org/gitlab/charts/components/images`
- [ ] Create a new branch prefixing it with `security-`
- [ ] Create a MR targeting `master` on [`security/charts/components/images`](https://gitlab.com/gitlab-org/security/charts/components/images) and use the [Security Release merge request template]
- [ ] Follow the same code review process: Assign to a reviewer, then to a maintainer.
After your merge request has been approved according to our approval guidelines, and by a team member of the AppSec team, you're ready to prepare the backports.
#### Backports
- [ ] Once the MR is ready to be merged, create MRs targeting the latest 3 stable branches
  * At this point, it might be easy to squash the commits from the MR into one
- [ ] Create each MR targeting the stable branch `X-Y-stable`, using the [Security Release merge request template].
  * Every merge request will have its own set of TODOs, so make sure to complete those.
- [ ] On the "Related merge requests" section, ensure all MRs are linked to this issue.
  * This section should only list the merge requests created for this issue: One targeting `master` and the 3 backports.
- [ ] If this issue requires fewer than 4 merge requests, post a message on the Security Release Tracking Issue and ping the Release Managers.
#### Documentation and final details
- [ ] Ensure the [Links section](#links) is completed.
- [ ] Find out the versions affected (the Git history of the files affected may help you with this) and add them to the [details section](#details)
- [ ] Fill in any upgrade notes that users may need to take into account in the [details section](#details)
- [ ] Add Yes/No and further details if needed to the migration and settings columns in the [details section](#details)
- [ ] Add the nickname of the external user who found the issue (and/or HackerOne profile) to the Thanks row in the [details section](#details)
### Summary
#### Links
| Description | Link |
| -------- | -------- |
| Issue on [GitLab Chart](https://gitlab.com/gitlab-org/charts/gitlab/-/issues) | #TODO |
| Security Release tracking issue | #TODO |
#### Details
| Description | Details | Further details|
| -------- | -------- | -------- |
| Versions affected | X.Y | |
| Upgrade notes | | |
| GitLab Settings updated | Yes/No| |
| Migration required | Yes/No | |
| Thanks | | |
[security process for developers]: https://gitlab.com/gitlab-org/release/docs/blob/master/general/security/developer.md
[RM list]: https://about.gitlab.com/release-managers/
[issue as related]: https://docs.gitlab.com/ee/user/project/issues/related_issues.html#adding-a-related-issue
[Security Release merge request template]: https://gitlab.com/gitlab-org/build/CNG/-/blob/master/.gitlab/merge_request_templates/Security%20Release.md
/label ~security
<!--
# README first!
This MR should be created on https://gitlab.com/gitlab-org/security/charts/components/images
See [the general developer security release guidelines](https://gitlab.com/gitlab-org/release/docs/blob/master/general/security/developer.md).
-->
## Related issues
<!-- Mention the GitLab Security issue this MR is related to -->
## Developer checklist
- [ ] **On "Related issues" section, write down the [Cloud Native Images Security] issue it belongs to (i.e. `Related to <issue_id>`).**
- [ ] MR targets `master`, or `X-Y-stable` for backports.
- [ ] Milestone is set for the version this merge request applies to. A closed milestone can be assigned via [quick actions].
- [ ] Title of this MR is the same as for all backports.
- [ ] A [CHANGELOG entry] has been included, with `Changelog` trailer set to `security`.
- [ ] Assign to a reviewer and maintainer, per our [Code Review process].
- [ ] For the MR targeting `master`, ensure it's approved according to our [Approval Guidelines]
- [ ] Merge request _must not_ close the corresponding security issue, _unless_ it targets `master`.
## Reviewer checklist
- [ ] Correct milestone is applied and the title matches across all backports
- [ ] Assigned to `@gitlab-release-tools-bot` with passing CI pipelines
/label ~security
[Cloud Native Images Security]: https://gitlab.com/gitlab-org/security/charts/components/images
[approval guidelines]: https://docs.gitlab.com/ee/development/code_review.html#approval-guidelines
[Code Review process]: https://docs.gitlab.com/ee/development/code_review.html
[quick actions]: https://docs.gitlab.com/ee/user/project/quick_actions.html#quick-actions-for-issues-merge-requests-and-epics
[CHANGELOG entry]: https://docs.gitlab.com/ee/development/changelog.html#overview
#!/usr/bin/env ruby
# frozen_string_literal: true

require 'digest'
require 'fileutils'

if ENV['NO_COLOR']
  SHELL_RED = ''
  SHELL_GREEN = ''
  SHELL_YELLOW = ''
  SHELL_CLEAR = ''
else
  SHELL_RED = "\e[1;31m"
  SHELL_GREEN = "\e[1;32m"
  SHELL_YELLOW = "\e[1;33m"
  SHELL_CLEAR = "\e[0m"
end

# The script lives one directory below the repository root, so `../.git` is the
# repository's own .git directory.
HOOK_PATH = File.expand_path("../.git/hooks/pre-push", __dir__)

# Contents of the pre-push hook. `previous_version?` below recognises older
# installs by the SHA256 of this text, so any edit to it must also add the hash
# of the old text to that list, otherwise existing installs are refused as
# "different from our hook". Note that the message printed by the hook still
# refers to `scripts/security-harness`, whereas this repository invokes the
# script as `support/security-harness`.
HOOK_DATA = <<~HOOK
  #!/bin/bash
  set -e
  url="$2"
  harness=`dirname "$0"`/../security_harness
  if [ -e "$harness" ]
  then
  if [[ ("$url" != *"dev.gitlab.org"*) && ("$url" != *"gitlab-org/security/"*) ]]
  then
  echo "Pushing to remotes other than dev.gitlab.org and gitlab.com/gitlab-org/security has been disabled!"
  echo "Run scripts/security-harness to disable this check."
  echo
  exit 1
  fi
  fi
HOOK

def write_hook
  FileUtils.mkdir_p(File.dirname(HOOK_PATH))
  File.open(HOOK_PATH, 'w') do |file|
    file.write(HOOK_DATA)
  end
  File.chmod(0755, HOOK_PATH)
end

# Toggle the harness on or off. The hook only enforces the remote check while
# the marker file `.git/security_harness` exists.
def toggle
  harness_path = File.expand_path('../.git/security_harness', __dir__)

  if File.exist?(harness_path)
    FileUtils.rm(harness_path)
    puts "#{SHELL_YELLOW}Security harness removed -- you can now push to all remotes.#{SHELL_CLEAR}"
  else
    FileUtils.touch(harness_path)
    puts "#{SHELL_GREEN}Security harness installed -- you will only be able to push to dev.gitlab.org or gitlab.com/gitlab-org/security!#{SHELL_CLEAR}"
  end
end

# If we were to change the script and then check for a pre-existing hook before
# writing, the check would fail even if the user had an unmodified version of
# the old hook. Checking previous version hashes allows us to safely overwrite a
# script that differs from the current version, as long as it's an old one and
# not custom.
def previous_version?(dest_sum)
  # SHA256 hashes of previous iterations of the script contained in `HOOK_DATA`
  %w[
    010bf0363a911ebab2bd5728d80795ed02388da51815f0b2530d08ae8ac574f0
  ].include?(dest_sum)
end

if !File.exist?(HOOK_PATH)
  write_hook
  toggle
else
  # Deal with a pre-existing hook
  source_sum = Digest::SHA256.hexdigest(HOOK_DATA)
  dest_sum = Digest::SHA256.file(HOOK_PATH).hexdigest

  if previous_version?(dest_sum)
    # Upgrading from a previous version, update in-place
    write_hook
    toggle
  elsif source_sum != dest_sum
    # Pre-existing hook we didn't create; do nothing
    puts "#{SHELL_RED}#{HOOK_PATH} exists and is different from our hook!"
    puts "Remove it and re-run this script to continue.#{SHELL_CLEAR}"
    exit 1
  else
    # No hook update needed, just toggle
    toggle
  end
end
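To see what the "Run `support/security-harness`" step in the issue template actually buys you, the following added example (mine, not code from this repository) installs the hook text from `HOOK_DATA` into a throwaway `.git` layout and invokes it with the same arguments git passes to a pre-push hook. The temporary directory layout, the helper names (`install_hook`, `arm_harness`, `disarm_harness`, `check_push`) and the sample remote URLs are my own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of this repository: exercise the pre-push hook that
# support/security-harness installs, against a throwaway ".git" layout instead
# of a real checkout. The hook body is the HOOK_DATA text from the script above;
# the directory layout, helper names and sample remote URLs are assumptions.
set -u

TMP_ROOT="$(mktemp -d)"
FAKE_GIT_DIR="$TMP_ROOT/.git"
HOOK="$FAKE_GIT_DIR/hooks/pre-push"
MARKER="$FAKE_GIT_DIR/security_harness"   # the file `toggle` creates or removes
trap 'rm -rf "$TMP_ROOT"' EXIT

# Same layout as a real repository, so `dirname "$0"`/../security_harness
# inside the hook resolves to $MARKER.
install_hook() {
  mkdir -p "$FAKE_GIT_DIR/hooks"
  cat > "$HOOK" <<'HOOK'
#!/bin/bash
set -e
url="$2"
harness=`dirname "$0"`/../security_harness
if [ -e "$harness" ]
then
  if [[ ("$url" != *"dev.gitlab.org"*) && ("$url" != *"gitlab-org/security/"*) ]]
  then
    echo "Pushing to remotes other than dev.gitlab.org and gitlab.com/gitlab-org/security has been disabled!"
    echo "Run scripts/security-harness to disable this check."
    echo
    exit 1
  fi
fi
HOOK
  chmod 0755 "$HOOK"
}

# Equivalent of running support/security-harness to arm or disarm the check.
arm_harness()    { touch "$MARKER"; }
disarm_harness() { rm -f "$MARKER"; }

# Invoke the hook the way git does for `git push`: $1 is the remote name and
# $2 its URL (git also feeds the ref updates on stdin, which this hook ignores).
# Prints "blocked" or "allowed" so the result can be compared in a test.
check_push() {
  if bash "$HOOK" origin "$1" </dev/null >/dev/null 2>&1; then
    echo allowed
  else
    echo blocked
  fi
}

# Walk through the sample URLs with the harness armed, then disarmed.
demo() {
  install_hook
  arm_harness
  for url in \
    "https://gitlab.com/gitlab-org/security/charts/components/images.git" \
    "git@dev.gitlab.org:gitlab/charts/components/images.git" \
    "https://gitlab.com/gitlab-org/charts/gitlab.git" \
    "https://github.com/someone/mirror.git" \
    "https://example.com/gitlab-org/security/"
  do
    printf 'armed    %-68s %s\n' "$url" "$(check_push "$url")"
  done
  disarm_harness
  printf 'disarmed %-68s %s\n' \
    "https://github.com/someone/mirror.git" \
    "$(check_push "https://github.com/someone/mirror.git")"
}

demo
```

Two things the run makes visible. The hook is a substring match on the remote URL, not an allow-list of hosts: the last constructed URL, `https://example.com/gitlab-org/security/`, is allowed because it merely contains `gitlab-org/security/`, so the harness guards against an honest mistake (pushing a `security-` branch to the public `origin`), not against a deliberately crafted remote. And like every client-side git hook it is skipped by `git push --no-verify`, and silently absent once the marker file is removed, so it complements rather than replaces the "MR targets `security/charts/components/images`" items in the checklists above.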