Add latest changes from gitlab-org/gitlab@master

This commit is contained in:
GitLab Bot 2022-02-01 06:17:35 +00:00
parent 7be0c0133d
commit 43e37da842
8 changed files with 121 additions and 44 deletions

View file

@ -6,43 +6,44 @@
.gl-alert-body
= render 'shared/registration_features_discovery_message', feature_title: s_('RegistrationFeatures|send emails to users')
.top-area.scrolling-tabs-container.inner-page-scroll-tabs
.fade-left
= sprite_icon('chevron-lg-left', size: 12)
.fade-right
= sprite_icon('chevron-lg-right', size: 12)
= gl_tabs_nav({ class: 'scrolling-tabs nav-links gl-display-flex gl-flex-grow-1' }) do
= gl_tab_link_to admin_users_path, { item_active: active_when(params[:filter].nil?), class: 'gl-border-0!' } do
= s_('AdminUsers|Active')
= gl_tab_counter_badge(limited_counter_with_delimiter(User.active_without_ghosts))
= gl_tab_link_to admin_users_path(filter: "admins"), { item_active: active_when(params[:filter] == 'admins'), class: 'gl-border-0!' } do
= s_('AdminUsers|Admins')
= gl_tab_counter_badge(limited_counter_with_delimiter(User.admins))
= gl_tab_link_to admin_users_path(filter: 'two_factor_enabled'), { item_active: active_when(params[:filter] == 'two_factor_enabled'), class: 'filter-two-factor-enabled gl-border-0!' } do
= s_('AdminUsers|2FA Enabled')
= gl_tab_counter_badge(limited_counter_with_delimiter(User.with_two_factor))
= gl_tab_link_to admin_users_path(filter: 'two_factor_disabled'), { item_active: active_when(params[:filter] == 'two_factor_disabled'), class: 'filter-two-factor-disabled gl-border-0!' } do
= s_('AdminUsers|2FA Disabled')
= gl_tab_counter_badge(limited_counter_with_delimiter(User.without_two_factor))
= gl_tab_link_to admin_users_path(filter: 'external'), { item_active: active_when(params[:filter] == 'external'), class: 'gl-border-0!' } do
= s_('AdminUsers|External')
= gl_tab_counter_badge(limited_counter_with_delimiter(User.external))
= gl_tab_link_to admin_users_path(filter: "blocked"), { item_active: active_when(params[:filter] == 'blocked'), class: 'gl-border-0!' } do
= s_('AdminUsers|Blocked')
= gl_tab_counter_badge(limited_counter_with_delimiter(User.blocked))
- if ban_feature_available?
= gl_tab_link_to admin_users_path(filter: "banned"), { item_active: active_when(params[:filter] == 'banned'), class: 'gl-border-0!' } do
= s_('AdminUsers|Banned')
= gl_tab_counter_badge(limited_counter_with_delimiter(User.banned))
= gl_tab_link_to admin_users_path(filter: "blocked_pending_approval"), { item_active: active_when(params[:filter] == 'blocked_pending_approval'), class: 'filter-blocked-pending-approval gl-border-0!', data: { qa_selector: 'pending_approval_tab' } } do
= s_('AdminUsers|Pending approval')
= gl_tab_counter_badge(limited_counter_with_delimiter(User.blocked_pending_approval))
= gl_tab_link_to admin_users_path(filter: "deactivated"), { item_active: active_when(params[:filter] == 'deactivated'), class: 'gl-border-0!' } do
= s_('AdminUsers|Deactivated')
= gl_tab_counter_badge(limited_counter_with_delimiter(User.deactivated))
= gl_tab_link_to admin_users_path(filter: "wop"), { item_active: active_when(params[:filter] == 'wop'), class: 'gl-border-0!' } do
= s_('AdminUsers|Without projects')
= gl_tab_counter_badge(limited_counter_with_delimiter(User.without_projects))
.top-area
.scrolling-tabs-container.inner-page-scroll-tabs.gl-flex-grow-1.gl-min-w-0.gl-w-full
.fade-left
= sprite_icon('chevron-lg-left', size: 12)
.fade-right
= sprite_icon('chevron-lg-right', size: 12)
= gl_tabs_nav({ class: 'scrolling-tabs nav-links gl-display-flex gl-flex-grow-1 gl-w-full' }) do
= gl_tab_link_to admin_users_path, { item_active: active_when(params[:filter].nil?), class: 'gl-border-0!' } do
= s_('AdminUsers|Active')
= gl_tab_counter_badge(limited_counter_with_delimiter(User.active_without_ghosts))
= gl_tab_link_to admin_users_path(filter: "admins"), { item_active: active_when(params[:filter] == 'admins'), class: 'gl-border-0!' } do
= s_('AdminUsers|Admins')
= gl_tab_counter_badge(limited_counter_with_delimiter(User.admins))
= gl_tab_link_to admin_users_path(filter: 'two_factor_enabled'), { item_active: active_when(params[:filter] == 'two_factor_enabled'), class: 'filter-two-factor-enabled gl-border-0!' } do
= s_('AdminUsers|2FA Enabled')
= gl_tab_counter_badge(limited_counter_with_delimiter(User.with_two_factor))
= gl_tab_link_to admin_users_path(filter: 'two_factor_disabled'), { item_active: active_when(params[:filter] == 'two_factor_disabled'), class: 'filter-two-factor-disabled gl-border-0!' } do
= s_('AdminUsers|2FA Disabled')
= gl_tab_counter_badge(limited_counter_with_delimiter(User.without_two_factor))
= gl_tab_link_to admin_users_path(filter: 'external'), { item_active: active_when(params[:filter] == 'external'), class: 'gl-border-0!' } do
= s_('AdminUsers|External')
= gl_tab_counter_badge(limited_counter_with_delimiter(User.external))
= gl_tab_link_to admin_users_path(filter: "blocked"), { item_active: active_when(params[:filter] == 'blocked'), class: 'gl-border-0!' } do
= s_('AdminUsers|Blocked')
= gl_tab_counter_badge(limited_counter_with_delimiter(User.blocked))
- if ban_feature_available?
= gl_tab_link_to admin_users_path(filter: "banned"), { item_active: active_when(params[:filter] == 'banned'), class: 'gl-border-0!' } do
= s_('AdminUsers|Banned')
= gl_tab_counter_badge(limited_counter_with_delimiter(User.banned))
= gl_tab_link_to admin_users_path(filter: "blocked_pending_approval"), { item_active: active_when(params[:filter] == 'blocked_pending_approval'), class: 'filter-blocked-pending-approval gl-border-0!', data: { qa_selector: 'pending_approval_tab' } } do
= s_('AdminUsers|Pending approval')
= gl_tab_counter_badge(limited_counter_with_delimiter(User.blocked_pending_approval))
= gl_tab_link_to admin_users_path(filter: "deactivated"), { item_active: active_when(params[:filter] == 'deactivated'), class: 'gl-border-0!' } do
= s_('AdminUsers|Deactivated')
= gl_tab_counter_badge(limited_counter_with_delimiter(User.deactivated))
= gl_tab_link_to admin_users_path(filter: "wop"), { item_active: active_when(params[:filter] == 'wop'), class: 'gl-border-0!' } do
= s_('AdminUsers|Without projects')
= gl_tab_counter_badge(limited_counter_with_delimiter(User.without_projects))
.nav-controls
= render_if_exists 'admin/users/admin_email_users'
= render_if_exists 'admin/users/admin_export_user_permissions'

View file

@ -4,7 +4,7 @@ group: Dynamic Analysis
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---
# Sensitive cookie without `HttpOnly` attribute
# Sensitive cookie without HttpOnly attribute
## Description

View file

@ -38,7 +38,7 @@ the `Server` header.
## Links
- [cwe](https://cwe.mitre.org/data/definitions/16.html)
- [CWE](https://cwe.mitre.org/data/definitions/16.html)
- [Apache ServerTokens](https://blog.mozilla.org/security/2016/08/26/mitigating-mime-confusion-attacks-in-firefox/)
- [NGINX server_tokens](https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens)
- [IIS 10 Remove Server Header](https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/requestfiltering/#attributes)

View file

@ -32,4 +32,4 @@ information from the `X-Powered-By` header.
## Links
- [CWE](https://cwe.mitre.org/data/definitions/16.html)
- [PHP `expose_php`](https://www.php.net/manual/en/ini.core.php#ini.expose-php)
- [PHP expose_php](https://www.php.net/manual/en/ini.core.php#ini.expose-php)

View file

@ -0,0 +1,29 @@
---
stage: Secure
group: Dynamic Analysis
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---
# Exposure of sensitive information to an unauthorized actor (private IP address)
## Description
A private RFC 1918 was identified in the target application. Public facing websites should not be issuing
requests to private IP Addresses. Attackers attempting to execute subsequent attacks, such as Server-Side
Request Forgery (SSRF), may be able to use this information to identify additional internal targets.
## Remediation
Identify the resource that is incorrectly specifying an internal IP address and replace it with it's public
facing version, or remove the reference from the target application.
## Details
| ID | Aggregated | CWE | Type | Risk |
|:---|:--------|:--------|:--------|:--------|
| 200.1 | true | 200 | Passive | Low |
## Links
- [CWE](https://cwe.mitre.org/data/definitions/200.html)
- [RFC](https://datatracker.ietf.org/doc/html/rfc1918)

View file

@ -0,0 +1,45 @@
---
stage: Secure
group: Dynamic Analysis
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---
# Exposure of information through directory listing
## Description
The target web server is configured to list the contents of directories that do not contain an index file
such as `index.html`. This could lead to accidental exposure of sensitive information, or give an attacker
details on how filenames and directories are structured and stored.
## Remediation
Directory indexing should be disabled.
Apache:
For Apache based web sites, ensure all `<Directory>` definitions have `Options -Indexes` configured in the
`apache2.conf` or `httpd.conf` configuration file.
NGINX:
For NGINX based websites, ensure all `location` definitions have the `autoindex off` directive set in the
`nginx.conf` file.
IIS:
For IIS based websites version 7.0 and above you can use the `<directoryBrowse enabled="false" />` element
in the `applicationHost.config` or `Web.config` files.
For all other server types, please consult your product's documentation on how to disable directory
indexing.
## Details
| ID | Aggregated | CWE | Type | Risk |
|:---|:--------|:--------|:--------|:--------|
| 548.1 | false | 548 | Passive | Low |
## Links
- [CWE](https://cwe.mitre.org/data/definitions/598.html)
- [Apache Options](https://httpd.apache.org/docs/2.4/mod/core.html#options)
- [NGINX autoindex](https://nginx.org/en/docs/http/ngx_http_autoindex_module.html)
- [IIS directoryBrowse element](https://docs.microsoft.com/en-us/iis/configuration/system.webserver/directorybrowse)

View file

@ -4,7 +4,7 @@ group: Dynamic Analysis
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---
# Sensitive cookie without `Secure` attribute
# Sensitive cookie without Secure attribute
## Description
@ -35,6 +35,6 @@ Set-Cookie: {cookie_name}=<random secure value>; Secure
## Links
- [owasp](https://owasp.org/www-community/controls/SecureCookieAttribute)
- [OWASP](https://owasp.org/www-community/controls/SecureCookieAttribute)
- [CWE](https://cwe.mitre.org/data/definitions/614.html)
- [Mozilla MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies)

View file

@ -10,12 +10,14 @@ The [DAST browser-based crawler](../browser_based.md) provides a number of vulne
| ID | Check | Severity | Type |
|:---|:------|:---------|:-----|
| [1004.1](1004.1.md) | Sensitive cookie without `HttpOnly` attribute | Low | Passive |
| [1004.1](1004.1.md) | Sensitive cookie without HttpOnly attribute | Low | Passive |
| [16.1](16.1.md) | Missing Content-Type header | Low | Passive |
| [16.2](16.2.md) | Server header exposes version information | Low | Passive |
| [16.3](16.3.md) | X-Powered-By header exposes version information | Low | Passive |
| [16.4](16.4.md) | X-Backend-Server header exposes server information | Info | Passive |
| [16.5](16.5.md) | AspNet header exposes version information | Low | Passive |
| [16.6](16.6.md) | AspNetMvc header exposes version information | Low | Passive |
| [614.1](614.1.md) | Sensitive cookie without `Secure` attribute | Low | Passive |
| [200.1](200.1.md) | Exposure of sensitive information to an unauthorized actor (private IP address) | Low | Passive |
| [548.1](548.1.md) | Exposure of information through directory listing | Low | Passive |
| [614.1](614.1.md) | Sensitive cookie without Secure attribute | Low | Passive |
| [693.1](693.1.md) | Missing X-Content-Type-Options: nosniff | Low | Passive |