From 0642bc906dc702ba23035e5d8c99f71d6efc65c2 Mon Sep 17 00:00:00 2001
From: Paul Slaughter <pslaughter@gitlab.com>
Date: Thu, 22 Aug 2024 03:08:19 -0500
Subject: [PATCH] Update @gitlab/web-ide package version

- Updates built-in GitLab Workflow Extension version
  from 5.4.0 to 5.10.0. See changes:
- https://gitlab.com/gitlab-org/gitlab-vscode-extension/-/compare/v5.4.0...v5.10.0?from_project_id=5261717&straight=false
- Also adds a message for the disabled marketplace for enterprise users

Changelog: changed
---
 package.json                                  |  2 +-
 ...ab+web-ide+0.0.1-dev-20240909013227.patch} |  2 +-
 spec/frontend/ide/web_ide_assets_spec.js      | 21 ++++++++++
 yarn.lock                                     | 39 ++++---------------
 4 files changed, 30 insertions(+), 34 deletions(-)
 rename patches/{@gitlab+web-ide+0.0.1-dev-20240816130114.patch => @gitlab+web-ide+0.0.1-dev-20240909013227.patch} (99%)

diff --git a/package.json b/package.json
index 7d741b4bc93cc..542a9a878f921 100644
--- a/package.json
+++ b/package.json
@@ -75,7 +75,7 @@
     "@gitlab/query-language": "^0.0.5-a-20240903",
     "@gitlab/svgs": "3.112.0",
     "@gitlab/ui": "91.1.2",
-    "@gitlab/web-ide": "^0.0.1-dev-20240816130114",
+    "@gitlab/web-ide": "^0.0.1-dev-20240909013227",
     "@mattiasbuelens/web-streams-adapter": "^0.1.0",
     "@rails/actioncable": "7.0.8-4",
     "@rails/ujs": "7.0.8-4",
diff --git a/patches/@gitlab+web-ide+0.0.1-dev-20240816130114.patch b/patches/@gitlab+web-ide+0.0.1-dev-20240909013227.patch
similarity index 99%
rename from patches/@gitlab+web-ide+0.0.1-dev-20240816130114.patch
rename to patches/@gitlab+web-ide+0.0.1-dev-20240909013227.patch
index 0b40e9ec7d401..815bfb36eebc2 100644
--- a/patches/@gitlab+web-ide+0.0.1-dev-20240816130114.patch
+++ b/patches/@gitlab+web-ide+0.0.1-dev-20240909013227.patch
@@ -2950,5 +2950,5 @@ index 6a16dd1..99b1df4 100644
 -	const parentOrigin = searchParams.get('parentOrigin') || window.origin;
 +	const parentOrigin = window.origin;
  	const salt = searchParams.get('salt');
-
+ 
  	(async function () {
diff --git a/spec/frontend/ide/web_ide_assets_spec.js b/spec/frontend/ide/web_ide_assets_spec.js
index d59b09f4cbc5f..692c7f9853c1c 100644
--- a/spec/frontend/ide/web_ide_assets_spec.js
+++ b/spec/frontend/ide/web_ide_assets_spec.js
@@ -25,6 +25,24 @@ describe('asset patching in @gitlab/web-ide', () => {
     });
     const htmlChildren = allChildren.filter((x) => x.endsWith('.html'));
 
+    /**
+     * ## What in the world is this test doing!?
+     *
+     * This test was introduced when we were fixing a [security vulnerability][1] related to GitLab self-hosting
+     * problematic `.html` files. These files could be exploited through an `iframe` on an `evil.com` and will
+     * assume the user's cookie authentication. Boom!
+     *
+     * ## How do I know if an `.html` file is vulnerable?
+     *
+     * - The `.html` file used the `postMessage` API and allowed any `origin` which enabled any external site to
+     *   open it in an `iframe` and communicate to it.
+     * - The `iframe` exposed some internal VSCode message bus that could allow arbitrary requests. So watch out for
+     *   `fetch`.
+     *
+     * [1]: https://gitlab.com/gitlab-org/security/gitlab-web-ide-vscode-fork/-/issues/1#note_1905417620
+     *
+     * ========== If expectation fails and you can't see the full comment... LOOK UP! ==============
+     */
     expect(htmlChildren).toEqual([
       // This is the only HTML file we expect and it's protected by the other test.
       'out/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html',
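Review bot: The new comment block explains how to recognise a risky `.html` file but stops short of saying what to do when the expectation fails, which is exactly when a reader lands here. A short closing section would help, stating that any newly shipped `.html` file must be reviewed for the two listed conditions and then either added to the list with a note recording that review or stripped from the package. The `[1]` link points into the `gitlab-org/security` namespace, which is presumably not readable by every contributor, so the comment should remain sufficient on its own. The enclosing `it(...)` block begins before this hunk and the `toEqual` list continues past it.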
@@ -33,6 +51,9 @@ describe('asset patching in @gitlab/web-ide', () => {
       'extensions/microsoft-authentication/media/index.html',
       'extensions/gitlab-vscode-extension/webviews/security_finding/index.html',
       'extensions/gitlab-vscode-extension/webviews/gitlab_duo_chat/index.html',
+      'extensions/gitlab-vscode-extension/assets/language-server/webviews/duo-workflow/index.html',
+      'extensions/gitlab-vscode-extension/assets/language-server/webviews/duo-chat/index.html',
+      'extensions/gitlab-vscode-extension/assets/language-server/webviews/chat/index.html',
       'extensions/github-authentication/media/index.html',
     ]);
   });
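Review bot: The three `assets/language-server/webviews/*/index.html` entries added to the expected list carry no record that each file was checked against the criteria this test exists to enforce (a `postMessage` handler that accepts any origin, or a message path that can reach `fetch`). Since `toEqual` only pins file names, extending the list is the only review gate for newly served HTML, and the commit message does not mention these assets at all. If that review was done, I would record it above the new entries, for example `// Added with GitLab Workflow Extension 5.10.0; reviewed for unrestricted postMessage origins and fetch access.`; if not, the bump should wait for it. The `expect(...)` call and its test start outside this hunk, so an earlier comment in the list may already cover extension webviews.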
diff --git a/yarn.lock b/yarn.lock
index 471bef114f229..b4401ebf43ec2 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -1378,10 +1378,10 @@
     vue-functional-data-merge "^3.1.0"
     vue-runtime-helpers "^1.1.2"
 
-"@gitlab/web-ide@^0.0.1-dev-20240816130114":
-  version "0.0.1-dev-20240816130114"
-  resolved "https://registry.yarnpkg.com/@gitlab/web-ide/-/web-ide-0.0.1-dev-20240816130114.tgz#25a88d945095ea10bab9fbed5de1daea205b0bf1"
-  integrity sha512-Uv3n+l3oS5ywBWxzXhriFvxYUYw4KBHxlQJEIN3w0gzEiFgV7sYwQmJjCjhukN0PNCIX0akHZYwMm+ow/vD9IA==
+"@gitlab/web-ide@^0.0.1-dev-20240909013227":
+  version "0.0.1-dev-20240909013227"
+  resolved "https://registry.yarnpkg.com/@gitlab/web-ide/-/web-ide-0.0.1-dev-20240909013227.tgz#6ba20cabe4b3dee8eacbb0e3aa4d71b49b30fecc"
+  integrity sha512-fWkkQ3Vm03NmDrJVmEO7nteRzXHj2J4GGfKifILpMeWjKp2X7nPjatHsbOWS8TqEVQUTrL5SB6yV+p6242fAtA==
 
 "@graphql-eslint/eslint-plugin@3.20.1":
   version "3.20.1"
@@ -13104,16 +13104,7 @@ string-length@^4.0.1:
     char-regex "^1.0.2"
     strip-ansi "^6.0.0"
 
-"string-width-cjs@npm:string-width@^4.2.0":
-  version "4.2.3"
-  resolved "https://registry.yarnpkg.com/string-width/-/string-width-4.2.3.tgz#269c7117d27b05ad2e536830a8ec895ef9c6d010"
-  integrity sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==
-  dependencies:
-    emoji-regex "^8.0.0"
-    is-fullwidth-code-point "^3.0.0"
-    strip-ansi "^6.0.1"
-
-"string-width@^1.0.2 || 2 || 3 || 4", string-width@^4.1.0, string-width@^4.2.0, string-width@^4.2.3:
+"string-width-cjs@npm:string-width@^4.2.0", "string-width@^1.0.2 || 2 || 3 || 4", string-width@^4.1.0, string-width@^4.2.0, string-width@^4.2.3:
   version "4.2.3"
   resolved "https://registry.yarnpkg.com/string-width/-/string-width-4.2.3.tgz#269c7117d27b05ad2e536830a8ec895ef9c6d010"
   integrity sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==
@@ -13166,7 +13157,7 @@ string_decoder@^1.0.0, string_decoder@^1.1.1, string_decoder@~1.1.1:
   dependencies:
     safe-buffer "~5.1.0"
 
-"strip-ansi-cjs@npm:strip-ansi@^6.0.1":
+"strip-ansi-cjs@npm:strip-ansi@^6.0.1", strip-ansi@^6.0.0, strip-ansi@^6.0.1:
   version "6.0.1"
   resolved "https://registry.yarnpkg.com/strip-ansi/-/strip-ansi-6.0.1.tgz#9e26c63d30f53443e9489495b2105d37b67a85d9"
   integrity sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==
@@ -13180,13 +13171,6 @@ strip-ansi@^5.2.0:
   dependencies:
     ansi-regex "^4.1.0"
 
-strip-ansi@^6.0.0, strip-ansi@^6.0.1:
-  version "6.0.1"
-  resolved "https://registry.yarnpkg.com/strip-ansi/-/strip-ansi-6.0.1.tgz#9e26c63d30f53443e9489495b2105d37b67a85d9"
-  integrity sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==
-  dependencies:
-    ansi-regex "^5.0.1"
-
 strip-ansi@^7.0.1, strip-ansi@^7.1.0:
   version "7.1.0"
   resolved "https://registry.yarnpkg.com/strip-ansi/-/strip-ansi-7.1.0.tgz#d5b6568ca689d8561370b0707685d22434faff45"
@@ -14878,7 +14862,7 @@ worker-loader@^3.0.8:
     loader-utils "^2.0.0"
     schema-utils "^3.0.0"
 
-"wrap-ansi-cjs@npm:wrap-ansi@^7.0.0":
+"wrap-ansi-cjs@npm:wrap-ansi@^7.0.0", wrap-ansi@^7.0.0:
   version "7.0.0"
   resolved "https://registry.yarnpkg.com/wrap-ansi/-/wrap-ansi-7.0.0.tgz#67e145cff510a6a6984bdf1152911d69d2eb9e43"
   integrity sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==
@@ -14896,15 +14880,6 @@ wrap-ansi@^6.2.0:
     string-width "^4.1.0"
     strip-ansi "^6.0.0"
 
-wrap-ansi@^7.0.0:
-  version "7.0.0"
-  resolved "https://registry.yarnpkg.com/wrap-ansi/-/wrap-ansi-7.0.0.tgz#67e145cff510a6a6984bdf1152911d69d2eb9e43"
-  integrity sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==
-  dependencies:
-    ansi-styles "^4.0.0"
-    string-width "^4.1.0"
-    strip-ansi "^6.0.0"
-
 wrap-ansi@^8.1.0:
   version "8.1.0"
   resolved "https://registry.yarnpkg.com/wrap-ansi/-/wrap-ansi-8.1.0.tgz#56dc22368ee570face1b49819975d9b9a5ead214"
-- 
GitLab