gitlab-exporter 11.19.0 → 12.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 386af9238448d41f015fd10a4ae29d4e6b42913078cb0d86cbb862909bc2b7e0
-  data.tar.gz: 98e064fe309955646d3879528743528646b1bb57122a5237660b7be772cac359
+  metadata.gz: ca354fcfa5a8bde34e45a37610546ed70135c1a9208e92f2986c1811ddf9bf26
+  data.tar.gz: fc584b756b3032c31d758271d603df84104821be727b4fce50b23f7cf5488185
 SHA512:
-  metadata.gz: 415c5e84efdc17ebd72e7bc870fba4bb0f0052992390737c8d6cc64e397185f92f4deb3ffd6809700ea308719ad00061cafd44bd7c30f224144b4a5eec0926df
-  data.tar.gz: 740a3e32681f861ad5503b7605f2de60cef9a99d8fa64b2530c0aa5599462dce67fddbb1b4312fbd316881915d207d762e1d88215cbdf7f20d7cc7d20aa56897
+  metadata.gz: 4f199b0d85a71d607023bb39e2d16d8aec6fff0506ea151b5358c1ce374d34e0ae91ad1eb70079da22ca8ba726b3f4d758517623a00bfa5bef8b72e97b5c2f2d
+  data.tar.gz: 76bcce5399be29898662aa0cb067d1285bf41c1a2286380b835924aeac0b8d3577b874ad943f080c6a93076715e1e32a7172d28e8c06e7b929766faf561cd7d6

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    gitlab-exporter (11.19.0)
+    gitlab-exporter (12.0.0)
       connection_pool (= 2.2.5)
       faraday (~> 1.8.0)
       pg (= 1.2.3)

data/lib/gitlab_exporter/database/row_count.rb

@@ -125,9 +125,10 @@ module GitLab
               archived: {}
             }
           },
-          groups: {
+          namespaces: {
             select: :namespaces,
             fields: {
+              type: {},
               visibility_level: {},
               root: { definition: "(parent_id IS NULL)" }
             }

data/lib/gitlab_exporter/rack_vulndb_255039_patch.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+if Gem.loaded_specs["rack"].version >= Gem::Version.new("3.0.0")
+  fail <<~ERR
+    This patch is unnecessary in Rack versions 3.0.0 or newer.
+    Please remove this file and the associated spec.
+
+    See https://github.com/rack/rack/blob/main/CHANGELOG.md#security (issue #1733)
+  ERR
+end
+
+# Patches a cache poisoning attack vector in Rack by not allowing semicolons
+# to delimit query parameters.
+# See https://github.com/rack/rack/issues/1732.
+#
+# Solution is taken from the same issue.
+#
+# The actual patch is due for release in Rack 3.0.0.
+module Rack
+  class Request # rubocop:disable Style/Documentation
+    Helpers.module_eval do
+      # rubocop: disable Naming/MethodName
+      def GET
+        if get_header(RACK_REQUEST_QUERY_STRING) == query_string
+          get_header(RACK_REQUEST_QUERY_HASH)
+        else
+          query_hash = parse_query(query_string, "&") # only allow ampersand here
+          set_header(RACK_REQUEST_QUERY_STRING, query_string)
+          set_header(RACK_REQUEST_QUERY_HASH, query_hash)
+        end
+      end
+      # rubocop: enable Naming/MethodName
+    end
+  end
+end

data/lib/gitlab_exporter/version.rb

@@ -1,5 +1,5 @@
 module GitLab
   module Exporter
-    VERSION = "11.19.0".freeze
+    VERSION = "12.0.0".freeze
   end
 end

data/lib/gitlab_exporter/web_exporter.rb

@@ -2,6 +2,7 @@ require "sinatra/base"
 require "English"
 require "cgi"
 
+require_relative "rack_vulndb_255039_patch"
 require_relative "tls_helper"
 
 module GitLab

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: gitlab-exporter
 version: !ruby/object:Gem::Version
-  version: 11.19.0
+  version: 12.0.0
 platform: ruby
 authors:
 - Pablo Carranza
@@ -202,6 +202,7 @@ files:
 - lib/gitlab_exporter/prober.rb
 - lib/gitlab_exporter/process.rb
 - lib/gitlab_exporter/prometheus.rb
+- lib/gitlab_exporter/rack_vulndb_255039_patch.rb
 - lib/gitlab_exporter/ruby.rb
 - lib/gitlab_exporter/sidekiq.rb
 - lib/gitlab_exporter/tls_helper.rb