From 04b07c4949e2b21759e318267a0001e3c141672a Mon Sep 17 00:00:00 2001
From: Sasi Olin
Date: Tue, 4 Jan 2022 14:35:34 +0100
Subject: [PATCH 1/3] Add constraints to user requests endpoint
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes #10951: When I visit the Task page to look up my open tasks in our private instance, I get the followowing errors… See https://github.com/openSUSE/open-build-service/issues/10951 Cherry-picked from d0b9bb6f524e73ed0b657b294d5c3ba0a61d0da2
---
 src/api/config/routes.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/api/config/routes.rb b/src/api/config/routes.rb
index df6ec8218d..de51733dbb 100644
--- a/src/api/config/routes.rb
+++ b/src/api/config/routes.rb
@@ -435,7 +435,7 @@ OBSApi::Application.routes.draw do
 # in check_display_user before filter. Overwriting of the parameter is not
 # possible for nested resources atm.
 controller 'webui/users/bs_requests' do
- get 'users/(:user)/requests' => :index, as: 'user_requests'
+ get 'users/(:user)/requests' => :index, constraints: cons, as: 'user_requests'
 end
 controller 'webui/groups/bs_requests' do
-- GitLab
From de62ee6e70075cfc731b9fbdb26975522f7d34a2 Mon Sep 17 00:00:00 2001
From: Henne Vogelsang
Date: Wed, 6 Apr 2022 19:37:23 +0200
Subject: [PATCH 2/3] Add user_login to route constraints
Missing from #10951 Cherry-picked from 531160be9f3be444bf8ff63f0bebe3643b65788b
---
 src/api/config/routes.rb | 1 + 1 file changed, 1 insertion(+)
diff --git a/src/api/config/routes.rb b/src/api/config/routes.rb
index de51733dbb..d1b40af86d 100644
--- a/src/api/config/routes.rb
+++ b/src/api/config/routes.rb
@@ -40,6 +40,7 @@ OBSApi::Application.routes.draw do
 service: %r{\w[^\/]*},
 title: %r{[^\/]*},
 user: %r{[^\/]*},
+ user_login: %r{[^\/]*},
 repository_publish_build_id: %r{[^\/]*}
 }
-- GitLab
From d0319ab2526712c5c7d44e6dc7005dda062ac57b Mon Sep 17 00:00:00 2001
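Review bot: The added `constraints: cons` on the `users/(:user)/requests` route carries no explanation, and the comment just above it talks only about the `check_display_user` filter, so a reader has to find the `cons` hash hundreds of lines earlier to learn that `cons[:user]` is `%r{[^\/]*}` — a pattern that, unlike the Rails default segment matcher, lets a login containing a dot reach `:index` instead of being cut off as a format suffix. I would extend the existing comment with `# constraints: cons so that logins containing '.' still match :user (the default segment pattern stops at a dot)`. The `controller 'webui/groups/bs_requests'` block that opens on the last context line continues outside the hunk, so whether the group route needs the same treatment cannot be judged here.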
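Review bot: The new `user_login: %r{[^\/]*}` entry only has an effect on a route that both declares a `:user_login` segment and passes `constraints: cons`; no such route is visible in this hunk and the message says only "Missing from #10951", so it is not clear which endpoint the fix is for. I would name that route in the commit message or add a trailing comment on the new line, e.g. `user_login: %r{[^\/]*}, # same rule as :user — logins may contain '.'`. Note also that `[^\/]*` admits an empty match, unlike `service: %r{\w[^\/]*}` two lines above; if the `:user_login` segment is mandatory on its route, `%r{[^\/]+}` would state that more precisely — worth confirming against the route declaration. The hash this hunk edits (presumably the `cons` used by the first patch) opens before the hunk.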
From: Eduardo Navarro
Date: Mon, 14 Feb 2022 16:10:00 +0100
Subject: [PATCH 3/3] Fix Action Pack vulnerability CVE-2022-23633: Possible exposure of information vulnerability in Action Pack. Update Rails to 5.2.6.2 with `bundle update rails --strict --patch`. Cherry-picked from 65292f48a504918aac61d35934e35c8b3d5c5bb1
---
 src/api/Gemfile.lock | 94 ++++++++++++++++++++++---------------------- 1 file changed, 47 insertions(+), 47 deletions(-)
diff --git a/src/api/Gemfile.lock b/src/api/Gemfile.lock
index 4cc55f2e60..90e9c5b421 100644
--- a/src/api/Gemfile.lock
+++ b/src/api/Gemfile.lock
@@ -1,47 +1,47 @@
 GEM
 remote: https://rubygems.org/
 specs:
- actioncable (5.2.5)
- actionpack (= 5.2.5)
+ actioncable (5.2.6.2)
+ actionpack (= 5.2.6.2)
 nio4r (~> 2.0)
 websocket-driver (>= 0.6.1)
- actionmailer (5.2.5)
- actionpack (= 5.2.5)
- actionview (= 5.2.5)
- activejob (= 5.2.5)
+ actionmailer (5.2.6.2)
+ actionpack (= 5.2.6.2)
+ actionview (= 5.2.6.2)
+ activejob (= 5.2.6.2)
 mail (~> 2.5, >= 2.5.4)
 rails-dom-testing (~> 2.0)
- actionpack (5.2.5)
- actionview (= 5.2.5)
- activesupport (= 5.2.5)
+ actionpack (5.2.6.2)
+ actionview (= 5.2.6.2)
+ activesupport (= 5.2.6.2)
 rack (~> 2.0, >= 2.0.8)
 rack-test (>= 0.6.3)
 rails-dom-testing (~> 2.0)
 rails-html-sanitizer (~> 1.0, >= 1.0.2)
- actionview (5.2.5)
- activesupport (= 5.2.5)
+ actionview (5.2.6.2)
+ activesupport (= 5.2.6.2)
 builder (~> 3.1)
 erubi (~> 1.4)
 rails-dom-testing (~> 2.0)
 rails-html-sanitizer (~> 1.0, >= 1.0.3)
- activejob (5.2.5)
- activesupport (= 5.2.5)
+ activejob (5.2.6.2)
+ activesupport (= 5.2.6.2)
 globalid (>= 0.3.6)
- activemodel (5.2.5)
- activesupport (= 5.2.5)
+ activemodel (5.2.6.2)
+ activesupport (= 5.2.6.2)
 activemodel-serializers-xml (1.0.2)
 activemodel (> 5.x)
 activesupport (> 5.x)
 builder (~> 3.1)
- activerecord (5.2.5)
- activemodel (= 5.2.5)
- activesupport (= 5.2.5)
+ activerecord (5.2.6.2)
+ activemodel (= 5.2.6.2)
+ activesupport (= 5.2.6.2)
 arel (>= 9.0)
- activestorage (5.2.5)
- actionpack (= 5.2.5)
- activerecord (= 5.2.5)
+ activestorage (5.2.6.2)
+ actionpack (= 5.2.6.2)
+ activerecord (= 5.2.6.2)
 marcel (~> 1.0.0)
- activesupport (5.2.5)
+ activesupport (5.2.6.2)
 concurrent-ruby (~> 1.0, >= 1.0.2)
 i18n (>= 0.7, < 2)
 minitest (~> 5.1)
@@ -160,8 +160,8 @@ GEM
 jquery-rails
 font-awesome-sass (5.8.1)
 sassc (>= 1.11)
- globalid (0.4.2)
- activesupport (>= 4.2.0)
+ globalid (1.0.0)
+ activesupport (>= 5.0)
 gssapi (1.3.0)
 ffi (>= 1.0.1)
 haml (5.1.1)
@@ -185,7 +185,7 @@ GEM
 haml (>= 4.0, < 6)
 nokogiri (>= 1.6.0)
 ruby_parser (~> 3.5)
- i18n (1.8.10)
+ i18n (1.8.11)
 concurrent-ruby (~> 1.0)
 influxdb (0.7.0)
 innertube (1.1.0)
@@ -219,17 +219,17 @@ GEM
 activesupport (>= 4)
 railties (>= 4)
 request_store (~> 1.0)
- loofah (2.9.0)
+ loofah (2.9.1)
 crass (~> 1.0.2)
 nokogiri (>= 1.5.9)
 mail (2.7.1)
 mini_mime (>= 0.1.1)
- marcel (1.0.1)
+ marcel (1.0.2)
 metaclass (0.0.4)
 method_source (0.9.2)
 middleware (0.1.0)
- mini_mime (1.1.0)
- mini_portile2 (2.5.0)
+ mini_mime (1.1.2)
+ mini_portile2 (2.5.3)
 minitest (5.14.4)
 minitest-ci (3.4.0)
 minitest (>= 5.0.6)
@@ -246,8 +246,8 @@ GEM
 railties (>= 3.1)
 mousetrap-rails (1.4.6)
 mysql2 (0.5.2)
- nio4r (2.5.7)
- nokogiri (1.11.2)
+ nio4r (2.5.8)
+ nokogiri (1.11.7)
 mini_portile2 (~> 2.5.0)
 racc (~> 1.4)
 nokogumbo (2.0.1)
@@ -292,18 +292,18 @@ GEM
 rack (2.2.3)
 rack-test (1.1.0)
 rack (>= 1.0, < 3)
- rails (5.2.5)
- actioncable (= 5.2.5)
- actionmailer (= 5.2.5)
- actionpack (= 5.2.5)
- actionview (= 5.2.5)
- activejob (= 5.2.5)
- activemodel (= 5.2.5)
- activerecord (= 5.2.5)
- activestorage (= 5.2.5)
- activesupport (= 5.2.5)
+ rails (5.2.6.2)
+ actioncable (= 5.2.6.2)
+ actionmailer (= 5.2.6.2)
+ actionpack (= 5.2.6.2)
+ actionview (= 5.2.6.2)
+ activejob (= 5.2.6.2)
+ activemodel (= 5.2.6.2)
+ activerecord (= 5.2.6.2)
+ activestorage (= 5.2.6.2)
+ activesupport (= 5.2.6.2)
 bundler (>= 1.3.0)
- railties (= 5.2.5)
+ railties (= 5.2.6.2)
 sprockets-rails (>= 2.0.0)
 rails-controller-testing (1.0.4)
 actionpack (>= 5.0.1.x)
@@ -319,9 +319,9 @@ GEM
 activesupport (>= 3.1)
 rails_tokeninput (1.7.0)
 railties (>= 3.1.0)
- railties (5.2.5)
- actionpack (= 5.2.5)
- activesupport (= 5.2.5)
+ railties (5.2.6.2)
+ actionpack (= 5.2.6.2)
+ activesupport (= 5.2.6.2)
 method_source
 rake (>= 0.8.7)
 thor (>= 0.19.0, < 2.0)
@@ -462,7 +462,7 @@ GEM
 addressable (>= 2.3.6)
 crack (>= 0.3.2)
 hashdiff (>= 0.4.0, < 2.0.0)
- websocket-driver (0.7.3)
+ websocket-driver (0.7.5)
 websocket-extensions (>= 0.1.0)
 websocket-extensions (0.1.5)
 xmlhash (1.3.7)
@@ -576,4 +576,4 @@ DEPENDENCIES
 yajl-ruby
 BUNDLED WITH
- 1.17.1
+ 1.17.3
-- GitLab