Commit message | Author | Age | Files | Lines
* Update VERSION to 12.2.12 (v12.2.12, 12-2-stable) | GitLab Release Tools Bot | 2019-12-13 | 1 | -1/+1
* Update CHANGELOG.md for 12.2.12 | GitLab Release Tools Bot | 2019-12-13 | 1 | -0/+4
      [ci skip]
* Merge branch 'backport-21510-12-2' into '12-2-stable' | John Skarbek | 2019-12-13 | 1 | -1/+1
      Install lsb-release for repo URL construction
      See merge request gitlab/gitlabhq!3592
  * Install lsb-release for repo URL construction | Kyle Wiebers | 2019-12-13 | 1 | -1/+1
* Adds message to indicate we are skipping release 12.2.11 | John T Skarbek | 2019-12-13 | 1 | -0/+4
* Revert "Update CHANGELOG.md for 12.2.11" | John T Skarbek | 2019-12-13 | 1 | -4/+0
      This reverts commit e29a2ba5402c20341af02399b1631405e137f344.
* Revert "Update VERSION to 12.2.11" | John T Skarbek | 2019-12-13 | 1 | -1/+1
      This reverts commit dda1b34cd24fb1b53521dc4949bb4146ac7c6f18.
* Update VERSION to 12.2.11 (v12.2.11) | GitLab Release Tools Bot | 2019-12-12 | 1 | -1/+1
* Update CHANGELOG.md for 12.2.11 | GitLab Release Tools Bot | 2019-12-12 | 1 | -0/+4
      [ci skip]
* Adds message to indicate we are skipping release 12.2.10 | John T Skarbek | 2019-12-12 | 1 | -0/+4
* Revert "Update VERSION to 12.2.10" | John T Skarbek | 2019-12-12 | 1 | -1/+1
      This reverts commit 426287d282d2f9bb5af1dd5d68cec48f2cdc8823.
* Revert "Update CHANGELOG.md for 12.2.10" | John T Skarbek | 2019-12-12 | 1 | -4/+0
      This reverts commit fb3833cda0e13644bddac51fe36aa59860dc6290.
* Update VERSION to 12.2.10 (v12.2.10) | GitLab Release Tools Bot | 2019-12-11 | 1 | -1/+1
* Update CHANGELOG.md for 12.2.10 | GitLab Release Tools Bot | 2019-12-11 | 1 | -0/+4
      [ci skip]
* Merge branch '12-2-stable-reliable-fetcher' into '12-2-stable' | John Skarbek | 2019-12-10 | 12 | -46/+47
      Backport reliable fetcher to 12.2
      See merge request gitlab/gitlabhq!3585
  * Fix spec, backporting | Valery Sizov | 2019-12-09 | 10 | -43/+44
        backport https://gitlab.com/gitlab-org/gitlab/commit/2be136b6cdf59f4664d9fbbe91e16498a47ba227
        see https://gitlab.com/gitlab-org/gitlab/commit/3baeb0c7fd6829b8c083a43370163d16f7700263
        see https://gitlab.com/gitlab-org/gitlab/merge_requests/21161
  * Backport reliable fetcher | Valery Sizov | 2019-12-09 | 2 | -3/+3
* Merge remote-tracking branch 'dev/12-2-stable' into 12-2-stable | GitLab Release Tools Bot | 2019-10-30 | 83 | -167/+1382
  * Update VERSION to 12.2.9 (v12.2.9) | GitLab Release Tools Bot | 2019-10-28 | 1 | -1/+1
  * Update CHANGELOG.md for 12.2.9 | GitLab Release Tools Bot | 2019-10-28 | 15 | -68/+20
        [ci skip]
  * Merge branch 'security-id-fix-disclosure-of-private-repo-names-12-2' into '12-2-stable' | GitLab Release Tools Bot | 2019-10-25 | 3 | -1/+48
        Return 404 on LFS request if project doesn't exist
        See merge request gitlab/gitlabhq!3508
    * Return 404 on LFS request if project doesn't exist | Igor Drozdov | 2019-10-25 | 3 | -1/+48
  * Merge branch 'security-bvl-validate-force-remove-branch-on-mrs-12-2-ce' into '12-2-stable' | GitLab Release Tools Bot | 2019-10-24 | 14 | -15/+191
        Only assign merge params when allowed
        See merge request gitlab/gitlabhq!3460
    * Only assign merge params when allowed | Bob Van Landuyt | 2019-10-24 | 14 | -15/+191
          When a user updates a merge request coming from a fork, they should not be able to set
          `force_remove_source_branch` if they cannot push code to the source project.
          Otherwise developers of the target project could remove the source branch of the source
          project by setting this flag through the API.
  * Merge branch 'security-64519-circular-graphql-queries-12-2' into '12-2-stable' | GitLab Release Tools Bot | 2019-10-24 | 8 | -12/+254
        Nested GraphQL query with circular relationship can cause Denial of Service
        See merge request gitlab/gitlabhq!3385
    * Tweak test to insulate against magic number changes | charlieablett | 2019-10-23 | 1 | -0/+1
    * Allow tests to ignore recursion | charlieablett | 2019-10-08 | 2 | -1/+10
    * Check for recursion and fail if too recursive | charlieablett | 2019-10-08 | 8 | -12/+244
          - List all overly-recursive fields
          - Reduce recursion threshold to 2
          - Add test for not-recursive-enough query
          - Use reusable methods in tests
          - Add changelog
          - Set changeable acceptable recursion level
          - Add error check test helpers
  * Merge branch 'security-65756-ex-admin-attacker-can-comment-in-internal-12-2' into '12-2-stable' | GitLab Release Tools Bot | 2019-10-24 | 3 | -12/+42
        Improper access control allows the attacker to comment in internal commit after they are no longer admin
        See merge request gitlab/gitlabhq!3392
    * Improper access control allows the attacker to comment in internal commit after they are no longer admin | Charlie Ablett | 2019-10-24 | 3 | -12/+42
  * Merge branch 'security-2914-labels-visible-despite-no-access-to-issues-repositories-12-2' into '12-2-stable' | GitLab Release Tools Bot | 2019-10-24 | 6 | -8/+101
        Labels visible despite no access to issues & repositories
        See merge request gitlab/gitlabhq!3431
    * Backport for CE MR | Eugenia Grieff | 2019-10-22 | 6 | -8/+101
          https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/3409
  * Merge branch 'security-2920-fix-notes-with-label-cross-reference-12-2' into '12-2-stable' | GitLab Release Tools Bot | 2019-10-24 | 4 | -1/+66
        Project path reveals labels from Private project if the issue is moved to public project
        See merge request gitlab/gitlabhq!3445
    * 12.2 Backport for CE MR | Eugenia Grieff | 2019-10-01 | 4 | -1/+66
          https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/3419
  * Merge branch 'security-ag-hide-private-members-in-project-member-autocomplete-12-2' into '12-2-stable' | GitLab Release Tools Bot | 2019-10-24 | 6 | -18/+186
        Hide private members in project member autocomplete
        See merge request gitlab/gitlabhq!3448
    * Pick only those groups that the viewing user has access to, | Aakriti Gupta | 2019-10-02 | 6 | -18/+186
          in a project members' list.
          Add tests for possible scenarios
          Re-factor and remove N + 1 queries
          Remove author from changelog
          Don't use memoisation when not needed
          Include users part of parents of project's group
          Re-factor tests
          Create and add users according to roles
          Re-use group created earlier
          Add incomplete test for ancestral groups
          Rename method to clarify category of groups
          Skip pending test, remove comments not needed
          Remove extra line
          Include ancestors from invited groups as well
          Add specs for participants service
          Add more specs
          Add more specs
          use instead of
          Use public group owner instead of project maintainer to test owner access
          Remove tests that have now been moved into participants_service_spec
          Use :context instead of :all
          Create nested group instead of creating an ancestor separately
          Add comment explaining doubt on the failing spec
          Improve test setup
          Optimize sql queries
          Refactor specs file
          Add rubocop disablement
          Add special case for project owners
          Add small refactor
          Add explanation to the docs
          Fix wording
          Refactor group check
          Add small changes in specs
          Add cr remarks
          Add cr remarks
          Add specs
          Add small refactor
          Add code review remarks
          Refactor for better database usage
          Fix failing spec
          Remove rubocop offences
          Add cr remarks
  * Merge branch 'security-remove-leaky-401-responses-12.2' into '12-2-stable' | GitLab Release Tools Bot | 2019-10-24 | 12 | -22/+40
        Private/internal repository enumeration via bruteforce on a vulnerable URL
        See merge request gitlab/gitlabhq!3456
    * Avoid #authenticate_user! in #route_not_found | Kerri Miller | 2019-10-09 | 12 | -22/+40
          This method, #route_not_found, is executed as the final fallback for unrecognized routes
          (as the name might imply.) We want to avoid `#authenticate_user!` when calling
          `#route_not_found`; `#authenticate_user!` can, depending on the request format, return
          a 401 instead of redirecting to a login page. This opens a subtle security exploit where
          anonymous users will receive a 401 response when attempting to access a private repo,
          while a recognized user will receive a 404, exposing the existence of the private,
          hidden repo.
  * Merge branch 'security-mask-sentry-token-12-2-ce' into '12-2-stable' | GitLab Release Tools Bot | 2019-10-24 | 6 | -4/+51
        Mask sentry auth token
        See merge request gitlab/gitlabhq!3464
    * Mask Sentry auth token | Ryan Cobb | 2019-10-16 | 6 | -4/+51
          This makes it so we mask Sentry's auth token. This mask only occurs in the UI.
  * Merge branch 'security-stored-xss-using-find-file-12-2' into '12-2-stable' | GitLab Release Tools Bot | 2019-10-24 | 2 | -1/+7
        Sanitize search text to prevent XSS
        See merge request gitlab/gitlabhq!3470
    * Sanitize search text to prevent XSS | Samantha Ming | 2019-10-10 | 2 | -1/+7
  * Merge branch 'security-developer-transfer-project-12-2' into '12-2-stable' | GitLab Release Tools Bot | 2019-10-24 | 8 | -2/+128
        Require Maintainer permission on group where project is transferred to
        See merge request gitlab/gitlabhq!3473
    * Require maintainer permission to transfer projects | manojmj | 2019-10-11 | 8 | -2/+128
  * Merge branch 'security-open-redirect-internalredirect-12-2' into '12-2-stable' | GitLab Release Tools Bot | 2019-10-24 | 3 | -2/+8
        Use the '\A' and '\z' regex anchors in `InternalRedirect` to mitigate an Open Redirect issue.
        See merge request gitlab/gitlabhq!3476
    * Add changelog entry | Joern Schneeweisz | 2019-10-14 | 1 | -0/+5
    * Use the '\A' and '\z' regex anchors in `InternalRedirect` to mitigate an Open Redirect issue. | Joern Schneeweisz | 2019-10-14 | 2 | -2/+3
          Fixes https://dev.gitlab.org/gitlab/gitlabhq/issues/2934
          and https://gitlab.com/gitlab-org/gitlab/issues/33569
  * Merge branch 'security-wiki-rdoc-content-12-2-ce' into '12-2-stable' | GitLab Release Tools Bot | 2019-10-24 | 6 | -44/+74
        Pass all wiki markup formats through our Banzai pipeline filters
        See merge request gitlab/gitlabhq!3479
    * Pass all wiki markup formats through pipelines | Luke Duncalfe | 2019-10-17 | 6 | -44/+74
          Previously, when the wiki page format was anything other than `markdown` or `asciidoc`
          the formatted content would be returned through a Gitaly call. Gitaly in turn would
          delegate formatting to the gitlab-gollum-lib gem, which in turn would delegate that to
          various gems (like RDoc for `rdoc`) and then apply some very liberal sanitization.
          It was too liberal!
          This change brings our wiki content formatting in line with how we format other
          markdown at GitLab, so we have a SSOT for sanitization.
          https://gitlab.com/gitlab-org/gitlab/issues/30540
  * Merge branch 'security-xss-grafana-url-12-2' into '12-2-stable' | GitLab Release Tools Bot | 2019-10-24 | 8 | -15/+189
        Handle Stored XSS for Grafana URL in settings
        See merge request gitlab/gitlabhq!3481