Commit message | Author | Age | Files | Lines
* Merge branch '66803-fix-uploads-relative-link-filter' into 'master' [12-2-stable-patch-4] | Grzegorz Bizon | 2019-09-02 | 4 | -101/+44
    Fix permissions check in `RelativeLinkFilter`
    See merge request gitlab-org/gitlab-ce!32448
* Merge branch 'ashmckenzie/12-2-stable-patch-4-add-stub-config' into '12-2-stable-patch-4' | John Jarvis | 2019-09-02 | 1 | -0/+4
    Add StubConfiguration.stub_config method
    See merge request gitlab-org/gitlab-ce!32530
  * Add StubConfiguration.stub_config method | Ash McKenzie | 2019-09-02 | 1 | -0/+4
* Merge branch 'sh-mermaid-8.2.6' into 'master' | Filipa Lacerda | 2019-09-02 | 3 | -5/+10
    Update Mermaid to v8.2.6
    See merge request gitlab-org/gitlab-ce!32502
* Merge branch 'revert-79fa2cd9' into 'master' | Evan Read | 2019-08-30 | 1 | -5/+5
    Revert "Merge branch 'nik-api-snippets-fix' into 'master'"
    Closes #66673
    See merge request gitlab-org/gitlab-ce!32295
    (cherry picked from commit 98f2ab296a9b53b7e6fe467b50a9bcf9b75c6957)
    5e0378b3 Revert "Merge branch 'nik-api-snippets-fix' into 'master'"
* Merge branch 'sh-fix-snippet-visibility-api' into 'master' | Rémy Coutable | 2019-08-30 | 9 | -25/+108
    Fix snippets API not working with visibility level
    Closes #66050
    See merge request gitlab-org/gitlab-ce!32286
    (cherry picked from commit 1843502ff4d9841f9abf635ffb57d72068ec90c9)
    680f4377 Fix snippets API not working with visibility level
* Merge branch 'sh-fix-piwik-template' into 'master' | Ash McKenzie | 2019-08-30 | 3 | -2/+27
    Fix Piwik not working
    Closes #66627
    See merge request gitlab-org/gitlab-ce!32234
    (cherry picked from commit 0c639b2463a4d70bb275e4f139a88594e674a240)
    f6058981 Fix Piwik not working
* Merge branch 'sh-upgrade-mermaid-8.2.4' into 'master' | Filipa Lacerda | 2019-08-30 | 4 | -63/+12
    Upgrade Mermaid to v8.2.4
    See merge request gitlab-org/gitlab-ce!32186
    (cherry picked from commit f90759bbf31853e0e69db98588f2416cdef6e2f6)
    c2541b64 Upgrade Mermaid to v8.2.4
* Merge branch 'fix-migration-helper' into 'master' | Stan Hu | 2019-08-30 | 4 | -3/+148
    Add helpers to exactly undo cleanup_concurrent_column_rename
    See merge request gitlab-org/gitlab-ce!32183
    (cherry picked from commit fc08d48cf0a596dc151cb7bc7ab0f7d2721f3333)
    9b592a59 Add helper to exactly undo cleanup_concurrent_column_rename
    61777843 Add spec for undo_rename_column_concurrently
    d28ad870 Add spec for when default is false
* Merge branch 'patch-74' into 'master' | Mike Greiling | 2019-08-30 | 2 | -2/+2
    fix: remove double %
    See merge request gitlab-org/gitlab-ce!32178
    (cherry picked from commit bf2b4c526955829e8eb99fe8557563b2cb8f775f)
    22e2a601 fix: remove double % from layout width description
* Merge branch 'sh-fix-nplusone-issues' into 'master' | Mayra Cabrera | 2019-08-30 | 4 | -2/+15
    Fix N+1 Gitaly calls in /api/v4/projects/:id/issues
    See merge request gitlab-org/gitlab-ce!32171
    (cherry picked from commit bbd39021c39b66ecb954a7fb8276320556b65a3b)
    44063501 Fix N+1 Gitaly calls in /api/v4/projects/:id/issues
* Merge branch 'fe-fix-issuable-sidebar-icon-of-notification-disabled' into 'master' | Mike Greiling | 2019-08-30 | 3 | -3/+10
    Fix issuable sidebar icon of notification disabled
    See merge request gitlab-org/gitlab-ce!32134
    (cherry picked from commit a93612aa5fab7d70f0b6165856402ac53ab18faf)
    9ad0a8ad Fix issuable sidebar icon of notification disabled
* Merge branch '66066-dark-theme-style-for-expansion-on-mr-diffs' into 'master' | Mike Greiling | 2019-08-30 | 9 | -21/+42
    Match syntax highlighting theme for line expansion rows
    Closes #66066
    See merge request gitlab-org/gitlab-ce!31821
    (cherry picked from commit 1349a3d5b3b6d6bc151429a969b4cc78fd91c355)
    9013ab1f Add syntax highlighting for line expansion
* Update VERSION to 12.2.3 [v12.2.3, 12-2-stable-patch-2] | GitLab Release Tools Bot | 2019-08-28 | 1 | -1/+1
* Update CHANGELOG.md for 12.2.3 | GitLab Release Tools Bot | 2019-08-28 | 23 | -110/+28
    [ci skip]
* Merge branch '66641-broken-master-real-http-connections-are-disabled-unregistered-request' into 'master' | Jan Provaznik | 2019-08-28 | 3 | -16/+24
    Use `stub_full_request` to fix spec failure
    Closes #66641
    See merge request gitlab-org/gitlab-ce!32259
* Revert "Update CHANGELOG.md for 12.2.2" | John Jarvis | 2019-08-28 | 23 | -25/+111
    This reverts commit cec9310c4ad641a760daa0394b6a8945d134dbb8.
* Merge branch 'security-fix-something-went-wrong-on-when-not-logged-in-ce-12-2' into '12-2-stable' | GitLab Release Tools Bot | 2019-08-28 | 1 | -0/+2
    Return NO_ACCESS if user is nil
    See merge request gitlab/gitlabhq!3390
  * Return NO_ACCESS if user is nil | Patrick Derichs | 2019-08-28 | 1 | -0/+2
* Update VERSION to 12.2.2 [v12.2.2] | GitLab Release Tools Bot | 2019-08-27 | 1 | -1/+1
* Update CHANGELOG.md for 12.2.2 | GitLab Release Tools Bot | 2019-08-27 | 23 | -110/+28
    [ci skip]
* Merge branch 'security-exposed-default-branch-12-2' into '12-2-stable' | GitLab Release Tools Bot | 2019-08-26 | 4 | -2/+97
    Avoid exposing inaccessible repo data upon GFM post processing
    See merge request gitlab/gitlabhq!3382
  * Avoid exposing inaccessible repo data upon GFM processing | Oswaldo Ferreira | 2019-08-26 | 4 | -2/+97
    When post-processing relative links to absolute links, RelativeLinkFilter didn't take into consideration that internal repository data could be exposed for users that do not have repository access to the project.

    This commit solves that by checking whether the user can `download_code` at this repository, avoiding any processing of this filter if the user can't.

    Additionally, if we're processing for a group (no project was given), we check if the user can read it in order to expand the href as an extra. That doesn't seem necessarily a breach now, but an extra check doesn't hurt as after all the user needs to be able to `read_group`.
* Merge branch 'security-2853-prevent-comments-on-private-mrs-12-2' into '12-2-stable' | GitLab Release Tools Bot | 2019-08-26 | 6 | -75/+371
    Ensure only authorised users can create notes on merge requests and issues
    See merge request gitlab/gitlabhq!3324
  * Prevent unauthorised comments on merge requests | Alex Kalderimis | 2019-08-26 | 6 | -75/+371
    * Prevent creating notes on inaccessible MRs
      This applies the notes rules at the MR scope. Rather than adding extra rules to the Project level policy, preventing :create_note here is better since it only prevents creating notes on MRs.
    * Prevent creating notes in inaccessible Issues
      Without this policy, non-team-members are allowed to comment on issues even when the project has the private-issues policy set. This means that without this change, users are allowed to comment on issues that they cannot read.
    * Add CHANGELOG entry
* Merge branch 'security-hide_merge_request_ids_on_emails-12-2' into '12-2-stable' | GitLab Release Tools Bot | 2019-08-26 | 5 | -18/+89
    Prevent disclosure of merge request id via email
    See merge request gitlab/gitlabhq!3350
  * Prevent disclosure of merge request id via email | Felipe Artur | 2019-08-21 | 5 | -18/+89
    Do not disclose merge request id via email for unauthorized users when closing issues.
* Merge branch 'security-64711-fix-commit-todos-12-2' into '12-2-stable' | GitLab Release Tools Bot | 2019-08-26 | 3 | -20/+112
    Send TODOs for comments on commits correctly
    See merge request gitlab/gitlabhq!3365
  * Send TODOs for comments on commits correctly | Nick Thomas | 2019-08-23 | 3 | -20/+112
    At present, the TodoService uses the `:read_project` ability to decide whether a user can read a note on a commit. However, commits can have a visibility level that is more restricted than the project, so this is a security issue.

    This commit changes the code to use the `:read_commit` ability in this case instead, which ensures TODOs are only generated for commit notes if the users can see the commit.
* Merge branch 'security-12-2-stable-gitaly-1.59.2' into '12-2-stable' | GitLab Release Tools Bot | 2019-08-26 | 2 | -1/+6
    Gitaly: ignore git redirects
    See merge request gitlab/gitlabhq!3374
  * Use Gitaly 1.59.2 | Jacob Vosmaer | 2019-08-26 | 2 | -1/+6
* Merge branch 'security-project-import-bypass-12-2' into '12-2-stable' | GitLab Release Tools Bot | 2019-08-26 | 5 | -26/+244
    Project visibility restriction bypass
    See merge request gitlab/gitlabhq!3330
  * Fix project import restricted visibility bypass | George Koltsov | 2019-08-26 | 5 | -26/+244
    Add Gitlab::VisibilityLevelChecker that verifies selected project visibility level (or overridden param) is not restricted when creating or importing a project
* Merge branch 'security-ssrf-kubernetes-dns' into '12-2-stable' | GitLab Release Tools Bot | 2019-08-26 | 5 | -18/+269
    DNS Rebind SSRF in Kubernetes Integration
    See merge request gitlab/gitlabhq!3268
  * Column was renamed in 12.2 | Thong Kuah | 2019-08-21 | 2 | -2/+2
  * Override hostname when connecting via Kubeclient | Thong Kuah | 2019-08-21 | 5 | -18/+269
    Kubeclient uses rest-client. We hack into it to access the net/http object so that we can patch to connect to the resolved IP + set hostname_override.

    Add specs for Discord. The Discord integration also uses rest-client, so since we patched rest-client, spec that the DNS rebinding protection works
* Merge branch 'security-epic-notes-api-reveals-historical-info-ce-12-2' into '12-2-stable' | GitLab Release Tools Bot | 2019-08-26 | 7 | -7/+16
    Filter out old system notes for epics in notes api endpoint response
    See merge request gitlab/gitlabhq!3314
  * Filter out old system notes for epics | Patrick Derichs | 2019-08-19 | 7 | -7/+16
* Merge branch 'security-fix-html-injection-for-label-description-ce-12-2' into '12-2-stable' | GitLab Release Tools Bot | 2019-08-26 | 5 | -3/+29
    Fix HTML injection for label description
    See merge request gitlab/gitlabhq!3315
  * Fix html injection for label description | Patrick Derichs | 2019-08-19 | 5 | -3/+29
* Merge branch 'security-mr-head-pipeline-leak-12-2' into '12-2-stable' | GitLab Release Tools Bot | 2019-08-26 | 3 | -5/+39
    Permission fix for MergeRequestsController#pipeline_status
    See merge request gitlab/gitlabhq!3322
  * Permission fix for MergeRequestsController#pipeline_status | drew cimino | 2019-08-20 | 3 | -5/+39
    - Use set_pipeline_variables to filter for visible pipelines
    - Mimic response of nonexistent pipeline if not found
    - Provide set_pipeline_variables as a before_filter for other actions
* Merge branch 'security-61974-limit-issue-comment-size-12-2' into '12-2-stable' | GitLab Release Tools Bot | 2019-08-26 | 14 | -19/+78
    Limit the size of issuable description and comments
    See merge request gitlab/gitlabhq!3323
  * Limit the size of issuable description and comments | Alexandru Croitor | 2019-08-22 | 14 | -19/+78
    Limiting the size of issuable description and comments to 1_000_000, which is close to ~1MB of ASCII characters, which represents 99.9% of all descriptions and comments we have in DB at the moment. This should help prevent DoS attacks when comments contain reference strings.

    Also this change updates regexp matching the namespaces paths by limiting the namespaces paths to Namespace::NUMBER_OF_ANCESTORS_ALLOWED, as we allow 20 levels deep groups.

    see https://gitlab.com/gitlab-org/gitlab-ce/issues/61974#note_191274234
* Merge branch 'security-id-filter-timeline-activities-for-guests-12-2' into '12-2-stable' | GitLab Release Tools Bot | 2019-08-26 | 2 | -1/+6
    Add merge note type as cross reference
    See merge request gitlab/gitlabhq!3328
  * Add merge note type as cross reference | Igor Drozdov | 2019-08-21 | 2 | -1/+6
* Merge branch 'security-12-2-enable-image-proxy' into '12-2-stable' | GitLab Release Tools Bot | 2019-08-26 | 34 | -19/+594
    Use image proxy to mitigate stealing ip addresses
    See merge request gitlab/gitlabhq!3333
  * Fix failing spec due to changes UpdateService | Brett Walker | 2019-08-20 | 1 | -1/+1
    for ApplicationSettings
  * Add support for using a Camo proxy server | Brett Walker | 2019-08-20 | 33 | -18/+593
    User images and videos will get proxied through the Camo server in order to keep malicious sites from collecting the IP address of users.
* Merge branch 'security-fix_jira_ssrf_vulnerability-12-2' into '12-2-stable' | GitLab Release Tools Bot | 2019-08-26 | 4 | -1/+82
    Fix DNS rebind vulnerability for JIRA integration
    See merge request gitlab/gitlabhq!3338