Commit log for 8-13-stable (commit message | author | date | files changed | lines removed/added)
* Merge branch 'backport-7967-and-8189-to-8-13-stable' into '8-13-stable' (branch 8-13-stable)
  Rémy Coutable | 2017-02-08 | 12 files | -13/+161

    Backport !7967 and !8189 to `8-13-stable`

    See merge request !8991

  * Update gitlab-shell to 3.6.7 (branch backport-7967-and-8189-to-8-13-stable)
    Rémy Coutable | 2017-02-06 | 3 files | -3/+7

      Signed-off-by: Rémy Coutable <remy@rymai.me>

  * Reject blank environment variables in Gitlab::Git::RevList
    Rémy Coutable | 2017-02-06 | 2 files | -2/+9

      Signed-off-by: Rémy Coutable <remy@rymai.me>

  * [8.13 Backport] Merge branch '25301-git-2.11-force-push-bug' into 'master'
    Douglas Barbosa Alexandre | 2017-02-06 | 9 files | -10/+147

      Accept environment variables from the `pre-receive` script

      1. Starting version 2.11, git changed the way the pre-receive flow works.
         - Previously, the new potential objects would be added to the main repo. If the pre-receive passes, the new objects stay in the repo but are linked up. If the pre-receive fails, the new objects stay orphaned in the repo, and are cleaned up during the next `git gc`.
         - In 2.11, the new potential objects are added to a temporary "alternate object directory", that git creates for this purpose. If the pre-receive passes, the objects from the alternate object directory are migrated to the main repo. If the pre-receive fails the alternate object directory is simply deleted.
      2. In our workflow, the pre-receive script (in `gitlab-shell`) calls the `/allowed` endpoint, which calls out directly to git to perform various checks. These direct calls to git do _not_ have the necessary environment variables set which allow access to the "alternate object directory" (explained above). Therefore these calls to git are not able to access any of the new potential objects to be added during this push.
      3. We fix this by accepting the relevant environment variables (`GIT_ALTERNATE_OBJECT_DIRECTORIES`, `GIT_OBJECT_DIRECTORY`, and `GIT_QUARANTINE_PATH`) on the `/allowed` endpoint, and then include these environment variables while calling out to git.
      4. This commit includes these environment variables while making the "force push" check.

      See https://gitlab.com/gitlab-org/gitlab-shell/merge_requests/120

      Signed-off-by: Rémy Coutable <remy@rymai.me>
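The flow described by the two commits above (rejecting blank environment variables before they reach `git rev-list`, and passing the git 2.11 quarantine variables through to the force-push check), as an added example that is not GitLab's or gitlab-shell's own code. It assumes hypothetical helper names `sanitize_git_env`, `force_push?` and `quarantine_demo`, and a local `git` binary; the quarantine is simulated by writing objects with `GIT_OBJECT_DIRECTORY` pointed at a scratch directory rather than by running `receive-pack`, and the sample parameters (including a junk `GIT_SSH` value) are constructed for the demo.

```ruby
require 'open3'
require 'tmpdir'

# Variables git 2.11's receive-pack exports to pre-receive hooks so child git
# processes can see the quarantined objects of the push in progress.
GIT_QUARANTINE_VARS = %w[
  GIT_ALTERNATE_OBJECT_DIRECTORIES
  GIT_OBJECT_DIRECTORY
  GIT_QUARANTINE_PATH
].freeze

# Hypothetical helper: keep only the known keys and drop blank values, so a
# request parameter can never inject arbitrary GIT_* settings (GIT_SSH,
# GIT_CONFIG, ...) into a git child process.
def sanitize_git_env(params)
  params.each_with_object({}) do |(key, value), env|
    name = key.to_s
    next unless GIT_QUARANTINE_VARS.include?(name)
    next if value.nil? || value.to_s.strip.empty?
    env[name] = value.to_s
  end
end

# Run git with an explicit env hash and argv (no shell). Returns [stdout, ok].
def git(env, *args)
  out, _err, status = Open3.capture3(env, 'git', *args)
  [out, status.success?]
end

# A push is a force push when old_rev is not an ancestor of new_rev, i.e. when
# `git rev-list --max-count=1 old_rev ^new_rev` prints a commit. Returns nil when
# git cannot resolve the revisions (e.g. quarantine env missing); callers must
# treat nil as "reject the push", never as "not a force push".
def force_push?(work_dir, env, old_rev, new_rev)
  out, ok = git(env, '-C', work_dir, 'rev-list', '--max-count=1', old_rev, "^#{new_rev}")
  return nil unless ok
  !out.strip.empty?
end

IDENT = %w[-c user.name=Example -c user.email=example@example.com].freeze

# Simulate the 2.11 flow: new commits land in a separate object directory that
# the main repository cannot see until GIT_ALTERNATE_OBJECT_DIRECTORIES names it.
def quarantine_demo
  Dir.mktmpdir do |dir|
    work = File.join(dir, 'repo')
    quarantine = File.join(dir, 'quarantine')
    Dir.mkdir(quarantine)

    git({}, 'init', '-q', work)
    File.write(File.join(work, 'README'), "v1\n")
    git({}, '-C', work, 'add', 'README')
    git({}, *IDENT, '-C', work, 'commit', '-q', '-m', 'c1')
    old_rev = git({}, '-C', work, 'rev-parse', 'HEAD').first.strip

    # Objects written under this env go to the quarantine, as during a push.
    writer_env = {
      'GIT_OBJECT_DIRECTORY' => quarantine,
      'GIT_ALTERNATE_OBJECT_DIRECTORIES' => File.join(work, '.git', 'objects')
    }
    File.write(File.join(work, 'README'), "v2\n")
    git(writer_env, '-C', work, 'add', 'README')
    tree = git(writer_env, '-C', work, 'write-tree').first.strip
    fast_forward = git(writer_env, *IDENT, '-C', work, 'commit-tree', tree, '-p', old_rev, '-m', 'c2').first.strip
    rewritten = git(writer_env, *IDENT, '-C', work, 'commit-tree', tree, '-m', 'root').first.strip

    # Constructed request parameters as a hook might send them, junk included.
    params = {
      'GIT_ALTERNATE_OBJECT_DIRECTORIES' => quarantine,
      'GIT_QUARANTINE_PATH' => '',
      'GIT_SSH' => '/tmp/not-allowed'
    }
    hook_env = sanitize_git_env(params)

    {
      without_env: force_push?(work, {}, old_rev, fast_forward),       # nil: objects invisible
      fast_forward: force_push?(work, hook_env, old_rev, fast_forward), # false
      rewritten: force_push?(work, hook_env, old_rev, rewritten)        # true
    }
  end
end

if __FILE__ == $PROGRAM_NAME && system('git', '--version', out: File::NULL, err: File::NULL)
  puts quarantine_demo.inspect
end
```

Two design points matter here: the env is a whitelist rather than a pass-through of whatever the hook sent (anything else in `GIT_*` can change which binary, config or SSH command a child git runs), and a `rev-list` that cannot resolve the new objects is reported as nil rather than false so the caller fails closed instead of waving a force push through.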
* Update VERSION to 8.13.12 (tag v8.13.12)
  Robert Speicher | 2017-01-21 | 1 file | -1/+1

* Update CHANGELOG.md for 8.13.12
  Robert Speicher | 2017-01-21 | 6 files | -20/+8

    [ci skip]

* Remove unnecessary `full_path_was` method
  Robert Speicher | 2017-01-20 | 1 file | -9/+1

    The `parent` namespace concept didn't exist until 8.15, so this was causing a `NoMethodError`.

* Add a changelog entry for #26242
  Robert Speicher | 2017-01-20 | 1 file | -0/+4
* Merge branch 'upgrade-omniauth' into 'security'
  Robert Speicher | 2017-01-20 | 3 files | -3/+7

    Upgrade OmniAuth Ruby gem to 1.3.2

    Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/26813

    See merge request !2056

* Merge branch 'fix-guest-access-posting-to-notes' into 'security'
  Robert Speicher | 2017-01-20 | 3 files | -10/+32

    Prevent users from creating notes on resources they can't access

    See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2054

* Merge branch 'fix-api-mr-permissions' into 'security'
  Robert Speicher | 2017-01-20 | 8 files | -29/+65

    Ensure that only privileged users can access merge requests in the API

    See merge request !2053

* Merge branch 'fix/rename-group-export-vuln' into 'security'
  Robert Speicher | 2017-01-20 | 3 files | -2/+91

    Fix export files not removed when a user takes over a namespace

    See merge request !2051

* Merge branch 'fix-users-deleting-public-deployment-keys' into 'security'
  Robert Speicher | 2017-01-20 | 2 files | -3/+11

    Fix users being able to delete instance public deployment keys

    See merge request !2049
* Merge commit 'dev/8-13-stable' into 8-13-stable
  Ruben Davila | 2017-01-10 | 5 files | -14/+63

  * Update VERSION to 8.13.11 (tag v8.13.11)
    Douglas Barbosa Alexandre | 2017-01-10 | 1 file | -1/+1

  * Update CHANGELOG.md for 8.13.11
    Douglas Barbosa Alexandre | 2017-01-10 | 3 files | -8/+5

      [ci skip]

  * Merge branch 'patch-turbolinks' into 'security'
    Robert Speicher | 2017-01-09 | 4 files | -9/+57

      Updated Turbolinks to patched version of turbolinks-classic

      See merge request !2048

  * Merge branch 'update-gitlab-markup-gem' into 'master'
    Douglas Barbosa Alexandre | 2017-01-09 | 3 files | -4/+8

      Update the gitlab-markup gem to the version `1.5.1`

      See merge request !8509
* Update VERSION to 8.13.10 (tag v8.13.10)
  Alejandro Rodríguez | 2016-12-14 | 1 file | -1/+1

* Update CHANGELOG.md for 8.13.10
  Alejandro Rodríguez | 2016-12-14 | 5 files | -16/+7

    [ci skip]

* Fix spec
  Rémy Coutable | 2016-12-14 | 1 file | -2/+0

    Signed-off-by: Rémy Coutable <remy@rymai.me>

* Add missing CHANGELOG
  Rémy Coutable | 2016-12-14 | 1 file | -0/+4

    Signed-off-by: Rémy Coutable <remy@rymai.me>

* Filter `authentication_token` parameter
  Rémy Coutable | 2016-12-14 | 1 file | -0/+1

    Signed-off-by: Rémy Coutable <remy@rymai.me>

* Fix specs
  Rémy Coutable | 2016-12-14 | 2 files | -75/+1

    Signed-off-by: Rémy Coutable <remy@rymai.me>
* Merge branch 'rs-filter-params' into 'security'
  Rémy Coutable | 2016-12-14 | 1 file | -1/+3

    Filter `incoming_email_token` and `runners_token` parameters

    Closes https://dev.gitlab.org/gitlab/gitlabhq/issues/2676

    See merge request !2045

    Signed-off-by: Rémy Coutable <remy@rymai.me>

* Merge branch 'jej-24637-move-issue-visible_to_user-to-finder' into 'security'
  Sean McGivern | 2016-12-14 | 9 files | -95/+90

    Issue#visible_to_user moved to IssuesFinder

    Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/24637.

    See merge request !2039

    Signed-off-by: Rémy Coutable <remy@rymai.me>

* Merge branch 'jej-note-search-uses-finder' into 'security'
  Douwe Maan | 2016-12-14 | 16 files | -121/+387

    Fix missing Note access checks by moving Note#search to updated NoteFinder

    See merge request !2035

    Signed-off-by: Rémy Coutable <remy@rymai.me>

* Merge branch '25482-fix-api-sudo' into 'master'
  Sean McGivern | 2016-12-14 | 7 files | -108/+223

    API: Memoize the current_user so that the sudo can work properly

    Closes #25482

    See merge request !8017

    Signed-off-by: Rémy Coutable <remy@rymai.me>
* Update VERSION to 8.13.9 (tag v8.13.9)
  Alejandro Rodríguez | 2016-12-08 | 1 file | -1/+1

* Update CHANGELOG.md for 8.13.9
  Alejandro Rodríguez | 2016-12-08 | 3 files | -9/+5

    [ci skip]

* Merge branch '24537-reenable-private-token-with-sudo' into 'master'
  Douwe Maan | 2016-12-08 | 10 files | -95/+386

    Reenables the API /users to return `private-token` when sudo is either a parameter or passed as a header and the user is admin.

    Closes #24537

    See merge request !7615

    Signed-off-by: Rémy Coutable <remy@rymai.me>

* Merge branch 'fix-migrations' into 'master'
  Sean McGivern | 2016-12-08 | 22 files | -3/+47

    Make the `downtime_check` task happy

    See merge request !7845

    Signed-off-by: Rémy Coutable <remy@rymai.me>

* Merge branch 'jej-23867-use-mr-finder-instead-of-access-check' into 'security'
  Douwe Maan | 2016-12-07 | 22 files | -60/+104

    Replace MR access checks with use of MergeRequestsFinder

    Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867

    ## Which fixes are in this MR?

    :warning: - Potentially untested
    :bomb: - No test coverage
    :traffic_light: - Test coverage of some sort exists (a test failed when error raised)
    :vertical_traffic_light: - Test coverage of return value (a test failed when nil used)
    :white_check_mark: - Permissions check tested

    ### MR lookup from project

    - [x] :bomb: app/finders/notes_finder.rb:17
    - [x] :warning: app/views/layouts/nav/_project.html.haml:80 [`.count`]
    - [x] :bomb: app/controllers/concerns/creates_commit.rb:84
    - [x] :traffic_light: app/controllers/projects/commits_controller.rb:24
    - [x] :traffic_light: app/controllers/projects/compare_controller.rb:56
    - [x] :vertical_traffic_light: app/controllers/projects/discussions_controller.rb:29
    - [x] :white_check_mark: app/controllers/projects/todos_controller.rb:27
    - [x] :vertical_traffic_light: app/models/commit.rb:268
    - [x] :white_check_mark: lib/gitlab/search_results.rb:71

    ### Previous discussions

    - [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_267_266 Memoize `merged_merge_request(current_user)`
    - [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_248_247 Expected side effect for `merged_merge_request!`, consider `skip_authorization: true`.
    - [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_269_269 Scary use of unchecked `merged_merge_request?`

    See merge request !2033
* Update VERSION to 8.13.8 (tag v8.13.8)
  Alejandro Rodríguez | 2016-12-02 | 1 file | -1/+1

* Update CHANGELOG.md for 8.13.8
  Alejandro Rodríguez | 2016-12-02 | 3 files | -8/+5

    [ci skip]

* Merge branch '24813-project-members-with-developer-access-can-no-longer-create-tags' into 'master'
  Sean McGivern | 2016-12-02 | 4 files | -4/+37

    Create tag after running pre-hooks and pass updated SHA to post-hooks

    Closes #24813

    See merge request !7700

    Signed-off-by: Rémy Coutable <remy@rymai.me>

* Merge branch 'issue_25064' into 'security'
  Douwe Maan | 2016-12-02 | 3 files | -6/+48

    Ensure state param has a valid value when filtering issuables.

    Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/25064

    This fix makes sure we only call safe methods on issuable when filtering by state.

    See merge request !2038
* Update VERSION to 8.13.7 (tag v8.13.7)
  Rémy Coutable | 2016-11-28 | 1 file | -1/+1

* Update CHANGELOG.md for 8.13.7
  Rémy Coutable | 2016-11-28 | 7 files | -24/+9

    [ci skip]

* Merge branch 'zj-upgrade-grape' into 'master'
  Robert Speicher | 2016-11-25 | 3 files | -3/+7

    Update grape-entity to 0.6.0

    See merge request !7491

    Signed-off-by: Rémy Coutable <remy@rymai.me>
* Merge branch 'jej-use-issuable-finder-instead-of-access-check' into 'security'
  Douwe Maan | 2016-11-24 | 14 files | -33/+97

    Replace issue access checks with use of IssuableFinder

    Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867

    :warning: - Potentially untested
    :bomb: - No test coverage
    :traffic_light: - Test coverage of some sort exists (a test failed when error raised)
    :vertical_traffic_light: - Test coverage of return value (a test failed when nil used)
    :white_check_mark: - Permissions check tested

    Using `visible_to_user` likely makes these security issues too. See [Code smells](#code-smells).

    - [x] :vertical_traffic_light: app/finders/notes_finder.rb:15 [`visible_to_user`]
    - [x] :traffic_light: app/views/layouts/nav/_project.html.haml:73 [`visible_to_user`] [`.count`]
    - [x] :white_check_mark: app/services/merge_requests/build_service.rb:84 [`issue.try(:confidential?)`]
    - [x] :white_check_mark: lib/api/issues.rb:112 [`visible_to_user`] - CHANGELOG: Prevented API returning issues set to 'Only team members' to everyone
    - [x] :white_check_mark: lib/api/helpers.rb:126 [`can?(current_user, :read_issue, issue)`] Maybe here too?
    - [x] :white_check_mark: lib/gitlab/search_results.rb:53 [`visible_to_user`]
    - [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b2ff264eddf9819d7693c14ae213d941494fe2b3_128_126
    - [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#7b6375270d22f880bdcb085e47b519b426a5c6c7_87_87

    See merge request !2031

    Signed-off-by: Rémy Coutable <remy@rymai.me>

* Merge branch 'jej-fix-missing-access-check-on-issues' into 'security'
  Douwe Maan | 2016-11-24 | 17 files | -23/+62

    Fix missing access checks on issue lookup using IssuableFinder

    Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867

    ## Which fixes are in this MR?

    :warning: - Potentially untested
    :bomb: - No test coverage
    :traffic_light: - Test coverage of some sort exists (a test failed when error raised)
    :vertical_traffic_light: - Test coverage of return value (a test failed when nil used)
    :white_check_mark: - Permissions check tested

    ### Issue lookup without access check (security)

    - [x] :white_check_mark: app/controllers/projects/branches_controller.rb:39
      - `before_action :authorize_push_code!` helps limit/prevent exploitation. Always checks for reporter access so fine with confidential issues, issues only visible to team, etc.
    - [x] :traffic_light: app/models/cycle_analytics/summary.rb:9 [`.count`]
    - [x] :white_check_mark: app/controllers/projects/todos_controller.rb:19

    ### Code smells

    - [x] Potential double render in app/controllers/projects/todos_controller.rb

    ### Previous discussions

    - https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#cedccb227af9bfdf88802767cb58d43c2b977439_24_24

    See merge request !2030

* Merge branch 'jej-22869' into 'security'
  Douwe Maan | 2016-11-24 | 6 files | -14/+108

    Fix information disclosure in `Projects::BlobController#update`

    ## What does this MR do?

    It was possible to discover private project names by modifying the `from_merge_request` parameter in `Projects::BlobController#update`. This fixes that.

    ## Does this MR meet the acceptance criteria?

    - [ ] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG.md) entry added
    - Tests
      - [x] Added for this feature/bug
    - [ ] All builds are passing
    - [x] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html)
    - [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
    - [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

    ## What are the relevant issue numbers?

    https://gitlab.com/gitlab-org/gitlab-ce/issues/22869

    See merge request !2023

    Signed-off-by: Rémy Coutable <remy@rymai.me>

* Merge branch 'zj-fix-label-creation-non-members' into 'security'
  Douwe Maan | 2016-11-24 | 9 files | -102/+99

    Fix label creation non members

    Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23416

    See merge request !2006

* Merge branch '23990-project-show-error-when-empty-repo' into 'master'
  Douwe Maan | 2016-11-24 | 3 files | -1/+50

    500 error on project show when user is not logged in and project is still empty

    ## What does this MR do?

    Aims to fix the 500 error when the project is empty and the user is not logged in and tries to access project#show

    ## Screenshots (if relevant)

    When the project is empty and the user is not logged in we default to the empty project partial instead of readme.

    ![Screen_Shot_2016-11-11_at_22.54.21](/uploads/3d87e65195376c85d3e515e6d5a9a850/Screen_Shot_2016-11-11_at_22.54.21.png)

    ## Does this MR meet the acceptance criteria?

    - [x] [Changelog entry](https://docs.gitlab.com/ce/development/changelog.html) added
    - [x] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
    - [x] API support added
    - Tests
      - [x] Added for this feature/bug
      - [x] All builds are passing
    - [x] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html)
    - [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
    - [x] Branch has no merge conflicts with `master` (if it does - rebase it please)
    - [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

    ## What are the relevant issue numbers?

    Closes #23990

    See merge request !7376
* Merge branch 'docs/backport-jira-docs-to-8-13' into '8-13-stable'
  Achilleas Pipinellis | 2016-11-22 | 1 file | -19/+27

    Backport JIRA api docs to 8-13-stable

    We need to backport the JIRA API docs that were until recently on master to 8-13-stable also. With 8.14 we simplified the way JIRA is configured and we need a link to point to the old docs.

    https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7675/diffs#bb2ba7ca0e10bd01609ab50236882ea82a183e60_472_471

    See merge request !7677

  * Backport JIRA api docs to 8-13-stable
    Achilleas Pipinellis | 2016-11-22 | 1 file | -19/+27

      [ci skip]

* Add missing changelog item
  Rémy Coutable | 2016-11-17 | 1 file | -0/+1

    [ci skip]

    Signed-off-by: Rémy Coutable <remy@rymai.me>

* Add a missing CHANGELOG item
  Rémy Coutable | 2016-11-17 | 1 file | -0/+1

    [ci skip]

    Signed-off-by: Rémy Coutable <remy@rymai.me>

* Update VERSION to 8.13.6 (tag v8.13.6)
  Rémy Coutable | 2016-11-17 | 1 file | -1/+1