Commit message [tags] | Author | Age | Files | Lines
* Update VERSION to 8.14.10 [v8.14.10, 8-14-stable] | DJ Mountney | 2017-02-15 | 1 file | -1/+1
* Update CHANGELOG.md for 8.14.10 | DJ Mountney | 2017-02-15 | 1 file | -0/+4
    [ci skip]
* Update VERSION to 8.14.9 [v8.14.9] | Robert Speicher | 2017-02-14 | 1 file | -1/+1
* Update CHANGELOG.md for 8.14.9 | Robert Speicher | 2017-02-14 | 5 files | -16/+7
    [ci skip]
* Fix migrations with missing DOWNTIME entry | Ruben Davila | 2017-02-13 | 2 files | -0/+4
* Merge branch 'fix-github-import-MR-wrong-project' into 'security' | Robert Speicher | 2017-02-13 | 2 files | -3/+11
    Fix labels being applied to wrong merge requests on GitHub import
    See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2064
* Merge branch 'svg-xss-fix' into 'security' | Robert Speicher | 2017-02-13 | 5 files | -2/+39
    Fix for XSS vulnerability in SVG attachments
    See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2059
* Merge branch 'fix-rdoc-xss' into 'security' | Robert Speicher | 2017-02-13 | 3 files | -0/+29
    Fix XSS in rdoc and other markups
    See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2058
* Merge branch 'asciidoctor-xss-patch' into 'security' | Robert Speicher | 2017-02-13 | 3 files | -0/+30
    Add sanitization filter to asciidocs output to prevent XSS
    See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2057
* Update VERSION to 8.14.8 [v8.14.8] | Alejandro Rodríguez | 2017-01-25 | 1 file | -1/+1
* Update CHANGELOG.md for 8.14.8 | Alejandro Rodríguez | 2017-01-25 | 6 files | -20/+8
    [ci skip]
* Fix stable branch after cherry-pick batch | Alejandro Rodríguez | 2017-01-24 | 1 file | -0/+1
* Merge branch '25848-fix-git-rev-list-env-parsing' into 'master' | Sean McGivern | 2017-01-24 | 2 files | -2/+9
    Reject blank environment variables in Gitlab::Git::RevList
    Closes #25848
    See merge request !8189
* Merge branch 'jej-fix-n+1-queries-milestones-show' into 'master' | Sean McGivern | 2017-01-24 | 5 files | -1/+73
    Fix N+1 queries on milestone show pages
    Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/25832
    See merge request !8185
* Merge branch '25339-2-webhooks-fired-for-issue-closed-and-reopened' into 'master' | Rémy Coutable | 2017-01-23 | 5 files | -1/+37
    Ensure issuable state changes only fire webhooks once
    Webhooks were fired twice when issuables were reopened or closed: once for the status change and once for the `update` operation.
    Closes #25339
    See merge request !8101
* Merge branch 'update-gitlab-shell-4-1-1' into 'master' | Douglas Barbosa Alexandre | 2017-01-23 | 2 files | -2/+2
    Bump gitlab-shell to 4.1.1
    This fixes a compatibility issue with Git 2.11 (#25301):
    - [x] gitlab-shell MR: gitlab-org/gitlab-shell!112
    - [x] CE MR: !7967
    - [x] EE MR: gitlab-org/gitlab-ee!964
    See merge request !8143
* Merge branch '25301-git-2.11-force-push-bug' into 'master' | Douglas Barbosa Alexandre | 2017-01-23 | 10 files | -10/+147
    Accept environment variables from the `pre-receive` script

    ## Summary

    1. Starting version 2.11, git changed the way the pre-receive flow works.
       - Previously, the new potential objects would be added to the main repo. If the pre-receive passes, the new objects stay in the repo but are linked up. If the pre-receive fails, the new objects stay orphaned in the repo, and are cleaned up during the next `git gc`.
       - In 2.11, the new potential objects are added to a temporary "alternate object directory" that git creates for this purpose. If the pre-receive passes, the objects from the alternate object directory are migrated to the main repo. If the pre-receive fails, the alternate object directory is simply deleted.
    2. In our workflow, the pre-receive script (in `gitlab-shell`) calls the `/allowed` endpoint, which calls out directly to git to perform various checks. These direct calls to git do _not_ have the necessary environment variables set which allow access to the "alternate object directory" (explained above). Therefore these calls to git are not able to access any of the new potential objects to be added during this push.
    3. We fix this by accepting the relevant environment variables (`GIT_ALTERNATE_OBJECT_DIRECTORIES`, `GIT_OBJECT_DIRECTORY`, and `GIT_QUARANTINE_PATH`) on the `/allowed` endpoint, and then include these environment variables while calling out to git.
    4. This commit includes these environment variables while making the "force push" check.

    ## Issue Numbers

    - Closes #25301 (assuming the corresponding `gitlab-shell` MR has been merged in first)
    - Corresponding `gitlab-shell` MR: gitlab-org/gitlab-shell!112
    - Corresponding EE MR: gitlab-org/gitlab-ee!964

    ## Tasks

    - [#25301/!7967/!112] Git version 2.11.0 - Can't push to protected branch as master or developer
      - [x] Investigate
      - [x] Implementation
        - [x] `force_push.rb` should use the relevant environment variables
        - [x] Any other instances of `/allowed` calling out to git directly?
        - [x] Verify that the fix works over SSH as well
        - [x] Can we trim the number of env variables? Do we need all 3?
        - [x] Whitelist variables. Server shouldn't pass through _any_ env variable passed in
        - [x] Any security implications?
        - [x] Check for force push return code
        - [x] Shouldn't be able to opt-out from the force push check by passing an env variable
      - [x] Tests
        - [x] CE
          - [x] Added
          - [x] Passing
        - [x] Shell
          - [x] Added
          - [x] Passing
      - [x] Meta
        - [x] CHANGELOG entry created
        - [x] Branch has no merge conflicts with `master`
        - [x] Squashed related commits together
        - [x] EE merge request
      - [x] Review
        - [x] Endboss
      - [ ] Follow-up
        - [x] Make sure EE is working as expected
          - [x] [CE] Gitlab changes without gitlab-shell changes shouldn't raise any exceptions
          - [x] [CE] Gitlab-shell changes without gitlab changes shouldn't raise any exceptions
          - [x] [EE] Gitlab changes without gitlab-shell changes shouldn't raise any exceptions
          - [x] [EE] Gitlab-shell changes without gitlab changes shouldn't raise any exceptions
      - [ ] Wait for merge
        - [ ] CE
        - [ ] EE
        - [x] Shell

    See merge request !7967
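The two merge requests above (!8189, which rejects blank environment variables in `Gitlab::Git::RevList`, and !7967, which accepts the git quarantine variables on `/allowed` and forwards them to git) describe one mechanism: the server must pass exactly the three `GIT_*` variables the pre-receive hook received, nothing else, and must not forward empty values. The following is an added example written for this page; it is not GitLab's or gitlab-shell's code and does not reproduce their class names. The function names (`parse_git_env`, `force_push_argv`, `force_push?`), the repository path and the sample request hash are all invented for illustration.

```ruby
require 'open3'

# Added example, not GitLab's code: allowlist the git quarantine variables a
# pre-receive hook forwards to the server, then hand only those to git.

# The three variables named in the merge request. Anything else the client
# sends is dropped, so a caller cannot smuggle in, for example, GIT_DIR or a
# variable meant to switch a check off.
ALLOWED_GIT_ENV = %w[
  GIT_ALTERNATE_OBJECT_DIRECTORIES
  GIT_OBJECT_DIRECTORY
  GIT_QUARANTINE_PATH
].freeze

# Keep only allowlisted, non-blank variables from an untrusted Hash (for
# instance the parsed parameters of a hypothetical /allowed request). Blank
# values are rejected rather than forwarded: an empty GIT_OBJECT_DIRECTORY
# would make git look for objects in the wrong place instead of falling back
# to the repository's own object store.
def parse_git_env(untrusted)
  untrusted.each_with_object({}) do |(key, value), env|
    name = key.to_s
    next unless ALLOWED_GIT_ENV.include?(name)
    next if value.nil? || value.to_s.strip.empty?

    env[name] = value.to_s
  end
end

# argv for the force-push check: a commit reachable from oldrev but not from
# newrev exists only if the push rewrites history. No shell is involved, so
# the refs are discrete arguments rather than an interpolated command string.
def force_push_argv(repo_path, oldrev, newrev)
  ['git', "--git-dir=#{repo_path}", 'rev-list', '--max-count=1', oldrev, "^#{newrev}"]
end

# Run the check with the filtered variables layered over the server's own
# environment, so git can see the quarantined objects. A non-zero exit is an
# error, not "no force push": silently treating it as success would let a
# failing check wave the push through.
def force_push?(repo_path, oldrev, newrev, untrusted_env)
  env = parse_git_env(untrusted_env)
  out, status = Open3.capture2(env, *force_push_argv(repo_path, oldrev, newrev))
  raise "git rev-list failed with status #{status.exitstatus}" unless status.success?

  !out.strip.empty?
end
```

`parse_git_env` is the security boundary: the request body is attacker-influenced, and only names on the allowlist with a non-empty value reach `Process.spawn`. `force_push?` needs a real repository and git 2.11+ to exercise the quarantine path; the filtering and argv construction can be checked offline.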
* Merge branch '8-14-stable' of gitlab.com:gitlab-org/gitlab-ce into 8-14-stable | Alejandro Rodríguez | 2017-01-23 | 17 files | -44/+192
  * Update VERSION to 8.14.7 [v8.14.7] | Robert Speicher | 2017-01-21 | 1 file | -1/+1
  * Update CHANGELOG.md for 8.14.7 | Robert Speicher | 2017-01-21 | 6 files | -20/+8
      [ci skip]
  * `Project#add_guest` doesn't yet exist | Robert Speicher | 2017-01-20 | 1 file | -1/+1
  * Remove unnecessary `full_path_was` method | Robert Speicher | 2017-01-20 | 1 file | -9/+1
      The `parent` namespace concept didn't exist until 8.15, so this was causing a `NoMethodError`.
  * Add a changelog entry for #26242 | Robert Speicher | 2017-01-20 | 1 file | -0/+4
  * Merge branch 'upgrade-omniauth' into 'security' | Robert Speicher | 2017-01-20 | 3 files | -3/+7
      Upgrade OmniAuth Ruby gem to 1.3.2
      Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/26813
      See merge request !2056
  * Merge branch 'fix-guest-access-posting-to-notes' into 'security' | Robert Speicher | 2017-01-20 | 3 files | -10/+32
      Prevent users from creating notes on resources they can't access
      See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2054
  * Merge branch 'fix-api-mr-permissions' into 'security' | Robert Speicher | 2017-01-20 | 8 files | -25/+66
      Ensure that only privileged users can access merge requests in the API
      See merge request !2053
  * Merge branch 'fix/rename-group-export-vuln' into 'security' | Robert Speicher | 2017-01-20 | 3 files | -2/+91
      Fix export files not removed when a user takes over a namespace
      See merge request !2051
  * Merge branch 'fix-users-deleting-public-deployment-keys' into 'security' | Robert Speicher | 2017-01-20 | 2 files | -3/+11
      Fix users being able to delete instance public deployment keys
      See merge request !2049
* Merge branch 'speed-up-group-milestone-index' into 'master' | Sean McGivern | 2017-01-19 | 10 files | -46/+172
    Speed up group milestone index by passing group_id to IssuesFinder
    See merge request !8363
* Merge branch 'jej-memoize-milestoneish-visible-to-user' into 'master' | Sean McGivern | 2017-01-19 | 4 files | -6/+39
    Memoize Milestoneish#issues_visible_to_user to reduce lookups
    https://gitlab.com/gitlab-org/gitlab-ce/issues/25748
    See merge request !8146
* Merge commit 'dev/8-14-stable' into 8-14-stable | Ruben Davila | 2017-01-10 | 5 files | -14/+63
  * Update VERSION to 8.14.6 [v8.14.6] | Douglas Barbosa Alexandre | 2017-01-10 | 1 file | -1/+1
  * Update CHANGELOG.md for 8.14.6 | Douglas Barbosa Alexandre | 2017-01-10 | 3 files | -8/+5
      [ci skip]
  * Merge branch 'patch-turbolinks' into 'security' | Robert Speicher | 2017-01-09 | 4 files | -9/+57
      Updated Turbolinks to patched version of turbolinks-classic
      See merge request !2048
  * Merge branch 'update-gitlab-markup-gem' into 'master' | Douglas Barbosa Alexandre | 2017-01-09 | 3 files | -4/+8
      Update the gitlab-markup gem to the version `1.5.1`
      See merge request !8509
* Update VERSION to 8.14.5 [v8.14.5] | Alejandro Rodríguez | 2016-12-14 | 1 file | -1/+1
* Update CHANGELOG.md for 8.14.5 | Alejandro Rodríguez | 2016-12-14 | 13 files | -49/+15
    [ci skip]
* Fix cherry-pick of !8017 | Alejandro Rodríguez | 2016-12-14 | 1 file | -1/+1
    The specs on the cherry-picked MR were counting on a behaviour that was added on https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7843 (an 8.15 MR). We backport the relevant code.
* Merge branch 'rs-filter-params' into 'security' | Rémy Coutable | 2016-12-14 | 1 file | -1/+3
    Filter `incoming_email_token` and `runners_token` parameters
    Closes https://dev.gitlab.org/gitlab/gitlabhq/issues/2676
    See merge request !2045
* Merge branch 'jej-24637-move-issue-visible_to_user-to-finder' into 'security' | Sean McGivern | 2016-12-14 | 9 files | -95/+90
    Issue#visible_to_user moved to IssuesFinder
    Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/24637.
    See merge request !2039
* Merge branch 'jej-note-search-uses-finder' into 'security' | Douwe Maan | 2016-12-14 | 16 files | -121/+387
    Fix missing Note access checks by moving Note#search to updated NoteFinder
    Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867

    ## Which fixes are in this MR?

    :warning: - Potentially untested
    :bomb: - No test coverage
    :traffic_light: - Test coverage of some sort exists (a test failed when error raised)
    :vertical_traffic_light: - Test coverage of return value (a test failed when nil used)
    :white_check_mark: - Permissions check tested

    ### Note lookup without access check

    - [x] :white_check_mark: app/finders/notes_finder.rb:13 :download_code check
    - [x] :white_check_mark: app/finders/notes_finder.rb:19 `SnippetsFinder`
    - [x] :white_check_mark: app/models/note.rb:121 [`Issue#visible_to_user`]
    - [x] :white_check_mark: lib/gitlab/project_search_results.rb:113
      - This is the only use of `app/models/note.rb:121` above, but importantly has no access checks at all. This means it leaks MR comments and snippets when those features are `team-only`, in addition to the issue comments which would be fixed by `app/models/note.rb:121`.
      - It is only called from SearchController where `can?(current_user, :download_code, @project)` is checked, so commit comments are not leaked.

    ### Previous discussions

    - [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b915c5267a63628b0bafd23d37792ae73ceae272_13_13 `: download_code` check on commit
    - [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b915c5267a63628b0bafd23d37792ae73ceae272_19_19 `SnippetsFinder` should be used
      - `SnippetsFinder` should check if the snippets feature is enabled -> https://gitlab.com/gitlab-org/gitlab-ce/issues/25223

    ### Acceptance criteria met?

    - [x] Tests added for new code
    - [x] TODO comments removed
    - [x] Squashed and removed skipped tests
    - [x] Changelog entry
    - [ ] State Gitlab versions affected and issue severity in description
    - [ ] Create technical debt issue for NotesFinder.
      - Either split into `NotesFinder::ForTarget` and `NotesFinder::Search`, or consider an object per notable type such as `NotesFinder::OnIssue`. For the first option could create `NotesFinder::Base` which is either inherited from or which can be included in the other two.
      - Avoid case statement anti-pattern in this finder with use of `NotesFinder::OnCommit` etc. Consider something on the finder for this? `Model.finder(user, project)`
      - Move `inc_author` to the controller, and implement `related_notes` to replace `non_diff_notes`/`mr_and_commit_notes`

    See merge request !2035
* Merge branch '25482-fix-api-sudo' into 'master' | Sean McGivern | 2016-12-14 | 7 files | -113/+149
    API: Memoize the current_user so that the sudo can work properly
    Closes #25482
    See merge request !8017
* Merge branch 'process-commit-worker-migration-encoding' into 'master' | Rémy Coutable | 2016-12-14 | 3 files | -7/+44
    Encode when migrating ProcessCommitWorker jobs

    ## What does this MR do?

    This adds encoding logic to the migration for ProcessCommitWorker, ensuring it doesn't throw errors when the input can not be converted to UTF-8 without extra help.

    ## What are the relevant issue numbers?

    https://gitlab.com/gitlab-org/gitlab-ce/issues/25489

    See merge request !8064
* Merge branch 'patch-8' into 'master' | Stan Hu | 2016-12-14 | 1 file | -1/+1
    Fix Crontab typo for PruneOldEventsWorker to run 4x/day instead of 60x/hour
    In c0a92cb8 the intended cron setting (per the comment) was to be "4 times a day"; a * instead of a 0 means it runs 60x/hr 4x/day.
    Closes #25571
    See merge request !8051
* Merge branch 'fix/milestone-summary' into 'master' | Sean McGivern | 2016-12-14 | 2 files | -2/+8
    Displays milestone remaining days only when it's present
    See merge request !7998
* Merge branch 'followup-7899' into 'master' | Sean McGivern | 2016-12-14 | 1 file | -6/+5
    Use a single query in Projects::ProjectMembersController to fetch members
    See merge request !7997
* Merge branch 'timeago-perf-fix' into 'master' | Fatih Acet | 2016-12-14 | 2 files | -1/+7
    Fixed timeago re-rendering every element

    ## What does this MR do?

    Fixes an issue where, when new notes are added, timeago is initialised again for every timeago element on the page, therefore adding more timeouts.

    See merge request !7969
* Merge branch 'issue_25030' into 'master' | Sean McGivern | 2016-12-14 | 3 files | -8/+43
    Allow branch names with dots on API endpoint
    closes #25030
    See merge request !7963
* Merge branch 'unescape-relative-path' into 'master' | Gabriel Mazetto | 2016-12-14 | 3 files | -9/+11
    Avoid escaping relative links in Markdown twice

    ## What does this MR do?

    Avoid escaping relative links in Markdown twice.

    ## Why was this MR needed?

    Relative links with special characters (e.g. spaces) were escaped twice.

    ## What are the relevant issue numbers?

    closes #25191, #25318

    See merge request !7940
* Merge branch '25171-fix-mr-features-settings-hidden-when-builds-are-disabled' into 'master' | Sean McGivern | 2016-12-14 | 5 files | -19/+99
    Remove wrong '.builds-feature' class from the MR settings fieldset
    Closes #25171
    See merge request !7930