| Commit message (Collapse) | Author | Age | Files | Lines |
Backport Kerberos clone URL to CE
See merge request gitlab-org/gitlab-ce!25750
(cherry picked from commit c9e5ce8dbd25203484b43c48f0a55a5d7bf396e8)
c0a97cf5 Backport Kerberos clone URL to CE
[ci skip]
Display only information visible to current user on Milestone detail
See merge request gitlab/gitlabhq!2917
Display only labels and assignees of issues
visible to the currently logged-in user
Display only issues visible to user in the burndown chart
Display the correct number of MRs a user has access to
See merge request gitlab/gitlabhq!2929
'11-8-stable'
Filter impersonated sessions from active sessions and remove ability to revoke session
See merge request gitlab/gitlabhq!2981
Session ID is used as a parameter for the revoke session endpoint but it
should never be included in the HTML as an attacker could obtain it via
XSS.
'11-8-stable'
Forbid creating discussions for users with restricted access
See merge request gitlab/gitlabhq!2890
Check issue milestone availability
See merge request gitlab/gitlabhq!2904
Add project when creating milestone in specs
We validate milestone is from the same
project/parent group as issuable ->
we need to set project in specs correctly
Improve method names and specs organization
Prevent Releases links API from leaking tag existence
See merge request gitlab/gitlabhq!2908
Disable issue board policies when issues are disabled
See merge request gitlab/gitlabhq!2910
Board list policies are also included
Show only MRs visible to user on milestone detail
See merge request gitlab/gitlabhq!2923
Don't allow non-members to see private related MRs
See merge request gitlab/gitlabhq!2930
Validate session key when authorizing with GCP to create a cluster
See merge request gitlab/gitlabhq!2934
It was previously possible to link a GCP account to another
user's GitLab account by having them visit the callback URL,
as there was no check that they were the initiator of the
request.
We now reject the callback unless the state parameter
matches the one added to the initiating user's session.
Fix git clone revealing private repo's presence
See merge request gitlab/gitlabhq!2938
Ensure redirection to path with .git suffix regardless of whether project
exists or not.
Check snippet attached file to be moved is within designated directory
See merge request gitlab/gitlabhq!2941
Previously one could move any temp/ sub folder around.
Align spec with actual usage, as currently we pass temp file path to
FileMover.
'11-8-stable'
Fix blind SSRF in Prometheus Integration
See merge request gitlab/gitlabhq!2944
Check validity before querying so that if the DNS entry for the api_url
has been changed to something invalid after the model was saved and
checked for validity, it will not query. This is to solve a TOCTOU
(time of check to time of use) issue.
Fix leaking private repository information in API
See merge request gitlab/gitlabhq!2948
defaultBranch and ciConfigPath should only be available to users with
the :download_code permission for the Project, as the repository might
be private.
When implementing the authorize check on these properties, it was
found that our current Graphql::Authorize::Instrumentation class does
not work with fields that resolve to subclasses of
GraphQL::Schema::Scalar, like GraphQL::STRING_TYPE.
After discussion with other Create Team members, it has been decided
that because the GraphQL API is not GA, to remove these properties from
ProjectType, and instead implement them as part of epic
https://gitlab.com/groups/gitlab-org/-/epics/711
Issue:
https://gitlab.com/gitlab-org/gitlab-ce/issues/55316
default_branch, statistics and config_ci_path are now only exposed if
the user has permissions to the repository.
Arbitrary file read via MergeRequestDiff
See merge request gitlab/gitlabhq!2951
Remove link after issue move when no permissions
See merge request gitlab/gitlabhq!2955
Don't show new issue link after move
when a user does not have permissions
to display the new issue
Block local URLs for Kubernetes integration
See merge request gitlab/gitlabhq!2959
Use existing `public_url` validation to block various local urls. Note
that this validation will allow local urls if the "Allow requests to the
local network from hooks and services" admin setting is enabled.
Block KubeClient from using local addresses
It will also respect `allow_local_requests_from_hooks_and_services`, so
if that is enabled KubeClient will allow local addresses.
'security-add-public-internal-groups-as-members-to-your-project-idor-11-8' into '11-8-stable'
Add public/internal groups as members to your Project(IDOR)
See merge request gitlab/gitlabhq!2962
Stop linking to unrecognized package sources
See merge request gitlab/gitlabhq!2969
[11.8] Prevent disclosing project milestone titles
See merge request gitlab/gitlabhq!2973
Prevent unauthorized users having access to milestone titles
through autocomplete endpoint.
Limit number of characters allowed in mermaidjs
See merge request gitlab/gitlabhq!2978