Commit message  Author  Age  Files  Lines
* Update visibility level doc [codyw-docs-visbility-levels]  Cody West  2019-07-29  1  -1/+1
|    Adding parenthetical about guest users not being able to view private projects.
* Merge branch 'fj-fix-broken-master-url-blocker' into 'master'  Mayra Cabrera  2019-07-29  1  -5/+2
|\
| |    Fix broken master because of security merge
| |    Closes #65294
| |    See merge request gitlab-org/gitlab-ce!31252
| * Fix broken master because of security merge  Francisco Javier López  2019-07-29  1  -5/+2
|/
* Merge branch 'sh-update-rugged-0.28.2' into 'master'  Douglas Barbosa Alexandre  2019-07-29  1  -1/+1
|\
| |    Update Rugged to 0.28.2
| |    See merge request gitlab-org/gitlab-ce!31218
| * Update Rugged to 0.28.2 [sh-update-rugged-0.28.2]  Stan Hu  2019-07-26  1  -1/+1
| |    This is a bug fix release: https://github.com/libgit2/libgit2/releases
* | Merge branch 'tp-qtt182-6' into 'master'  Mayra Cabrera  2019-07-29  2  -2/+2
|\ \
| | |    Change qa-merge-request-settings to rspec-merge-request-settings
| | |    Closes gitlab-org/quality/team-tasks#182
| | |    See merge request gitlab-org/gitlab-ce!31207
| * | Change qa-* class references to rspec-* [tp-qtt182-6]  Tanya Pazitny  2019-07-26  2  -2/+2
| | |
* | | Merge branch 'tp-qtt182-9' into 'master'  Mayra Cabrera  2019-07-29  7  -11/+11
|\ \ \
| | | |    Change qa-* class references to js-* for suggestions
| | | |    Closes gitlab-org/quality/team-tasks#182
| | | |    See merge request gitlab-org/gitlab-ce!31213
| * | | Change qa-* class references to js-* for suggestions  Tanya Pazitny  2019-07-29  7  -11/+11
|/ / /
* | | Merge branch 'tp-qtt182-12' into 'master'  Mayra Cabrera  2019-07-29  2  -2/+2
|\ \ \
| | | |    Change qa-* class references to js-* for squash-checkbox
| | | |    Closes gitlab-org/quality/team-tasks#182
| | | |    See merge request gitlab-org/gitlab-ce!31214
| * | | Change qa-* class references to js-* for squash-checkbox  Tanya Pazitny  2019-07-29  2  -2/+2
|/ / /
* | | Merge branch 'tp-qtt182-1' into 'master'  Mayra Cabrera  2019-07-29  5  -7/+7
|\ \ \
| | | |    Change qa-reverse-sort class references to rspec-reverse-sort
| | | |    Closes gitlab-org/quality/team-tasks#182
| | | |    See merge request gitlab-org/gitlab-ce!31202
| * | | Change qa-reverse-sort class references to rspec-reverse-sort  Tanya Pazitny  2019-07-29  5  -7/+7
|/ / /
* | | Merge branch 'tp-qtt182-10' into 'master'  Mayra Cabrera  2019-07-29  3  -8/+8
|\ \ \
| | | |    Change qa-* class references to rspec-* in spec/features/contextual_sidebar_spec.rb
| | | |    Closes gitlab-org/quality/team-tasks#182
| | | |    See merge request gitlab-org/gitlab-ce!31211
| * | | Change qa-* class references to rspec-* in spec/features/contextual_sidebar_spec.rb  Tanya Pazitny  2019-07-29  3  -8/+8
|/ / /
* | | Merge branch 'tp-qtt182-7' into 'master'  Mayra Cabrera  2019-07-29  2  -2/+2
|\ \ \
| | | |    Change qa-issuable-form-description to rspec-issuable-form-description
| | | |    Closes gitlab-org/quality/team-tasks#182
| | | |    See merge request gitlab-org/gitlab-ce!31209
| * | | Change qa-* class references to rspec-* [tp-qtt182-7]  Tanya Pazitny  2019-07-26  2  -2/+2
| |/ /
* | | Merge branch 'tp-qtt182-5' into 'master'  Mayra Cabrera  2019-07-29  2  -3/+3
|\ \ \
| | | |    Change qa-full-name to rspec-full-name
| | | |    Closes gitlab-org/quality/team-tasks#182
| | | |    See merge request gitlab-org/gitlab-ce!31206
| * | | Change qa-full-name to rspec-full-name  Tanya Pazitny  2019-07-29  2  -3/+3
|/ / /
* | | Merge branch 'tp-qtt182-8' into 'master'  Mayra Cabrera  2019-07-29  4  -8/+8
|\ \ \
| | | |    Change qa-* class references to rspec-* for repository settings
| | | |    Closes gitlab-org/quality/team-tasks#182
| | | |    See merge request gitlab-org/gitlab-ce!31210
| * | | Change qa-* class references to rspec-* for repository settings  Tanya Pazitny  2019-07-29  4  -8/+8
|/ / /
* | | Merge branch 'tp-qtt182-3' into 'master'  Mayra Cabrera  2019-07-29  2  -2/+2
|\ \ \
| | | |    Change qa-create-page-button to rspec-create-page-button
| | | |    Closes gitlab-org/quality/team-tasks#182
| | | |    See merge request gitlab-org/gitlab-ce!31204
| * | | Change qa-* class references to rspec-* [tp-qtt182-3]  Tanya Pazitny  2019-07-26  2  -2/+2
| |/ /
* | | Merge branch 'tp-qtt182-4' into 'master'  Mayra Cabrera  2019-07-29  2  -2/+2
|\ \ \
| | | |    Change qa-* to rspec-* for save-merge-request-changes
| | | |    Closes gitlab-org/quality/team-tasks#182
| | | |    See merge request gitlab-org/gitlab-ce!31205
| * | | Change qa-* class references to rspec-* [tp-qtt182-4]  Tanya Pazitny  2019-07-26  2  -2/+2
| |/ /
* | | Merge branch 'tp-qtt182-2' into 'master'  Mayra Cabrera  2019-07-29  2  -8/+8
|\ \ \
| | | |    Change qa-* class references to rspec-* for `allowed-to-{push|merge}-dropdown`
| | | |    Closes gitlab-org/quality/team-tasks#182
| | | |    See merge request gitlab-org/gitlab-ce!31203
| * | | Change qa-* class references to rspec-* [tp-qtt182-2]  Tanya Pazitny  2019-07-26  2  -8/+8
| |/ /
* | | Merge branch 'ab-add-index-on-environments' into 'master'  Mayra Cabrera  2019-07-29  3  -1/+24
|\ \ \
| | | |    Create index on environments by state
| | | |    See merge request gitlab-org/gitlab-ce!31231
| * | | Create index on environments by state  Andreas Brandl  2019-07-29  3  -1/+24
|/ / /
* | | Merge branch 'sh-add-cmaps-for-pdfjs' into 'master'  Mike Greiling  2019-07-29  5  -47/+107
|\ \ \
| | | |    Make pdf.js render CJK characters
| | | |    Closes #62152
| | | |    See merge request gitlab-org/gitlab-ce!31220
| * | | Make pdf.js render CJK characters [sh-add-cmaps-for-pdfjs]  Stan Hu  2019-07-28  5  -47/+107
| | |/
| |/|
| | |    As mentioned in https://github.com/wojtekmaj/react-pdf/blob/master/README.md, pdf.js needs the bundled cMaps files to work.
| | |    Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/62152
* | | Merge branch '11090-export-design-management-1-issue-migration' into 'master'  Mayra Cabrera  2019-07-29  6  -1/+108
|\ \ \
| | | |    Migrations for adding issue_id to versions table (CE)
| | | |    See merge request gitlab-org/gitlab-ce!30765
| * | | Migrations for adding issue_id to versions table  Luke Duncalfe  2019-07-29  6  -1/+108
|/ / /
| | |    These migrations do the following:
| | |    - Adds a new `issue_id` column to `versions`. This fixes an n+1 problem when loading versions for an issue in GraphQL as AR can now load from cache
| | |    - Change the unique restraint on versions.sha to be scoped to `issue_id` as in order to import version data, we need to allow duplicate `sha` values for versions
| | |    - Update all versions with an `issue_id`
| | |    https://gitlab.com/gitlab-org/gitlab-ee/issues/11090
* | | Merge branch 'master' of dev.gitlab.org:gitlab/gitlabhq  Robert Speicher  2019-07-29  44  -298/+764
|\ \ \
| * | | Update CHANGELOG.md for 11.11.7  GitLab Release Tools Bot  2019-07-29  8  -35/+15
| | | |    [ci skip]
| * | | Update CHANGELOG.md for 12.1.2  GitLab Release Tools Bot  2019-07-26  2  -5/+4
| | | |    [ci skip]
| * | | Merge branch 'security-60143-patch-additional-xss-vector-in-wikis' into 'master'  GitLab Release Tools Bot  2019-07-26  9  -92/+233
| |\ \ \
| | | | |    Extract SanitizeNodeLink and apply to WikiLinkFilter
| | | | |    See merge request gitlab/gitlabhq!3143
| | * | | Extract SanitizeNodeLink and apply to WikiLinkFilter  Kerri Miller  2019-07-26  9  -92/+233
| |/ / /
| | | |    The SanitizationFilter was running before the WikiFilter. Since WikiFilter can modify links, we could see links that _should_ be stopped by SanitizationFilter being rendered on the page. I (kerrizor) had previously addressed the bug in:
| | | |    https://gitlab.com/gitlab-org/gitlab-ee/commit/7bc971915bbeadb950bb0e1f13510bf3038229a4
| | | |    However, an additional exploit was discovered after that was merged. Working through the issue, we couldn't simply shuffle the order of filters, due to some implicit assumptions about the order of filters, so instead we've extracted the logic that sanitizes a Nokogiri-generated Node object, and applied it to the WikiLinkFilter as well.
| | | |    On moving filters around:
| | | |    Once we start moving around filters, we get cascading failures; fix one, another one crops up. Many of the existing filters in the WikiPipeline chain seem to assume that other filters have already done their work, and thus operate on a "transform anything that's left" basis; WikiFilter, for instance, assumes any link it finds in the markdown should be prepended with the wiki_base_path.. but if it does that, it also turns `href="@user"` into `href="/path/to/wiki/@user"`, which the UserReferenceFilter doesn't see as a user reference it needs to transform into a user profile link. This is true for all the reference filters in the WikiPipeline.
| * | | Merge branch 'security-fix-badges-leaked-to-unauthorized-users' into 'master'  GitLab Release Tools Bot  2019-07-26  3  -31/+101
| |\ \ \
| | | | |    Don't display badges when builds are restricted
| | | | |    Closes #2864
| | | | |    See merge request gitlab/gitlabhq!3175
| | * | | Don't display badges when builds are restricted  Fabio Pitino  2019-07-11  3  -31/+101
| | | | |    Badges were leaked to unauthorized users even when Public Builds project setting is disabled. Added guard clause to the controller to check if user can read build.
| * | | | Merge branch 'security-github-ssrf-redirect' into 'master'  GitLab Release Tools Bot  2019-07-26  6  -3/+100
| |\ \ \ \
| | | | | |    Do not allow localhost url redirection in GitHub Integration
| | | | | |    See merge request gitlab/gitlabhq!3188
| | * | | | Do not allow localhost url redirection in GitHub Integration  manojmj  2019-07-05  6  -3/+100
| | | | | |
| * | | | | Merge branch 'security-remove-take-trigger-ownership-feature' into 'master'  GitLab Release Tools Bot  2019-07-26  11  -141/+9
| |\ \ \ \ \
| | | | | | |    Drop feature to take ownership of a trigger token
| | | | | | |    Closes #2868
| | | | | | |    See merge request gitlab/gitlabhq!3198
| | * | | | | Drop feature to take ownership of a trigger token  Fabio Pitino  2019-07-10  11  -141/+9
| | | |/ / /
| | |/| | |
| | | | | |    Removing API and frontend interactions that allowed users to take ownership of a trigger token. Removed mentions from the documentation.
| * | | | | Merge branch 'security-mr-pipeline-permissions' into 'master'  GitLab Release Tools Bot  2019-07-26  4  -6/+102
| |\ \ \ \ \
| | | | | | |    MR pipeline permissions
| | | | | | |    Closes #2871
| | | | | | |    See merge request gitlab/gitlabhq!3204
| | * | | | | Use MergeRequest#source_project as permissions reference for MergeRequest#all_pipelines  drew cimino  2019-07-05  4  -6/+102
| | | | | | |    MergeRequest#all_pipelines fetches Ci::Pipeline records from the source project, so we should specifically check that project for permissions. This was already happening for intra-project merge requests, but in the event that the target and source projects both have private builds, we should ensure that the project permissions are respected.
| * | | | | | Merge branch 'security-dns-ssrf-bypass' into 'master'  GitLab Release Tools Bot  2019-07-26  4  -14/+49
| |\ \ \ \ \ \
| | | | | | | |    Server Side Request Forgery mitigation bypass
| | | | | | | |    Closes #2872
| | | | | | | |    See merge request gitlab/gitlabhq!3205
| | * | | | | | Fix Server Side Request Forgery mitigation bypass  Francisco Javier López  2019-07-15  4  -14/+49
| | | | | | | |    When we can't resolve the hostname or it is invalid, we shouldn't even perform the request. This fix also fixes the problem the SSRF rebinding attack.
| | | | | | | |    We can't stub feature flags outside example blocks. Nevertheless, there are some actions that call the UrlBlocker, that are performed outside example blocks, i.e.: `set` instruction. That's why we have to use some signaling mechanism outside the scope of the specs.
| * | | | | | | Merge branch 'security-60551-fix-upload-scope' into 'master'  GitLab Release Tools Bot  2019-07-26  7  -2/+48
| |\ \ \ \ \ \ \
| | | | | | | | |    Queries for Upload should be scoped by model
| | | | | | | | |    See merge request gitlab/gitlabhq!3229
| | * | | | | | | Queries for Upload should be scoped by model  Adam Hegyi  2019-07-11  7  -2/+48
| | | |_|/ / / / | | |/| | | | |