summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
...
| | | * | | | | | | | | Alias GitHub and BitBucket OAuth2 callback URLsStan Hu2019-01-228-8/+43
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | To prevent an OAuth2 covert redirect vulnerability, this commit adds and uses an alias for the GitHub and BitBucket OAuth2 callback URLs to the following paths: GitHub: /users/auth/-/import/github Bitbucket: /users/auth/-/import/bitbucket This allows admins to put a more restrictive callback URL in the OAuth2 configuration settings. Instead of https://example.com, admins can now use: https://example.com/users/auth It's possible but not trivial to change Devise and OmniAuth to use a different prefix for callback URLs instead of /users/auth. For now, aliasing the import URLs under the /users/auth namespace should suffice. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/56663
| | * | | | | | | | | | Merge branch 'security-fix-protected-branches-creation-access-rights-ce' ↵Yorick Peterse2019-01-252-23/+8
| | |\ \ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | into 'master' [master] Check access rights when creating/updating ProtectedRefs See merge request gitlab/gitlabhq!2799
| | | * | | | | | | | | | [master] Check access rights when creating/updating ProtectedRefsFrancisco Javier López2019-01-252-23/+8
| | |/ / / / / / / / / /
| | * | | | | | | | | | Merge branch 'security-2780-disable-git-v2-protocol' into 'master'Yorick Peterse2019-01-253-1/+13
| | |\ \ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [master] Disable git v2 protocol temporarily Closes #2780 See merge request gitlab/gitlabhq!2827
| | | * | | | | | | | | | Disable git v2 protocol temporarilyNick Thomas2019-01-243-1/+13
| | | | | | | | | | | | |
| | * | | | | | | | | | | Merge branch 'security-55320-stored-xss-in-user-status' into 'master'Tim Zallmann2019-01-253-7/+12
| | |\ \ \ \ \ \ \ \ \ \ \ | | | |_|_|_|_|_|_|_|_|/ / | | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [master] Use sanitized user status message in user popover Closes #2786 See merge request gitlab/gitlabhq!2848
| | | * | | | | | | | | | Use sanitized user status message for user popoverDennis Tang2019-01-233-7/+12
| | | | |/ / / / / / / / | | | |/| | | | | | | |
| | * | | | | | | | | | Merge branch 'security-2767-verify-lfs-finalize-from-workhorse' into 'master'Yorick Peterse2019-01-244-7/+25
| | |\ \ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [master] Verify that LFS upload requests are genuine Closes #2767 See merge request gitlab/gitlabhq!2767
| | | * | | | | | | | | | Verify that LFS upload requests are genuineNick Thomas2019-01-224-7/+25
| | | |/ / / / / / / / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | LFS uploads are handled in concert by workhorse and rails. In normal use, workhorse: * Authorizes the request with rails (upload_authorize) * Handles the upload of the file to a tempfile - disk or object storage * Validates the file size and contents * Hands off to rails to complete the upload (upload_finalize) In `upload_finalize`, the LFS object is linked to the project. As LFS objects are deduplicated across all projects, it may already exist. If not, the temporary file is copied to the correct place, and will be used by all future LFS objects with the same OID. Workhorse uses the Content-Type of the request to decide to follow this routine, as the URLs are ambiguous. If the Content-Type is anything but "application/octet-stream", the request is proxied directly to rails, on the assumption that this is a normal file edit request. If it's an actual LFS request with a different content-type, however, it is routed to the Rails `upload_finalize` action, which treats it as an LFS upload just as it would a workhorse-modified request. The outcome is that users can upload LFS objects that don't match the declared size or OID. They can also create links to LFS objects they don't really own, allowing them to read the contents of files if they know just the size or OID. We can close this hole by requiring requests to `upload_finalize` to be sourced from Workhorse. The mechanism to do this already exists.
| | * | | | | | | | | | Merge branch 'security-project-move-users' into 'master'Yorick Peterse2019-01-246-7/+59
| | |\ \ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [master] Send notification only to authorized users when moving a project Closes #2777 See merge request gitlab/gitlabhq!2791
| | | * | | | | | | | | | Sent notification only to authorized usersJan Provaznik2019-01-236-7/+59
| | | |/ / / / / / / / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When moving a project, it's possible that some users who had access to the project in old path can not access the project in the new path. Because `project_authorizations` records are updated asynchronously, when we send the notification about moved project the list of project team members contains old project members, we want to notify all these members except the old users who can not access the new location.
| | * | | | | | | | | | Merge branch 'security-fix-user-email-tag-push-leak' into 'master'Yorick Peterse2019-01-243-3/+8
| | |\ \ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [master] User email is visible in hook logs if they triggers tag push events Closes #2775 See merge request gitlab/gitlabhq!2789
| | | * | | | | | | | | | Fix private user email being visible in tag webhooksLuke Duncalfe2019-01-183-3/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fixes #54721
| | | * | | | | | | | | | Prefer build() rather than create()Luke Duncalfe2019-01-151-1/+1
| | | | |_|/ / / / / / / | | | |/| | | | | | | |
| | * | | | | | | | | | Merge branch 'security-stored-xss-via-katex' into 'master'Yorick Peterse2019-01-242-1/+22
| | |\ \ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [master] Resolve "[Security] Stored XSS via KaTeX" Closes #2760 See merge request gitlab/gitlabhq!2718
| | | * | | | | | | | | | [master] Resolve "[Security] Stored XSS via KaTeX"Constance Okoghenun2019-01-242-1/+22
| | |/ / / / / / / / / /
| | * | | | | | | | | | Merge branch 'extract-pages-with-rubyzip' into 'master'Yorick Peterse2019-01-2417-25/+594
| | |\ \ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Extract pages with rubyzip See merge request gitlab/gitlabhq!2758
| | | * | | | | | | | | | Extract GitLab Pages using RubyZipKamil Trzciński2019-01-2217-25/+594
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | RubyZip allows us to perform strong validation of expanded paths where we do extract file. We introduce the following additional checks to extract routines: 1. None of path components can be symlinked, 2. We drop privileges support for directories, 3. Symlink source needs to point within the target directory, like `public/`, 4. The symlink source needs to exist ahead of time.
| | * | | | | | | | | | | Merge branch 'security-commit-status-shown-for-guest-user' into 'master'Yorick Peterse2019-01-243-1/+27
| | |\ \ \ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [master] Stop showing ci for guest users on private pipeline See merge request gitlab/gitlabhq!2830
| | | * | | | | | | | | | | Stop showing ci for guest usersSteve Azzopardi2019-01-233-1/+27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When a user is a guest user, and the "Public Pipeline" is set to false inside of "Settings > CI/CD > General" the commit status in the project dashboard should not be shown.
| | * | | | | | | | | | | | Merge branch 'security-fix-lfs-import-project-ssrf-forgery' into 'master'Yorick Peterse2019-01-2413-103/+359
| | |\ \ \ \ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [master] LFS object forgery in project import Closes #2784 See merge request gitlab/gitlabhq!2719
| | | * | | | | | | | | | | | Added validations to prevent LFS object forgeryFrancisco Javier López2019-01-2113-103/+359
| | | | |_|_|_|_|_|/ / / / / | | | |/| | | | | | | | | |
| | * | | | | | | | | | | | Merge branch 'security-pipeline-trigger-tokens-exposure' into 'master'Yorick Peterse2019-01-2411-17/+130
| | |\ \ \ \ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [master] Do not expose trigger token when user should not see it See merge request gitlab/gitlabhq!2735
| | | * | | | | | | | | | | | Add changelog for trigger token exposure fixGrzegorz Bizon2019-01-151-0/+5
| | | | | | | | | | | | | | |
| | | * | | | | | | | | | | | Fix subject in trigger presenter testsGrzegorz Bizon2019-01-151-1/+1
| | | | | | | | | | | | | | |
| | | * | | | | | | | | | | | Add some specs for trigger presenterGrzegorz Bizon2019-01-151-0/+51
| | | | | | | | | | | | | | |
| | | * | | | | | | | | | | | Present all pipeline triggers using trigger presenterGrzegorz Bizon2019-01-153-4/+6
| | | | | | | | | | | | | | |
| | | * | | | | | | | | | | | Do not expose trigger token when user should not see itGrzegorz Bizon2019-01-158-13/+68
| | | | |_|_|/ / / / / / / / | | | |/| | | | | | | | | |
| | * | | | | | | | | | | | Merge branch 'security-fix-regex-dos' into 'master'Yorick Peterse2019-01-244-1/+14
| | |\ \ \ \ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [master] Fix DoS in reference extraction regexes Closes #2766 See merge request gitlab/gitlabhq!2768
| | | * | | | | | | | | | | | Fix slow project reference pattern regexHeinrich Lee Yu2019-01-114-1/+14
| | | | |_|_|_|_|_|/ / / / / | | | |/| | | | | | | | | |
| | * | | | | | | | | | | | Merge branch 'security-fix-wiki-access-rights-with-external-wiki-enabled' ↵Yorick Peterse2019-01-2414-51/+131
| | |\ \ \ \ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | into 'master' [master] Fix access to internal wiki when external wiki is enabled Closes #2783 See merge request gitlab/gitlabhq!2769
| | | * | | | | | | | | | | | Fixed bug when external wiki is enabledFrancisco Javier López2019-01-1814-51/+131
| | | | |_|/ / / / / / / / / | | | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When the external wiki is enabled, the internal wiki link is replaced by the external wiki url. But the internal wiki is still accessible. In this change the external wiki will have its own tab in the sidebar and only if the services are disabled the tab (and access rights) will not be displayed.
| | * | | | | | | | | | | | Merge branch 'security-2769-idn-homograph-attack' into 'master'Yorick Peterse2019-01-249-13/+228
| | |\ \ \ \ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [master] GitLab vulnerable to IDN homograph attacks and RTLO attacks See merge request gitlab/gitlabhq!2770
| | | * | | | | | | | | | | | Bump the CACHE_COMMONMARK_VERSIONBrett Walker2019-01-211-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Since we needed to bump the version to 13 in the backports, and we know that an MR on master also bumped it to 13, bump to 14 to ensure that when a customer upgrades to the most recent release, the markdown gets recalcuated as necessary.
| | | * | | | | | | | | | | | Show tooltip for malicious looking linksBrett Walker2019-01-218-12/+227
| | | | |_|_|_|_|_|_|_|/ / / | | | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Such as those with IDN homographs or embedded right-to-left (RTLO) characters. Autolinked hrefs should be escaped
| | * | | | | | | | | | | | Merge branch 'security-fix-new-issues-login-message' into 'master'Yorick Peterse2019-01-243-10/+7
| | |\ \ \ \ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [master] Use common error for not logged in users when creating issues Closes #2772 See merge request gitlab/gitlabhq!2787
| | | * | | | | | | | | | | | Use common error for unauthenticated usersHeinrich Lee Yu2019-01-143-10/+7
| | | | |_|_|/ / / / / / / / | | | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Removes special error message when creating new issues
| | * | | | | | | | | | | | Merge branch 'security-2776-fix-add-reaction-permissions' into 'master'Yorick Peterse2019-01-243-0/+8
| | |\ \ \ \ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [master] Revoke award_emoji permissions for confidential issues Closes #2776 See merge request gitlab/gitlabhq!2790
| | | * | | | | | | | | | | | Prevent award_emoji to notes not visible to userHeinrich Lee Yu2019-01-153-0/+8
| | | |/ / / / / / / / / / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When the parent noteable is not visible to the user (e.g. confidential) we prevent the user from adding emoji reactions to notes
| | * | | | | | | | | | | | Merge branch 'security-2779-fix-email-comment-permissions-check' into 'master'Yorick Peterse2019-01-2412-37/+94
| | |\ \ \ \ \ \ \ \ \ \ \ \ | | | |_|_|_|_|_|_|_|/ / / / | | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [master] Fix discussion replies permissions check Closes #2779 See merge request gitlab/gitlabhq!2794
| | | * | | | | | | | | | | Prevent comments by email when issue is lockedHeinrich Lee Yu2019-01-2212-37/+94
| | | | |_|_|_|_|/ / / / / | | | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This changes the permission check so it uses the policy on Noteable instead of Project. This prevents bypassing of rules defined in Noteable for locked discussions and confidential issues. Also rechecks permissions when reply_to_discussion_id is provided since the discussion_id may be from a different noteable.
* | | | | | | | | | | | | Merge branch 'winh-note_app_spec-vue-test-utils' into 'master'sh-bump-supported-ruby-versionsFatih Acet2019-02-061-81/+86
|\ \ \ \ \ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Convert note_app_spec.js to Vue test utils See merge request gitlab-org/gitlab-ce!24900
| * | | | | | | | | | | | | Convert note_app_spec.js to Vue test utilsWinnie Hellmann2019-02-041-81/+86
| | | | | | | | | | | | | |
* | | | | | | | | | | | | | Merge branch 'gt-externalize-app-views-email_rejection_mailer' into 'master'Filipa Lacerda2019-02-054-2/+10
|\ \ \ \ \ \ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Externalize strings from `/app/views/email_rejection_mailer` See merge request gitlab-org/gitlab-ce!24869
| * | | | | | | | | | | | | | Externalize strings from `/app/views/email_rejection_mailer`George Tsiolis2019-02-054-2/+10
| | | | | | | | | | | | | | |
* | | | | | | | | | | | | | | Merge branch '54544-update-project-topics-styling-to-use-badges-design' into ↵Fatih Acet2019-02-054-4/+25
|\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 'master' Resolve "Update project topics styling to use badges design" Closes #54544 See merge request gitlab-org/gitlab-ce!24415
| * | | | | | | | | | | | | | | Resolve "Update project topics styling to use badges design"Brandon Labuschagne2019-02-054-4/+25
|/ / / / / / / / / / / / / / /
* | | | | | | | | | | | | | | Merge branch 'patch-29' into 'master'Evan Read2019-02-051-3/+3
|\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | docs: improve OpenSSH installation on Windows options See merge request gitlab-org/gitlab-ce!24206
| * | | | | | | | | | | | | | | docs: improve OpenSSH installation on Windows optionsBen Bodenmiller2019-02-051-3/+3
|/ / / / / / / / / / / / / / /
* | | | | | | | | | | | | | | Merge branch ↵Stan Hu2019-02-0511-0/+154
|\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 'rd-update-last_activity_on-on-logins-and-browsing-activity-54947' into 'master' Update User's last_activity_on for any GET request on projects Closes #54947 See merge request gitlab-org/gitlab-ce!24642
View Lorry Controller Status