| Commit message | Author | Age | Files | Lines |
[ci skip]
[11.4] Fix SSRF in project integrations
See merge request gitlab/gitlabhq!2610
This commit fixes an SSRF vulnerability related to project
hooks and IPv6 addresses. It also addresses a problem with IPv6-mapped
addresses.
[11.4] Reflected XSS in OAuth Authorize window due to redirect_uri allowing arbitrary protocols
See merge request gitlab/gitlabhq!2580
[11.4] Fix CRLF issue in UrlValidator
See merge request gitlab/gitlabhq!2653
ci: Add COMPILE_ASSETS to cng build trigger
See merge request gitlab-org/gitlab-ce!23253
Add `COMPILE_ASSETS=true` to CNG build trigger.
This stems from https://gitlab.com/charts/gitlab/issues/937, where we
needed to add asset compilation to the CNG image pipelines when using
`<= 11.5.x`. This is only needed on versions prior to `11.5`, as they
do not have the asset compilation container backported.
[11.4] Resolve: "Provide email notification when a user changes their email address"
See merge request gitlab/gitlabhq!2603
[11.4] Fixed ability to comment on and edit/delete comments on locked or confidential issues
See merge request gitlab/gitlabhq!2647
confidential issues
[11.4] [pages] Possible symlink time of check to time of use race condition
See merge request gitlab/gitlabhq!2650
[11.4] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request"
See merge request gitlab/gitlabhq!2656
'security-11-4-xss-in-markdown-following-unrecognized-html-element' into 'security-11-4'
[11.4] XSS in markdown following unrecognized HTML element
See merge request gitlab/gitlabhq!2632
[11.4] Fix XSS in mermaid diagrams
See merge request gitlab/gitlabhq!2622
(cherry picked from commit f2e9f22f7d3d84abeea5ba2918ee5ffcc55f2dad)
Conflicts:
app/assets/javascripts/behaviors/markdown/render_mermaid.js
(cherry picked from commit fdea799d37ae9ca3f5e80f191a55be543a79857a)
[11.4] Don't expose confidential information in commit message list
See merge request gitlab/gitlabhq!2643
This makes sure the user viewing the commit does not get to see
anything they're not allowed to see
[11.4] Resolve: Promoting a milestone is missing an authorization check
See merge request gitlab/gitlabhq!2620
Promoting a milestone was missing an authorization check; guest
users were able to promote project milestones to group milestones.
[11.4] Do not follow redirects in prometheus service
See merge request gitlab/gitlabhq!2624
Do not allow redirects in the prometheus service to prevent SSRFs.
[11.4] Stored XSS for Environments
See merge request gitlab/gitlabhq!2615
This is a backport for the 11.4 stable branch.
Gitlab::UrlBlocker ignores the scheme when validating a URI matching either
config.gitlab or config.gitlab_shell.
This patch enforces matching config.gitlab.protocol for internal web and
ssh for internal shell.
A cleanup migration for stored XSS from the environments table is included.
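The three SSRF-related messages above (project hook URLs and IPv4-mapped IPv6 addresses, the Prometheus service refusing to follow redirects, and UrlBlocker matching internal URLs by scheme as well as host) describe one class of outbound-URL check. The Ruby module below is an added example written for this page; it is not Gitlab::UrlBlocker or any code from the merge requests listed. The module and method names, the CIDR block list, the INTERNAL_ENDPOINTS configuration, the DEFAULT_PORTS table and the SAMPLE_DNS answers are all assumptions made for the example.

```ruby
require 'ipaddr'
require 'uri'
require 'resolv'
require 'net/http'

# Illustrative outbound-URL checker for hooks and integrations (assumed names;
# not Gitlab::UrlBlocker or any other GitLab code).
module HookUrlCheck
  class BlockedUrlError < StandardError; end

  # Loopback, private, link-local and unspecified ranges a hook must not reach.
  BLOCKED_RANGES = %w[
    0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16
    ::/128 ::1/128 fc00::/7 fe80::/10
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  # Assumed instance configuration. An internal endpoint is identified by
  # scheme, host AND port; http://gitlab.example.com:6379/ shares the host
  # but is a different service and must not match.
  INTERNAL_ENDPOINTS = [
    { scheme: 'https', host: 'gitlab.example.com', port: 443 },
    { scheme: 'ssh',   host: 'gitlab.example.com', port: 22 }
  ].freeze
  DEFAULT_PORTS = { 'ssh' => 22 }.freeze # URI fills in http/https ports itself

  def self.ip_literal?(host)
    IPAddr.new(host)
    true
  rescue IPAddr::InvalidAddressError
    false
  end

  # ::ffff:127.0.0.1 and ::ffff:7f00:1 are IPv4-mapped IPv6 literals that reach
  # 127.0.0.1; convert them to IPv4 so the IPv4 block list applies.
  def self.blocked_ip?(addr)
    ip = IPAddr.new(addr)
    ip = ip.native if ip.ipv4_mapped?
    BLOCKED_RANGES.any? { |range| range.include?(ip) }
  end

  def self.internal?(uri)
    port = uri.port || DEFAULT_PORTS[uri.scheme]
    INTERNAL_ENDPOINTS.any? do |e|
      uri.scheme == e[:scheme] && uri.hostname == e[:host] && port == e[:port]
    end
  end

  # Literal addresses are returned unchanged; names go to DNS.
  DNS_RESOLVER = ->(host) { ip_literal?(host) ? [host] : Resolv.getaddresses(host) }
  # Constructed answers so the example runs offline; not real DNS data.
  SAMPLE_DNS = { 'hooks.example.org'  => ['93.184.216.34'],
                 'evil.example.org'   => ['::ffff:10.0.0.5'],
                 'gitlab.example.com' => ['10.0.0.5'] }.freeze
  SAMPLE_RESOLVER = ->(host) { ip_literal?(host) ? [host] : SAMPLE_DNS.fetch(host, []) }

  # Returns the parsed URI or raises BlockedUrlError.
  def self.validate!(url, resolver: DNS_RESOLVER)
    uri = URI.parse(url)
    host = uri.hostname
    raise BlockedUrlError, 'missing host' if host.nil? || host.empty?
    return uri if internal?(uri) # exact scheme/host/port match only
    raise BlockedUrlError, "scheme not allowed: #{uri.scheme.inspect}" unless %w[http https].include?(uri.scheme)

    addrs = resolver.call(host)
    raise BlockedUrlError, "unresolvable host #{host}" if addrs.empty?
    # Check every answer: one public and one private record is still SSRF.
    addrs.each { |a| raise BlockedUrlError, "#{host} resolves to blocked #{a}" if blocked_ip?(a) }
    uri
  end

  def self.allowed?(url, resolver: DNS_RESOLVER)
    validate!(url, resolver: resolver)
    true
  rescue BlockedUrlError, URI::InvalidURIError
    false
  end

  # One request and no redirect following: a 3xx from a validated host may
  # point at an address that was never validated. `client` defaults to Net::HTTP.
  def self.fetch(url, resolver: DNS_RESOLVER, client: ->(uri) { Net::HTTP.get_response(uri) })
    uri = validate!(url, resolver: resolver)
    response = client.call(uri)
    code = response.code.to_i
    raise BlockedUrlError, "redirect (#{code}) from #{uri.host} not followed" if code.between?(300, 399)
    response
  end
end

if $PROGRAM_NAME == __FILE__
  ['https://hooks.example.org/notify', 'http://[::ffff:127.0.0.1]/hook',
   'https://gitlab.example.com/', 'http://gitlab.example.com:6379/'].each do |u|
    verdict = HookUrlCheck.allowed?(u, resolver: HookUrlCheck::SAMPLE_RESOLVER) ? 'allowed' : 'blocked'
    puts "#{u} -> #{verdict}"
  end
end
```

Two points carry over to any real implementation: the block-list comparison has to run on every address the name resolves to, after unmapping IPv4-mapped IPv6 forms, and a redirect target is a new URL that has not been through `validate!`, so either refuse 3xx responses outright (as `fetch` does) or re-run the full check on the Location header before each hop.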
[ci skip]
[ci skip]
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
[11.4] Prevent templated services from being imported
See merge request gitlab/gitlabhq!2636
[11.4] Escape user fullname while rendering autocomplete template to prevent XSS
See merge request gitlab/gitlabhq!2607
[11.4] Fixed read name of private groups
See merge request gitlab/gitlabhq!2591
[11.4] Redact sensitive information on gitlab-workhorse log
See merge request gitlab/gitlabhq!2585
[11.4] Prevent templated services from being imported
See merge request gitlab/gitlabhq!2636
Templated services should only be created by admins and do not
apply to project import/export.
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/54189
[11.4] Escape user fullname while rendering autocomplete template to prevent XSS
See merge request gitlab/gitlabhq!2607