Commit message | Author | Age | Files | Lines
[11.5] Fixed ability to comment on and edit/delete comments on locked or confidential issues | Chantal Rollison | 2018-11-26 | 13 | -34/+187
Merge branch 'security-11-5-pages-toctou-race' into 'security-11-5' | Steve Azzopardi | 2018-11-26 | 2 | -1/+7
    [11.5] [pages] Possible symlink time of check to time of use race condition
    See merge request gitlab/gitlabhq!2649
  Upgrade GitLab Pages to v1.3.1 | Alessio Caiazza | 2018-11-21 | 2 | -1/+7
Merge branch 'security-fix-pat-web-access-11-5' into 'security-11-5' | Steve Azzopardi | 2018-11-26 | 28 | -281/+538
    [11.5] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request"
    See merge request gitlab/gitlabhq!2655
  Update code to use API scope on PAT auth | James Lopez | 2018-11-23 | 28 | -281/+538
Merge branch 'security-11-5-xss-in-markdown-following-unrecognized-html-element' into 'security-11-5' | Steve Azzopardi | 2018-11-23 | 5 | -2/+25
    [11.5] XSS in markdown following unrecognized HTML element
    See merge request gitlab/gitlabhq!2631
  Sanitize output of SpacedLinkFilter | Brett Walker | 2018-11-16 | 5 | -2/+25
Merge branch 'security-mermaid-xss-11-5' into 'security-11-5' | Steve Azzopardi | 2018-11-23 | 4 | -1/+21
    [11.5] Fix XSS in mermaid diagrams
    See merge request gitlab/gitlabhq!2641
  Configure mermaid to not render HTML content in diagrams | Winnie Hellmann | 2018-11-19 | 2 | -0/+8
      (cherry picked from commit f2e9f22f7d3d84abeea5ba2918ee5ffcc55f2dad)
  Add failing test for XSS in mermaid diagrams | Winnie Hellmann | 2018-11-19 | 2 | -1/+13
      (cherry picked from commit fdea799d37ae9ca3f5e80f191a55be543a79857a)
Merge branch 'security-bvl-exposure-in-commits-list-11-5' into 'security-11-5' | Steve Azzopardi | 2018-11-23 | 3 | -55/+67
    [11.5] Don't expose confidential information in commit message list
    See merge request gitlab/gitlabhq!2642
  Don't use fragment cache on commit page | Bob Van Landuyt | 2018-11-19 | 3 | -55/+67
      This makes sure the user viewing the commit does not get to see anything they're not allowed to see.
Merge branch 'security-issue_51301-11-5' into 'security-11-5' | Steve Azzopardi | 2018-11-23 | 6 | -12/+96
    [11.5] Resolve: Promoting a milestone is missing an authorization check
    See merge request gitlab/gitlabhq!2619
  Fix milestone promotion authorization | Felipe Artur | 2018-11-14 | 6 | -12/+96
      Promoting a milestone was missing an authorization check; guest users were able to promote project milestones to group milestones.
Merge branch 'security-2736-prometheus-ssrf-11-5' into 'security-11-5' | Steve Azzopardi | 2018-11-23 | 4 | -3/+25
    [11.5] Do not follow redirects in prometheus service
    See merge request gitlab/gitlabhq!2623
  No redirects in prometheus service | rpereira2 | 2018-11-14 | 4 | -3/+25
      Do not allow redirects in the prometheus service to prevent SSRFs.
Merge branch 'security-11-5-stored-xss-for-environments' into 'security-11-5' | Steve Azzopardi | 2018-11-23 | 7 | -6/+67
    [11.5] Stored XSS for Environments
    See merge request gitlab/gitlabhq!2614
  Validate URI scheme also for internal URI | Alessio Caiazza | 2018-11-16 | 7 | -6/+67
      This is a backport for 11.5 stable branch.
      Gitlab::UrlBlocker ignores scheme when validating URI matching either config.gitlab or config.gitlab_shell.
      This patch enforces matching config.gitlab.protocol for internal web and ssh for internal shell.
      A cleanup migration for stored XSS from environments table is included.
Merge branch 'security-private-group-11-5' into 'security-11-5' | Steve Azzopardi | 2018-11-23 | 3 | -0/+26
    [11.5] Fixed read name of private groups
    See merge request gitlab/gitlabhq!2590
  Fixed read name of private groups | Chantal Rollison | 2018-11-06 | 3 | -0/+26
Merge branch 'security-182-update-workhorse-11-5' into 'security-11-5' | Steve Azzopardi | 2018-11-23 | 3 | -1/+9
    [11.5] Redact sensitive information on gitlab-workhorse log
    See merge request gitlab/gitlabhq!2628
  Redact sensitive information on workhorse log | Mark Chao | 2018-11-23 | 3 | -1/+9
Merge branch '11-5-stable' into security-11-5 | Steve Azzopardi | 2018-11-23 | 257 | -1247/+392
  Update VERSION to 11.5.0 (v11.5.0) | GitLab Release Tools Bot | 2018-11-21 | 1 | -1/+1
  Update CHANGELOG.md for 11.5.0 | GitLab Release Tools Bot | 2018-11-21 | 239 | -1192/+262
      [ci skip]
  Update VERSION to 11.5.0-rc13 (v11.5.0-rc13) | GitLab Release Tools Bot | 2018-11-20 | 1 | -1/+1
  Merge branch 'sh-fix-issue-8448-ce' into 'master' | Steve Azzopardi | 2018-11-20 | 1 | -1/+8
      Stub Rails.application.env_config to prevent spec failures
      Closes gitlab-ee#8488
      See merge request gitlab-org/gitlab-ce!23222
  Merge branch 'docs-runbook-guide' into 'master' | Mike Lewis | 2018-11-20 | 9 | -3/+91
      Add guide for creating runbook
      See merge request gitlab-org/gitlab-ce!22885
  Merge branch '11-5-stable-prepare-rc13' into '11-5-stable' (11-5-stable-prepare-rc13) | Cindy Pallares 🦉 | 2018-11-20 | 9 | -60/+30
      Prepare 11.5 RC13 release
      See merge request gitlab-org/gitlab-ce!23206
    Merge branch 'jramsay/file-tree-docs' into 'master' | Achilleas Pipinellis | 2018-11-19 | 2 | -3/+4
        Update merge request file tree docs
        See merge request gitlab-org/gitlab-ce!23187
        (cherry picked from commit fa1fadb4dc214ded1e8f167bf7ae418608e639a5)
        fff9aa64 Update merge request file tree docs
    Merge branch 'image-discussion-ff-fix' into 'master' | Filipa Lacerda | 2018-11-19 | 3 | -13/+10
        Fixed image discussion styling
        Closes #54110
        See merge request gitlab-org/gitlab-ce!23127
        (cherry picked from commit ef1a158773c7cfbf681df6ed7f3514963ad8ca1b)
        718c66f6 Fixed image discussion styling
    Merge branch 'docs/clusters-knative' into 'master' | Marcia Ramos | 2018-11-19 | 1 | -13/+11
        Update the cluster docs for Knative
        See merge request gitlab-org/gitlab-ce!23113
        (cherry picked from commit 17ef595865cde550e101806f69ead4b4394a79ae)
        7b2fe02b Update the cluster docs for Knative
    Merge branch 'osw-remove-comment-on-any-diff-line-ff' into 'master' | Douwe Maan | 2018-11-19 | 2 | -28/+1
        Remove 'comment_on_any_diff_line' feature flag
        Closes #54034
        See merge request gitlab-org/gitlab-ce!23093
        (cherry picked from commit b7cedd91e5ec07461b25f3920ae6cf2b00f3d84e)
        6c796702 Remove 'comment_on_any_diff_line' feature flag
    Merge branch 'libre-to-core' into 'master' | Marcia Ramos | 2018-11-19 | 1 | -3/+4
        Documentation: update Libre -> Core
        See merge request gitlab-org/gitlab-ce!22533
        (cherry picked from commit 633f59cb8e1d27ce13b532faac3b40141e002671)
        bd8021ae Update Libre -> Core
        be00c403 Add missing links
        d3ddd3fd Fix include intro note as per documentation guidelines
  Merge branch '11-5-stable-fix-changelog' into '11-5-stable' | Stan Hu | 2018-11-19 | 1 | -0/+0
      Move changelog for issue 54189 to correct location
      See merge request gitlab-org/gitlab-ce!23216
    Move changelog for issue 54189 to correct location | Cindy Pallares | 2018-11-19 | 1 | -0/+0
  Update VERSION to 11.5.0-rc12 (v11.5.0-rc12) | GitLab Release Tools Bot | 2018-11-18 | 1 | -1/+1
  Merge branch 'sh-fix-issue-54189-11-5' into 'security-11-5' | Steve Azzopardi | 2018-11-18 | 4 | -1/+37
      [11.5] Prevent templated services from being imported
      See merge request gitlab/gitlabhq!2635
  Merge branch 'security-11-5-2717-xss-username-autocomplete' into 'security-11-5' | Steve Azzopardi | 2018-11-18 | 3 | -10/+39
      [11.5] Escape user fullname while rendering autocomplete template to prevent XSS
      See merge request gitlab/gitlabhq!2606
Merge branch 'sh-fix-issue-54189-11-5' into 'security-11-5' | Steve Azzopardi | 2018-11-18 | 4 | -1/+37
    [11.5] Prevent templated services from being imported
    See merge request gitlab/gitlabhq!2635
  Prevent templated services from being imported | Stan Hu | 2018-11-18 | 4 | -1/+37
      Templated services should only be created by admins and do not apply to project import/export.
      Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/54189
Merge branch 'security-11-5-2717-xss-username-autocomplete' into 'security-11-5' | Steve Azzopardi | 2018-11-18 | 3 | -10/+39
    [11.5] Escape user fullname while rendering autocomplete template to prevent XSS
    See merge request gitlab/gitlabhq!2606
  Add changelog entry | Kushal Pandya | 2018-11-12 | 1 | -0/+5
  Fix user name autocomplete XSS when name contains HTML | Kushal Pandya | 2018-11-12 | 2 | -10/+34
Update VERSION to 11.5.0-rc11 (v11.5.0-rc11) | GitLab Release Tools Bot | 2018-11-16 | 1 | -1/+1
Merge branch '11-5-stable-prepare-rc11' into '11-5-stable' | Steve Azzopardi | 2018-11-16 | 15 | -60/+370
    Prepare 11.5 RC11 release
    See merge request gitlab-org/gitlab-ce!23139
  Merge branch '54011-all-files-named-index-have-their-content-rendered-as-if-they-were-text-files' into 'master' | Steve Azzopardi | 2018-11-16 | 2 | -4/+12
      Resolve "All files named `index.*` have their content rendered as if they were text files"
      Closes #54011
      See merge request gitlab-org/gitlab-ce!23063
  Resolve conflict in doc/user/project/clusters/eks_and_gitlab/index.md (11-5-stable-prepare-rc11) | Steve Azzopardi | 2018-11-16 | 1 | -22/+0
      Resolve conflict for https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/23139
  Merge branch 'docs-eks-update' into 'master' | Achilleas Pipinellis | 2018-11-16 | 3 | -32/+202
      Docs EKS update
      See merge request gitlab-org/gitlab-ce!23133
  Merge branch 'docs/rs-revert-api-version' into 'master' | Evan Read | 2018-11-16 | 2 | -2/+2
      Revert API is going into 11.5, not 11.6.
      See merge request gitlab-org/gitlab-ce!23060
      (cherry picked from commit 38d234e2e5474fc732306c2cfbbd274e1cc32fea)
      f1f03895 Revert API is going into 11.5, not 11.6.