Commit message (Author, Age, Files, Lines)
* Update VERSION to 11.8.2 [v11.8.2] (GitLab Release Tools Bot, 2019-03-13, 1, -1/+1)
|
* Update CHANGELOG.md for 11.8.2 (GitLab Release Tools Bot, 2019-03-13, 7, -31/+15)
| [ci skip]
* Merge branch 'modify_group_policy' into 'master' (Rémy Coutable, 2019-03-13, 3, -5/+12)
| Update group policy to reflect all the requirements
| See merge request gitlab-org/gitlab-ce!25854
* Merge dev 11-8-stable into .com 11-8-stable (Yorick Peterse, 2019-03-12, 0, -0/+0)
|\
| * Merge branch 'security-shared-project-private-group-11-8' into '11-8-stable' (Yorick Peterse, 2019-03-04, 4, -11/+67)
| |\
| | | Sharing a public project with a private group makes the group page publicly accessible
| | | See merge request gitlab/gitlabhq!2986
| | * Secure vulnerability and add specs (Małgorzata Ksionek, 2019-02-28, 4, -11/+67)
| |/
* | Secure vulnerability and add specs (Małgorzata Ksionek, 2019-03-12, 4, -7/+67)
| |
* | Merge branch '11-8-stable-patch-2' into '11-8-stable' (Yorick Peterse, 2019-03-12, 23, -30/+147)
|\ \
| |/
|/|
| | Prepare 11.8.2 release
| | See merge request gitlab-org/gitlab-ce!25963
| * Merge branch 'rs-fix-time-based-broken-master' into 'master' (Fatih Acet, 2019-03-12, 1, -0/+6)
| | Freeze date in merge request status view spec
| | See merge request gitlab-org/gitlab-ce!25671
| | (cherry picked from commit c994484d17d6a6da929f6a52f1b64dc15c38835c)
| | a05aba61 Freeze date in merge request status view spec
| * Merge branch 'qa-quarantine-failing-push-mirror-repo-spec' into 'master' (Ramya Authappan, 2019-03-11, 1, -1/+2)
| | Quarantine failing push_mirroring_over_http_spec
| | See merge request gitlab-org/gitlab-ce!25590
| | (cherry picked from commit 68b1ed92c18d5f975dd65c09d72ca3441eb0bc56)
| | 141c5e4e Quarantine failing spec
| * Merge branch 'jc-fix-set-project-writable' into 'master' (Douglas Barbosa Alexandre, 2019-03-11, 3, -1/+16)
| | Fix method to mark a project repository as writable
| | See merge request gitlab-org/gitlab-ce!25546
| | (cherry picked from commit a8a02387a7ea5c5a4a6f733a043adf2b1f907e3c)
| | df044542 Fix project set_repository_writable!
| * Merge branch '58149-fix-read-list-board-policy' into 'master' (Nick Thomas, 2019-03-11, 3, -2/+9)
| | Allow `:read_list` when `:read_group` is allowed
| | Closes #58149
| | See merge request gitlab-org/gitlab-ce!25524
| | (cherry picked from commit 61c1509cc992959ac5021d10825d5dbf9dd2c091)
| | b81e7c52 Enable `:read_list` when `:read_group` is enabled
| * Merge branch 'sh-fix-issue-58103' into 'master' (Grzegorz Bizon, 2019-03-11, 3, -1/+15)
| | Properly handle multiple X-Forwarded-For addresses in runner IP
| | Closes #58103
| | See merge request gitlab-org/gitlab-ce!25511
| | (cherry picked from commit dbf0a92292dd054843d28ec27d52222418400ca5)
| | d03b7bb1 Properly handle multiple X-Forwarded-For addresses in runner IP
| * Merge branch 'jl-update-ruby-2-5-docs' into 'master' (Evan Read, 2019-03-11, 1, -1/+1)
| | Update minimum ruby version to 2.5.
| | See merge request gitlab-org/gitlab-ce!25496
| | (cherry picked from commit 74cf92aae719969fc5225b41f923c2e7f3e04c5b)
| | ac34b4ac Update minimum ruby version to 2.5.
| | a538b6db Update example versions
| * Merge branch 'ps-remove-mr-widget-section-padding' into 'master' (Annabel Dunstone Gray, 2019-03-11, 2, -2/+1)
| | Remove padding for mr-widget-section
| | See merge request gitlab-org/gitlab-ce!25475
| | (cherry picked from commit a6d52ff83ff86f88f59f6a231fc4a348640729f7)
| | 7bd65593 Remove padding for mr-widget-section
| * Merge branch 'docs-review-mr-diffs-admin' into 'master' (Sean McGivern, 2019-03-11, 2, -21/+14)
| | Docs review: MR diffs external storage
| | Closes #57335
| | See merge request gitlab-org/gitlab-ce!25433
| | (cherry picked from commit 56b82db63a91695a1dec1b7cbf39636bb01ad3df)
| | 1387983b Docs review: wording, styles, missing links
| | 01680510 Copy edit - add missing preposition
| * Merge branch 'qa-team-tasks-92-test-failure-retries' into 'master' (Mark Lapierre, 2019-03-11, 4, -0/+67)
| | Retry failing tests
| | Closes gitlab-org/quality/team-tasks#92
| | See merge request gitlab-org/gitlab-ce!25391
| | (cherry picked from commit b570f53d17f5bc0e72fef9a122b7fe5645db0ea9)
| | d54cb37d Retry failed tests with rspec-retry
| * Merge branch '57579-gitlab-project-import-fails-sidekiq-undefined-method-import_jid' into 'master' (Stan Hu, 2019-03-11, 3, -1/+16)
|/
| Resolve "Gitlab Project import fails: sidekiq undefined method import_jid"
| Closes #57579
| See merge request gitlab-org/gitlab-ce!25239
| (cherry picked from commit c06ebe511700f25a61b4dfaa518fbed7667c6876)
| 401a3bca Fix import_jid error on project import
* Update VERSION to 11.8.1 [v11.8.1] (GitLab Release Tools Bot, 2019-02-28, 1, -1/+1)
|
* Update CHANGELOG.md for 11.8.1 (GitLab Release Tools Bot, 2019-02-28, 22, -107/+27)
| [ci skip]
* Merge branch '11-8-security-2774-milestones-detail' into '11-8-stable' (Robert Speicher, 2019-02-27, 4, -4/+112)
|\
| | Display only information visible to current user on Milestone detail
| | See merge request gitlab/gitlabhq!2917
| * Display only information visible to current user (Jarka Košanová, 2019-02-27, 4, -4/+112)
|/
| Display only labels and assignees of issues visible by the currently logged user
| Display only issues visible to user in the burndown chart
* Merge branch 'security-id-fix-mr-visibility-11-8' into '11-8-stable' (Yorick Peterse, 2019-02-27, 7, -213/+335)
|\
| | Display the correct number of MRs a user has access to
| | See merge request gitlab/gitlabhq!2929
| * Display the correct number of MRs a user has access to (Igor Drozdov, 2019-02-27, 7, -213/+335)
|/
* Merge branch 'security-2818_filter_impersonated_sessions-11-8' into '11-8-stable' (Yorick Peterse, 2019-02-27, 8, -52/+38)
|\
| | Filter impersonated sessions from active sessions and remove ability to revoke session
| | See merge request gitlab/gitlabhq!2981
| * Remove ability to revoke active session (Imre Farkas, 2019-02-27, 6, -49/+7)
| | Session ID is used as a parameter for the revoke session endpoint but it should never be included in the HTML as an attacker could obtain it via XSS.
| * Filter active sessions belonging to an admin impersonating the user (Imre Farkas, 2019-02-27, 4, -4/+32)
| |
* | Merge branch 'security-id-restricted-access-to-private-repo-11-8' into '11-8-stable' (Yorick Peterse, 2019-02-27, 5, -60/+137)
|\ \
| | | Forbid creating discussions for users with restricted access
| | | See merge request gitlab/gitlabhq!2890
| * | Forbid creating discussions for users with restricted access (Igor Drozdov, 2019-02-07, 5, -60/+137)
| | |
* | | Merge branch '11-8-security-2773-milestones-fix' into '11-8-stable' (Yorick Peterse, 2019-02-27, 19, -73/+187)
|\ \ \
| | | | Check issue milestone availability
| | | | See merge request gitlab/gitlabhq!2904
| * | | Check issue milestone availability (Jarka Košanová, 2019-02-13, 19, -73/+187)
| | | | Add project when creating milestone in specs
| | | | We validate milestone is from the same project/parent group as issuable -> we need to set project in specs correctly
| | | | Improve methods names and specs organization
* | | | Merge branch 'security-tags-oracle-11-8' into '11-8-stable' (Yorick Peterse, 2019-02-27, 3, -0/+23)
|\ \ \ \
| | | | | Prevent Releases links API to leak tag existence
| | | | | See merge request gitlab/gitlabhq!2908
| * | | | Prevent Releases links API to leak tag existence (Alessio Caiazza, 2019-02-13, 3, -0/+23)
| |/ / /
* | | | Merge branch 'security-2798-fix-boards-policy-11-8' into '11-8-stable' (Yorick Peterse, 2019-02-27, 3, -8/+19)
|\ \ \ \
| | | | | Disable issue board policies when issues are disabled
| | | | | See merge request gitlab/gitlabhq!2910
| * | | | Disable board policies when issues are disabled (Heinrich Lee Yu, 2019-02-14, 3, -8/+19)
| | | | | Board list policies are also included
* | | | | Merge branch '11-8-security-2797-milestone-mrs' into '11-8-stable' (Yorick Peterse, 2019-02-27, 4, -4/+61)
|\ \ \ \ \
| | | | | | Show only MRs visible to user on milestone detail
| | | | | | See merge request gitlab/gitlabhq!2923
| * | | | | Show only MRs visible to user on milestone detail (Jarka Košanová, 2019-02-14, 4, -4/+61)
| |/ / / /
* | | | | Merge branch 'security-commit-private-related-mr-11-8' into '11-8-stable' (Yorick Peterse, 2019-02-27, 6, -6/+65)
|\ \ \ \ \
| | | | | | Don't allow non-members to see private related MRs
| | | | | | See merge request gitlab/gitlabhq!2930
| * | | | | Don't allow non-members to see private related MRs (Patrick Bajao, 2019-02-15, 6, -6/+65)
| | | | | |
* | | | | | Merge branch 'security-kubernetes-google-login-csrf-11-8' into '11-8-stable' (Yorick Peterse, 2019-02-27, 3, -30/+67)
|\ \ \ \ \ \
| | | | | | | Validate session key when authorizing with GCP to create a cluster
| | | | | | | See merge request gitlab/gitlabhq!2934
| * | | | | | Validate session key when authorizing with GCP to create a cluster (Tiger, 2019-02-19, 3, -30/+67)
| | | | | | | It was previously possible to link a GCP account to another user's GitLab account by having them visit the callback URL, as there was no check that they were the initiator of the request.
| | | | | | | We now reject the callback unless the state parameter matches the one added to the initiating user's session.
* | | | | | | Merge branch 'security-50334-11-8' into '11-8-stable' (Yorick Peterse, 2019-02-27, 5, -66/+82)
|\ \ \ \ \ \ \
| | | | | | | | Fix git clone revealing private repo's presence
| | | | | | | | See merge request gitlab/gitlabhq!2938
| * | | | | | | Fix git clone revealing private repo's presence (Mark Chao, 2019-02-19, 5, -66/+82)
| |/ / / / / /
| | | | | | | Ensure redirection to path with .git suffix regardless whether project exists or not.
* | | | | | | Merge branch 'security-56348-11-8' into '11-8-stable' (Yorick Peterse, 2019-02-27, 5, -2/+60)
|\ \ \ \ \ \ \
| | | | | | | | Check snippet attached file to be moved is within designated directory
| | | | | | | | See merge request gitlab/gitlabhq!2941
| * | | | | | | Check snippet attached file to be moved is within designated directory (Mark Chao, 2019-02-21, 5, -2/+60)
| |/ / / / / /
| | | | | | | Previously one could move any temp/ sub folder around.
| | | | | | | Align spec with actual usage, as currently we pass temp file path to FileMover.
* | | | | | | Merge branch 'security-55468-check-validity-before-querying-11-8' into '11-8-stable' (Yorick Peterse, 2019-02-27, 3, -19/+53)
|\ \ \ \ \ \ \
| | | | | | | | Fix blind SSRF in Prometheus Integration
| | | | | | | | See merge request gitlab/gitlabhq!2944
| * | | | | | | Check validity of prometheus_service before query (Reuben Pereira, 2019-02-27, 3, -19/+53)
|/ / / / / / /
| | | | | | | Check validity before querying so that if the dns entry for the api_url has been changed to something invalid after the model was saved and checked for validity, it will not query.
| | | | | | | This is to solve a toctou (time of check to time of use) issue.
* | | | | | | Merge branch 'security-protect-private-repo-information-11-8' into '11-8-stable' (Yorick Peterse, 2019-02-27, 6, -22/+85)
|\ \ \ \ \ \ \
| | | | | | | | Fix leaking private repository information in API
| | | | | | | | See merge request gitlab/gitlabhq!2948
| * | | | | | | Add changelog entry (Luke Duncalfe, 2019-02-21, 1, -0/+5)
| | | | | | | |
| * | | | | | | Removing sensitive properties from ProjectType (Luke Duncalfe, 2019-02-20, 1, -2/+0)
| | | | | | | | defaultBranch and ciConfigPath should only be available to users with the :download_code permission for the Project, as the repository might be private.
| | | | | | | | When implementing the authorize check on these properties, it was found that our current Graphql::Authorize::Instrumentation class does not work with fields that resolve to subclasses of GraphQL::Schema::Scalar, like GraphQL::STRING_TYPE.
| | | | | | | | After discussion with other Create Team members, it has been decided that because the GraphQL API is not GA, to remove these properties from ProjectType, and instead implement them as part of epic https://gitlab.com/groups/gitlab-org/-/epics/711
| | | | | | | | Issue: https://gitlab.com/gitlab-org/gitlab-ce/issues/55316