Commit message | Author | Age | Files | Lines
* Update VERSION to 11.9.12 [v11.9.12] [11-9-stable] | GitLab Release Tools Bot | 2019-05-30 | 1 | -1/+1
* Update CHANGELOG.md for 11.9.12 | GitLab Release Tools Bot | 2019-05-30 | 13 | -60/+18
    [ci skip]
* Merge branch 'osw-disable-dns-rebind-protection-settings-11-9' into '11-9-stable' | GitLab Release Tools Bot | 2019-05-30 | 13 | -13/+183
    Add DNS rebinding protection settings
    See merge request gitlab/gitlabhq!3132
  * Rename UrlBlocker argument: schemes -> protocols | Stan Hu | 2019-05-29 | 1 | -1/+1
      This was renamed in GitLab 11.11, so the backport needs to use the original name.
  * Use Rails migration v5.0 for GitLab 11.9 | Stan Hu | 2019-05-29 | 1 | -1/+1
  * Add changelog | Oswaldo Ferreira | 2019-05-29 | 1 | -0/+5
  * Add DNS rebinding protection settings | Oswaldo Ferreira | 2019-05-29 | 12 | -13/+178
* Merge branch 'security-60143-address-xss-issue-11.09' into '11-9-stable' | GitLab Release Tools Bot | 2019-05-28 | 3 | -0/+55
    Reject slug+uri concat if slug is deemed unsafe
    See merge request gitlab/gitlabhq!3107
  * Reject slug+uri concat if slug is deemed unsafe | Kerri Miller | 2019-05-27 | 3 | -0/+55
      First reported: https://gitlab.com/gitlab-org/gitlab-ce/issues/60143

      When the page slug is "javascript:" and we attempt to link to a relative path (using `.` or `..`) the code will concatenate the slug and the uri. This MR adds a guard to that concat step that will return `nil` if the incoming slug matches against any of the "unsafe" slug regexes; currently this is only for the slug "javascript:" but can be extended if needed.

      Manually tested against a non-exhaustive list from OWASP of common javascript XSS exploits that have to do with mangling the "javascript:" method, and all are caught by this change or by existing code that ingests the user-specified slug.
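The guard that commit message describes, as an added example in Ruby; this is not GitLab's own code, and the pattern list, the whitespace normalisation and the method names are assumptions. The join form `"#{slug}/#{uri}"` is also an assumption about how the slug and the relative path are concatenated: with the slug "javascript:" it produces a string whose URL scheme is javascript, which is the XSS.

```ruby
# Added example, not GitLab's own code: a guard for the slug + relative-URI
# join described in the commit above. If the page slug is "javascript:" and a
# link in the page uses a relative path ("./x" or "../x"), joining slug and
# path yields "javascript:/./x", which browsers treat as a javascript: URL.
# Pattern list, normalisation and method names are assumptions.

UNSAFE_SLUG_PATTERNS = [
  /\Ajavascript:/i,
  /\Avbscript:/i,
  /\Adata:/i
].freeze

# Browsers ignore ASCII control characters and whitespace inside a scheme
# ("java\tscript:", " javascript :"), so strip them before matching.
def normalize_slug(slug)
  slug.to_s.gsub(/[[:cntrl:][:space:]]/, '')
end

def unsafe_slug?(slug)
  normalized = normalize_slug(slug)
  UNSAFE_SLUG_PATTERNS.any? { |pattern| pattern.match?(normalized) }
end

# Rebuild a link that is relative to the current page. Returns the joined
# path, the untouched URI when it is not page-relative, or nil when the slug
# must not be used as a prefix (the caller then drops the href).
def join_relative_uri(slug, uri)
  return uri unless uri.start_with?('./', '../')
  return nil if unsafe_slug?(slug)

  "#{slug}/#{uri}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a normal slug, the reported slug, and a mangled variant.
  [['home', './install'], ['javascript:', './alert(1)'], ["java\tscript:", '../x']].each do |slug, uri|
    puts "#{slug.inspect} + #{uri.inspect} => #{join_relative_uri(slug, uri).inspect}"
  end
end
```

The normalisation step matters more than the pattern list: a check on the raw slug would pass "java\tscript:" while the browser, which discards the tab, would still execute it.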
* Merge branch 'security-http-hostname-override-11-9' into '11-9-stable' | GitLab Release Tools Bot | 2019-05-28 | 27 | -87/+410
    Protect Gitlab::HTTP against DNS rebinding attack
    See merge request gitlab/gitlabhq!3115
  * Protect Gitlab::HTTP against DNS rebinding attack | Douwe Maan | 2019-05-22 | 27 | -87/+410
      Gitlab::HTTP now resolves the hostname only once, verifies the IP is not blocked, and then uses the same IP to perform the actual request, while passing the original hostname in the `Host` header and SSL SNI field.
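The resolve-once pattern that commit describes, as an added Ruby example that is not the Gitlab::HTTP code itself. The block list, the injectable resolver, and all names are assumptions. The point it shows is the time-of-check/time-of-use gap: if the hostname is resolved once for the block check and again at connect time, a DNS server with a short TTL can answer with a public address first and an internal one second; pinning the connection to the checked address closes that gap without losing virtual-host routing or TLS validation, because the hostname still goes into the Host header and SNI.

```ruby
# Added example, not the Gitlab::HTTP code from the commit above: the
# resolve-once pattern it describes. The hostname is resolved a single time,
# that one address is checked against the block list, and the connection is
# pinned to it while the original hostname is still what goes into the Host
# header and the TLS SNI extension. Block list, resolver injection and names
# are assumptions.
require 'ipaddr'
require 'resolv'
require 'net/http'
require 'uri'

class BlockedAddressError < StandardError; end

BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10 ::ffff:0:0/96
].map { |cidr| IPAddr.new(cidr) }.freeze

def blocked_ip?(ip)
  addr = IPAddr.new(ip)
  BLOCKED_RANGES.any? { |range| range.include?(addr) }
end

def ip_literal?(host)
  IPAddr.new(host)
  true
rescue IPAddr::InvalidAddressError
  false
end

# Constructed stand-in for DNS so the example runs offline; Resolv.getaddress
# has the same call shape and is the default below.
class StaticResolver
  def initialize(table)
    @table = table
  end

  def getaddress(name)
    @table.fetch(name) { raise Resolv::ResolvError, "no address for #{name}" }
  end
end

# Resolve exactly once and return everything the connection needs.
def pin_address(url, resolver: Resolv)
  uri = URI.parse(url)
  host = uri.hostname
  ip = ip_literal?(host) ? host : resolver.getaddress(host)
  raise BlockedAddressError, "#{host} resolves to blocked address #{ip}" if blocked_ip?(ip)

  { host: host, ip: ip, port: uri.port, ssl: uri.scheme == 'https', path: uri.request_uri }
end

# Build (but do not open) the connection. Net::HTTP keeps `address` as the
# hostname for the Host header and SNI; `ipaddr=` (present in recent Ruby
# versions, an assumption about which) makes the socket connect to the
# pinned IP instead of resolving the hostname a second time.
def build_connection(plan)
  http = Net::HTTP.new(plan[:host], plan[:port])
  http.use_ssl = plan[:ssl]
  raise NotImplementedError, 'Net::HTTP#ipaddr= unavailable' unless http.respond_to?(:ipaddr=)

  http.ipaddr = plan[:ip]
  http
end

if __FILE__ == $PROGRAM_NAME
  # Constructed answers: a public host and a name that rebinds to loopback.
  dns = StaticResolver.new('example.com' => '93.184.216.34', 'rebind.test' => '127.0.0.1')
  plan = pin_address('https://example.com/hooks', resolver: dns)
  puts "connect to #{plan[:ip]}:#{plan[:port]}, Host/SNI #{plan[:host]}"
  begin
    pin_address('http://rebind.test/', resolver: dns)
  rescue BlockedAddressError => e
    puts "refused: #{e.message}"
  end
end
```

Redirects need the same treatment: every Location target must go through `pin_address` again rather than being followed by the HTTP client on its own.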
* Merge branch 'security-58856-persistent-xss-11-9' into '11-9-stable' | GitLab Release Tools Bot | 2019-05-28 | 6 | -3/+41
    Persistent XSS in note objects CE
    See merge request gitlab/gitlabhq!3081
  * Change `prohibited_key` to use regexes | charlieablett | 2019-05-01 | 1 | -4/+2
  * Add `html` to sensitive words | charlieablett | 2019-05-01 | 3 | -2/+4
  * Add changelog entry | charlieablett | 2019-04-30 | 1 | -0/+5
  * Ensure Issue & MR note_html cannot be imported | Ash McKenzie | 2019-04-30 | 2 | -14/+16
  * Add newline to AttributeCleaner | charlieablett | 2019-04-30 | 1 | -1/+1
  * Refactor `AttributeCleaner` for readability | charlieablett | 2019-04-30 | 1 | -2/+3
  * Refactor `AttributeCleaner` for readability | charlieablett | 2019-04-30 | 1 | -7/+2
  * Tighten up prohibited_key method | charlieablett | 2019-04-26 | 1 | -4/+3
  * Add disallowed fields to AttributeCleaner | charlieablett | 2019-04-24 | 3 | -2/+38
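What the commits in that series add up to (a regex-based `prohibited_key`, `html` among the sensitive words, `note_html` not importable), as an added Ruby example; it is not GitLab's AttributeCleaner, and the patterns, the allow list and the names are assumptions modelled on the commit subjects. The security point: an export file is attacker-controlled input, and a pre-rendered `*_html` column taken from it verbatim is displayed as already-sanitised markup, so the markdown pipeline never gets to strip the payload. Dropping those keys forces the importing instance to re-render from the markdown source.

```ruby
# Added example, not GitLab's AttributeCleaner: drop attributes from an import
# payload that must be recomputed by the importing instance rather than taken
# from the file. Pre-rendered "*_html" columns are the persistent XSS vector
# the commits above close. Id and foreign-key columns are dropped too, since
# they point into the source instance. Patterns, allow list and names are
# assumptions.

PROHIBITED_KEY_PATTERNS = [
  /_html\z/,                     # note_html, description_html, title_html
  /\Ahtml\z/,                    # bare "html"
  /\A(id|.*_id|.*_ids)\z/,       # ids and foreign keys
  /\Acached_markdown_version\z/  # would let a stale render be trusted
].freeze

# References the importer itself rewrites to local ids may stay (assumption).
DEFAULT_ALLOWED_KEYS = %w[project_id author_id].freeze

def prohibited_key?(key, allowed = DEFAULT_ALLOWED_KEYS)
  key = key.to_s
  return false if allowed.include?(key)

  PROHIBITED_KEY_PATTERNS.any? { |pattern| pattern.match?(key) }
end

# Returns a new hash with every prohibited key removed; order is preserved.
def clean_attributes(attributes, allowed: DEFAULT_ALLOWED_KEYS)
  attributes.reject { |key, _value| prohibited_key?(key, allowed) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed note record as it might appear in an export file.
  note = {
    'id' => 42,
    'note' => 'LGTM <img src=x onerror=alert(1)>',
    'note_html' => '<p>LGTM <img src=x onerror=alert(1)></p>',
    'html' => '<script>alert(1)</script>',
    'author_id' => 7,
    'cached_markdown_version' => 1,
    'created_at' => '2019-04-24T00:00:00Z'
  }
  p clean_attributes(note)
end
```

The surviving `note` field still carries the payload, which is fine: it is markdown source and goes through the sanitising render pipeline like any note typed into the UI.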
* Merge branch 'security-fix-project-existence-disclosure-11-9' into '11-9-stable' | GitLab Release Tools Bot | 2019-05-28 | 3 | -16/+28
    Fix url redaction for issue links
    See merge request gitlab/gitlabhq!3089
  * Fix url redaction for issue links | Patrick Derichs | 2019-05-03 | 3 | -16/+28
* Merge branch 'security-60039-11-9' into '11-9-stable' | GitLab Release Tools Bot | 2019-05-28 | 8 | -33/+144
    Disallow invalid MR branch name
    See merge request gitlab/gitlabhq!3093
  * Validate MR branch names | Mark Chao | 2019-05-06 | 8 | -33/+144
      Prevents refspec as branch name, which would bypass branch protection when used in conjunction with rebase.

      HEAD seems to be a special case with lots of occurrence, so it is considered valid for now. Another special case is `refs/head/*`, which can be imported.
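A branch-name validator of the kind that commit describes, as an added Ruby example that is not GitLab's code. A "branch" such as `feature:master` or `+refs/heads/a:refs/heads/protected` is a refspec, and anything that later hands the name to git as a push destination would write to the right-hand side, which is the protection bypass the message refers to. The ref-name rules applied are git's documented `check-ref-format` rules; the two special cases follow the commit text (`HEAD` accepted, full `refs/heads/*` names only when importing), and the method names and the `importing:` flag are assumptions.

```ruby
# Added example, not GitLab's validator: reject merge-request branch names
# that are really refspecs or are not valid git ref names at all. The rules
# are git's check-ref-format rules; the special cases follow the commit
# message above. Names and the importing: flag are assumptions.

# A refspec has a ':' separating source and destination, or a leading '+'
# for a forced update.
def refspec_like?(name)
  name.include?(':') || name.start_with?('+')
end

# git check-ref-format: no empty or '/'-bounded components, no component
# starting with '.' or ending with '.lock', no '..', no '@{', no lone '@',
# no control characters, space, ~ ^ : ? * [ or backslash, and (as with
# --branch) no leading '-'.
def valid_ref_name?(name)
  return false if name.empty? || name == '@'
  return false if name.start_with?('/', '-', '.') || name.end_with?('/', '.')
  return false if name.include?('..') || name.include?('//') || name.include?('@{') || name.include?('/.')
  return false if name.match?(/[\x00-\x20\x7F~^:?*\[\\]/)
  return false if name.split('/').any? { |component| component.end_with?('.lock') }

  true
end

def valid_branch_name?(name, importing: false)
  return true if name == 'HEAD' # special case kept in the commit above
  return false if refspec_like?(name)

  if name.start_with?('refs/')
    # Fully qualified names are only acceptable when importing, and only heads.
    return importing && name.start_with?('refs/heads/') && valid_ref_name?(name)
  end

  valid_ref_name?(name)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: ordinary names, refspecs and malformed refs.
  %w[feature/login HEAD feature:master +refs/heads/a:refs/heads/b refs/heads/x a..b wip.lock -x].each do |name|
    puts "#{name.ljust(28)} #{valid_branch_name?(name)}"
  end
end
```

Validating at the merge-request boundary is the right place only if the same name is what later reaches git; if the name is stored and re-read from elsewhere, apply the check again at the point of use.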
* Merge branch 'security-unsubscribing-from-issue-11-9' into '11-9-stable' | GitLab Release Tools Bot | 2019-05-28 | 4 | -11/+111
    Hide issue title on unsubscribe for anonymous users
    See merge request gitlab/gitlabhq!3101
  * Hide issue title on unsubscribe for anonymous users | Alexandru Croitor | 2019-05-20 | 4 | -11/+111
* Merge branch 'security-fix-confidential-issue-label-visibility-11-9' into '11-9-stable' | GitLab Release Tools Bot | 2019-05-28 | 3 | -1/+40
    Fix confidential issue label disclosure on milestone view
    See merge request gitlab/gitlabhq!3104
  * Fix confidential issue label disclosure on milestone view | Patrick Derichs | 2019-05-19 | 3 | -1/+40
* Merge branch 'security-fix_milestones_search_api_leak-11-9' into '11-9-stable' | GitLab Release Tools Bot | 2019-05-28 | 7 | -6/+130
    Resolve: Milestones leaked via search API
    See merge request gitlab/gitlabhq!3112
  * Resolve: Milestones leaked via search API | Felipe Artur | 2019-05-21 | 7 | -6/+130
      Fix milestone titles being leaked using search API when users cannot read milestones
* Merge branch 'security-jej/prevent-web-sign-in-bypass-11-9' into '11-9-stable' | GitLab Release Tools Bot | 2019-05-28 | 3 | -1/+48
    Prevent password sign in restriction bypass
    See merge request gitlab/gitlabhq!3119
  * Prevent password sign in restriction bypass | James Edwards-Jones | 2019-05-23 | 3 | -1/+48
* Merge branch 'security-knative-0.5-11-9' into '11-9-stable' | GitLab Release Tools Bot | 2019-05-28 | 3 | -3/+8
    Update Knative version due to a security vulnerability
    See merge request gitlab/gitlabhq!3122
  * Update Knative version due to a security vulnerability | Tiger Watson | 2019-05-28 | 3 | -3/+8
* Merge branch 'sh-fix-issue-59379-11-9' into '11-9-stable' | GitLab Release Tools Bot | 2019-05-28 | 3 | -2/+18
    Fix project visibility level validation
    See merge request gitlab/gitlabhq!3124
  * Fix project visibility level validation | Peter Marko | 2019-05-24 | 3 | -2/+18
* Merge branch '62283-fix-job-app-spec' into 'master' | Filipa Lacerda | 2019-05-24 | 1 | -1/+4
    Replaces a hard-coded date in the job app spec
    Closes #62283
    See merge request gitlab-org/gitlab-ce!28709
* Update VERSION to 11.9.11 [v11.9.11] | GitLab Release Tools Bot | 2019-04-30 | 1 | -1/+1
* Update CHANGELOG.md for 11.9.11 | GitLab Release Tools Bot | 2019-04-30 | 2 | -5/+7
    [ci skip]
* Merge branch 'security-disallow-read-user-scope-to-read-project-events-11-9' into '11-9-stable' | GitLab Release Tools Bot | 2019-04-29 | 7 | -182/+224
    Disallow read user scope to read project events
    See merge request gitlab/gitlabhq!3088
  * Add new api class for projects events | Małgorzata Ksionek | 2019-04-25 | 7 | -182/+224
      Refactor api events class to use external helper
      Move specs from old class
      Add changelog and magic string
      Refactor events class to be more explicit
      Remove blank line
* Update VERSION to 11.9.10 [v11.9.10] | GitLab Release Tools Bot | 2019-04-26 | 1 | -1/+1
* Update CHANGELOG.md for 11.9.10 | GitLab Release Tools Bot | 2019-04-26 | 6 | -25/+11
    [ci skip]
* Merge branch 'security-approval-race-condition-11-9' into '11-9-stable' | GitLab Release Tools Bot | 2019-04-25 | 2 | -3/+33
    Add ApplicationRecord#safe_ensure_unique method
    See merge request gitlab/gitlabhq!3056
  * Add ApplicationRecord#safe_ensure_unique method | Patrick Bajao | 2019-04-12 | 2 | -3/+33
      Port of https://dev.gitlab.org/gitlab/gitlab-ee/merge_requests/866 to CE excluding the migration and service changes as they don't apply to CE.
* Merge branch 'security-upgrade-to-rails-5-0-7-2-11-9' into '11-9-stable' | GitLab Release Tools Bot | 2019-04-25 | 3 | -36/+41
    Upgrade Rails to 5.0.7.2
    See merge request gitlab/gitlabhq!3058
  * Upgrade Rails to 5.0.7.2 | Heinrich Lee Yu | 2019-04-12 | 3 | -36/+41
* Merge branch 'security-pb-email-watchers-no-access-11-9' into '11-9-stable' | GitLab Release Tools Bot | 2019-04-25 | 3 | -12/+53
    Stop sending emails to users who can't read commit
    See merge request gitlab/gitlabhq!3064
  * Stop sending emails to users who can't read commit | Patrick Bajao | 2019-04-16 | 3 | -12/+53
      This is to ensure that users will only be able to receive an email if they can read a commit from the repository, even if they are watching the activity of it.