| Commit message | Author | Date | Files | Lines |
|---|---|---|---|---|
| Update VERSION to 11.9.12 (v11.9.12, 11-9-stable) | GitLab Release Tools Bot | 2019-05-30 | 1 | -1/+1 |
| Update CHANGELOG.md for 11.9.12 | GitLab Release Tools Bot | 2019-05-30 | 13 | -60/+18 |
| [ci skip] | | | | |
| Merge branch 'osw-disable-dns-rebind-protection-settings-11-9' into '11-9-stable' | GitLab Release Tools Bot | 2019-05-30 | 13 | -13/+183 |
| Add DNS rebinding protection settings. See merge request gitlab/gitlabhq!3132 | | | | |
| Rename UrlBlocker argument: schemes -> protocols | Stan Hu | 2019-05-29 | 1 | -1/+1 |
| This was renamed in GitLab 11.11, so the backport needs to use the original name. | | | | |
| Use Rails migration v5.0 for GitLab 11.9 | Stan Hu | 2019-05-29 | 1 | -1/+1 |
| Add changelog | Oswaldo Ferreira | 2019-05-29 | 1 | -0/+5 |
| Add DNS rebinding protection settings | Oswaldo Ferreira | 2019-05-29 | 12 | -13/+178 |
| Merge branch 'security-60143-address-xss-issue-11.09' into '11-9-stable' | GitLab Release Tools Bot | 2019-05-28 | 3 | -0/+55 |
| Reject slug+uri concat if slug is deemed unsafe. See merge request gitlab/gitlabhq!3107 | | | | |
| Reject slug+uri concat if slug is deemed unsafe | Kerri Miller | 2019-05-27 | 3 | -0/+55 |
| First reported: https://gitlab.com/gitlab-org/gitlab-ce/issues/60143. When the page slug is "javascript:" and we attempt to link to a relative path (using `.` or `..`) the code will concatenate the slug and the uri. This MR adds a guard to that concat step that will return `nil` if the incoming slug matches against any of the "unsafe" slug regexes; currently this is only for the slug "javascript:" but can be extended if needed. Manually tested against a non-exhaustive list from OWASP of common javascript XSS exploits that have to do with mangling the "javascript:" method, and all are caught by this change or by existing code that ingests the user-specified slug. | | | | |
| Merge branch 'security-http-hostname-override-11-9' into '11-9-stable' | GitLab Release Tools Bot | 2019-05-28 | 27 | -87/+410 |
| Protect Gitlab::HTTP against DNS rebinding attack. See merge request gitlab/gitlabhq!3115 | | | | |
| Protect Gitlab::HTTP against DNS rebinding attack | Douwe Maan | 2019-05-22 | 27 | -87/+410 |
| Gitlab::HTTP now resolves the hostname only once, verifies the IP is not blocked, and then uses the same IP to perform the actual request, while passing the original hostname in the `Host` header and SSL SNI field. | | | | |
| Merge branch 'security-58856-persistent-xss-11-9' into '11-9-stable' | GitLab Release Tools Bot | 2019-05-28 | 6 | -3/+41 |
| Persistent XSS in note objects CE. See merge request gitlab/gitlabhq!3081 | | | | |
| Change `prohibited_key` to use regexes | charlieablett | 2019-05-01 | 1 | -4/+2 |
| Add `html` to sensitive words | charlieablett | 2019-05-01 | 3 | -2/+4 |
| Add changelog entry | charlieablett | 2019-04-30 | 1 | -0/+5 |
| Ensure Issue & MR note_html cannot be imported | Ash McKenzie | 2019-04-30 | 2 | -14/+16 |
| Add newline to AttributeCleaner | charlieablett | 2019-04-30 | 1 | -1/+1 |
| Refactor AttributeCleaner for readability | charlieablett | 2019-04-30 | 1 | -2/+3 |
| Refactor AttributeCleaner for readability | charlieablett | 2019-04-30 | 1 | -7/+2 |
| Tighten up prohibited_key method | charlieablett | 2019-04-26 | 1 | -4/+3 |
| Add disallowed fields to AttributeCleaner | charlieablett | 2019-04-24 | 3 | -2/+38 |
| Merge branch 'security-fix-project-existence-disclosure-11-9' into '11-9-stable' | GitLab Release Tools Bot | 2019-05-28 | 3 | -16/+28 |
| Fix url redaction for issue links. See merge request gitlab/gitlabhq!3089 | | | | |
| Fix url redaction for issue links | Patrick Derichs | 2019-05-03 | 3 | -16/+28 |
| Merge branch 'security-60039-11-9' into '11-9-stable' | GitLab Release Tools Bot | 2019-05-28 | 8 | -33/+144 |
| Disallow invalid MR branch name. See merge request gitlab/gitlabhq!3093 | | | | |
| Validate MR branch names | Mark Chao | 2019-05-06 | 8 | -33/+144 |
| Prevents refspec as branch name, which would bypass branch protection when used in conjunction with rebase. HEAD seems to be a special case with lots of occurrences, so it is considered valid for now. Another special case is `refs/head/*`, which can be imported. | | | | |
| Merge branch 'security-unsubscribing-from-issue-11-9' into '11-9-stable' | GitLab Release Tools Bot | 2019-05-28 | 4 | -11/+111 |
| Hide issue title on unsubscribe for anonymous users. See merge request gitlab/gitlabhq!3101 | | | | |
| Hide issue title on unsubscribe for anonymous users | Alexandru Croitor | 2019-05-20 | 4 | -11/+111 |
| Merge branch 'security-fix-confidential-issue-label-visibility-11-9' into '11-9-stable' | GitLab Release Tools Bot | 2019-05-28 | 3 | -1/+40 |
| Fix confidential issue label disclosure on milestone view. See merge request gitlab/gitlabhq!3104 | | | | |
| Fix confidential issue label disclosure on milestone view | Patrick Derichs | 2019-05-19 | 3 | -1/+40 |
| Merge branch 'security-fix_milestones_search_api_leak-11-9' into '11-9-stable' | GitLab Release Tools Bot | 2019-05-28 | 7 | -6/+130 |
| Resolve: Milestones leaked via search API. See merge request gitlab/gitlabhq!3112 | | | | |
| Resolve: Milestones leaked via search API | Felipe Artur | 2019-05-21 | 7 | -6/+130 |
| Fix milestone titles being leaked using search API when users cannot read milestones | | | | |
| Merge branch 'security-jej/prevent-web-sign-in-bypass-11-9' into '11-9-stable' | GitLab Release Tools Bot | 2019-05-28 | 3 | -1/+48 |
| Prevent password sign in restriction bypass. See merge request gitlab/gitlabhq!3119 | | | | |
| Prevent password sign in restriction bypass | James Edwards-Jones | 2019-05-23 | 3 | -1/+48 |
| Merge branch 'security-knative-0.5-11-9' into '11-9-stable' | GitLab Release Tools Bot | 2019-05-28 | 3 | -3/+8 |
| Update Knative version due to a security vulnerability. See merge request gitlab/gitlabhq!3122 | | | | |
| Update Knative version due to a security vulnerability | Tiger Watson | 2019-05-28 | 3 | -3/+8 |
| Merge branch 'sh-fix-issue-59379-11-9' into '11-9-stable' | GitLab Release Tools Bot | 2019-05-28 | 3 | -2/+18 |
| Fix project visibility level validation. See merge request gitlab/gitlabhq!3124 | | | | |
| Fix project visibility level validation | Peter Marko | 2019-05-24 | 3 | -2/+18 |
| Merge branch '62283-fix-job-app-spec' into 'master' | Filipa Lacerda | 2019-05-24 | 1 | -1/+4 |
| Replaces a hard-coded date in the job app spec. Closes #62283. See merge request gitlab-org/gitlab-ce!28709 | | | | |
| Update VERSION to 11.9.11 (v11.9.11) | GitLab Release Tools Bot | 2019-04-30 | 1 | -1/+1 |
| Update CHANGELOG.md for 11.9.11 | GitLab Release Tools Bot | 2019-04-30 | 2 | -5/+7 |
| [ci skip] | | | | |
| Merge branch 'security-disallow-read-user-scope-to-read-project-events-11-9' into '11-9-stable' | GitLab Release Tools Bot | 2019-04-29 | 7 | -182/+224 |
| Disallow read user scope to read project events. See merge request gitlab/gitlabhq!3088 | | | | |
| Add new api class for projects events | Małgorzata Ksionek | 2019-04-25 | 7 | -182/+224 |
| Refactor api events class to use external helper. Move specs from old class. Add changelog and magic string. Refactor events class to be more explicit. Remove blank line. | | | | |
| Update VERSION to 11.9.10 (v11.9.10) | GitLab Release Tools Bot | 2019-04-26 | 1 | -1/+1 |
| Update CHANGELOG.md for 11.9.10 | GitLab Release Tools Bot | 2019-04-26 | 6 | -25/+11 |
| [ci skip] | | | | |
| Merge branch 'security-approval-race-condition-11-9' into '11-9-stable' | GitLab Release Tools Bot | 2019-04-25 | 2 | -3/+33 |
| Add ApplicationRecord#safe_ensure_unique method. See merge request gitlab/gitlabhq!3056 | | | | |
| Add ApplicationRecord#safe_ensure_unique method | Patrick Bajao | 2019-04-12 | 2 | -3/+33 |
| Port of https://dev.gitlab.org/gitlab/gitlab-ee/merge_requests/866 to CE excluding the migration and service changes as they don't apply to CE. | | | | |
| Merge branch 'security-upgrade-to-rails-5-0-7-2-11-9' into '11-9-stable' | GitLab Release Tools Bot | 2019-04-25 | 3 | -36/+41 |
| Upgrade Rails to 5.0.7.2. See merge request gitlab/gitlabhq!3058 | | | | |
| Upgrade Rails to 5.0.7.2 | Heinrich Lee Yu | 2019-04-12 | 3 | -36/+41 |
| Merge branch 'security-pb-email-watchers-no-access-11-9' into '11-9-stable' | GitLab Release Tools Bot | 2019-04-25 | 3 | -12/+53 |
| Stop sending emails to users who can't read commit. See merge request gitlab/gitlabhq!3064 | | | | |
| Stop sending emails to users who can't read commit | Patrick Bajao | 2019-04-16 | 3 | -12/+53 |
| This is to ensure that only users will be able to receive an email if they can read a commit from the repository even if they are watching the activity of it. | | | | |