[ci skip]
This reverts commit 2404e6c71a9a9b1699bc2dbb487f909a320e21f3.
This reverts commit fa242b393fbadf2578c32b70b437e8dd6f06172b.
[ci skip]
Backport reliable fetcher to 12.1
See merge request gitlab/gitlabhq!3584
backport https://gitlab.com/gitlab-org/gitlab/commit/2be136b6cdf59f4664d9fbbe91e16498a47ba227
see https://gitlab.com/gitlab-org/gitlab/commit/3baeb0c7fd6829b8c083a43370163d16f7700263
see https://gitlab.com/gitlab-org/gitlab/merge_requests/21161
Sanitize search text to prevent XSS
See merge request gitlab/gitlabhq!3471
Handle Stored XSS for Grafana URL in settings
See merge request gitlab/gitlabhq!3483
- Extend Gitlab::UrlBlocker to allow relative urls (require_absolute
setting). The new `require_absolute` setting defaults to true,
which is the existing behavior.
- Extend AddressableUrlValidator to accept `require_absolute` and
default to the existing behavior
- Add validation for ApplicationSetting#grafana_url to validate that
the URL does not contain XSS but can be a valid relative or absolute
url.
- In the case of existing stored URLs, validate the stored URL does
not contain XSS. If the stored URL contains stored XSS or is an
otherwise invalid URL, return the default database column value.
- Add tests for Gitlab::UrlBlocker to test require_absolute setting
- Add tests for AddressableUrlValidator
- Add tests for ApplicationSetting#grafana_url
[ci skip]
[ci skip]
Fix private feature Elasticsearch leak
See merge request gitlab/gitlabhq!3452
Add spec to test different combinations.
Accept string for required_minimum_access_level
Allow more flexible project membership query
Fix broken specs: Generate new GPG key in place of expired one
Closes #32956
See merge request gitlab-org/gitlab!17853
[ci skip]
Fix Gitaly SearchBlobs flag RPC injection [Gitaly v1.53.4]
See merge request gitlab/gitlabhq!3435
'12-1-stable'
Check that SAML identity linking validates the origin of the request
See merge request gitlab/gitlabhq!3376
If the request wasn't initiated by GitLab, we shouldn't add the new
identity to the user, and instead show that we weren't able to link
the identity to the user.
This should fix: https://gitlab.com/gitlab-org/gitlab-ce/issues/56509
Gitlab XSS in markdown preview page
See merge request gitlab/gitlabhq!3400
Update mermaid to avoid XSS surface area. The newer release
restricts script tags from being embedded in mermaid blocks.
'security-12717-fix-confidential-issue-assignee-visible-to-guests-12-1' into '12-1-stable'
Display only participants that user has permission to see
See merge request gitlab/gitlabhq!3403
'12-1-stable'
Prevent Bypassing Email Verification using Salesforce
See merge request gitlab/gitlabhq!3407
Fix rubocop offences and add changelog
Add email_verified key for feature specs
Add code review remarks
Add code review remarks
Fix specs
Only render fixed number of mermaid blocks
See merge request gitlab/gitlabhq!3413
'security-12718-project-milestones-disclosed-via-groups-12-1-ce' into '12-1-stable'
Hide disabled project milestones in project settings on group level
See merge request gitlab/gitlabhq!3416
Redirect user to root path after unsubscribing from private resource
See merge request gitlab/gitlabhq!3418
If a user unsubscribes from a resource that they no longer have
access to, the resource path should not be revealed to them; they
should be redirected to the app root instead.
https://gitlab.com/gitlab-org/gitlab-ce/issues/64938
'security-12630-private-system-note-disclosed-in-graphql-12-1-ce' into '12-1-stable'
Add policy check if cross reference system notes are accessible
See merge request gitlab/gitlabhq!3428
Cancel all running CI jobs when user is blocked
See merge request gitlab/gitlabhq!3438
This prevents a MITM attack where an attacker could
still access the Git repository if any jobs were
running long enough.
Filter not accessible label events
See merge request gitlab/gitlabhq!3442
Label events may use cross-project or cross-group references;
if the projects are not accessible to the user, we don't show these
label events.