Commit message | Author | Age | Files | Lines

Update VERSION to 12.1.16 (tag v12.1.16) | GitLab Release Tools Bot | 2019-12-12 | 1 | -1/+1

Update CHANGELOG.md for 12.1.16 | GitLab Release Tools Bot | 2019-12-12 | 3 | -10/+8
    [ci skip]

Adds message to indicate we are skipping release 12.1.15 | John T Skarbek | 2019-12-12 | 1 | -0/+4

Revert "Update CHANGELOG.md for 12.1.15" | John T Skarbek | 2019-12-12 | 3 | -8/+10
    This reverts commit 2404e6c71a9a9b1699bc2dbb487f909a320e21f3.

Revert "Update VERSION to 12.1.15" | John T Skarbek | 2019-12-12 | 1 | -1/+1
    This reverts commit fa242b393fbadf2578c32b70b437e8dd6f06172b.

Update VERSION to 12.1.15 (tag v12.1.15) | GitLab Release Tools Bot | 2019-12-11 | 1 | -1/+1

Update CHANGELOG.md for 12.1.15 | GitLab Release Tools Bot | 2019-12-11 | 3 | -10/+8
    [ci skip]

Merge branch '12-1-stable-backport-reliable-fetcher' into '12-1-stable' | John Skarbek | 2019-12-10 | 12 | -46/+47
    Backport reliable fetcher to 12.1
    See merge request gitlab/gitlabhq!3584

Fix specs, backporting | Valery Sizov | 2019-12-09 | 10 | -43/+44
    backport https://gitlab.com/gitlab-org/gitlab/commit/2be136b6cdf59f4664d9fbbe91e16498a47ba227
    see https://gitlab.com/gitlab-org/gitlab/commit/3baeb0c7fd6829b8c083a43370163d16f7700263
    see https://gitlab.com/gitlab-org/gitlab/merge_requests/21161

Backport reliable fetcher | Valery Sizov | 2019-12-09 | 2 | -3/+3

Merge branch 'security-stored-xss-using-find-file-12-1' into '12-1-stable' | GitLab Release Tools Bot | 2019-10-24 | 2 | -1/+7
    Sanitize search text to prevent XSS
    See merge request gitlab/gitlabhq!3471

Sanitize search text to prevent XSS | samantha-dev | 2019-10-10 | 2 | -1/+7

Merge branch 'security-xss-grafana-url-12-1' into '12-1-stable' | GitLab Release Tools Bot | 2019-10-24 | 8 | -15/+189
    Handle Stored XSS for Grafana URL in settings
    See merge request gitlab/gitlabhq!3483

Handle Stored XSS for Grafana URL in settings | David Wilkins | 2019-10-24 | 8 | -15/+189
    - Extend Gitlab::UrlBlocker to allow relative urls (require_absolute setting). The new `require_absolute` setting defaults to true, which is the existing behavior.
    - Extend AddressableUrlValidator to accept `require_absolute` and default to the existing behavior
    - Add validation for ApplicationSetting#grafana_url to validate that the URL does not contain XSS but can be a valid relative or absolute url.
    - In the case of existing stored URLs, validate the stored URL does not contain XSS. If the stored URL contains stored XSS or is an otherwise invalid URL, return the default database column value.
    - Add tests for Gitlab::UrlBlocker to test require_absolute setting
    - Add tests for AddressableUrlValidator
    - Add tests for ApplicationSetting#grafana_url

Merge remote-tracking branch 'dev/12-1-stable' into 12-1-stable | GitLab Release Tools Bot | 2019-10-07 | 2 | -1/+5

Update VERSION to 12.1.14 (tag v12.1.14) | GitLab Release Tools Bot | 2019-10-07 | 1 | -1/+1

Update CHANGELOG.md for 12.1.14 | GitLab Release Tools Bot | 2019-10-07 | 1 | -0/+4
    [ci skip]

Merge remote-tracking branch 'dev/12-1-stable' into 12-1-stable | GitLab Release Tools Bot | 2019-10-02 | 8 | -3/+213

Update VERSION to 12.1.13 (tag v12.1.13) | GitLab Release Tools Bot | 2019-10-01 | 1 | -1/+1

Update CHANGELOG.md for 12.1.13 | GitLab Release Tools Bot | 2019-10-01 | 2 | -5/+7
    [ci skip]

Merge branch 'security-29491-12-1-ce' into '12-1-stable' | Marin Jankovski | 2019-10-01 | 7 | -2/+210
    Fix private feature Elasticsearch leak
    See merge request gitlab/gitlabhq!3452

EE port: Fix private feature Elasticsearch leak | Mark Chao | 2019-10-01 | 7 | -2/+210
    Add spec to test different combinations.
    Accept string for required_minimum_access_level
    Allow more flexible project membership query

Merge branch 'fix_expired_gpg_key_specs' into 'master' | Stan Hu | 2019-09-30 | 2 | -151/+270
    Fix broken specs: Generate new GPG key in place of expired one
    Closes #32956
    See merge request gitlab-org/gitlab!17853

Update VERSION to 12.1.12 (tag v12.1.12) | GitLab Release Tools Bot | 2019-09-26 | 1 | -1/+1

Update CHANGELOG.md for 12.1.12 | GitLab Release Tools Bot | 2019-09-26 | 12 | -58/+17
    [ci skip]

Merge branch 'security-gitaly-1-53-4' into '12-1-stable' | GitLab Release Tools Bot | 2019-09-26 | 2 | -1/+6
    Fix Gitaly SearchBlobs flag RPC injection [Gitaly v1.53.4]
    See merge request gitlab/gitlabhq!3435

Fix Gitaly SearchBlobs flag RPC injection | Paul Okstad | 2019-09-24 | 2 | -1/+6

Merge branch 'security-sarcila-verify-saml-request-origin-12-1' into '12-1-stable' | GitLab Release Tools Bot | 2019-09-26 | 12 | -40/+303
    Check that SAML identity linking validates the origin of the request
    See merge request gitlab/gitlabhq!3376

Validate that SAML requests are originated from gitlab | Sebastian Arcila Valenzuela | 2019-09-16 | 12 | -40/+303
    If the request wasn't initiated by gitlab we shouldn't add the new identity to the user, and instead show that we weren't able to link the identity to the user.
    This should fix: https://gitlab.com/gitlab-org/gitlab-ce/issues/56509

Merge branch 'security-xss-mermaid-12-1' into '12-1-stable' | GitLab Release Tools Bot | 2019-09-26 | 5 | -318/+1642
    Gitlab XSS in markdown preview page
    See merge request gitlab/gitlabhq!3400

Upgrade mermaid to prevent xss attack | Rajat Jain | 2019-09-10 | 5 | -318/+1642
    Update mermaid to avoid xss surface area. The newer release restricts script tags to be embedded in mermaid blocks.

Merge branch 'security-12717-fix-confidential-issue-assignee-visible-to-guests-12-1' into '12-1-stable' | GitLab Release Tools Bot | 2019-09-26 | 3 | -1/+47
    Display only participants that user has permission to see
    See merge request gitlab/gitlabhq!3403

Display only participants that user has permission to see | Alexandru Croitor | 2019-09-20 | 3 | -1/+47

Merge branch 'security-bypass-email-verification-using-salesforce-12-1' into '12-1-stable' | GitLab Release Tools Bot | 2019-09-26 | 6 | -24/+78
    Prevent Bypassing Email Verification using Salesforce
    See merge request gitlab/gitlabhq!3407

Bring back unary operator | Małgorzata Ksionek | 2019-09-11 | 1 | -2/+2

Switch unary operator to more verbose way | Małgorzata Ksionek | 2019-09-11 | 1 | -2/+2

Bring back unary operator | Małgorzata Ksionek | 2019-09-11 | 1 | -2/+2

Add checking for email_verified key | Małgorzata Ksionek | 2019-09-11 | 6 | -24/+78
    Fix rubocop offences and add changelog
    Add email_verified key for feature specs
    Add code review remarks
    Add code review remarks
    Fix specs

Merge branch 'security-mermaid-block-12-1' into '12-1-stable' | GitLab Release Tools Bot | 2019-09-26 | 3 | -1/+48
    Only render fixed number of mermaid blocks
    See merge request gitlab/gitlabhq!3413

Only render fixed number of mermaid blocks | Rajat Jain | 2019-09-19 | 3 | -1/+48

Merge branch 'security-12718-project-milestones-disclosed-via-groups-12-1-ce' into '12-1-stable' | GitLab Release Tools Bot | 2019-09-26 | 4 | -6/+115
    Hide disabled project milestones in project settings on group level
    See merge request gitlab/gitlabhq!3416

Hide disabled project milestones in project settings on group level | Alexandru Croitor | 2019-09-26 | 4 | -6/+115

Merge branch 'security-64938-dont-disclose-path-12-1-ce' into '12-1-stable' | GitLab Release Tools Bot | 2019-09-26 | 3 | -1/+40
    Redirect user to root path after unsubscribing from private resource
    See merge request gitlab/gitlabhq!3418

Redirect user to root path after unsubscribing from private resource | Alexandru Croitor | 2019-09-20 | 3 | -1/+40
    If user unsubscribes from a resource that they no longer have access to they should not be revealed the resource path, but be redirected to app root instead.
    https://gitlab.com/gitlab-org/gitlab-ce/issues/64938

Merge branch 'security-12630-private-system-note-disclosed-in-graphql-12-1-ce' into '12-1-stable' | GitLab Release Tools Bot | 2019-09-26 | 5 | -0/+178
    Add policy check if cross reference system notes are accessible
    See merge request gitlab/gitlabhq!3428

Add policy check if cross reference system notes are accessible | Alexandru Croitor | 2019-09-25 | 5 | -0/+178

Merge branch 'security-fp-stop-jobs-when-blocking-user-12-1' into '12-1-stable' | GitLab Release Tools Bot | 2019-09-26 | 5 | -1/+68
    Cancel all running CI jobs when user is blocked
    See merge request gitlab/gitlabhq!3438

Cancel all running CI jobs when user is blocked | Fabio Pitino | 2019-09-24 | 5 | -1/+68
    This prevents a MITM attack where attacker could still access Git repository if any jobs were running long enough.

Merge branch 'security-cross-reference-fix-ce-12-1' into '12-1-stable' | GitLab Release Tools Bot | 2019-09-26 | 8 | -34/+284
    Filter not accessible label events
    See merge request gitlab/gitlabhq!3442

Filter not accessible label events | Jan Provaznik | 2019-09-24 | 8 | -34/+284
    Label events may use cross-project or cross-group references, if the projects are not accessible by user, we don't show these label events.