| Commit message | Author | Age | Files | Lines |
[ci skip]
[ci skip]
Fix labels being applied to wrong merge requests on GitHub import
See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2064
Fix for XSS vulnerability in SVG attachments
See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2059
Fix XSS in rdoc and other markups
See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2058
Add sanitization filter to asciidocs output to prevent XSS
See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2057
[ci skip]
Reject blank environment variables in Gitlab::Git::RevList
Closes #25848
See merge request !8189
Fix N+1 queries on milestone show pages
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/25832
See merge request !8185
'master'
Ensure issuable state changes only fire webhooks once
Webhooks were fired twice when issuables were reopened or closed: once for the status change and once for the `update` operation.
Closes #25339
See merge request !8101
Bump gitlab-shell to 4.1.1
This fixes a compatibility issue with Git 2.11 (#25301):
- [x] gitlab-shell MR: gitlab-org/gitlab-shell!112
- [x] CE MR: !7967
- [x] EE MR: gitlab-org/gitlab-ee!964
See merge request !8143
Accept environment variables from the `pre-receive` script
## Summary
1. Starting with version 2.11, git changed the way the pre-receive flow works.
- Previously, the new potential objects would be added to the main repo. If the pre-receive passes, the new objects stay in the repo but are linked up. If the pre-receive fails, the new objects stay orphaned in the repo, and are cleaned up during the next `git gc`.
- In 2.11, the new potential objects are added to a temporary "alternate object directory", that git creates for this purpose. If the pre-receive passes, the objects from the alternate object directory are migrated to the main repo. If the pre-receive fails the alternate object directory is simply deleted.
2. In our workflow, the pre-receive script (in `gitlab-shell`) calls the
`/allowed` endpoint, which calls out directly to git to perform
various checks. These direct calls to git do _not_ have the necessary
environment variables set which allow access to the "alternate object
directory" (explained above). Therefore these calls to git are not able to
access any of the new potential objects to be added during this push.
3. We fix this by accepting the relevant environment variables
(`GIT_ALTERNATE_OBJECT_DIRECTORIES`, `GIT_OBJECT_DIRECTORY`, and
`GIT_QUARANTINE_PATH`) on the `/allowed` endpoint, and then include
these environment variables while calling out to git.
4. This commit includes these environment variables while making the "force
push" check.
## Issue Numbers
- Closes #25301 (assuming the corresponding `gitlab-shell` MR has been merged in first)
- Corresponding `gitlab-shell` MR: gitlab-org/gitlab-shell!112
- Corresponding EE MR: gitlab-org/gitlab-ee!964
## Tasks
- [#25301/!7967/!112] Git version 2.11.0 - Can't push to protected branch as master or developer
- [x] Investigate
- [x] Implementation
- [x] `force_push.rb` should use the relevant environment variables
- [x] Any other instances of `/allowed` calling out to git directly?
- [x] Verify that the fix works over SSH as well
- [x] Can we trim the number of env variables? Do we need all 3?
- [x] Whitelist variables. Server shouldn't pass through _any_ env variable passed in
- [x] Any security implications?
- [x] Check for force push return code
- [x] Shouldn't be able to opt-out from the force push check by passing an env variable
- [x] Tests
- [x] CE
- [x] Added
- [x] Passing
- [x] Shell
- [x] Added
- [x] Passing
- [x] Meta
- [x] CHANGELOG entry created
- [x] Branch has no merge conflicts with `master`
- [x] Squashed related commits together
- [x] EE merge request
- [x] Review
- [x] Endboss
- [ ] Follow-up
- [x] Make sure EE is working as expected
- [x] [CE] Gitlab changes without gitlab-shell changes shouldn't raise any exceptions
- [x] [CE] Gitlab-shell changes without gitlab changes shouldn't raise any exceptions
- [x] [EE] Gitlab changes without gitlab-shell changes shouldn't raise any exceptions
- [x] [EE] Gitlab-shell changes without gitlab changes shouldn't raise any exceptions
- [ ] Wait for merge
- [ ] CE
- [ ] EE
- [x] Shell
See merge request !7967
[ci skip]
The `parent` namespace concept didn't exist until 8.15, so this was
causing a `NoMethodError`.
Upgrade OmniAuth Ruby gem to 1.3.2
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/26813
See merge request !2056
Prevent users from creating notes on resources they can't access
See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2054
Ensure that only privileged users can access merge requests in the API
See merge request !2053
Fix export files not removed when a user takes over a namespace
See merge request !2051
Fix users being able to delete instance public deployment keys
See merge request !2049
Speed up group milestone index by passing group_id to IssuesFinder
See merge request !8363
Memoize Milestoneish#issues_visible_to_user to reduce lookups
https://gitlab.com/gitlab-org/gitlab-ce/issues/25748
See merge request !8146
[ci skip]
Updated Turbolinks to patched version of turbolinks-classic
See merge request !2048
Update the gitlab-markup gem to the version `1.5.1`
See merge request !8509
[ci skip]
The specs on the cherry-picked MR were counting on a behaviour that
was added on https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7843
(an 8.15 MR). We backport the relevant code.
Filter `incoming_email_token` and `runners_token` parameters
Closes https://dev.gitlab.org/gitlab/gitlabhq/issues/2676
See merge request !2045
Issue#visible_to_user moved to IssuesFinder
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/24637.
See merge request !2039
Fix missing Note access checks by moving Note#search to updated NoteFinder
Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867
## Which fixes are in this MR?
:warning: - Potentially untested
:bomb: - No test coverage
:traffic_light: - Test coverage of some sort exists (a test failed when error raised)
:vertical_traffic_light: - Test coverage of return value (a test failed when nil used)
:white_check_mark: - Permissions check tested
### Note lookup without access check
- [x] :white_check_mark: app/finders/notes_finder.rb:13 :download_code check
- [x] :white_check_mark: app/finders/notes_finder.rb:19 `SnippetsFinder`
- [x] :white_check_mark: app/models/note.rb:121 [`Issue#visible_to_user`]
- [x] :white_check_mark: lib/gitlab/project_search_results.rb:113
- This is the only use of `app/models/note.rb:121` above, but importantly has no access checks at all. This means it leaks MR comments and snippets when those features are `team-only` in addition to the issue comments which would be fixed by `app/models/note.rb:121`.
- It is only called from SearchController where `can?(current_user, :download_code, @project)` is checked, so commit comments are not leaked.
### Previous discussions
- [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b915c5267a63628b0bafd23d37792ae73ceae272_13_13 `: download_code` check on commit
- [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b915c5267a63628b0bafd23d37792ae73ceae272_19_19 `SnippetsFinder` should be used
- `SnippetsFinder` should check if the snippets feature is enabled -> https://gitlab.com/gitlab-org/gitlab-ce/issues/25223
### Acceptance criteria met?
- [x] Tests added for new code
- [x] TODO comments removed
- [x] Squashed and removed skipped tests
- [x] Changelog entry
- [ ] State Gitlab versions affected and issue severity in description
- [ ] Create technical debt issue for NotesFinder.
- Either split into `NotesFinder::ForTarget` and `NotesFinder::Search` or consider object per notable type such as `NotesFinder::OnIssue`. For the first option could create `NotesFinder::Base` which is either inherited from or which can be included in the other two.
- Avoid case statement anti-pattern in this finder with use of `NotesFinder::OnCommit` etc. Consider something on the finder for this? `Model.finder(user, project)`
- Move `inc_author` to the controller, and implement `related_notes` to replace `non_diff_notes`/`mr_and_commit_notes`
See merge request !2035
API: Memoize the current_user so that the sudo can work properly
Closes #25482
See merge request !8017
Encode when migrating ProcessCommitWorker jobs
## What does this MR do?
This adds encoding logic to the migration for ProcessCommitWorker, ensuring it doesn't throw errors when the input cannot be converted to UTF-8 without extra help.
## What are the relevant issue numbers?
https://gitlab.com/gitlab-org/gitlab-ce/issues/25489
See merge request !8064
Fix Crontab typo for PruneOldEventsWorker to run 4x/day instead of 60x/hour
In c0a92cb8 the intended cron setting (per the comment) was to be "4 times a day"; a `*` instead of a `0` means it runs 60x/hr, 4x/day.
Closes #25571
See merge request !8051
Displays milestone remaining days only when it's present
See merge request !7998
Use a single query in Projects::ProjectMembersController to fetch members
See merge request !7997
Fixed timeago re-rendering every element
## What does this MR do?
Fixes an issue where, when new notes are added, timeago is initialised again for every timeago element on the page, thereby adding more timeouts.
See merge request !7969
Allow branch names with dots on API endpoint
closes #25030
See merge request !7963
Avoid escaping relative links in Markdown twice
## What does this MR do?
Avoid escaping relative links in Markdown twice.
## Why was this MR needed?
Relative links with special characters (e.g. spaces) were escaped twice.
## What are the relevant issue numbers?
closes #25191, #25318
See merge request !7940
'25171-fix-mr-features-settings-hidden-when-builds-are-disabled' into 'master'
Remove wrong '.builds-feature' class from the MR settings fieldset
Closes #25171
See merge request !7930