[ci skip]
Prevent privilege escalation via notes API
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15577
See merge request !1964
'master'"
This reverts commit 550f9a740c472ac4075284f08a2074ecffd64920.
Fix vulnerability that leaks private labels and milestones
This fixes a vulnerability that leaks information about private labels and milestones because of an insecure direct object reference in the issuable create service.
This affects merge requests and issues.
See https://gitlab.com/gitlab-org/gitlab-ce/issues/15439
This MR introduces an additional check that rejects labels and milestones that do not belong to the same project as the issue/merge request does.
`IssuableBaseService` may benefit from encapsulating filters in separate class/module, which then may improve coherency in this class.
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15439
See merge request !1954
Signed-off-by: Rémy Coutable <remy@rymai.me>
Prevent users from deleting Webhooks via API they do not own
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15576
See merge request !1959
Signed-off-by: Rémy Coutable <remy@rymai.me>
Prevent XSS via custom issue tracker URL
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/15437
See merge request !1955
Signed-off-by: Rémy Coutable <remy@rymai.me>
Prevent information disclosure via milestone API
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15579
See merge request !1961
Prevent information disclosure via new merge request page
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15591.
See merge request !1963
Prevent privilege escalation via "impersonate" feature
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15548
See merge request !1956
Prevent information disclosure via snippet API
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15580
See merge request !1958
Fixes XSS injection
REF: https://gitlab.com/gitlab-org/gitlab-ce/issues/15434
**Without the fix**
![xss1](/uploads/0a7b0b15fb87066965a7c73f1dbaa815/xss1.gif)
**With the fix**
![xss2](/uploads/473cfa0aa80656f24c58aebf1fd97fff/xss2.gif)
See merge request !1952
Fixes window.opener bug
Adds `noreferrer` value to rel attribute for external links
REF: https://gitlab.com/gitlab-org/gitlab-ce/issues/15331
See merge request !1953
See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/1948
Fix 2FA authentication spoofing
Signed-off-by: Rémy Coutable <remy@rymai.me>
[ci skip]
Signed-off-by: Rémy Coutable <remy@rymai.me>
Closes #13957
Bump Git version requirement to 2.7.4 (for 8.4)
[ci skip]
See merge request !3283
[ci skip]
Fix missing gitlab_git version bump
Closes #13430
See merge request !2811
Closes #13430
Bump gitlab_git to ~> 7.2.24
bump gitlab_git to ~> 7.2.24 (closes: #13245)
See merge request !2772
Add notice about variables in build log
Related to: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/1942
[ci skip]
See merge request !2761
[ci skip]
Fix timeout issue for rake task gitlab:backup:create
This is a fix for a database timeout which can occur when the backup
create task is taking very long (1-2 hours).
It seems that ActiveRecord is losing the connection after an hour of
idleness and needs to be reconnected before use.
See merge request !2757
Limit guest access builds
This is https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/1942 for ce-stable
See merge request !1943
This solves https://dev.gitlab.org/gitlab/gitlabhq/issues/2646
1. This MR simplifies the CI permission model:
- read_build: allows reading a list of builds, artifacts and trace
- update_build: allows cancelling and retrying builds
- admin_build: allows managing triggers, runners and variables
- read_commit_status: allows reading a list of commit statuses (including the status of a build, but doesn't allow seeing build details)
- create_commit_status: allows creating a new commit status using the API
2. I do make sure that the proper permissions are used in all places where the CI can be shown.
3. Add the `read_build` ability if the user is anonymous or a guest and allow_guest_to_access_builds is enabled.
4. Add CI setting: public_builds.
5. The artifacts-specific permissions are removed, since they are covered by `*_build`.
Updated omniauth-saml to the latest version.
See merge request !2684
Allow manual resize of js-autosize textareas
First, the autosize library was being too controlling and removed the
`resize` property from any elements to which it was attached, removing
the drag handle. We've disabled this behavior in the vendored library
and added a spec to prevent a regression during an upgrade.
Second, we detect (as best we can) when the user manually resizes an
autosize textarea, and then remove the autosize behavior from it and
increase its max-height.
This should allow for the best of both worlds.
Closes #12832
See merge request !2653
Expand Git instrumentation
This instruments some extra `Gitlab::Git` code as well as a collection of `Rugged` constants.
See merge request !2664
Increase LFS objects size column
Fixes #12745
Increases the `size` column integer limit to an 8-byte integer. This allows for a max value of `9223372036854775807` which is 9,223,372,036 GB. That should do it :smiley:
I tested this by first reproducing the error (push a file larger than 2.1 GB). The error was:
```
RangeError (3145728000 is out of range for ActiveRecord::ConnectionAdapters::PostgreSQL::OID::Integer with limit 4):
lib/gitlab/lfs/response.rb:232:in `store_file'
lib/gitlab/lfs/response.rb:170:in `render_lfs_upload_ok'
lib/gitlab/lfs/response.rb:51:in `block in render_storage_upload_store_response'
lib/gitlab/lfs/response.rb:204:in `render_response_to_push'
lib/gitlab/lfs/response.rb:50:in `render_storage_upload_store_response'
lib/gitlab/lfs/router.rb:76:in `put_response'
lib/gitlab/lfs/router.rb:20:in `try_call'
lib/gitlab/backend/grack_auth.rb:41:in `call'
lib/gitlab/backend/grack_auth.rb:18:in `call_with_kerberos_support'
lib/gitlab/backend/grack_auth.rb:8:in `call'
```
Then I ran this migration and pushed the file again. It uploaded successfully.
See merge request !2644
Backport LDAP user assignment changes from EE
See https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/146
See merge request !2641
Update sentry-raven gem.
Should resolve `fatal: Not a git repository (or any of the parent directories): .git` warnings.
Fixes #12657
See merge request !2636
Correctly determine MR diff base when MR has merge conflicts
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/12779
See merge request !2632
Fix highlighting in blame view.
See merge request !2630
[ci skip]
[ci skip]