path: root/app
Commit message (Author, Date, Files changed, Lines -/+)
* Merge branch 'security-fix-badges-leaked-to-unauthorized-users-11-11' into '11-11-stable'  (GitLab Release Tools Bot, 2019-07-24, 1 file, -1/+2)
    Don't display badges when builds are restricted
    See merge request gitlab/gitlabhq!3186
  * Don't display badges when builds are restricted  (Fabio Pitino, 2019-06-27, 1 file, -1/+2)
      Badges were leaked to unauthorized users even when Public Builds project setting is disabled.
      Added guard clause to the controller to check if user can read build.
* Merge branch 'security-mr-pipeline-permissions-11-11' into '11-11-stable'  (GitLab Release Tools Bot, 2019-07-24, 2 files, -2/+3)
    MR pipeline permissions
    See merge request gitlab/gitlabhq!3217
  * Use MergeRequest#source_project as permissions reference for MergeRequest#all_pipelines  (drew cimino, 2019-07-05, 2 files, -2/+3)
      MergeRequest#all_pipelines fetches Ci::Pipeline records from the source project, so we should specifically check that project for permissions.
      This was already happening for intra-project merge requests, but in the event that the target and source projects both have private builds, we should ensure that the project permissions are respected.
* Merge branch 'security-remove-take-trigger-ownership-feature-11-11' into '11-11-stable'  (GitLab Release Tools Bot, 2019-07-24, 2 files, -14/+1)
    Drop feature to take ownership of a trigger token
    See merge request gitlab/gitlabhq!3228
  * Drop feature to take ownership of a trigger token  (Fabio Pitino, 2019-07-10, 2 files, -14/+1)
      Removing API and frontend interactions that allowed users to take ownership of a trigger token.
      Removed mentions from the documentation.
* Merge branch 'security-2873-restrict-slash-commands-to-users-who-can-log-in-11-11' into '11-11-stable'  (GitLab Release Tools Bot, 2019-07-24, 2 files, -0/+5)
    Restrict slash commands to users who can log in
    See merge request gitlab/gitlabhq!3239
  * Restrict slash commands to users who can log in  (Hordur Freyr Yngvason, 2019-07-12, 2 files, -0/+5)
* Merge branch 'security-bvl-filter-mr-params-11-11' into '11-11-stable'  (GitLab Release Tools Bot, 2019-07-24, 1 file, -6/+22)
    Filter params in MR build service
    See merge request gitlab/gitlabhq!3255
  * Filter params in MR build service  (Bob Van Landuyt, 2019-07-17, 1 file, -6/+22)
      Reusing the existing `IssuableBaseService#filter_params` which uses the policies to determine what params a user can set, and which values it can be set to.
      This also removed the need for the separate call to `IssuableBaseService#ensure_milestone_available`.
      The `Issues::BuildService` does not suffer from this because it limits the params that are assignable to the `title`, `description` and `milestone_id`.
* Do not show moved issue ids for user not authorized  (Felipe Artur, 2019-07-15, 1 file, -1/+6)
    Do not show moved issue id for users that cannot read issue
* Support object storage at FileMover class  (Oswaldo Ferreira, 2019-06-30, 1 file, -18/+43)
* Merge branch 'security-notes-in-private-snippets-11-11' into '11-11-stable'  (GitLab Release Tools Bot, 2019-06-26, 2 files, -9/+13)
    Ability to write a note in a private snippet
    See merge request gitlab/gitlabhq!3141
  * Correctly check permissions when creating snippet notes  (Markus Koller, 2019-06-06, 2 files, -9/+13)
      In the Snippets::NotesController the noteable was resolved and authorized through the :snippet_id, so by passing a :target_id for a different snippet it was possible to create a note on a snippet where the user would be unauthorized to do so otherwise.
      This fixes the problem by ignoring the :target_id and :target_type from the request, and using the same noteable for creation and authorization.
* Merge branch 'security-prevent-detection-of-merge-request-template-name-11-11' into '11-11-stable'  (GitLab Release Tools Bot, 2019-06-26, 2 files, -2/+20)
    Guests can know whether merge request template name exists or not
    See merge request gitlab/gitlabhq!3149
  * Authorize access before serving project template  (Luke Duncalfe, 2019-06-12, 2 files, -2/+20)
      Previously, if a user was a guest member of a private project, they could access the merge request template as we were not checking permission-levels of the user.
      When an issue template is asked for, the user must have :read_issue for the project; or :read_merge_request when a merge request template is asked for.
      We also now rescue_from FileNotFoundError and handle as 404. This is because RepoTemplateFinder can raise a FileNotFoundError exception, which Rails previously handled as a 500. Handling these in a way that is consistent with ActiveRecord::RecordNotFound exceptions, within controllers that inherit from Projects::ApplicationController at least, and returning a 404.
      https://gitlab.com/gitlab-org/gitlab-ce/issues/54943
* Merge branch 'security-persist-tmp-snippet-uploads-11-11' into '11-11-stable'  (GitLab Release Tools Bot, 2019-06-26, 5 files, -17/+47)
    Persist tmp snippet uploads at users
    See merge request gitlab/gitlabhq!3165
  * Persist tmp snippet uploads  (Oswaldo Ferreira, 2019-06-17, 5 files, -17/+47)
      It persists temporary personal snippets under user/:id namespaces temporarily while creating an upload record to track it.
      If a user gets removed while it's still a tmp upload, it also gets removed.
      If the tmp upload is sent, the upload gets moved to personal_snippets/:id as before. The upload record also gets updated to the new model type as well.
* Merge branch 'security-59581-related-merge-requests-count-11-11' into '11-11-stable'  (GitLab Release Tools Bot, 2019-06-26, 8 files, -13/+44)
    Expose merge requests count based on user access
    See merge request gitlab/gitlabhq!3168
  * Expose merge requests count based on user access  (Alexandru Croitor, 2019-06-18, 8 files, -13/+44)
      Count issues related merge requests based on user access level.
      An issue can have related MRs from projects where user does not have access so the number of related merge requests should be adjusted based on user's ability to access the related MRs.
      https://gitlab.com/gitlab-org/gitlab-ce/issues/59581
* Merge branch 'security-bvl-enforce-graphql-type-authorization-11-11' into '11-11-stable'  (GitLab Release Tools Bot, 2019-06-26, 6 files, -5/+13)
    Fix type authorizations in GraphQL
    See merge request gitlab/gitlabhq!3173
  * Fix failing authorizations in GraphQL  (Bob Van Landuyt, 2019-06-20, 6 files, -5/+13)
      0. Add authorize to LabelType and NamespaceType.
      1. Make sure that authorizations on non-nullable fields are also executed.
* Merge branch 'security-2858-fix-color-validation-11-11' into '11-11-stable'  (GitLab Release Tools Bot, 2019-06-26, 1 file, -1/+1)
    Fix color validation regex causing DoS
    See merge request gitlab/gitlabhq!3177
  * Fix color validation regex  (Heinrich Lee Yu, 2019-06-25, 1 file, -1/+1)
      Also prevents ReDoS vulnerability
* Merge branch 'security-fix-issue-59379-11-11' into '11-11-stable'  (GitLab Release Tools Bot, 2019-06-26, 1 file, -1/+1)
    Disable Rails SQL query cache when applying service templates
    See merge request gitlab/gitlabhq!3180
  * Disable Rails SQL query cache when applying service templates  (Stan Hu, 2019-06-25, 1 file, -1/+1)
      When the SQL query cache is active, the SELECT query for finding projects to apply service templates returns the same values. This causes an infinite loop because even though bulk INSERT queries are made, the cached results never reflect that progress.
      To fix this, we call `Project.uncached` around the query to ensure new data is retrieved.
      Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/63595
* Merge branch '29769-11-11-port' into '11-11-stable-patch-4'  (Marin Jankovski, 2019-06-26, 3 files, -3/+17)
    Fix IDE commit to use start_ref
    See merge request gitlab-org/gitlab-ce!30079
  * Fix IDE commit to use start_ref  (Paul Slaughter, 2019-06-26, 3 files, -3/+17)
      **Why?** The branch HEAD could be changed since the IDE was opened. This leads to users unintentionally creating commits that overwrite other changes.
      https://gitlab.com/gitlab-org/gitlab-ce/issues/59023
* Merge branch 'fe-fix-gl-dropdown-scrolling-to-top' into 'master'  (ref: 11-11-stable-patch-4; Fatih Acet, 2019-06-26, 1 file, -1/+1)
    Fix gl_dropdown scrolling to top on assignee click
    See merge request gitlab-org/gitlab-ce!29500
    (cherry picked from commit 2a29f910592e82d8f8d108e15497dd2fbbbb07ca)
    3130572f Fix gl_dropdown scrolling to top on assignee click
* Merge branch 'sh-fix-fogbugz-import' into 'master'  (James Lopez, 2019-06-26, 1 file, -2/+6)
    Fix Fogbugz Importer not working
    Closes #33530
    See merge request gitlab-org/gitlab-ce!29383
    (cherry picked from commit 895519a83e186071a6144917806250fb8da59036)
    1a4d1b05 Fix Fogbugz Importer not working
* Merge branch 'increase-ci-queue-histogram-buckets' into 'master'  (Kamil Trzciński, 2019-06-26, 1 file, -1/+1)
    Add 60s and 5m values to the buckets used by prometheus to measure time
    Closes #62113
    See merge request gitlab-org/gitlab-ce!28557
    (cherry picked from commit 20375f811a6ffa35568d70b97a3793b97231d0dd)
    77d5516d Add 60s & 5m monitor buckets for CI queues
* Merge branch '61246-fix-label-click-scroll-to-top' into 'master'  (Fatih Acet, 2019-06-10, 1 file, -0/+5)
    Fix label click scrolling to top
    Closes #61246
    See merge request gitlab-org/gitlab-ce!29202
    (cherry picked from commit 92b06c13bd12abf85f6beb18b3b5c2f0e38c2760)
    c9c7fa7b Fix label click scrolling to top
* Merge branch 'revert-86900f00' into 'master'  (Grzegorz Bizon, 2019-06-10, 1 file, -1/+1)
    Revert "Disable retrying cancelled jobs"
    Closes #62350
    See merge request gitlab-org/gitlab-ce!29201
    (cherry picked from commit 8501edcd465923c9c6a45abe6c863fc3cd25973a)
    e58e24b4 Revert "Merge branch..."
* Merge branch 'revert-git-depth-for-merge-request' into 'master'  (Kamil Trzciński, 2019-06-10, 1 file, -3/+2)
    Revert a default GIT_DEPTH for MR pipeline
    See merge request gitlab-org/gitlab-ce!28926
    (cherry picked from commit 765917dc088bee52a3f95d76fc7f32d408a2af20)
    dbd62232 Revert a default GIT_DEPTH for MR pipeline
* Merge branch 'sh-fix-import-url-update' into 'master'  (ref: 11-11-stable-patch-1; Thong Kuah, 2019-06-04, 1 file, -0/+2)
    Fix project settings not being able to update
    Closes #62708
    See merge request gitlab-org/gitlab-ce!29097
* Merge branch '11-11-stable' into 11-11-stable-patch-1  (Stan Hu, 2019-06-04, 13 files, -10/+100)
  * Merge branch 'osw-disable-dns-rebind-protection-settings-11-11' into '11-11-stable'  (GitLab Release Tools Bot, 2019-05-30, 3 files, -0/+10)
      Add DNS rebinding protection settings
      See merge request gitlab/gitlabhq!3130
    * Add DNS rebinding protection settings  (Oswaldo Ferreira, 2019-05-29, 3 files, -0/+10)
  * Fix the overriding of EE import params  (Igor Drozdov, 2019-05-29, 2 files, -7/+12)
  * Merge branch 'security-60039-11-11' into '11-11-stable'  (GitLab Release Tools Bot, 2019-05-28, 1 file, -0/+12)
      Disallow invalid MR branch name
      See merge request gitlab/gitlabhq!3095
    * Validate MR branch names  (Mark Chao, 2019-05-06, 1 file, -0/+12)
        Prevents refspec as branch name, which would bypass branch protection when used in conjunction with rebase.
        HEAD seems to be a special case with lots of occurrence, so it is considered valid for now.
        Another special case is `refs/head/*`, which can be imported.
  * Merge branch 'security-unsubscribing-from-issue-11-11' into '11-11-stable'  (GitLab Release Tools Bot, 2019-05-28, 2 files, -1/+5)
      Hide issue title on unsubscribe for anonymous users
      See merge request gitlab/gitlabhq!3099
    * Hide issue title on unsubscribe for anonymous users  (Alexandru Croitor, 2019-05-16, 2 files, -1/+5)
  * Merge branch 'security-fix-confidential-issue-label-visibility-11-11' into '11-11-stable'  (GitLab Release Tools Bot, 2019-05-28, 1 file, -1/+7)
      Fix confidential issue label disclosure on milestone view
      See merge request gitlab/gitlabhq!3102
    * Fix confidential issue label disclosure on milestone view  (Patrick Derichs, 2019-05-17, 1 file, -1/+7)
  * Merge branch 'security-id-leaked-password-in-import-url-frontend-11-11' into '11-11-stable'  (GitLab Release Tools Bot, 2019-05-28, 4 files, -15/+47)
      Handling password on import by url page
      See merge request gitlab/gitlabhq!3109
    * Handling password on import by url page  (Sam Bigelow, 2019-05-21, 2 files, -14/+8)
    * Hide password on import by url form  (Igor Drozdov, 2019-05-21, 5 files, -14/+52)
  * Merge branch 'security-fix_milestones_search_api_leak-11-11' into '11-11-stable'  (GitLab Release Tools Bot, 2019-05-28, 1 file, -0/+12)
      Resolve: Milestones leaked via search API
      See merge request gitlab/gitlabhq!3110
    * Resolve: Milestones leaked via search API  (Felipe Artur, 2019-05-21, 1 file, -0/+12)
        Fix milestone titles being leaked using search API when users cannot read milestones