path: root/app
Commit message  [Author, Date, Files changed, Lines -/+]
* Display only information visible to current user  [Jarka Košanová, 2019-02-27, 2 files, -2/+14]
|     Display only labels and assignees of issues visible to the currently logged-in user
|     Display only issues visible to user in the burndown chart
* Display the correct number of MRs a user has access to  [Igor Drozdov, 2019-02-27, 5 files, -14/+21]
|
* Merge branch 'security-2818_filter_impersonated_sessions-11-6' into '11-6-stable'  [Yorick Peterse, 2019-02-27, 3 files, -18/+5]
|\    Filter impersonated sessions from active sessions and remove ability to revoke session
| |   See merge request gitlab/gitlabhq!2983
| * Remove ability to revoke active session  [Imre Farkas, 2019-02-27, 2 files, -15/+0]
| |   Session ID is used as a parameter for the revoke session endpoint but it should never be included in the HTML as an attacker could obtain it via XSS.
| * Filter active sessions belonging to an admin impersonating the user  [Imre Farkas, 2019-02-27, 2 files, -3/+5]
| |
* | Merge branch '11-6-security-2773-milestones-fix' into '11-6-stable'  [Yorick Peterse, 2019-02-27, 5 files, -5/+24]
|\ \    Check issue milestone availability
| | |   See merge request gitlab/gitlabhq!2906
| * | Check issue milestone availability  [Jarka Košanová, 2019-02-13, 5 files, -5/+24]
| |/    Add project when creating milestone in specs
| |     We validate that the milestone is from the same project/parent group as the issuable -> we need to set the project in specs correctly
| |     Improve method names and specs organization
* | Merge branch 'security-2798-fix-boards-policy-11-6' into '11-6-stable'  [Yorick Peterse, 2019-02-27, 1 file, -0/+2]
|\ \    Disable issue board policies when issues are disabled
| | |   See merge request gitlab/gitlabhq!2912
| * | Disable board policies when issues are disabled  [Heinrich Lee Yu, 2019-02-14, 1 file, -0/+2]
| |/    Board list policies are also included
* | Merge branch '11-6-security-2797-milestone-mrs' into '11-6-stable'  [Yorick Peterse, 2019-02-27, 5 files, -3/+21]
|\ \    Show only MRs visible to user on milestone detail
| | |   See merge request gitlab/gitlabhq!2925
| * | Show only MRs visible to user on milestone detail  [Jarka Košanová, 2019-02-19, 5 files, -3/+21]
| |/
* | Merge branch 'security-commit-private-related-mr-11-6' into '11-6-stable'  [Yorick Peterse, 2019-02-27, 2 files, -2/+13]
|\ \    Don't allow non-members to see private related MRs
| | |   See merge request gitlab/gitlabhq!2932
| * | Don't allow non-members to see private related MRs  [Patrick Bajao, 2019-02-15, 2 files, -2/+13]
| |/
* | Merge branch 'security-kubernetes-google-login-csrf-11-6' into '11-6-stable'  [Yorick Peterse, 2019-02-27, 1 file, -11/+21]
|\ \    Validate session key when authorizing with GCP to create a cluster
| | |   See merge request gitlab/gitlabhq!2936
| * | Validate session key when authorizing with GCP to create a cluster  [Tiger, 2019-02-19, 1 file, -11/+21]
| |/    It was previously possible to link a GCP account to another user's GitLab account by having them visit the callback URL, as there was no check that they were the initiator of the request.
| |     We now reject the callback unless the state parameter matches the one added to the initiating user's session.
* | Merge branch 'security-56348-11-6' into '11-6-stable'  [Yorick Peterse, 2019-02-27, 1 file, -0/+8]
|\ \    Check snippet attached file to be moved is within designated directory
| | |   See merge request gitlab/gitlabhq!2943
| * | Check snippet attached file to be moved is within designated directory  [Mark Chao, 2019-02-21, 1 file, -0/+8]
| |/    Previously one could move any temp/ sub folder around.
| |     Align spec with actual usage, as currently we pass temp file path to FileMover.
* | Check validity of prometheus_service before query  [Reuben Pereira, 2019-02-27, 1 file, -1/+5]
| |     Check validity before querying so that if the DNS entry for the api_url has been changed to something invalid after the model was saved and checked for validity, it will not query.
| |     This is to solve a TOCTOU (time of check to time of use) issue.
* | Merge branch 'security-protect-private-repo-information-11-6' into '11-6-stable'  [Yorick Peterse, 2019-02-27, 1 file, -2/+0]
|\ \    Fix leaking private repository information in API
| | |   See merge request gitlab/gitlabhq!2950
| * | Removing sensitive properties from ProjectType  [Luke Duncalfe, 2019-02-20, 1 file, -2/+0]
| |/    defaultBranch and ciConfigPath should only be available to users with the :download_code permission for the Project, as the repository might be private.
| |     When implementing the authorize check on these properties, it was found that our current Graphql::Authorize::Instrumentation class does not work with fields that resolve to subclasses of GraphQL::Schema::Scalar, like GraphQL::STRING_TYPE.
| |     After discussion with other Create Team members, it has been decided that, because the GraphQL API is not GA, these properties should be removed from ProjectType and instead implemented as part of epic https://gitlab.com/groups/gitlab-org/-/epics/711
| |     Issue: https://gitlab.com/gitlab-org/gitlab-ce/issues/55316
* | Arbitrary file read via MergeRequestDiff  [Francisco Javier López, 2019-02-27, 3 files, -1/+12]
| |
* | Merge branch '11-6-security-2799-emails' into '11-6-stable'  [Yorick Peterse, 2019-02-27, 3 files, -4/+12]
|\ \    Remove link after issue move when no permissions
| | |   See merge request gitlab/gitlabhq!2957
| * | Remove link after issue move when no permissions  [Jarka Košanová, 2019-02-20, 3 files, -4/+12]
| |/    Don't show new issue link after move when a user does not have permissions to display the new issue
* | Merge branch 'security-add-public-internal-groups-as-members-to-your-project-idor-11-6' into '11-6-stable'  [Yorick Peterse, 2019-02-27, 2 files, -4/+11]
|\ \    Add public/internal groups as members to your Project (IDOR)
| | |   See merge request gitlab/gitlabhq!2958
| * | Fix conflict  [Małgorzata Ksionek, 2019-02-20, 2 files, -4/+11]
| |/
* | Merge branch 'security-kubernetes-local-ssrf-11-6' into '11-6-stable'  [Yorick Peterse, 2019-02-27, 1 file, -1/+1]
|\ \    Block local URLs for Kubernetes integration
| | |   See merge request gitlab/gitlabhq!2961
| * | Do not allow local URLs in Kubernetes form  [Thong Kuah, 2019-02-21, 1 file, -1/+1]
| |/    Use existing `public_url` validation to block various local URLs.
| |     Note that this validation will allow local URLs if the "Allow requests to the local network from hooks and services" admin setting is enabled.
| |     Block KubeClient from using local addresses
| |     It will also respect `allow_local_requests_from_hooks_and_services`, so if that is enabled KubeClient will allow local addresses
* | Merge branch 'security-osw-stop-linking-to-packages-11-6' into '11-6-stable'  [Yorick Peterse, 2019-02-27, 1 file, -5/+0]
|\ \    Stop linking to unrecognized package sources
| | |   See merge request gitlab/gitlabhq!2971
| * | Stop linking to unrecognized package sources  [Oswaldo Ferreira, 2019-02-24, 1 file, -5/+0]
| |/
* | Merge branch 'security-issue_54789_2-11-6' into '11-6-stable'  [Yorick Peterse, 2019-02-27, 1 file, -0/+2]
|\ \    [11.6] Prevent disclosing project milestone titles
| | |   See merge request gitlab/gitlabhq!2975
| * | Prevent disclosing project milestone titles  [Felipe Artur, 2019-02-26, 1 file, -0/+2]
| |/    Prevent unauthorized users from having access to milestone titles through the autocomplete endpoint.
* | Limit number of characters allowed in mermaidjs  [Rajat Jain, 2019-02-27, 1 file, -0/+19]
|/
* Merge branch 'security-11-6-55320-stored-xss-in-user-status' into 'security-11-6'  [Tim Zallmann, 2019-02-04, 1 file, -4/+4]
|     [11.6] Use sanitized user status message in user popover
|     See merge request gitlab/gitlabhq!2838
|     (cherry picked from commit 919913d4511c1e78b65d6bb29082ddc597b525f3)
|     9b736da4 Use sanitized user status message for user popover
* Merge branch 'security-11-6-22076-sanitize-url-in-names' into 'security-11-6'  [Yorick Peterse, 2019-01-25, 37 files, -51/+59]
|     [11.6] Sanitize user full name to clean up any URL to prevent mail clients from auto-linking URLs
|     See merge request gitlab/gitlabhq!2829
|     (cherry picked from commit 7dd747b8ce1f59672c530af25237bdf661cb480a)
|     61fc453c Add `sanitize_name` helper to sanitize URLs in user full name
|     e5cd214e Use `sanitize_name` to sanitize URL in user full name
|     1b000d5a Add changelog entry
* Merge branch 'security-project-move-users-11-6' into 'security-11-6'  [Yorick Peterse, 2019-01-25, 3 files, -1/+23]
|     [11.6] Send notification only to authorized users
|     See merge request gitlab/gitlabhq!2857
|     (cherry picked from commit 4152329ce44bbc7567a1c7b03d5bf9e84bb1efc7)
|     fb0fd18c Send notification only to authorized users
* Merge branch 'sh-fix-issue-56663-11-6' into 'security-11-6'  [Yorick Peterse, 2019-01-24, 2 files, -3/+3]
|     [11.6] Alias GitHub and BitBucket OAuth2 callback URLs
|     See merge request gitlab/gitlabhq!2846
|     (cherry picked from commit f8a23d89e6f94a74b2779b3b215c475a39ba8de3)
|     f652a9e0 Alias GitHub and BitBucket OAuth2 callback URLs
* Merge branch 'security-import-path-logging-11-6' into 'security-11-6'  [Yorick Peterse, 2019-01-24, 2 files, -2/+24]
|     [11.6] Fix error disclosure on Project Import
|     See merge request gitlab/gitlabhq!2733
|     (cherry picked from commit b4797537a586bce6a96580a0257f59f9c6a92c14)
|     f470ad2f Fix path disclosure on Project Import
* Merge branch 'security-contributed-projects-11-6' into 'security-11-6'  [Yorick Peterse, 2019-01-24, 1 file, -0/+7]
|     [11.6] Contributed projects info is still visible even if the user enables a private profile
|     See merge request gitlab/gitlabhq!2765
|     (cherry picked from commit dfc0edd52628ba86578f1b6645575049b9db1058)
|     7502af85 Fix contributed projects finder showing private info
|     06aadabb Use old spec syntax
* Merge branch 'security-11-6-2769-idn-homograph-attack' into '11-6-stable'  [Yorick Peterse, 2019-01-24, 1 file, -1/+1]
|\    [11.6] GitLab vulnerable to IDN homograph attacks and RTLO attacks
| |   See merge request gitlab/gitlabhq!2822
| * Show tooltip for malicious-looking links  [Brett Walker, 2019-01-21, 1 file, -1/+1]
| |   Such as those with IDN homographs or embedded right-to-left (RTLO) characters.
| |   Autolinked hrefs should be escaped
* | Merge branch 'security-pipeline-trigger-tokens-exposure-11-6' into 'security-11-6'  [Yorick Peterse, 2019-01-24, 5 files, -6/+27]
| |     [11.6] Do not expose trigger token when user should not see it
| |     See merge request gitlab/gitlabhq!2759
| |     (cherry picked from commit 33fbd62b9b4a73679a9f3cd1d9020e5dc6e9072d)
| |     64a328be Do not expose trigger token when user should not see it
* | Merge branch 'security-fix-regex-dos-11-6' into 'security-11-6'  [Yorick Peterse, 2019-01-24, 1 file, -0/+1]
| |     [11.6] Fix DoS in reference extraction regexes
| |     See merge request gitlab/gitlabhq!2778
| |     (cherry picked from commit 06f1ea1f540b62aefbaa4f69901de2d29df11e7c)
| |     e73f2f1d Fix slow project reference pattern regex
* | Merge branch 'security-do-not-process-mr-ref-for-guests-11-6' into 'security-11-6'  [Yorick Peterse, 2019-01-24, 1 file, -1/+1]
| |     [11.6] Don't process MR refs for guests in the notes
| |     See merge request gitlab/gitlabhq!2782
| |     (cherry picked from commit ee0f107791921dec7a6e3d43fe45ebef43d864be)
| |     6e10237d Don't process MR refs for guests in the notes
* | Merge branch 'security-bump-rails-version-11-6' into 'security-11-6'  [Yorick Peterse, 2019-01-24, 3 files, -4/+27]
| |     [11.6] Bump Rails version to 5.0.7.1
| |     See merge request gitlab/gitlabhq!2797
| |     (cherry picked from commit 3a5dd09effda664888b25c935142b5c8fc23c304)
| |     f705c816 Bump Ruby on Rails version to 5.0.7.1
* | Merge branch 'security-fix-wiki-access-rights-with-external-wiki-enabled-11-6' into 'security-11-6'  [Yorick Peterse, 2019-01-24, 7 files, -23/+31]
| |     [11.6] Fix access to internal wiki when external wiki is enabled
| |     See merge request gitlab/gitlabhq!2801
| |     (cherry picked from commit 1edd23f18210a03ab3e1f6925aa4e434f68cee79)
| |     24a48893 Fixed bug when external wiki is enabled
* | Merge branch 'security-11-6-test-permissions' into 'security-11-6'  [Yorick Peterse, 2019-01-24, 18 files, -39/+93]
| |     [11.6] Pipelines section is available to unauthorized users
| |     See merge request gitlab/gitlabhq!2805
| |     (cherry picked from commit 6f6e0e2ba7e8e2afe38e2d57883a8dfda0685d86)
| |     e5c0b597 Backport security fix
| |     181c74a1 Add CHANGELOG entry
* | Merge branch 'security-fix-new-issues-login-message-11-6' into 'security-11-6'  [Yorick Peterse, 2019-01-24, 1 file, -9/+1]
| |     [11.6] Use common error for not logged in users when creating issues
| |     See merge request gitlab/gitlabhq!2812
| |     (cherry picked from commit fe692173d2da5df4646050725359bc7fd1c99f4e)
| |     a2dba33c Use common error for unauthenticated users
* | Merge branch 'security-guests-can-see-list-of-merge-requests-11-6' into 'security-11-6'  [Yorick Peterse, 2019-01-24, 3 files, -11/+38]
| |     [11.6] Group Guests are no longer able to see merge requests
| |     See merge request gitlab/gitlabhq!2815
| |     (cherry picked from commit a662cfdb80a9d7fe6eacbc1a40fb24b5a7b9272e)
| |     f7a2dabd Group Guests are no longer able to see merge requests
* | Merge branch 'security-fix-lfs-import-project-ssrf-forgery-11-6' into 'security-11-6'  [Yorick Peterse, 2019-01-24, 4 files, -45/+107]
| |     [11.6] LFS object forgery in project import
| |     See merge request gitlab/gitlabhq!2818
| |     (cherry picked from commit 6402c62822692b924ee95234cbcc2578501236f9)
| |     bb635c64 Added validations to prevent LFS object forgery
* | Merge branch 'security-2779-fix-email-comment-permissions-check-11-6' into 'security-11-6'  [Yorick Peterse, 2019-01-24, 4 files, -14/+9]
| |     [11.6] Fix discussion replies permissions check
| |     See merge request gitlab/gitlabhq!2825
| |     (cherry picked from commit 367767766d9727101908a1f195120732d72201b1)
| |     313a9f2e Prevent comments by email when issue is locked