Commit message

Display only labels and assignees of issues
visible by the currently logged user
Display only issues visible to user in the burndown chart
'11-6-stable'
Filter impersonated sessions from active sessions and remove ability to revoke session
See merge request gitlab/gitlabhq!2983
Session ID is used as a parameter for the revoke session endpoint but it
should never be included in the HTML as an attacker could obtain it via
XSS.
Check issue milestone availability
See merge request gitlab/gitlabhq!2906
Add project when creating milestone in specs
We validate milestone is from the same
project/parent group as issuable ->
we need to set project in specs correctly
Improve methods names and specs organization
Disable issue board policies when issues are disabled
See merge request gitlab/gitlabhq!2912
Board list policies are also included
Show only MRs visible to user on milestone detail
See merge request gitlab/gitlabhq!2925
Don't allow non-members to see private related MRs
See merge request gitlab/gitlabhq!2932
Validate session key when authorizing with GCP to create a cluster
See merge request gitlab/gitlabhq!2936
It was previously possible to link a GCP account to another
user's GitLab account by having them visit the callback URL,
as there was no check that they were the initiator of the
request.
We now reject the callback unless the state parameter
matches the one added to the initiating user's session.
Check snippet attached file to be moved is within designated directory
See merge request gitlab/gitlabhq!2943
Previously one could move any temp/ subfolder around.
Align spec with actual usage, as currently we pass the temp file path to
FileMover.
Check validity before querying so that if the DNS entry for the api_url
has been changed to something invalid after the model was saved and
checked for validity, it will not query. This is to solve a TOCTOU
(time-of-check to time-of-use) issue.
Fix leaking private repository information in API
See merge request gitlab/gitlabhq!2950
defaultBranch and ciConfigPath should only be available to users with
the :download_code permission for the Project, as the repository might
be private.
When implementing the authorize check on these properties, it was
found that our current Graphql::Authorize::Instrumentation class does
not work with fields that resolve to subclasses of
GraphQL::Schema::Scalar, like GraphQL::STRING_TYPE.
After discussion with other Create Team members, it has been decided
that, because the GraphQL API is not GA, these properties will be removed
from ProjectType and instead implemented as part of epic
https://gitlab.com/groups/gitlab-org/-/epics/711
Issue:
https://gitlab.com/gitlab-org/gitlab-ce/issues/55316
Remove link after issue move when no permissions
See merge request gitlab/gitlabhq!2957
Don't show new issue link after move
when a user does not have permissions
to display the new issue
'security-add-public-internal-groups-as-members-to-your-project-idor-11-6' into '11-6-stable'
Add public/internal groups as members to your Project(IDOR)
See merge request gitlab/gitlabhq!2958
Block local URLs for Kubernetes integration
See merge request gitlab/gitlabhq!2961
Use existing `public_url` validation to block various local URLs. Note
that this validation will allow local URLs if the "Allow requests to the
local network from hooks and services" admin setting is enabled.
Block KubeClient from using local addresses
It will also respect `allow_local_requests_from_hooks_and_services`, so
if that is enabled KubeClient will allow local addresses.
Stop linking to unrecognized package sources
See merge request gitlab/gitlabhq!2971
[11.6] Prevent disclosing project milestone titles
See merge request gitlab/gitlabhq!2975
Prevent unauthorized users having access to milestone titles
through autocomplete endpoint.
'security-11-6'
[11.6] Use sanitized user status message in user popover
See merge request gitlab/gitlabhq!2838
(cherry picked from commit 919913d4511c1e78b65d6bb29082ddc597b525f3)
9b736da4 Use sanitized user status message for user popover
[11.6] Sanitize user full name to clean up any URL to prevent mail clients from auto-linking URLs
See merge request gitlab/gitlabhq!2829
(cherry picked from commit 7dd747b8ce1f59672c530af25237bdf661cb480a)
61fc453c Add `sanitize_name` helper to sanitize URLs in user full name
e5cd214e Use `sanitize_name` to sanitize URL in user full name
1b000d5a Add changelog entry
[11.6] Sent notification only to authorized users
See merge request gitlab/gitlabhq!2857
(cherry picked from commit 4152329ce44bbc7567a1c7b03d5bf9e84bb1efc7)
fb0fd18c Sent notification only to authorized users
[11.6] Alias GitHub and BitBucket OAuth2 callback URLs
See merge request gitlab/gitlabhq!2846
(cherry picked from commit f8a23d89e6f94a74b2779b3b215c475a39ba8de3)
f652a9e0 Alias GitHub and BitBucket OAuth2 callback URLs
[11.6] Fix error disclosure on Project Import
See merge request gitlab/gitlabhq!2733
(cherry picked from commit b4797537a586bce6a96580a0257f59f9c6a92c14)
f470ad2f Fix path disclosure on Project Import
[11.6] Contributed projects info is still visible even when user enables private profile
See merge request gitlab/gitlabhq!2765
(cherry picked from commit dfc0edd52628ba86578f1b6645575049b9db1058)
7502af85 Fix contributed projects finder showing private info
06aadabb Use old spec syntax
[11.6] GitLab vulnerable to IDN homograph attacks and RTLO attacks
See merge request gitlab/gitlabhq!2822
Such as those with IDN homographs or embedded
right-to-left (RTLO) characters.
Autolinked hrefs should be escaped
'security-11-6'
[11.6] Do not expose trigger token when user should not see it
See merge request gitlab/gitlabhq!2759
(cherry picked from commit 33fbd62b9b4a73679a9f3cd1d9020e5dc6e9072d)
64a328be Do not expose trigger token when user should not see it
[11.6] Fix DoS in reference extraction regexes
See merge request gitlab/gitlabhq!2778
(cherry picked from commit 06f1ea1f540b62aefbaa4f69901de2d29df11e7c)
e73f2f1d Fix slow project reference pattern regex
'security-11-6'
[11.6] Don't process MR refs for guests in the notes
See merge request gitlab/gitlabhq!2782
(cherry picked from commit ee0f107791921dec7a6e3d43fe45ebef43d864be)
6e10237d Don't process MR refs for guests in the notes
[11.6] Bump Rails version to 5.0.7.1
See merge request gitlab/gitlabhq!2797
(cherry picked from commit 3a5dd09effda664888b25c935142b5c8fc23c304)
f705c816 Bump Ruby on Rails version to 5.0.7.1
'security-fix-wiki-access-rights-with-external-wiki-enabled-11-6' into 'security-11-6'
[11.6] Fix access to internal wiki when external wiki is enabled
See merge request gitlab/gitlabhq!2801
(cherry picked from commit 1edd23f18210a03ab3e1f6925aa4e434f68cee79)
24a48893 Fixed bug when external wiki is enabled
[11.6] Pipelines section is available to unauthorized users
See merge request gitlab/gitlabhq!2805
(cherry picked from commit 6f6e0e2ba7e8e2afe38e2d57883a8dfda0685d86)
e5c0b597 Backport security fix
181c74a1 Add CHANGELOG entry
[11.6] Use common error for not logged in users when creating issues
See merge request gitlab/gitlabhq!2812
(cherry picked from commit fe692173d2da5df4646050725359bc7fd1c99f4e)
a2dba33c Use common error for unauthenticated users
'security-11-6'
[11.6] Group Guests are no longer able to see merge requests
See merge request gitlab/gitlabhq!2815
(cherry picked from commit a662cfdb80a9d7fe6eacbc1a40fb24b5a7b9272e)
f7a2dabd Group Guests are no longer able to see merge requests
'security-11-6'
[11.6] LFS object forgery in project import
See merge request gitlab/gitlabhq!2818
(cherry picked from commit 6402c62822692b924ee95234cbcc2578501236f9)
bb635c64 Added validations to prevent LFS object forgery
'security-11-6'
[11.6] Fix discussion replies permissions check
See merge request gitlab/gitlabhq!2825
(cherry picked from commit 367767766d9727101908a1f195120732d72201b1)
313a9f2e Prevent comments by email when issue is locked