summaryrefslogtreecommitdiff
path: root/changelogs
Commit message (Collapse)AuthorAgeFilesLines
* Merge branch 'fix/security-group-user-removal' into 'master'Yorick Peterse2019-01-251-0/+5
|\ | | | | | | | | [master] Resolve "Removing a user from a private group doesn't remove them from group's project, if their project's role was changed" See merge request gitlab/gitlabhq!2629
| * Add subresources removal to member destroy serviceJames Lopez2019-01-251-0/+5
| |
* | Merge branch 'security-import-path-logging' into 'master'Yorick Peterse2019-01-251-0/+5
|\ \ | | | | | | | | | | | | [master] Fix error disclosure on Project Import See merge request gitlab/gitlabhq!2675
| * | Fix path disclosure on Project ImportJames Lopez2019-01-071-0/+5
| | |
* | | Merge branch 'security-guests-can-see-list-of-merge-requests' into 'master'Yorick Peterse2019-01-251-0/+6
|\ \ \ | | | | | | | | | | | | | | | | [master] Group Guests are no longer able to see merge requests See merge request gitlab/gitlabhq!2694
| * | | Group Guests are no longer able to see merge requestsTiago Botelho2019-01-211-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Group guests will only be displayed merge requests to projects they have a access level to, higher than Reporter. Visible projects will still display the merge requests to Guests
* | | | Merge branch 'security-import-project-visibility' into 'master'Yorick Peterse2019-01-251-0/+5
|\ \ \ \ | | | | | | | | | | | | | | | | | | | | [master] Fix Imported Project Retains Prior Visibility Setting See merge request gitlab/gitlabhq!2734
| * | | | Fix tree restorer visibility levelJames Lopez2019-01-241-0/+5
| | | | |
* | | | | Merge branch 'security-contributed-projects' into 'master'Yorick Peterse2019-01-251-0/+5
|\ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | [master] Fix contributed projects info is still visible even user enable private profile See merge request gitlab/gitlabhq!2743
| * | | | | Fix contributed projects finder shown private infoJames Lopez2019-01-081-0/+5
| | | | | |
* | | | | | Merge branch 'security-do-not-process-mr-ref-for-guests' into 'master'Yorick Peterse2019-01-251-0/+5
|\ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | [master] Don't process MR refs for guests in the notes See merge request gitlab/gitlabhq!2771
| * | | | | | Don't process MR refs for guests in the notesOswaldo Ferreira2019-01-101-0/+5
| | | | | | |
* | | | | | | Merge branch 'security-22076-sanitize-url-in-names' into 'master'Yorick Peterse2019-01-251-0/+6
|\ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [master] Sanitize user full name to clean up any URL to prevent mail clients from auto-linking URLs See merge request gitlab/gitlabhq!2793
| * | | | | | | Add changelog entryKushal Pandya2019-01-221-0/+6
| | | | | | | |
* | | | | | | | Merge branch 'sh-fix-import-redirect-vulnerability' into 'master'Yorick Peterse2019-01-251-0/+5
|\ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [master] Alias GitHub and Bitbucket OAuth2 callback URLs See merge request gitlab/gitlabhq!2840
| * | | | | | | | Alias GitHub and BitBucket OAuth2 callback URLsStan Hu2019-01-221-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | To prevent an OAuth2 covert redirect vulnerability, this commit adds and uses an alias for the GitHub and BitBucket OAuth2 callback URLs to the following paths: GitHub: /users/auth/-/import/github Bitbucket: /users/auth/-/import/bitbucket This allows admins to put a more restrictive callback URL in the OAuth2 configuration settings. Instead of https://example.com, admins can now use: https://example.com/users/auth It's possible but not trivial to change Devise and OmniAuth to use a different prefix for callback URLs instead of /users/auth. For now, aliasing the import URLs under the /users/auth namespace should suffice. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/56663
* | | | | | | | | Merge branch 'security-2780-disable-git-v2-protocol' into 'master'Yorick Peterse2019-01-251-0/+5
|\ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [master] Disable git v2 protocol temporarily Closes #2780 See merge request gitlab/gitlabhq!2827
| * | | | | | | | | Disable git v2 protocol temporarilyNick Thomas2019-01-241-0/+5
| | | | | | | | | |
* | | | | | | | | | Merge branch 'security-55320-stored-xss-in-user-status' into 'master'Tim Zallmann2019-01-251-0/+5
|\ \ \ \ \ \ \ \ \ \ | |_|_|_|_|_|_|_|_|/ |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [master] Use sanitized user status message in user popover Closes #2786 See merge request gitlab/gitlabhq!2848
| * | | | | | | | | Use sanitized user status message for user popoverDennis Tang2019-01-231-0/+5
| | |/ / / / / / / | |/| | | | | | |
* | | | | | | | | Merge branch 'security-2767-verify-lfs-finalize-from-workhorse' into 'master'Yorick Peterse2019-01-241-0/+5
|\ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [master] Verify that LFS upload requests are genuine Closes #2767 See merge request gitlab/gitlabhq!2767
| * | | | | | | | | Verify that LFS upload requests are genuineNick Thomas2019-01-221-0/+5
| |/ / / / / / / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | LFS uploads are handled in concert by workhorse and rails. In normal use, workhorse: * Authorizes the request with rails (upload_authorize) * Handles the upload of the file to a tempfile - disk or object storage * Validates the file size and contents * Hands off to rails to complete the upload (upload_finalize) In `upload_finalize`, the LFS object is linked to the project. As LFS objects are deduplicated across all projects, it may already exist. If not, the temporary file is copied to the correct place, and will be used by all future LFS objects with the same OID. Workhorse uses the Content-Type of the request to decide to follow this routine, as the URLs are ambiguous. If the Content-Type is anything but "application/octet-stream", the request is proxied directly to rails, on the assumption that this is a normal file edit request. If it's an actual LFS request with a different content-type, however, it is routed to the Rails `upload_finalize` action, which treats it as an LFS upload just as it would a workhorse-modified request. The outcome is that users can upload LFS objects that don't match the declared size or OID. They can also create links to LFS objects they don't really own, allowing them to read the contents of files if they know just the size or OID. We can close this hole by requiring requests to `upload_finalize` to be sourced from Workhorse. The mechanism to do this already exists.
* | | | | | | | | Merge branch 'security-project-move-users' into 'master'Yorick Peterse2019-01-241-0/+5
|\ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [master] Send notification only to authorized users when moving a project Closes #2777 See merge request gitlab/gitlabhq!2791
| * | | | | | | | | Sent notification only to authorized usersJan Provaznik2019-01-231-0/+5
| |/ / / / / / / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When moving a project, it's possible that some users who had access to the project in old path can not access the project in the new path. Because `project_authorizations` records are updated asynchronously, when we send the notification about moved project the list of project team members contains old project members, we want to notify all these members except the old users who can not access the new location.
* | | | | | | | | Merge branch 'security-fix-user-email-tag-push-leak' into 'master'Yorick Peterse2019-01-241-0/+5
|\ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [master] User email is visible in hook logs if they triggers tag push events Closes #2775 See merge request gitlab/gitlabhq!2789
| * | | | | | | | | Fix private user email being visible in tag webhooksLuke Duncalfe2019-01-181-0/+5
| | |_|/ / / / / / | |/| | | | | | | | | | | | | | | | | | | | | | | | | Fixes #54721
* | | | | | | | | [master] Resolve "[Security] Stored XSS via KaTeX"Constance Okoghenun2019-01-241-0/+5
| | | | | | | | |
* | | | | | | | | Merge branch 'extract-pages-with-rubyzip' into 'master'Yorick Peterse2019-01-241-0/+5
|\ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Extract pages with rubyzip See merge request gitlab/gitlabhq!2758
| * | | | | | | | | Extract GitLab Pages using RubyZipKamil Trzciński2019-01-221-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | RubyZip allows us to perform strong validation of expanded paths where we do extract file. We introduce the following additional checks to extract routines: 1. None of path components can be symlinked, 2. We drop privileges support for directories, 3. Symlink source needs to point within the target directory, like `public/`, 4. The symlink source needs to exist ahead of time.
* | | | | | | | | | Merge branch 'security-commit-status-shown-for-guest-user' into 'master'Yorick Peterse2019-01-241-0/+5
|\ \ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [master] Stop showing ci for guest users on private pipeline See merge request gitlab/gitlabhq!2830
| * | | | | | | | | | Stop showing ci for guest usersSteve Azzopardi2019-01-231-0/+5
| | |_|_|_|_|_|/ / / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When a user is a guest user, and the "Public Pipeline" is set to false inside of "Settings > CI/CD > General" the commit status in the project dashboard should not be shown.
* | | | | | | | | | Merge branch 'security-fix-lfs-import-project-ssrf-forgery' into 'master'Yorick Peterse2019-01-241-0/+5
|\ \ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [master] LFS object forgery in project import Closes #2784 See merge request gitlab/gitlabhq!2719
| * | | | | | | | | | Added validations to prevent LFS object forgeryFrancisco Javier López2019-01-211-0/+5
| | |_|_|_|_|_|/ / / | |/| | | | | | | |
* | | | | | | | | | Merge branch 'security-pipeline-trigger-tokens-exposure' into 'master'Yorick Peterse2019-01-241-0/+5
|\ \ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [master] Do not expose trigger token when user should not see it See merge request gitlab/gitlabhq!2735
| * | | | | | | | | | Add changelog for trigger token exposure fixGrzegorz Bizon2019-01-151-0/+5
| | |_|_|/ / / / / / | |/| | | | | | | |
* | | | | | | | | | Merge branch 'security-fix-regex-dos' into 'master'Yorick Peterse2019-01-241-0/+5
|\ \ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [master] Fix DoS in reference extraction regexes Closes #2766 See merge request gitlab/gitlabhq!2768
| * | | | | | | | | | Fix slow project reference pattern regexHeinrich Lee Yu2019-01-111-0/+5
| | |_|_|_|_|_|/ / / | |/| | | | | | | |
* | | | | | | | | | Merge branch 'security-fix-wiki-access-rights-with-external-wiki-enabled' ↵Yorick Peterse2019-01-241-0/+5
|\ \ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | into 'master' [master] Fix access to internal wiki when external wiki is enabled Closes #2783 See merge request gitlab/gitlabhq!2769
| * | | | | | | | | | Fixed bug when external wiki is enabledFrancisco Javier López2019-01-181-0/+5
| | |_|/ / / / / / / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When the external wiki is enabled, the internal wiki link is replaced by the external wiki url. But the internal wiki is still accessible. In this change the external wiki will have its own tab in the sidebar and only if the services are disabled the tab (and access rights) will not be displayed.
* | | | | | | | | | Merge branch 'security-2769-idn-homograph-attack' into 'master'Yorick Peterse2019-01-241-0/+5
|\ \ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [master] GitLab vulnerable to IDN homograph attacks and RTLO attacks See merge request gitlab/gitlabhq!2770
| * | | | | | | | | | Show tooltip for malicious looking linksBrett Walker2019-01-211-0/+5
| | |_|_|_|_|_|_|/ / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Such as those with IDN homographs or embedded right-to-left (RTLO) characters. Autolinked hrefs should be escaped
* | | | | | | | | | Merge branch 'security-fix-new-issues-login-message' into 'master'Yorick Peterse2019-01-241-0/+5
|\ \ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [master] Use common error for not logged in users when creating issues Closes #2772 See merge request gitlab/gitlabhq!2787
| * | | | | | | | | | Use common error for unauthenticated usersHeinrich Lee Yu2019-01-141-0/+5
| | |_|_|/ / / / / / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | Removes special error message when creating new issues
* | | | | | | | | | Merge branch 'security-2776-fix-add-reaction-permissions' into 'master'Yorick Peterse2019-01-241-0/+5
|\ \ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [master] Revoke award_emoji permissions for confidential issues Closes #2776 See merge request gitlab/gitlabhq!2790
| * | | | | | | | | | Prevent award_emoji to notes not visible to userHeinrich Lee Yu2019-01-151-0/+5
| |/ / / / / / / / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When the parent noteable is not visible to the user (e.g. confidential) we prevent the user from adding emoji reactions to notes
* | | | | | | | | | Merge branch 'security-2779-fix-email-comment-permissions-check' into 'master'Yorick Peterse2019-01-241-0/+5
|\ \ \ \ \ \ \ \ \ \ | |_|_|_|_|_|_|_|/ / |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [master] Fix discussion replies permissions check Closes #2779 See merge request gitlab/gitlabhq!2794
| * | | | | | | | | Prevent comments by email when issue is lockedHeinrich Lee Yu2019-01-221-0/+5
| | |_|_|_|_|/ / / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This changes the permission check so it uses the policy on Noteable instead of Project. This prevents bypassing of rules defined in Noteable for locked discussions and confidential issues. Also rechecks permissions when reply_to_discussion_id is provided since the discussion_id may be from a different noteable.
* | | | | | | | | Fix markdown table borderJacques Erasmus2019-01-241-0/+5
| | | | | | | | |
* | | | | | | | | Merge branch 'docs-push-mirror-GitLab-GitHub' into 'master'Evan Read2019-01-241-0/+5
|\ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | (docs) Updated fields information for push mirror from GitLab to GitHub See merge request gitlab-org/gitlab-ce!24566
| * | | | | | | | | Added changelogJoseph Yu2019-01-221-0/+5
| | | | | | | | | |
View Lorry Controller Status