path: root/lib/gitlab
Commit message  (Author, Date, Files changed, Lines -removed/+added)

* Merge branch 'security-58856-persistent-xss-in-note-objects' into 'master'  (Robert Speicher, 2019-06-03, 1 file, -1/+6)
    Persistent XSS in note objects CE
    See merge request gitlab/gitlabhq!3075
  * Change `prohibited_key` to use regexes  (charlieablett, 2019-05-01, 1 file, -4/+2)
  * Add `html` to sensitive words  (charlieablett, 2019-05-01, 1 file, -1/+1)
  * Refactor `attribute_cleaner` for readability  (charlieablett, 2019-04-30, 1 file, -1/+3)
  * Further clarify `attribute_cleaner`  (charlieablett, 2019-04-29, 1 file, -10/+4)
  * Tighten up prohibited_key method  (charlieablett, 2019-04-26, 1 file, -3/+2)
  * Use English instead of Latin  (Charlie Ablett, 2019-04-25, 1 file, -2/+2)
  * Add disallowed fields to AttributeCleaner  (charlieablett, 2019-04-24, 2 files, -4/+13)
  * Exclude fields from note import  (charlieablett, 2019-04-23, 1 file, -0/+3)
* Merge branch 'security-fix_milestones_search_api_leak' into 'master'  (GitLab Release Tools Bot, 2019-06-03, 2 files, -3/+31)
    Resolve: Milestones leaked via search API
    Closes #2822
    See merge request gitlab/gitlabhq!2997
  * Resolve: Milestones leaked via search API  (Felipe Artur, 2019-05-20, 2 files, -3/+31)
      Fix milestone titles being leaked using search API when users cannot read milestones
* Merge branch 'security-60039' into 'master'  (GitLab Release Tools Bot, 2019-06-03, 1 file, -2/+21)
    Disallow invalid MR branch name
    See merge request gitlab/gitlabhq!3052
  * Validate MR branch names  (Mark Chao, 2019-05-03, 1 file, -2/+21)
      Prevents refspec as branch name, which would bypass branch protection when used in conjunction with rebase. HEAD seems to be a special case with lots of occurrences, so it is considered valid for now. Another special case is `refs/head/*`, which can be imported.
* Merge branch 'security-id-leaked-password-in-import-url-frontend' into 'master'  (GitLab Release Tools Bot, 2019-06-03, 1 file, -0/+4)
    Handling password on import by url page
    See merge request gitlab/gitlabhq!3061
  * Hide password on import by url form  (Igor Drozdov, 2019-05-29, 1 file, -0/+4)
* Add DNS rebinding protection settings  (Oswaldo Ferreira, 2019-05-30, 2 files, -11/+32)
* Protect Gitlab::HTTP against DNS rebinding attack  (Douwe Maan, 2019-05-30, 3 files, -22/+58)
    Gitlab::HTTP now resolves the hostname only once, verifies the IP is not blocked, and then uses the same IP to perform the actual request, while passing the original hostname in the `Host` header and SSL SNI field.
* Merge branch 'use-source-ref-name-in-webhook' into 'master'  (Ash McKenzie, 2019-05-28, 1 file, -1/+1)
    Use source ref in pipeline webhook
    Closes #61553
    See merge request gitlab-org/gitlab-ce!28772
  * Use source ref for pipeline webhook [use-source-ref-name-in-webhook]  (Shinya Maeda, 2019-05-28, 1 file, -1/+1)
      When user uses Pipelines for merge requests, the pipeline is run on a merge request ref instead of branch ref. However, we should send source ref as a webhook in order to respect the original behavior.
* Fix removing empty lines via suggestions  (Igor, 2019-05-28, 1 file, -0/+2)
    Before this fix, a suggestion which just removes an empty line wasn't applicable
* Store Let's Encrypt private key in settings  (Vladimir Shushlin, 2019-05-28, 1 file, -1/+1)
    Storing this key in secrets.yml was a bad idea, it would require users using HA setups to manually replicate secrets across nodes during update, it also needed support from omnibus package
    - Revert "Generate Let's Encrypt private key"
      This reverts commit 444959bfa0b79e827a2a1a7a314acac19390f976.
    - Add Let's Encrypt private key to settings as encrypted attribute
    - Generate Let's Encrypt private key in database migration
* add postgres version to subsequent helm deploys  (Brandon Dimcheff, 2019-05-28, 1 file, -0/+1)
    If the postgres image version isn't passed to upgrades, helm will revert to the default postgres version. If it crosses incompatible version boundaries, this will break postgres horribly, as it won't be able to read the data files.
* Add no-tabs class and externalize strings  (Martin Wortschack, 2019-05-27, 1 file, -1/+1)
    - Add .no-tabs to login-box
    - Externalize strings in common signup box
    - Leverage render_if_exists
    - Update PO file
* Add changelog entry  (Jacques Erasmus, 2019-05-27, 1 file, -0/+23)
    Added a changelog entry for the feature
* Clarify that /copy_metadata only works within same project  (Winnie Hellmann, 2019-05-24, 1 file, -1/+1)
* Update SAST.gitlab-ci.yml - Add SAST_GITLEAKS_ENTROPY_LEVEL  (Lucas Charles, 2019-05-24, 1 file, -0/+1)
    This env was missing, causing the variable to not be propagated to child containers and thus, be ineffective
* Merge branch '56959-remove-auto-devops-domain-ci-variable' into 'master'  (Stan Hu, 2019-05-24, 1 file, -11/+1)
    Drop support for AUTO_DEVOPS_DOMAIN
    See merge request gitlab-org/gitlab-ce!28460
  * Stop emitting AUTO_DEVOPS_DOMAIN Ci variable  (Thong Kuah, 2019-05-24, 1 file, -11/+1)
      Update documentation to reflect removal
* Changes RackAttack logger to use structured logs  (Mayra Cabrera, 2019-05-24, 1 file, -0/+9)
    Creates a new filename to register auth logs. This change should allow SRE's queries to make better queries through logging infrastructure.
    Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/54528
* Fix OmniAuth OAuth2Generic strategy not loading  (Stan Hu, 2019-05-23, 1 file, -1/+14)
    In https://github.com/rails/rails/commit/83b767ce, Rails 5.1 removed support for using a String to specify a middleware. When the strategy_class argument is passed from the GitLab YAML config to Devise, Devise passes the string value straight through to Rails, and GitLab would crash with a NoMethodError inside ActionDispatch::MiddlewareStack.
    To make this OmniAuth strategy work again, we normalize the arguments by converting the strategy_class value into an actual Class.
    Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/62216
* Fix issue importing members with owner access  (James Lopez, 2019-05-23, 1 file, -1/+5)
* Fix invalid visibility string comparison in project import  (Stan Hu, 2019-05-22, 1 file, -1/+1)
    This resolves an "ArgumentError: comparison of String with 0 failed" issue where the visibility_level is stored as a string in the project import data because the value comes directly from the Web form. This problem happened upon creating a project from a template or restoring a project.
    We now cast the value to an integer to guard against these kinds of failures.
    Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/61692
* Merge branch '61935-remove-code-left-over-from-when-clusters-were-always-project-specific' into 'master'  (Nick Thomas, 2019-05-22, 1 file, -2/+1)
    remove `Clusters::Platforms::Kubernetes#actual_namespace`
    Closes #61935
    See merge request gitlab-org/gitlab-ce!28391
  * Remove legacy Kubernetes #actual_namespace [61935-remove-code-left-over-from-when-clusters-were-always-project-specific]  (Tiger, 2019-05-21, 1 file, -2/+1)
      When Kubernetes clusters were originally built they could only exist at the project level, and so there was logic included that assumed there would only ever be a single Kubernetes namespace per cluster. We now support clusters at the group and instance level, which allows multiple namespaces.
      This change consolidates various project-specific fallbacks to generate namespaces, and hands all responsibility to the Clusters::KubernetesNamespace model. There is now no concept of a single namespace for a Clusters::Platforms::Kubernetes; to retrieve a namespace a project must now be supplied in all cases.
      This simplifies upcoming work to use a separate Kubernetes namespace per project environment (instead of a namespace per project).
* Geo: Remove Gitlab::LfsToken::LegacyRedisDeviseToken implementation  (Valery Sizov, 2019-05-22, 1 file, -41/+1)
    We kept it for smooth update only
* Jobs should be better isolated to avoid interference with other `image` or `before_script` statements.  (Luca Orlandi, 2019-05-21, 1 file, -9/+12)
* Make env vars consistent  (Philippe Lafoucrière, 2019-05-21, 1 file, -37/+20)
    `DAST_TARGET_AVAILABILITY_TIMEOUT` already defaults to 60 in `analyze`
* Merge branch '61697-add-project-id-to-le-common-name' into 'master'  (Robert Speicher, 2019-05-20, 1 file, -2/+2)
    Resolve "Cert Manager problems with Group/Instance cluster"
    Closes #61697
    See merge request gitlab-org/gitlab-ce!28373
  * Add project ID to Let's Encrypt common name [61697-add-project-id-to-le-common-name]  (Tiger, 2019-05-16, 1 file, -2/+2)
* Merge branch 'sh-fix-rugged-get-tree-entries-recursive' into 'master'  (Douglas Barbosa Alexandre, 2019-05-20, 1 file, -0/+2)
    API: Fix recursive flag not working with Rugged get_tree_entries flag
    Closes #61979
    See merge request gitlab-org/gitlab-ce!28494
  * API: Fix recursive flag not working with Rugged get_tree_entries flag  (Stan Hu, 2019-05-20, 1 file, -0/+2)
      Attempting to use the API endpoint /projects/:id/repository/tree?recursive=true would only return a subset of the results since the full recursive list wasn't actually being returned.
      Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/61979
* Revert "Merge branch '56850-add-new-unicorn-metrics' into 'master'" [revert-c5a9bc17]  (Ryan Cobb, 2019-05-20, 3 files, -69/+17)
    This reverts merge request !27474
* Fix typos in the whole gitlab-ce project  (Yoginth, 2019-05-20, 6 files, -10/+10)
* Merge branch '49517-fix-notes-import-export' into 'master'  (Mayra Cabrera, 2019-05-20, 1 file, -0/+2)
    Include type to notes import / export
    Closes #49517
    See merge request gitlab-org/gitlab-ce!28401
  * Include type to notes import / export [49517-fix-notes-import-export]  (Heinrich Lee Yu, 2019-05-17, 1 file, -0/+2)
* Merge branch 'kinolaev-master-patch-13154' into 'master'  (Grzegorz Bizon, 2019-05-20, 1 file, -1/+3)
    Auto-DevOps: allow to disable rollout status check
    See merge request gitlab-org/gitlab-ce!28130
  * Auto-DevOps: allow to disable rollout status check  (Sergej, 2019-05-17, 1 file, -1/+3)
* Add new version of script  (Sarah Groff Hennigh-Palermo, 2019-05-17, 1 file, -0/+1)
    More aligned design. More functionality.
* Add PoolRepository to the usage ping  (Zeger-Jan van de Weg, 2019-05-17, 1 file, -1/+10)
    PoolRepository is a relatively new model of which the counts could help to further determine the priority of new features. Also gives some insight into the number of forks customers have.
* Edit comments in CI template  (Evan Read, 2019-05-17, 1 file, -41/+50)