summaryrefslogtreecommitdiff
path: root/lib
Commit message (Collapse)AuthorAgeFilesLines
* Fix connection to Tiller error while uninstalling62713-fix-uninstalling-cluster-appsThong Kuah2019-06-051-0/+1
| | | | | | | | | | | Both the `install-<app>` and `uninstall-<app>` pods loads the `values-content-configuration-<app>` configmap into the pod (see `#volume_specification`). This configmap contains the cert necessary to connect to Tiller. The cert though is only valid for 30 minutes. So this fixes the bug where the configmap when uninstalling should be updated as well.
* Ignore Puma empty worker statsJan Provaznik2019-06-041-1/+2
| | | | | | | In some cases (during worker start) it's possible that Puma.stats returns an empty hash for worker's last status. In that case we just skip sampling of the worker until these stats are available.
* Merge branch 'master' of dev.gitlab.org:gitlab/gitlabhqRobert Speicher2019-06-032-1/+14
|\
| * Merge branch 'security-60143-address-xss-issue-master' into 'master'Robert Speicher2019-06-031-0/+8
| |\ | | | | | | | | | | | | Reject slug+uri concat if slug is deemed unsafe See merge request gitlab/gitlabhq!3108
| | * Reject slug+uri concat if slug is deemed unsafeKerri Miller2019-05-241-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | First reported: https://gitlab.com/gitlab-org/gitlab-ce/issues/60143 When the page slug is "javascript:" and we attempt to link to a relative path (using `.` or `..`) the code will concatenate the slug and the uri. This MR adds a guard to that concat step that will return `nil` if the incoming slug matches against any of the "unsafe" slug regexes; currently this is only for the slug "javascript:" but can be extended if needed. Manually tested against a non-exhaustive list from OWASP of common javascript XSS exploits that have to to with mangling the "javascript:" method, and all are caught by this change or by existing code that ingests the user-specified slug.
| * | Merge branch 'security-58856-persistent-xss-in-note-objects' into 'master'Robert Speicher2019-06-031-1/+6
| |\ \ | | | | | | | | | | | | | | | | Persistent XSS in note objects CE See merge request gitlab/gitlabhq!3075
| | * | Change `prohibited_key` to use regexescharlieablett2019-05-011-4/+2
| | | |
| | * | Add `html` to sensitive wordscharlieablett2019-05-011-1/+1
| | | |
| | * | Refactor `attribute_cleaner` for readabilitycharlieablett2019-04-301-1/+3
| | | |
| | * | Further clarify `attribute_cleaner`charlieablett2019-04-291-10/+4
| | | |
| | * | Tighten up prohibited_key methodcharlieablett2019-04-261-3/+2
| | | |
| | * | Use English instead of LatinCharlie Ablett2019-04-251-2/+2
| | | |
| | * | Add disallowed fields to AttributeCleanercharlieablett2019-04-242-4/+13
| | | |
| | * | Exclude fields from note importcharlieablett2019-04-231-0/+3
| | | |
* | | | Merge branch 'osw-sync-merge-ref-upon-mergeability-check' into 'master'Douwe Maan2019-06-032-19/+7
|\ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Automatically update MR merge-ref along merge status Closes #58495 See merge request gitlab-org/gitlab-ce!28513
| * | | | Add payload to the service responseOswaldo Ferreira2019-05-311-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | This introduces payload to the ServiceResponse with the merge ref HEAD commit data
| * | | | Simplify merge_ref_head methodsOswaldo Ferreira2019-05-311-2/+2
| | | | |
| * | | | Automatically update MR merge-ref along merge statusOswaldo Ferreira2019-05-312-19/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This couples the code that transitions the `MergeRequest#merge_status` and refs/merge-requests/:iid/merge ref update. In general, instead of directly telling `MergeToRefService` to update the merge ref, we should rely on `MergeabilityCheckService` to keep both the merge status and merge ref synced. Now, if the merge_status is `can_be_merged` it means the merge-ref is also updated to the latest. We've also updated the logic to be more systematic and less user-based.
* | | | | Merge dev.gitlab.org master into GitLab.com masterYorick Peterse2019-06-039-29/+145
|\ \ \ \ \ | | |/ / / | |/| | |
| * | | | Merge branch 'security-fix_milestones_search_api_leak' into 'master'GitLab Release Tools Bot2019-06-032-3/+31
| |\ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Resolve: Milestones leaked via search API Closes #2822 See merge request gitlab/gitlabhq!2997
| | * | | | Resolve: Milestones leaked via search APIFelipe Artur2019-05-202-3/+31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix milestone titles being leaked using search API when users cannot read milestones
| * | | | | Merge branch 'security-60039' into 'master'GitLab Release Tools Bot2019-06-031-2/+21
| |\ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | Disallow invalid MR branch name See merge request gitlab/gitlabhq!3052
| | * | | | | Validate MR branch namesMark Chao2019-05-031-2/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Prevents refspec as branch name, which would bypass branch protection when used in conjunction with rebase. HEAD seems to be a special case with lots of occurrence, so it is considered valid for now. Another special case is `refs/head/*`, which can be imported.
| * | | | | | Merge branch 'security-id-leaked-password-in-import-url-frontend' into 'master'GitLab Release Tools Bot2019-06-031-0/+4
| |\ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Handling password on import by url page See merge request gitlab/gitlabhq!3061
| | * | | | | | Hide password on import by url formIgor Drozdov2019-05-291-0/+4
| | | | | | | |
| * | | | | | | Merge branch 'dm-http-hostname-override' into 'master'GitLab Release Tools Bot2019-06-034-22/+84
| |\ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Protect Gitlab::HTTP against DNS rebinding attack See merge request gitlab/gitlabhq!3071
| | * | | | | | | Add DNS rebinding protection settingsOswaldo Ferreira2019-05-303-11/+37
| | | | | | | | |
| | * | | | | | | Protect Gitlab::HTTP against DNS rebinding attackDouwe Maan2019-05-303-22/+58
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Gitlab::HTTP now resolves the hostname only once, verifies the IP is not blocked, and then uses the same IP to perform the actual request, while passing the original hostname in the `Host` header and SSL SNI field.
| * | | | | | | | Merge branch 'security-fix-project-existence-disclosure-master' into 'master'GitLab Release Tools Bot2019-06-031-2/+5
| |\ \ \ \ \ \ \ \ | | |/ / / / / / / | |/| | | | | | | | | | | | | | | | | | | | | | | | | Fix url redaction for issue links See merge request gitlab/gitlabhq!3091
| | * | | | | | | Fix url redaction for issue linksPatrick Derichs2019-05-031-2/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add changelog entry Add missing href to all redactor specs and removed href assignment Remove obsolete spec If original_content is given, it should be used for link content
* | | | | | | | | Merge branch 'ac-graphql-stats' into 'master'Dmitriy Zaporozhets2019-06-031-0/+23
|\ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add Namespace and ProjectStatistics to GraphQL API See merge request gitlab-org/gitlab-ce!28277
| * | | | | | | | | Add Namespace and ProjectStatistics to GraphQL APIAlessio Caiazza2019-06-031-0/+23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We can query namespaces, and nested projects. Projects now exposes statistics
* | | | | | | | | | Merge branch 'abstract-auto-merge' into 'master'Kamil Trzciński2019-06-031-7/+4
|\ \ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Refactor and abstract Auto Merge Processes See merge request gitlab-org/gitlab-ce!28595
| * | | | | | | | | | Abstract auto merge processesShinya Maeda2019-06-031-7/+4
| | |_|_|_|_|_|/ / / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We have one auto merge strategy today - Merge When Pipeline Succeeds. In order to add more strategies for Merge Train feature, we abstract the architecture to be more extensible. Removed arguments Fix spec
* | | | | | | | | | Merge branch 'ce-fj-11886-fix-port-validation' into 'master'Kamil Trzciński2019-06-032-1/+4
|\ \ \ \ \ \ \ \ \ \ | |_|/ / / / / / / / |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix port validations in .gitlab-webide.yml See merge request gitlab-org/gitlab-ce!29016
| * | | | | | | | | Fix port validations in .gitlab-webide.ymlce-fj-11886-fix-port-validationFrancisco Javier López2019-06-012-1/+4
| |/ / / / / / / /
* | | | | | | | | Remove delta island feature flagZeger-Jan van de Weg2019-06-031-1/+1
|/ / / / / / / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Delta islands were implemented last released in: https://gitlab.com/gitlab-org/gitaly/merge_requests/1110. It's been enabled on production and works as expected.
* | | | | | | | Merge branch 'osw-reset-merge-status-from-mergeable-mrs' into 'master'Douglas Barbosa Alexandre2019-05-311-0/+17
|\ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Reset merge status from mergeable MRs See merge request gitlab-org/gitlab-ce!28843
| * | | | | | | | Reset merge status from mergeable MRsOswaldo Ferreira2019-05-311-0/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Adds migrations to reset the merge_status of opened, mergeable MRs. That's required by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/28513 so we're able to sync the status update along merge-ref, without leaving MRs with a stale merge-ref.
* | | | | | | | | Add optional param :start_project to allow variable commit targetsKerri Miller2019-05-311-0/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This extends POST#:id/repository/commits to allow the optional parameter `:start_project`, which will allow targeting other projects besides the one derived from `:id`. Resolves https://gitlab.com/gitlab-org/gitlab-ce/issues/50850
* | | | | | | | | Merge branch 'gitaly-version-v1.43.0' into 'master'Bob Van Landuyt2019-05-312-40/+0
|\ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Upgrade Gitaly to v1.43.0 See merge request gitlab-org/gitlab-ce!28867
| * | | | | | | | | Remove hook directory requirement from Shellgitaly-version-v1.43.0Zeger-Jan van de Weg2019-05-302-40/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It used to be the case that GitLab created symlinks for each repository to one copy of the Git hooks, so these ran when required. This changed to set the hooks dynamically on Gitaly when invoking Git. The side effect is that we didn't need all these symlinks anymore, which Gitaly doesn't create anymore either. Now that means that the tests in GitLab-Rails should test for it either. Related: https://gitlab.com/gitlab-org/gitaly/issues/1392#note_175619926
* | | | | | | | | | Merge branch '59587-add-graphql-logging' into 'master'Sean McGivern2019-05-313-18/+80
|\ \ \ \ \ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add logging to GraphQL Closes #59587 See merge request gitlab-org/gitlab-ce!27885
| * | | | | | | | | | Apply reviewer feedback59587-add-graphql-loggingcharlie ablett2019-05-311-21/+27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - Comply doc with guidelines - Improve tests for readability and completeness - Separate out phases visually with newlines - Add `format_message` test - test readability - code and test structure/styling - static query analyzers - call `as_json` on `provided_variables` - add exception handling
| * | | | | | | | | | Move complexity/depth to `final_value`charlieablett2019-05-301-9/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Tidy tests according to reviewer comments. Move complexity and depth calls from `initial_value` to `final_value` Log variables as json
| * | | | | | | | | | Call analyzers from LoggerAnalyzercharlieablett2019-05-301-19/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - Add changelog file - Fix failing tests
| * | | | | | | | | | Add GraphQL logging feature flagcharlieablett2019-05-301-1/+1
| | | | | | | | | | |
| * | | | | | | | | | Restructure complexity analyzercharlieablett2019-05-301-16/+24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Remove instance variables for class re-use, test individual methods, use `monotonic_time`
| * | | | | | | | | | Implement logger analyzercharlieablett2019-05-303-29/+66
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - Modify GraphqlLogger to subclass JsonLogger - Replace the single-line analyser with one that can log all the GraphQL query related information in one place. - Implement analyzer behavior with spec
| * | | | | | | | | | New logfile for graphql queriescharlieablett2019-05-302-1/+20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Specify dedicated logfile and logger class for GraphQL queries. Move complexity analyzer to a dedicated class.