path: root/lib
Commit message  [Author, Age, Files, Lines]
* Handle Stored XSS for Grafana URL in settings  [David Wilkins, 2019-10-24, 1 file, -12/+32]
    - Extend Gitlab::UrlBlocker to allow relative urls (require_absolute setting). The new `require_absolute` setting defaults to true, which is the existing behavior.
    - Extend AddressableUrlValidator to accept `require_absolute` and default to the existing behavior
    - Add validation for ApplicationSetting#grafana_url to validate that the URL does not contain XSS but can be a valid relative or absolute url.
    - In the case of existing stored URLs, validate the stored URL does not contain XSS. If the stored URL contains stored XSS or is an otherwise invalid URL, return the default database column value.
    - Add tests for Gitlab::UrlBlocker to test require_absolute setting
    - Add tests for AddressableUrlValidator
    - Add tests for ApplicationSetting#grafana_url
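The check this commit describes, as an added example that is not GitLab's code: a stored URL may be relative or absolute, but it must never carry a scheme a browser would execute, and a stored value that fails the check is replaced by the column default on read instead of being rendered. The same scheme test is what the SanitizeNodeLink commit further down applies to wiki links. The module name, the `require_absolute` keyword and the sample URLs are assumptions for illustration.

```ruby
require "uri"

# Added example, not GitLab's code: accept a URL that may be relative or
# absolute, but never one whose scheme a browser would execute.
# `require_absolute` mirrors the commit's setting: when true, only absolute
# http(s) URLs pass. Everything else here is an assumption for illustration.
module UrlSettingValidator
  ALLOWED_SCHEMES = %w[http https].freeze

  # True when `value` is safe to store and later emit inside an href.
  def self.valid?(value, require_absolute: true)
    return false unless value.is_a?(String)

    str = value.strip
    return false if str.empty?
    # Whitespace or control characters inside the URL are a classic way to
    # sneak "java\tscript:" past a naive prefix check; reject them outright.
    return false if str.match?(/[[:cntrl:]\s]/)

    uri = URI.parse(str)
    if uri.scheme
      # Absolute reference: only http(s) with a non-empty host, so
      # javascript:, data:, vbscript: and friends are refused.
      ALLOWED_SCHEMES.include?(uri.scheme.downcase) && !uri.host.to_s.empty?
    else
      # Relative reference: must be a site-local path. "//evil.example/x"
      # has no scheme but is not local, so protocol-relative is refused too.
      !require_absolute && str.start_with?("/") && !str.start_with?("//")
    end
  rescue URI::InvalidURIError
    false
  end

  # Read-side guard from the commit: a stored value that no longer passes
  # validation (stored before the check existed, or tampered with) is
  # replaced by the column default rather than rendered.
  def self.stored_or_default(stored, default:, require_absolute: false)
    valid?(stored, require_absolute: require_absolute) ? stored.strip : default
  end
end
```

The read-side fallback matters as much as the write-side validation: a validator added today does nothing for rows written before it existed, so the getter has to re-check what it reads.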
* Merge branch 'security-sarcila-verify-saml-request-origin-12-1' into '12-1-stable'  [GitLab Release Tools Bot, 2019-09-26, 4 files, -2/+97]
    Check that SAML identity linking validates the origin of the request
    See merge request gitlab/gitlabhq!3376
  * Validate that SAML requests originate from GitLab  [Sebastian Arcila Valenzuela, 2019-09-16, 4 files, -2/+97]
    If the request wasn't initiated by GitLab we shouldn't add the new identity to the user, and instead show that we weren't able to link the identity to the user.
    This should fix: https://gitlab.com/gitlab-org/gitlab-ce/issues/56509
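One way to tie an identity-linking callback to the session that started it, as an added example that is not GitLab's code: before redirecting to the IdP, store a random state value in the session; on the callback, accept the new identity only if a matching, unexpired state is pending for that provider, and consume it so the response cannot be replayed. The session key, the use of RelayState to carry the value, and the 10-minute lifetime are assumptions.

```ruby
require "securerandom"

# Added example, not GitLab's code: bind an identity-linking round trip to
# the session that started it. A callback from the IdP is only accepted
# when this session issued a matching, unexpired, unused state value, so a
# response this application never initiated cannot attach a new identity
# to the signed-in user. The session key, the RelayState transport and the
# 10-minute lifetime are assumptions for illustration.
class IdentityLinkOriginCheck
  SESSION_KEY = "identity_link_state".freeze

  def initialize(session)
    @session = session  # any Hash-like store, e.g. the Rails session
  end

  # Call before redirecting to the IdP; carry the return value through the
  # round trip (as RelayState for SAML, `state` for OAuth-style providers).
  def begin_link(provider, now: Time.now.to_i)
    state = SecureRandom.hex(32)
    @session[SESSION_KEY] = { "state" => state, "provider" => provider, "issued_at" => now }
    state
  end

  # Call in the callback. Returns true only for a pending link started in
  # this session for this provider. The pending state is always consumed,
  # so a captured callback cannot be replayed.
  def verify_callback!(provider, returned_state, max_age: 600, now: Time.now.to_i)
    pending = @session.delete(SESSION_KEY)
    return false unless pending.is_a?(Hash) && returned_state.is_a?(String)
    return false unless pending["provider"] == provider
    return false if now - pending["issued_at"].to_i > max_age

    self.class.secure_equal?(pending["state"].to_s, returned_state)
  end

  # Constant-time comparison so response timing does not leak the expected value.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize

    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end
```

When `verify_callback!` returns false the controller should show the "could not link identity" message the commit describes and must not touch the user's identities; a session that never called `begin_link` has nothing pending and fails the same way.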
* Filter not accessible label events  [Jan Provaznik, 2019-09-24, 1 file, -3/+5]
    Label events may use cross-project or cross-group references; if the projects are not accessible by the user, we don't show these label events.
* Avoid exposing inaccessible repo data upon GFM processing  [Oswaldo Ferreira, 2019-08-26, 1 file, -0/+16]
    When post-processing relative links to absolute links, RelativeLinkFilter didn't take into consideration that internal repository data could be exposed for users that do not have repository access to the project.
    This commit solves that by checking whether the user can `download_code` at this repository, avoiding any processing of this filter if the user can't.
    Additionally, if we're processing for a group (no project was given), we check if the user can read it in order to expand the href as an extra. That doesn't seem necessarily a breach now, but an extra check doesn't hurt, as after all the user needs to be able to `read_group`.
* Add captcha if there are multiple failed login attempts  [Małgorzata Ksionek, 2019-08-26, 4 files, -1/+50]
    Add method to store session ids by ip
    Add new specs for storing session ids
    Add cleaning up records after login
    Add retrieving anonymous sessions
    Add login recaptcha setting
    Add new setting to sessions controller
    Add conditions for showing captcha
    Add sessions controller specs
    Add admin settings specs for login protection
    Add new settings to api
    Add stub to devise spec
    Add new translation key
    Add cr remarks
    Rename class call
    Add cr remarks
    Change if-clause for consistency
    Add cr remarks
    Add code review remarks
    Refactor AnonymousSession class
    Add changelog entry
    Move AnonymousSession class to lib
    Move store unauthenticated sessions to sessions controller
    Move link to recaptcha info
    Regenerate text file
    Improve copy on the spam page
    Change action filter for storing anonymous sessions
    Fix rubocop offences
    Add code review remarks
    Fix schema
    Update schema version
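The mechanism behind this commit, per-IP tracking of failed sign-ins with a captcha gate, as an added example that is not GitLab's code (GitLab's AnonymousSession stores session ids per IP; this example counts failures directly). A Hash stands in for Redis and the clock is injectable so it runs offline; the key prefix, the threshold of 3 and the 24-hour TTL are assumptions.

```ruby
# Added example, not GitLab's code: count failed sign-in attempts per
# client IP in a store with a time-to-live and require a captcha once a
# threshold is reached. A plain Hash stands in for Redis and the clock is
# injectable so the example runs offline; the key prefix, threshold and
# TTL are assumptions for illustration.
class FailedLoginTracker
  KEY_PREFIX = "session:failed_logins:".freeze

  def initialize(store = {}, threshold: 3, ttl: 24 * 60 * 60, clock: -> { Time.now.to_i })
    @store = store
    @threshold = threshold
    @ttl = ttl
    @clock = clock
  end

  # Record one failed attempt from `ip`; returns the live count. Each
  # failure refreshes the expiry so a slow attacker does not age out.
  def record_failure(ip)
    key = key_for(ip)
    entry = live_entry(key) || { "count" => 0 }
    entry["count"] += 1
    entry["expires_at"] = @clock.call + @ttl
    @store[key] = entry
    entry["count"]
  end

  # Ask this before rendering the sign-in form and before accepting the
  # POST: the captcha gate must apply to the request, not just the page.
  def captcha_required?(ip)
    entry = live_entry(key_for(ip))
    !entry.nil? && entry["count"] >= @threshold
  end

  # Call after a successful sign-in so a legitimate user is not nagged forever.
  def clear(ip)
    @store.delete(key_for(ip))
    nil
  end

  private

  def key_for(ip)
    KEY_PREFIX + ip.to_s
  end

  # Returns the entry for `key`, or nil (and forgets it) once its TTL has passed.
  def live_entry(key)
    entry = @store[key]
    return nil if entry.nil?

    if entry["expires_at"] <= @clock.call
      @store.delete(key)
      return nil
    end
    entry
  end
end
```

The check has to run on the POST as well as when rendering the form; gating only the form lets a client that never loads the page keep submitting credentials.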
* Merge branch 'security-12-1-enable-image-proxy' into '12-1-stable'  [GitLab Release Tools Bot, 2019-08-26, 11 files, -7/+140]
    Use image proxy to mitigate stealing ip addresses
    See merge request gitlab/gitlabhq!3231
  * Add support for using a Camo proxy server  [Brett Walker, 2019-08-15, 11 files, -7/+140]
    User images and videos will get proxied through the Camo server in order to keep malicious sites from collecting the IP address of users.
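How a Camo-style rewrite works, as an added example that is not GitLab's code: the rendering side signs each external URL with HMAC-SHA1 under a shared secret and emits `https://<proxy>/<hex digest>/<hex-encoded url>`; the proxy side decodes the URL and refetches it only if the digest verifies, so readers' browsers talk to the proxy rather than to whatever host the image author chose. The proxy host name, the own-host list and the secret are constructed for the example.

```ruby
require "openssl"
require "uri"

# Added example, not GitLab's code: rewrite external image URLs to go
# through a Camo-style asset proxy. Camo expects
#   https://<proxy-host>/<hex HMAC-SHA1(secret, url)>/<hex-encoded url>
# so the proxy only fetches URLs this server signed, and a reader's browser
# connects to the proxy instead of to the image's origin. Host names and
# the secret below are constructed for the example.
class AssetProxyRewriter
  def initialize(proxy_host:, secret:, own_hosts:)
    @proxy_host = proxy_host
    @secret = secret
    @own_hosts = own_hosts
  end

  # Returns the proxied URL, or the input unchanged when it should not be
  # proxied: relative, not http(s), served by us, or already proxied.
  def rewrite(url)
    uri = URI.parse(url)
    return url unless %w[http https].include?(uri.scheme.to_s)
    return url if uri.host.nil? || @own_hosts.include?(uri.host) || uri.host == @proxy_host

    "https://#{@proxy_host}/#{digest_for(url)}/#{url.unpack1('H*')}"
  rescue URI::InvalidURIError
    url
  end

  # Proxy-side check: recover the original URL from a proxied path and
  # accept it only if the signature verifies (constant-time compare).
  def verify_path(path)
    _, digest, hex_url = path.to_s.split("/", 3)
    return nil unless digest && hex_url && hex_url.match?(/\A\h+\z/) && hex_url.size.even?

    url = [hex_url].pack("H*").force_encoding("UTF-8")
    expected = digest_for(url)
    return nil unless digest.bytesize == expected.bytesize

    diff = 0
    digest.bytes.zip(expected.bytes) { |a, b| diff |= a ^ b }
    diff.zero? ? url : nil
  end

  private

  def digest_for(url)
    OpenSSL::HMAC.hexdigest("SHA1", @secret, url)
  end
end
```

Without the signature the proxy would be an open fetcher that anyone could point at arbitrary hosts; with it, only URLs that passed through this rewriter are ever fetched, and the proxy still needs its own outbound-address checks because a signed URL can name an internal host.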
* Merge branch 'security-61974-limit-issue-comment-size-12-1' into '12-1-stable'  [GitLab Release Tools Bot, 2019-08-26, 2 files, -1/+5]
    Limit the size of issuable description and comments
    See merge request gitlab/gitlabhq!3271
  * Limit the size of issuable description and comments  [Alexandru Croitor, 2019-08-22, 2 files, -1/+5]
    Limiting the size of issuable description and comments to 1_000_000, which is close to ~1MB of ASCII characters, which represents 99.9% of all descriptions and comments we have in DB at the moment. This should help prevent DoS attacks when comments contain reference strings.
    Also this change updates the regexp matching the namespace paths by limiting the namespace paths to Namespace::NUMBER_OF_ANCESTORS_ALLOWED, as we allow 20 levels deep groups.
    See https://gitlab.com/gitlab-org/gitlab-ce/issues/61974#note_191274234
* Merge branch 'security-epic-notes-api-reveals-historical-info-ce-12-1' into '12-1-stable'  [GitLab Release Tools Bot, 2019-08-26, 3 files, -6/+10]
    Filter out old system notes for epics in notes api endpoint response
    See merge request gitlab/gitlabhq!3310
  * Filter out old system notes for epics  [Patrick Derichs, 2019-08-09, 3 files, -6/+10]
* Merge branch 'security-fix_jira_ssrf_vulnerability-12-1' into '12-1-stable'  [GitLab Release Tools Bot, 2019-08-26, 1 file, -0/+66]
    Fix DNS rebind vulnerability for JIRA integration
    See merge request gitlab/gitlabhq!3311
  * Fix DNS rebind vulnerability for JIRA integration  [Felipe Artur, 2019-08-08, 1 file, -0/+66]
    Uses Gitlab::HTTP for JIRA requests instead of Net::HTTP. Gitlab::HTTP comes with some built-in SSRF protections.
* Merge branch 'security-project-import-bypass-12-1' into '12-1-stable'  [GitLab Release Tools Bot, 2019-08-26, 1 file, -0/+88]
    Project visibility restriction bypass
    See merge request gitlab/gitlabhq!3331
  * Fix project import restricted visibility bypass  [George Koltsov, 2019-08-15, 1 file, -0/+88]
    Add Gitlab::VisibilityLevelChecker that verifies the selected project visibility level (or overridden param) is not restricted when creating or importing a project
* Merge branch 'security-add-job-activity-limit-ce-12-1' into '12-1-stable'  [GitLab Release Tools Bot, 2019-08-26, 1 file, -0/+21]
    Introduce JobActivity limit for alive jobs
    See merge request gitlab/gitlabhq!3342
  * Add active_jobs_limit to plans table  [Fabio Pitino, 2019-08-20, 1 file, -0/+21]
    This is a port from EE changes where we introduce a new limit for Plan model.
    https://dev.gitlab.org/gitlab/gitlab-ee/merge_requests/1182
* Merge branch 'security-personal-snippets-12-1' into '12-1-stable'  [GitLab Release Tools Bot, 2019-08-26, 2 files, -4/+9]
    Add direct upload support for personal snippets
    See merge request gitlab/gitlabhq!3358
  * Add direct upload support for personal snippets  [Jan Provaznik, 2019-08-23, 2 files, -4/+9]
* Re-escape whole HTML content instead of only match  [Jan Provaznik, 2019-08-23, 4 files, -13/+35]
    When we un-escape HTML text to find references in it, we should then re-escape the whole text again, not only found matches. Because we replace matches with milestone/label links (which contain HTML tags we don't want to escape again), we re-escape HTML text with placeholders instead of these links and then replace placeholders in the escaped text.
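The placeholder technique from this commit next to the bug it replaces, as an added example that is not GitLab's code. `rewrite_naive` re-escapes only the matched reference, so any markup that was unescaped around it comes back raw; `rewrite` swaps each link for a random placeholder, escapes the whole text, then substitutes the links back. The `%"Name"` reference syntax and the milestone lookup table are constructed for the example.

```ruby
require "cgi"
require "securerandom"

# Added example, not GitLab's code: the pipeline's reference filters get
# HTML-escaped text, unescape it to find references, and must return
# escaped text with each reference replaced by a link. `rewrite_naive`
# shows the pre-fix behaviour (only the match is re-escaped, so anything
# else that was unescaped comes back raw); `rewrite` shows the placeholder
# approach from the commit. The %"Name" syntax and the milestone table
# are constructed for the example.
module ReferenceRewriter
  MILESTONE_REF = /%"([^"]+)"/

  def self.link_for(name, milestones)
    path = milestones[name]
    return nil unless path

    %(<a href="#{CGI.escapeHTML(path)}">#{CGI.escapeHTML(name)}</a>)
  end

  # Pre-fix: unescape, replace matches, and escape only the unmatched references.
  def self.rewrite_naive(escaped_html, milestones)
    text = CGI.unescapeHTML(escaped_html)
    text.gsub(MILESTONE_REF) do |match|
      link_for(Regexp.last_match(1), milestones) || CGI.escapeHTML(match)
    end
  end

  # Fix: swap links for placeholders, escape the whole text, then put the
  # links back. The placeholder token is random so that user input cannot
  # contain one and claim a link slot.
  def self.rewrite(escaped_html, milestones)
    text = CGI.unescapeHTML(escaped_html)
    token = SecureRandom.hex(8)
    links = []
    with_placeholders = text.gsub(MILESTONE_REF) do |match|
      link = link_for(Regexp.last_match(1), milestones)
      next match unless link

      links << link
      "#{token}#{links.size - 1}#{token}"
    end
    CGI.escapeHTML(with_placeholders).gsub(/#{token}(\d+)#{token}/) { links[Regexp.last_match(1).to_i] }
  end
end
```

The placeholder must be something `escapeHTML` leaves untouched and something the user cannot type on purpose; a per-call random hex token satisfies both, which is why it is not a fixed marker.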
* Merge branch 'leipert-improve-ansi2html' into 'master'  [Fatih Acet, 2019-08-05, 1 file, -10/+17]
    Improve job log rendering performance
    See merge request gitlab-org/gitlab-ce!31262
    (cherry picked from commit eb2d4adf38726da62f62e850d181cedf12c64c5e)
    6b45d85e Prevent empty classes in ansi2html conversion
    5366c89b Fix deep DOM tree problem in ansi2html
    d1f4d8c7 Improve size of rendered job trace
* Merge branch 'patch-72' into 'master'  [Thong Kuah, 2019-08-05, 1 file, -0/+1]
    Set DOCKER_TLS_CERTDIR in CI job templates
    See merge request gitlab-org/gitlab-ce!31201
    (cherry picked from commit 82ce29d32fc8d98571ee43a6d348f89bdecfa9c0)
    8d4f53a0 Set DOCKER_TLS_CERTDIR in CI job templates
    25486f40 Merge remote-tracking branch 'upstream/master' into patch-72
    2535575c Add changelog.
* Merge branch 'osw-avoid-errors-due-to-concurrent-calls' into 'master'  (12-1-stable-patch-4)  [Douwe Maan, 2019-08-05, 1 file, -2/+3]
    Add exclusive lease to mergeability check process
    See merge request gitlab-org/gitlab-ce!31082
    (cherry picked from commit c017dc578dc78729050792d22b449ce0529479cf)
    f4cd926c Add exclusive lease to mergeability check process
* Merge branch 'sh-fix-gitaly-access-control' into 'master'  [Douglas Barbosa Alexandre, 2019-07-30, 1 file, -1/+1]
    Fix exception handling in Gitaly autodetection
    Closes #65328
    See merge request gitlab-org/gitlab-ce!31285
    (cherry picked from commit d92a8c1a5f9b061a10140239bed44b432b28abdf)
    3b76d298 Fix exception handling in Gitaly autodetection
* Merge branch 'dm-submodule-links-nil' into 'master'  [Nick Thomas, 2019-07-30, 1 file, -3/+8]
    Fix error rendering submodules in MR diffs when there is no .gitmodules
    See merge request gitlab-org/gitlab-ce!31162
    (cherry picked from commit 55f99e930e1c147ec191a234ff4881ea7e70ea61)
    cfef1e8e Fix error rendering submodules in MR diffs when there is no .gitmodules
* Merge branch 'sh-support-docker-oci-images' into 'master'  [Dmitriy Zaporozhets, 2019-07-30, 1 file, -3/+6]
    Support Docker OCI images
    Closes gitlab-ee#12877 and #58685
    See merge request gitlab-org/gitlab-ce!31127
    (cherry picked from commit 29f2903d161c2b93468a997f704a81adebcc9f58)
    a4011606 Support Docker OCI images
* Merge branch '65019-job-templates-dind-tls-fix' into 'master'  [Thong Kuah, 2019-07-30, 5 files, -0/+7]
    Set DOCKER_TLS_CERTDIR in CI job templates
    See merge request gitlab-org/gitlab-ce!31080
    (cherry picked from commit 8768e295c3474cb3fcee9afe3b7e9a2ac1431b50)
    c472bec5 Set DOCKER_TLS_CERTDIR in CI job templates
* Merge branch '65019-auto-devops-dind-tls-fix' into 'master'  [Thong Kuah, 2019-07-30, 1 file, -0/+2]
    Set DOCKER_TLS_CERTDIR in Auto Dev-Ops CI template
    See merge request gitlab-org/gitlab-ce!31078
    (cherry picked from commit a842c3882c4b47cc8b384fbd84be5643dacc7269)
    af88ccfa Set DOCKER_TLS_CERTDIR in Auto Dev-Ops CI template
* Merge branch 'alhashash1-12-1-stable-patch-67177' into 'master'  [Stan Hu, 2019-07-30, 1 file, -4/+11]
    Fix incorrect web server selection parameter in init.d script
    Closes #64802 and #65008
    See merge request gitlab-org/gitlab-ce!31076
    (cherry picked from commit 0a2bbc9267e5aca220cda17f13e6f62bae7f1f1b)
    2bc43c44 Fix incorrect web server parameter in init.d script
* Merge branch 'optimise-import-performance' into 'master'  [Stan Hu, 2019-07-30, 4 files, -4/+4]
    Optimise import performance
    Closes #64924
    See merge request gitlab-org/gitlab-ce!31045
    (cherry picked from commit 0d538e44aff066372ecd9d10ac6786681bc347c9)
    8d1e97fc Optimise import performance
* Merge branch 'security-dns-ssrf-bypass-12-1' into '12-1-stable'  [GitLab Release Tools Bot, 2019-07-24, 1 file, -2/+11]
    Server Side Request Forgery mitigation bypass
    See merge request gitlab/gitlabhq!3220
  * Fix Server Side Request Forgery mitigation bypass  [Francisco Javier López, 2019-07-15, 1 file, -2/+11]
    When we can't resolve the hostname or it is invalid, we shouldn't even perform the request. This fix also fixes the problem of the SSRF rebinding attack.
    We can't stub feature flags outside example blocks. Nevertheless, there are some actions that call the UrlBlocker that are performed outside example blocks, i.e. the `set` instruction. That's why we have to use some signaling mechanism outside the scope of the specs.
* Merge branch 'security-60143-patch-additional-xss-issue-12.1' into '12-1-stable'  [GitLab Release Tools Bot, 2019-07-24, 6 files, -50/+79]
    Extract SanitizeNodeLink and apply to WikiLinkFilter
    See merge request gitlab/gitlabhq!3221
  * Extract SanitizeNodeLink and apply to WikiLinkFilter  [Kerri Miller, 2019-07-16, 6 files, -50/+79]
    The SanitizationFilter was running before the WikiFilter. Since WikiFilter can modify links, we could see links that _should_ be stopped by SanitizationFilter being rendered on the page. I (kerrizor) had previously addressed the bug in: https://gitlab.com/gitlab-org/gitlab-ee/commit/7bc971915bbeadb950bb0e1f13510bf3038229a4
    However, an additional exploit was discovered after that was merged. Working through the issue, we couldn't simply shuffle the order of filters, due to some implicit assumptions about the order of filters, so instead we've extracted the logic that sanitizes a Nokogiri-generated Node object, and applied it to the WikiLinkFilter as well.
    On moving filters around: once we start moving around filters, we get cascading failures; fix one, another one crops up. Many of the existing filters in the WikiPipeline chain seem to assume that other filters have already done their work, and thus operate on a "transform anything that's left" basis; WikiFilter, for instance, assumes any link it finds in the markdown should be prepended with the wiki_base_path, but if it does that, it also turns `href="@user"` into `href="/path/to/wiki/@user"`, which the UserReferenceFilter doesn't see as a user reference it needs to transform into a user profile link. This is true for all the reference filters in the WikiPipeline.
* Merge branch 'security-github-ssrf-redirect-12-1' into '12-1-stable'  [GitLab Release Tools Bot, 2019-07-24, 3 files, -3/+26]
    Do not allow localhost url redirection in GitHub Integration
    See merge request gitlab/gitlabhq!3223
  * Do not allow localhost url redirection in GitHub Integration  [manojmj, 2019-07-09, 3 files, -3/+26]
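One outbound-URL guard that covers the three SSRF commits above (the JIRA DNS-rebind fix, the "don't request what doesn't resolve" bypass fix, and the GitHub-import localhost redirect), as an added example that is not GitLab's code: resolve the host first and refuse to send anything if it does not resolve; refuse any resolved address in a loopback, link-local or private range; then pin the connection to the address that was checked so a DNS answer that changes between check and connect cannot redirect the request. A redirect target is just another URL and has to go through the same function before it is followed. The resolver is injectable so the test runs offline with a constructed name table; the denied-range list is the usual one and is an assumption.

```ruby
require "ipaddr"
require "resolv"
require "uri"

# Added example, not GitLab's code: validate an outbound URL before a
# server-side fetch. Resolve the host up front (no resolution, no request),
# refuse local/private addresses, and pin the request to the address that
# was checked so DNS rebinding between check and connect has no effect.
# Redirect targets must be passed through `pin` again before following.
module OutboundUrlGuard
  class Blocked < StandardError; end

  # Assumption: the ranges a server-side fetcher should never reach.
  DENIED_RANGES = %w[
    0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
    172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  DEFAULT_RESOLVER = ->(host) { Resolv.getaddresses(host) }

  # Returns { url: <url with the host replaced by the checked IP>, host: <original host> }.
  # Send `host` as the Host header (and as the TLS server name for https).
  def self.pin(url, resolver: DEFAULT_RESOLVER)
    uri = URI.parse(url)
    raise Blocked, "scheme not allowed" unless %w[http https].include?(uri.scheme.to_s)

    host = uri.hostname.to_s # hostname strips the [] around IPv6 literals
    raise Blocked, "no host" if host.empty?

    addresses = literal_ip?(host) ? [host] : resolver.call(host)
    raise Blocked, "hostname does not resolve" if addresses.empty?

    ips = addresses.map { |a| IPAddr.new(a) }.map { |ip| ip.ipv4_mapped? ? ip.native : ip }
    ips.each do |ip|
      blocked = DENIED_RANGES.any? { |range| range.family == ip.family && range.include?(ip) }
      raise Blocked, "address #{ip} is not routable from here" if blocked
    end

    pinned = uri.dup
    pinned.hostname = ips.first.to_s
    { url: pinned.to_s, host: host }
  rescue URI::InvalidURIError, IPAddr::InvalidAddressError => e
    raise Blocked, e.message
  end

  def self.literal_ip?(host)
    IPAddr.new(host)
    true
  rescue IPAddr::InvalidAddressError
    false
  end
end
```

Checking the name and then letting the HTTP client resolve it again is the rebinding window the JIRA fix closes: every address the resolver returned is checked, and the request goes to one of those addresses, not to whatever a second lookup would yield.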
* Merge branch 'security-remove-take-trigger-ownership-feature-12-1' into '12-1-stable'  [GitLab Release Tools Bot, 2019-07-24, 1 file, -21/+0]
    Drop feature to take ownership of a trigger token
    See merge request gitlab/gitlabhq!3225
  * Drop feature to take ownership of a trigger token  [Fabio Pitino, 2019-07-10, 1 file, -21/+0]
    Removing API and frontend interactions that allowed users to take ownership of a trigger token. Removed mentions from the documentation.
* Merge branch 'sh-fix-gitaly-server-info-cache' into 'master'  [Mayra Cabrera, 2019-07-19, 1 file, -1/+1]
    Fix Gitaly auto-detection caching
    Closes #64802
    See merge request gitlab-org/gitlab-ce!30954
* Merge branch 'ci_default_git_depth_only' into 'master'  [Douglas Barbosa Alexandre, 2019-07-18, 1 file, -0/+1]
    API: Allow changing only ci_default_git_depth
    See merge request gitlab-org/gitlab-ce!30888
    (cherry picked from commit 0854f18352e72c2bcc0beca601d1ea48b490d1be)
    0f585d0d API: Allow changing only ci_default_git_depth
* Refactor RedisCounter and WebIdeCommitsCounter  [Francisco Javier López, 2019-07-17, 5 files, -21/+25]
    This MR refactors RedisCounter and WebIdeCommitsCounter to be reused by other components.
* Merge branch 'jc-wrap-rugged-calls-with-disk-access' into 'master'  [Stan Hu, 2019-07-17, 6 files, -19/+24]
    Wrap rugged calls with access disk block
    See merge request gitlab-org/gitlab-ce!30592
  * Wrap rugged calls with access disk block  (jc-wrap-rugged-calls-with-disk-access)  [John Cai, 2019-07-16, 6 files, -19/+24]
    Whenever we use the rugged implementation, we are going straight to disk so we want to bypass the disk access check.
* Merge branch 'issue-64645-asciidoctor-footnote-links' into 'master'  [Nick Thomas, 2019-07-17, 1 file, -5/+28]
    Preserve footnote link ids
    Closes #64645
    See merge request gitlab-org/gitlab-ce!30790
  * Preserve footnote link ids  [Guillaume Grossetie, 2019-07-17, 1 file, -5/+28]
* Added submodule links to Submodule type in GraphQL API  [Igor, 2019-07-17, 3 files, -3/+79]
    This is part of migration of Folder View to Vue
* Fix wrong pages access level default  [Vladimir Shushlin, 2019-07-17, 1 file, -0/+128]
    - Set access level in before_validation hook
    - Add post migration for updating existing project_features
* CE port of "Move external authorization service API management to EE"  [Imre Farkas, 2019-07-17, 3 files, -4/+6]
    EE MR: https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/14598
* Fetch latest link in the description for zoom link, add more tests and remove frontend spec unnecessary tests  [Rajendra kadam, 2019-07-17, 1 file, -0/+21]