The SanitizationFilter was running before the WikiFilter. Since
WikiFilter can modify links, we could see links that _should_ be stopped
by SanitizationFilter being rendered on the page. I (kerrizor) had
previously addressed the bug in: https://gitlab.com/gitlab-org/gitlab-ee/commit/7bc971915bbeadb950bb0e1f13510bf3038229a4
However, an additional exploit was discovered after that was merged.
Working through the issue, we couldn't simply shuffle the order of
filters, due to some implicit assumptions about the order of filters, so
instead we've extracted the logic that sanitizes a Nokogiri-generated
Node object, and applied it to the WikiLinkFilter as well.
On moving filters around:
Once we start moving around filters, we get cascading failures; fix one,
another one crops up. Many of the existing filters in the WikiPipeline
chain seem to assume that other filters have already done their work,
and thus operate on a "transform anything that's left" basis;
WikiFilter, for instance, assumes any link it finds in the markdown
should be prepended with the wiki_base_path, but if it does that, it
also turns `href="@user"` into `href="/path/to/wiki/@user"`, which the
UserReferenceFilter doesn't see as a user reference it needs to
transform into a user profile link. This is true for all the reference
filters in the WikiPipeline.
Don't display badges when builds are restricted
Closes #2864
See merge request gitlab/gitlabhq!3175
Badges were leaked to unauthorized users even when Public Builds
project setting is disabled.
Added guard clause to the controller to check if user can read
build.
Do not allow localhost url redirection in GitHub Integration
See merge request gitlab/gitlabhq!3188
Drop feature to take ownership of a trigger token
Closes #2868
See merge request gitlab/gitlabhq!3198
Removing API and frontend interactions that allowed
users to take ownership of a trigger token.
Removed mentions from the documentation.
MR pipeline permissions
Closes #2871
See merge request gitlab/gitlabhq!3204
MergeRequest#all_pipelines
MergeRequest#all_pipelines fetches Ci::Pipeline records from the source
project, so we should specifically check that project for permissions.
This was already happening for intra-project merge requests, but in the
event that the target and source projects both have private builds, we
should ensure that the project permissions are respected.
Server Side Request Forgery mitigation bypass
Closes #2872
See merge request gitlab/gitlabhq!3205
When we can't resolve the hostname or it is invalid, we shouldn't
even perform the request. This fix also fixes the problem of the
SSRF rebinding attack.
We can't stub feature flags outside example blocks. Nevertheless,
there are some actions that call the UrlBlocker that are performed
outside example blocks, i.e. the `set` instruction.
That's why we have to use some signaling mechanism outside the scope
of the specs.
Queries for Upload should be scoped by model
See merge request gitlab/gitlabhq!3229
Do not show moved issue ids for user not authorized
Closes #2878
See merge request gitlab/gitlabhq!3230
Do not show moved issue id for users that cannot read issue
Filter params in MR build service
Closes #2879
See merge request gitlab/gitlabhq!3237
Reusing the existing `IssuableBaseService#filter_params` which uses
the policies to determine what params a user can set, and which values
it can be set to.
This also removed the need for the separate call to
`IssuableBaseService#ensure_milestone_available`.
The `Issues::BuildService` does not suffer from this because it limits
the params that are assignable to the `title`, `description` and
`milestone_id`.
Resolve EE specific differences in the spec/ directory
See merge request gitlab-org/gitlab-ce!31109
This ensures this spec is the same in both CE and EE.
This changes the spec in question so that it is the same for both CE and
EE. This requires an `if Gitlab.ee?` since EE requires that we stub an
EE specific module, but doing so in CE will break the spec there.
This changes a protected tags feature spec so that it is the same in
both CE and EE. This requires the use of a `if Gitlab.ee?` check, as the
added lines don't work in CE but do work in EE. Removing them entirely
in turn breaks the EE spec.
This ensures that both CE and EE have the same specs.
This backports two EE specific changes made to the schema changes. We do
not yet backport the EE prepend, as this will/can be done when
https://gitlab.com/gitlab-org/gitlab-ce/issues/58170 is implemented.
Replace peek-pg with our own implementation
Closes #44441
See merge request gitlab-org/gitlab-ce!31187
This uses an ActiveRecord subscriber to get queries and calculate the
total query time from that. This means that the total will always be
consistent with the queries in the table. It does however mean that we
could potentially miss some queries that don't go through ActiveRecord.
Making this change also allows us to unify the response JSON a little
bit, making the frontend slightly simpler as a result.
Backport EE changes made to the scripts/ directory
See merge request gitlab-org/gitlab-ce!31015
This backports changes made by EE to the files in the scripts/ directory.
This comes with a few changes to some scripts to make them work in the
single codebase setup.
Further remove `if postgresql?` branches
Closes #65054
See merge request gitlab-org/gitlab-ce!31102
We dropped MySQL support and a lot of mysql specific code has been
removed in https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/29608.
This comes in from the other direction and removes any `if postgresql?`
branches.
This adds direct monitoring for Sidekiq metrics. This is done via
Sidekiq middleware and a sampler to pull from Sidekiq's API.
Expose git blame in api
Closes #51345
See merge request gitlab-org/gitlab-ce!30675
Added usage ping counter when the user makes
a search through the navbar search component.
Add frozen_string_literal to spec/features
See merge request gitlab-org/gitlab-ce!31131
Use unary plus as recommended by Performance/UnfreezeString cop
Using the sed script from
https://gitlab.com/gitlab-org/gitlab-ce/issues/59758
Adds Job specific variables to facilitate specifying variables when
running manual jobs.
'61787-the-colour-selector-for-broadcast-messages-should-provide-a-few-default-options-with-descriptive-labels-like-red-green-blue' into 'master'
Resolve "Add color selector for broadcast messages"
Closes #61787
See merge request gitlab-org/gitlab-ce!30988
Also removes all logic from ClusterConfigureWorker
and ClusterProjectConfigureWorker, which are also
no longer used.
'master'"
This reverts merge request !29733
Use NotesFinder to fetch notes in module IssuableActions
Closes #52123
See merge request gitlab-org/gitlab-ce!29733
Add spec for concern IssuableActions
Add shared samples for discussions endpoint
Add schema validations for discussions
Fix rubocop style issue
Make target assignable
Use new possibility to provide target
Redirect project.wiki.git to project wiki home
See merge request gitlab-org/gitlab-ce!31085
https://gitlab.com/gitlab-org/gitlab-ce/issues/19186
Otherwise capybara hits ambiguous match.
Add frozen_string_literal to spec/lib (part 1)
See merge request gitlab-org/gitlab-ce!31130
Note that Performance/UnfreezeString recommends unary plus over
"".dup, but unary plus has lower precedence so we have to use
parentheses.
Using the sed script from
https://gitlab.com/gitlab-org/gitlab-ce/issues/59758