| Commit message | Author | Age | Files | Lines |
Update version column on updated and installed
See merge request gitlab-org/gitlab-ce!24810
All applications except for Jupyter have the same #set_initial_status,
so create a new shared example which we include in all application specs
except for jupyter_spec. Jupyter specs already have specs for its
version of #set_initial_status.
This makes this consistent with :updated. It also avoids a potential
issue where an install errors, which means that the recorded version
won't necessarily reflect the version that is actually installed.
Note: updating the version column after :updating is not ideal in the
updating -> update_errored case. This will mean that the application now
records the version as the version that failed to upgrade, not the
version that it is currently on.
[master] Markdown of release notes leaks confidential issue titles and MR titles to any users
See merge request gitlab/gitlabhq!2869
It was leaking confidential issue titles and MR titles to any users
Fix spec
Fix spec
Fix tests
Fix a JS race in a spec
Closes #56860
See merge request gitlab-org/gitlab-ce!24684
[master] Resolve "Removing a user from a private group doesn't remove them from group's project, if their project's role was changed"
See merge request gitlab/gitlabhq!2629
[master] Fix error disclosure on Project Import
See merge request gitlab/gitlabhq!2675
[master] Group Guests are no longer able to see merge requests
See merge request gitlab/gitlabhq!2694
Group guests will only be shown merge requests for
projects they have an access level to higher than Reporter.
Visible projects will still display the merge requests to Guests.
[master] Fix Imported Project Retains Prior Visibility Setting
See merge request gitlab/gitlabhq!2734
[master] Fix contributed projects info is still visible even user enable private profile
See merge request gitlab/gitlabhq!2743
[master] Don't process MR refs for guests in the notes
See merge request gitlab/gitlabhq!2771
[master] Sanitize user full name to clean up any URL to prevent mail clients from auto-linking URLs
See merge request gitlab/gitlabhq!2793
[master] Alias GitHub and Bitbucket OAuth2 callback URLs
See merge request gitlab/gitlabhq!2840
To prevent an OAuth2 covert redirect vulnerability, this commit adds and
uses an alias for the GitHub and Bitbucket OAuth2 callback URLs to the
following paths:
GitHub: /users/auth/-/import/github
Bitbucket: /users/auth/-/import/bitbucket
This allows admins to put a more restrictive callback URL in the OAuth2
configuration settings. Instead of https://example.com, admins can now use:
https://example.com/users/auth
It's possible but not trivial to change Devise and OmniAuth to use a
different prefix for callback URLs instead of /users/auth. For now,
aliasing the import URLs under the /users/auth namespace should suffice.
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/56663
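The reasoning in the commit message above, as an added example that is not GitLab's or GitHub's code: a provider-side check that the redirect_uri presented in an OAuth2 authorization request lies under the callback URL registered for the application, using path-prefix matching (real providers apply their own matching rules; prefix matching is an assumption here). The constructed "covert redirect" request is an open redirector elsewhere on the same site, which a registration of `https://example.com` admits but a registration of `https://example.com/users/auth` does not.

```ruby
require 'uri'

# Added example, not GitLab's or GitHub's code. Models a provider-side check
# that redirect_uri lies under the registered callback URL (prefix matching is
# an assumption for this example). Shows why registering
# https://example.com/users/auth is safer than registering https://example.com.
module CallbackPrefix
  module_function

  # "/users/auth" and "/users/auth/" compare equally, and "/users/authx" does
  # not satisfy a prefix test against "/users/auth".
  def dir_path(path)
    p = (path.nil? || path.empty?) ? '/' : path
    p.end_with?('/') ? p : "#{p}/"
  end

  # True when redirect_uri is HTTPS, on the same host and port as the registered
  # callback URL, and at that path or beneath it.
  def allowed?(registered, redirect_uri)
    reg = URI.parse(registered)
    req = URI.parse(redirect_uri)
    return false unless req.scheme == 'https' && reg.scheme == 'https'
    return false unless req.host == reg.host && req.port == reg.port
    dir_path(req.path).start_with?(dir_path(reg.path))
  rescue URI::InvalidURIError
    false
  end

  # Constructed request: an open redirector elsewhere on the same site, as used
  # in a covert-redirect attack to bounce the authorization code off-site.
  COVERT = 'https://example.com/some/redirector?to=https://attacker.example/'
  # The alias this commit adds for the GitHub import callback.
  IMPORT = 'https://example.com/users/auth/-/import/github'

  def demo
    {
      broad_allows_covert:      allowed?('https://example.com', COVERT),            # true: too permissive
      restricted_blocks_covert: allowed?('https://example.com/users/auth', COVERT), # false
      restricted_allows_import: allowed?('https://example.com/users/auth', IMPORT), # true
      sibling_path_blocked:     allowed?('https://example.com/users/auth', 'https://example.com/users/authx/cb'), # false
      http_downgrade_blocked:   allowed?('https://example.com/users/auth', 'http://example.com/users/auth/x'),    # false
    }
  end
end
```

The segment-boundary normalisation in `dir_path` is the part that is easy to get wrong: a naive `start_with?` on the raw string would accept `/users/authx/...` for a registered `/users/auth`.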
[master] Use sanitized user status message in user popover
Closes #2786
See merge request gitlab/gitlabhq!2848
[master] Verify that LFS upload requests are genuine
Closes #2767
See merge request gitlab/gitlabhq!2767
LFS uploads are handled in concert by workhorse and rails. In normal
use, workhorse:
* Authorizes the request with rails (upload_authorize)
* Handles the upload of the file to a tempfile - disk or object storage
* Validates the file size and contents
* Hands off to rails to complete the upload (upload_finalize)
In `upload_finalize`, the LFS object is linked to the project. As LFS
objects are deduplicated across all projects, it may already exist. If
not, the temporary file is copied to the correct place, and will be
used by all future LFS objects with the same OID.
Workhorse uses the Content-Type of the request to decide whether to follow
this routine, as the URLs are ambiguous. If the Content-Type is anything but
"application/octet-stream", the request is proxied directly to rails,
on the assumption that this is a normal file edit request. If it's an
actual LFS request with a different content-type, however, it is routed
to the Rails `upload_finalize` action, which treats it as an LFS upload
just as it would a workhorse-modified request.
The outcome is that users can upload LFS objects that don't match the
declared size or OID. They can also create links to LFS objects they
don't really own, allowing them to read the contents of files if they
know just the size or OID.
We can close this hole by requiring requests to `upload_finalize` to be
sourced from Workhorse. The mechanism to do this already exists.
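The mechanism the commit message above refers to, as an added example that is not GitLab's code: Workhorse signs each request it forwards to Rails with an HS256 JWT over a secret shared by the two processes, and Rails refuses to run `upload_finalize` unless that token verifies. The header name `Gitlab-Workhorse-Api-Request`, the issuer claim `gitlab-workhorse` and the secret are assumptions made for this example; the JWT handling is written against the Ruby standard library rather than the `jwt` gem so the block runs stand-alone.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Added example, not GitLab's code. Models the Workhorse -> Rails request
# signature the commit relies on. Header name, issuer claim and secret are
# assumptions made for this example.
module WorkhorseAuth
  HEADER = 'Gitlab-Workhorse-Api-Request'                               # assumed header name
  ISSUER = 'gitlab-workhorse'                                            # assumed issuer claim
  SECRET = OpenSSL::Digest::SHA256.digest('constructed shared secret')  # constructed, not a real key

  module_function

  def b64url(bytes)
    Base64.urlsafe_encode64(bytes, padding: false)
  end

  # Constant-time comparison, so a forged MAC cannot be guessed byte by byte.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # What Workhorse does before proxying: mint a token Rails can check.
  def sign(secret, issuer: ISSUER)
    header  = b64url(JSON.generate({ alg: 'HS256', typ: 'JWT' }))
    payload = b64url(JSON.generate({ iss: issuer }))
    input   = "#{header}.#{payload}"
    "#{input}.#{b64url(OpenSSL::HMAC.digest('SHA256', secret, input))}"
  end

  # What Rails does: accept only a three-part HS256 token whose MAC verifies
  # under the shared secret and whose issuer is Workhorse. Malformed input fails.
  def verify(token, secret)
    parts = token.to_s.split('.')
    return false unless parts.size == 3
    header = JSON.parse(Base64.urlsafe_decode64(parts[0]))
    return false unless header.is_a?(Hash) && header['alg'] == 'HS256'  # no alg=none, no alg confusion
    expected = OpenSSL::HMAC.digest('SHA256', secret, "#{parts[0]}.#{parts[1]}")
    return false unless secure_equal?(Base64.urlsafe_decode64(parts[2]), expected)
    payload = JSON.parse(Base64.urlsafe_decode64(parts[1]))
    payload.is_a?(Hash) && payload['iss'] == ISSUER
  rescue ArgumentError, JSON::ParserError
    false
  end

  # The gate in front of upload_finalize. Content-Type is deliberately not
  # consulted: all that matters is whether the request provably came through
  # Workhorse, which is what the ambiguous-URL trick in the commit bypassed.
  def route_lfs_upload(headers, secret)
    token = headers[HEADER]
    return :reject_forbidden unless token && verify(token, secret)
    :upload_finalize
  end
end
```

A request with `Content-Type: text/plain` and no signed header, which previously reached `upload_finalize` through the Rails proxy path, now gets `:reject_forbidden`; a token minted under a different secret, a tampered payload, or an `alg: none` token fail the same way.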
|
| | |\ \ \ \ \ \ \ \ \
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | | |
[master] Send notification only to authorized users when moving a project
Closes #2777
See merge request gitlab/gitlabhq!2791
When moving a project, it's possible that some users who had
access to the project in the old path cannot access the project
in the new path.
Because `project_authorizations` records are updated asynchronously,
when we send the notification about the moved project the list of project
team members still contains old project members; we want to notify all these
members except the old users who cannot access the new location.
|
| | |\ \ \ \ \ \ \ \ \
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | |
| | | | | | | | | | | | |
[master] User email is visible in hook logs if they trigger tag push events
Closes #2775
See merge request gitlab/gitlabhq!2789
Fixes #54721
Extract pages with rubyzip
See merge request gitlab/gitlabhq!2758
RubyZip allows us to perform strong validation of
expanded paths where we extract files.
We introduce the following additional checks
to extract routines:
1. None of the path components can be symlinked,
2. We drop privileges support for directories,
3. Symlink source needs to point within the target directory,
like `public/`,
4. The symlink source needs to exist ahead of time.
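The four checks listed above, as an added example that is not GitLab's extraction code: each check is implemented against a real directory tree built in a temporary directory with real symlinks, so every rejection is exercised rather than described. The `Entry` struct, the entry names and the `public/` layout are constructed for the example; the real code operates on RubyZip entries instead.

```ruby
require 'tmpdir'
require 'fileutils'
require 'pathname'

# Added example, not GitLab's extraction code. Implements the four checks from
# the commit against a real tmpdir. Entry struct, names and layout are constructed.
module SafeExtract
  Entry = Struct.new(:name, :type, :data, :link_target, :mode, keyword_init: true)

  module_function

  # Lexical containment: +path+ is +root+ itself or lies beneath it.
  def within?(root, path)
    abs = File.expand_path(path, root)
    abs == root || abs.start_with?(root + File::SEPARATOR)
  end

  # Check 1: no existing component of the entry path may be a symlink, or an
  # earlier entry could redirect this write (a zip-slip variant).
  def symlinked_component?(root, rel)
    Pathname.new(rel).each_filename.inject(Pathname.new(root)) do |dir, part|
      step = dir.join(part)
      return true if File.symlink?(step)
      step
    end
    false
  end

  # Writes one entry under +target+, or returns the symbol of the check it failed.
  def extract_entry(target, entry)
    root = File.realpath(target)
    dest = File.expand_path(entry.name, root)
    return :outside_target      unless within?(root, dest)
    return :symlinked_component if symlinked_component?(root, entry.name)

    case entry.type
    when :dir
      FileUtils.mkdir_p(dest)   # check 2: entry.mode is deliberately ignored for directories
    when :file
      FileUtils.mkdir_p(File.dirname(dest))
      File.write(dest, entry.data.to_s)
    when :symlink
      link_dest = File.expand_path(entry.link_target, File.dirname(dest))
      return :symlink_outside_target unless within?(root, link_dest)  # check 3
      return :symlink_source_missing unless File.exist?(link_dest)    # check 4
      FileUtils.mkdir_p(File.dirname(dest))
      File.symlink(entry.link_target, dest)
    else
      return :unsupported_type
    end
    :ok
  end

  # Constructed archive listing: a legitimate site plus one probe per check.
  # Returns a Hash of entry name => result, in extraction order.
  def demo
    Dir.mktmpdir do |root|
      entries = [
        Entry.new(name: 'public/',           type: :dir, mode: 0o2777),
        Entry.new(name: 'public/assets/',    type: :dir),
        Entry.new(name: 'public/index.html', type: :file, data: '<h1>hi</h1>'),
        Entry.new(name: '../escape.txt',     type: :file, data: 'x'),                           # traversal in the name
        Entry.new(name: 'public/passwd',     type: :symlink, link_target: '/etc/passwd'),       # check 3
        Entry.new(name: 'public/later',      type: :symlink, link_target: 'not-yet-extracted'), # check 4
        Entry.new(name: 'public/alias',      type: :symlink, link_target: 'assets'),            # allowed
        Entry.new(name: 'public/alias/evil', type: :file, data: 'x'),                           # check 1
      ]
      entries.map { |e| [e.name, extract_entry(root, e)] }.to_h
    end
  end
end
```

Order matters in `demo`: `public/alias` is a legitimate in-target symlink when it is created, and it is the later `public/alias/evil` entry that check 1 stops, because writing through an already-extracted link is how an archive escapes its target. The checks are lexical and the tree can still change between check and write, so production code should also keep the target directory private to the extracting process.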
|
| | |\ \ \ \ \ \ \ \ \ \
| | | | | | | | | | | | |
| | | | | | | | | | | | |
| | | | | | | | | | | | |
| | | | | | | | | | | | | |
[master] Stop showing ci for guest users on private pipeline
See merge request gitlab/gitlabhq!2830
When a user is a guest user, and the "Public Pipeline" is set to false
inside of "Settings > CI/CD > General" the commit status in the project
dashboard should not be shown.
[master] LFS object forgery in project import
Closes #2784
See merge request gitlab/gitlabhq!2719
[master] Do not expose trigger token when user should not see it
See merge request gitlab/gitlabhq!2735
[master] Fix DoS in reference extraction regexes
Closes #2766
See merge request gitlab/gitlabhq!2768
into 'master'
[master] Fix access to internal wiki when external wiki is enabled
Closes #2783
See merge request gitlab/gitlabhq!2769