path: root/spec
Commit message | Author | Age | Files, lines
* Merge branch 'cluster_application_version_updated' into 'master' | Grzegorz Bizon | 2019-02-06 | 8 files, -104/+56
    Update version column on updated and installed
    See merge request gitlab-org/gitlab-ce!24810
  * Refactor specs to run shared parts only when used | Thong Kuah | 2019-02-07 | 7 files, -24/+34
      All applications except for Jupyter have the same #set_initial_status, so create a new shared example which we include in all application specs except for jupyter_spec. Jupyter specs already have specs for its version of #set_initial_status.
  * Update version on :installed, not :installing | Thong Kuah | 2019-02-07 | 7 files, -84/+16
      This makes this consistent with :updated. It also avoids a potential issue where an install errors, which means that the recorded version won't necessarily reflect the version that is actually installed.
  * Update version column after application is updated | Thong Kuah | 2019-02-06 | 1 file, -0/+10
      Note: updating the version column after :updating is not ideal in the updating -> update_errored case. This will mean that the application now records the version as the version that failed to upgrade, not the version that it is currently on.
* Merge dev.gitlab.org master into GitLab.com master | Yorick Peterse | 2019-02-06 | 1 file, -0/+25
  * Merge branch 'security-makrdown-release-description-vulnerability' into 'master' | Yorick Peterse | 2019-02-06 | 1 file, -0/+25
      [master] Markdown of release notes leaks confidential issue titles and MR titles to any users
      See merge request gitlab/gitlabhq!2869
    * Fix Markdown of release notes | Shinya Maeda | 2019-01-30 | 1 file, -0/+25
        It was leaking confidential issue titles and MR titles to any users
        Fix spec
        Fix spec
        Fix tests
    * Merge branch '56860-fix-spec-race-condition-upside-the-head' into 'master' | Douglas Barbosa Alexandre | 2019-01-28 | 1 file, -0/+3
        Fix a JS race in a spec
        Closes #56860
        See merge request gitlab-org/gitlab-ce!24684
    * [master] Pipelines section is available to unauthorized users | Kamil Trzciński | 2019-01-28 | 15 files, -53/+223
    * Merge branch 'fix/security-group-user-removal' into 'master' | Yorick Peterse | 2019-01-25 | 3 files, -7/+59
        [master] Resolve "Removing a user from a private group doesn't remove them from group's project, if their project's role was changed"
        See merge request gitlab/gitlabhq!2629
      * Add subresources removal to member destroy service | James Lopez | 2019-01-25 | 3 files, -7/+59
    * Merge branch 'security-import-path-logging' into 'master' | Yorick Peterse | 2019-01-25 | 4 files, -3/+51
        [master] Fix error disclosure on Project Import
        See merge request gitlab/gitlabhq!2675
      * Fix path disclosure on Project Import | James Lopez | 2019-01-07 | 4 files, -3/+51
    * Merge branch 'security-guests-can-see-list-of-merge-requests' into 'master' | Yorick Peterse | 2019-01-25 | 3 files, -9/+110
        [master] Group Guests are no longer able to see merge requests
        See merge request gitlab/gitlabhq!2694
      * Group Guests are no longer able to see merge requests | Tiago Botelho | 2019-01-21 | 3 files, -9/+110
          Group guests will only be displayed merge requests to projects they have an access level to, higher than Reporter. Visible projects will still display the merge requests to Guests.
    * Merge branch 'security-import-project-visibility' into 'master' | Yorick Peterse | 2019-01-25 | 2 files, -1/+146
        [master] Fix Imported Project Retains Prior Visibility Setting
        See merge request gitlab/gitlabhq!2734
      * Fix tree restorer visibility level | James Lopez | 2019-01-24 | 2 files, -1/+146
    * Merge branch 'security-contributed-projects' into 'master' | Yorick Peterse | 2019-01-25 | 2 files, -0/+44
        [master] Fix contributed projects info is still visible even when user enables private profile
        See merge request gitlab/gitlabhq!2743
      * Fix contributed projects finder shown private info | James Lopez | 2019-01-08 | 2 files, -0/+44
    * Merge branch 'security-do-not-process-mr-ref-for-guests' into 'master' | Yorick Peterse | 2019-01-25 | 1 file, -1/+11
        [master] Don't process MR refs for guests in the notes
        See merge request gitlab/gitlabhq!2771
      * Don't process MR refs for guests in the notes | Oswaldo Ferreira | 2019-01-10 | 1 file, -1/+11
    * Merge branch 'security-22076-sanitize-url-in-names' into 'master' | Yorick Peterse | 2019-01-25 | 2 files, -3/+19
        [master] Sanitize user full name to clean up any URL to prevent mail clients from auto-linking URLs
        See merge request gitlab/gitlabhq!2793
      * Use `sanitize_name` to sanitize URL in user full name | Kushal Pandya | 2019-01-22 | 1 file, -3/+5
      * Add `sanitize_name` helper to sanitize URLs in user full name | Kushal Pandya | 2019-01-22 | 1 file, -0/+14
    * Merge branch 'sh-fix-import-redirect-vulnerability' into 'master' | Yorick Peterse | 2019-01-25 | 2 files, -3/+16
        [master] Alias GitHub and Bitbucket OAuth2 callback URLs
        See merge request gitlab/gitlabhq!2840
      * Alias GitHub and BitBucket OAuth2 callback URLs | Stan Hu | 2019-01-22 | 2 files, -3/+16
          To prevent an OAuth2 covert redirect vulnerability, this commit adds and uses an alias for the GitHub and BitBucket OAuth2 callback URLs to the following paths:

          GitHub: /users/auth/-/import/github
          Bitbucket: /users/auth/-/import/bitbucket

          This allows admins to put a more restrictive callback URL in the OAuth2 configuration settings. Instead of https://example.com, admins can now use:

          https://example.com/users/auth

          It's possible but not trivial to change Devise and OmniAuth to use a different prefix for callback URLs instead of /users/auth. For now, aliasing the import URLs under the /users/auth namespace should suffice.

          Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/56663
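An added example, not GitLab's code, of the provider-side rule the commit message above relies on. It assumes that GitHub and Bitbucket accept a redirect_uri that lies under the callback URL registered for the OAuth application (a simplification of their actual matching), uses the two aliased import paths from the message plus Devise's default /users/auth/:provider/callback shape, and shows why the registered prefix https://example.com/users/auth confines the redirect while a bare https://example.com does not. The segment-boundary comparison is the detail a naive `start_with?` gets wrong.

```ruby
require 'uri'

# Added example, not GitLab's code. Models the provider-side check the commit
# message leans on: a redirect_uri is accepted when it falls under the callback
# URL registered for the OAuth app. With a bare origin registered, a login can
# be bounced to any path on the host (the covert-redirect shape); with the
# /users/auth prefix registered, only the Devise/OmniAuth namespace qualifies.
# Assumptions: the matcher below simplifies the real providers' rules; the
# import paths come from the commit message, the /users/auth/:provider/callback
# shape is Devise's default.
module CallbackPolicy
  # Paths that must keep working once the admin registers the tighter prefix.
  CALLBACKS = {
    'omniauth github'  => '/users/auth/github/callback',
    'import github'    => '/users/auth/-/import/github',
    'import bitbucket' => '/users/auth/-/import/bitbucket'
  }.freeze

  # True when redirect_uri shares scheme, host and port with the registered
  # callback URL and its path lies under the registered path on a segment
  # boundary, so /users/authx does not satisfy /users/auth.
  def self.redirect_allowed?(registered, redirect_uri)
    reg = URI.parse(registered)
    req = URI.parse(redirect_uri)
    return false unless reg.scheme == req.scheme && reg.host == req.host && reg.port == req.port

    prefix = reg.path.chomp('/')
    return true if prefix.empty? # bare origin registered: anything on the host passes
    req.path == prefix || req.path.start_with?("#{prefix}/")
  rescue URI::InvalidURIError
    false
  end

  # Constructed redirect_uri values, not taken from a real incident.
  def self.demo
    loose  = 'https://example.com'
    strict = 'https://example.com/users/auth'
    bounce = 'https://example.com/anything/at/all?next=https://evil.example'
    {
      loose_allows_any_path:          redirect_allowed?(loose, bounce),
      strict_blocks_that_path:        !redirect_allowed?(strict, bounce),
      strict_keeps_callbacks:         CALLBACKS.values.all? { |p| redirect_allowed?(strict, "https://example.com#{p}") },
      strict_blocks_lookalike:        !redirect_allowed?(strict, 'https://example.com/users/authx/callback'),
      strict_blocks_other_host:       !redirect_allowed?(strict, 'https://evil.example/users/auth/github/callback'),
      strict_blocks_scheme_downgrade: !redirect_allowed?(strict, 'http://example.com/users/auth/github/callback')
    }
  end
end

puts CallbackPolicy.demo.inspect if $PROGRAM_NAME == __FILE__
```

Every key in `demo` should come back true: the loose registration lets the bounce through, the strict one blocks it, and all three legitimate callback paths still pass because they live under /users/auth.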
    * [master] Check access rights when creating/updating ProtectedRefs | Francisco Javier López | 2019-01-25 | 1 file, -15/+8
    * Merge branch 'security-55320-stored-xss-in-user-status' into 'master' | Tim Zallmann | 2019-01-25 | 1 file, -3/+3
        [master] Use sanitized user status message in user popover
        Closes #2786
        See merge request gitlab/gitlabhq!2848
      * Use sanitized user status message for user popover | Dennis Tang | 2019-01-23 | 1 file, -3/+3
    * Merge branch 'security-2767-verify-lfs-finalize-from-workhorse' into 'master' | Yorick Peterse | 2019-01-24 | 1 file, -5/+18
        [master] Verify that LFS upload requests are genuine
        Closes #2767
        See merge request gitlab/gitlabhq!2767
      * Verify that LFS upload requests are genuine | Nick Thomas | 2019-01-22 | 1 file, -5/+18
          LFS uploads are handled in concert by workhorse and rails. In normal use, workhorse:

          * Authorizes the request with rails (upload_authorize)
          * Handles the upload of the file to a tempfile - disk or object storage
          * Validates the file size and contents
          * Hands off to rails to complete the upload (upload_finalize)

          In `upload_finalize`, the LFS object is linked to the project. As LFS objects are deduplicated across all projects, it may already exist. If not, the temporary file is copied to the correct place, and will be used by all future LFS objects with the same OID.

          Workhorse uses the Content-Type of the request to decide to follow this routine, as the URLs are ambiguous. If the Content-Type is anything but "application/octet-stream", the request is proxied directly to rails, on the assumption that this is a normal file edit request. If it's an actual LFS request with a different content-type, however, it is routed to the Rails `upload_finalize` action, which treats it as an LFS upload just as it would a workhorse-modified request.

          The outcome is that users can upload LFS objects that don't match the declared size or OID. They can also create links to LFS objects they don't really own, allowing them to read the contents of files if they know just the size or OID.

          We can close this hole by requiring requests to `upload_finalize` to be sourced from Workhorse. The mechanism to do this already exists.
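An added example, not GitLab's code, of the gate the commit message above says closes the hole: `upload_finalize` proceeds only when the request demonstrably came through Workhorse, and the Content-Type no longer influences that decision. It assumes, from memory of GitLab's design and not from anything on this page, that Workhorse signs each proxied request with an HS256 JWT whose issuer is gitlab-workhorse, carried in a Gitlab-Workhorse header, and that Rails holds the same shared secret. The JWT encode and verify routines are hand-rolled with OpenSSL so the snippet runs without the jwt gem; the secret is generated in-process for the demonstration.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Added example, not GitLab's code. Assumption (from memory of GitLab's design):
# Workhorse puts an HS256 JWT with iss "gitlab-workhorse" in the
# Gitlab-Workhorse header, signed with a secret shared with Rails, and Rails
# refuses upload_finalize unless that token verifies.
module WorkhorseGuard
  class Rejected < StandardError; end

  ISSUER = 'gitlab-workhorse'
  SECRET = OpenSSL::Random.random_bytes(32) # stands in for the shared secret file

  def self.b64(bytes)
    Base64.urlsafe_encode64(bytes, padding: false)
  end

  # Workhorse side: sign the claims with the shared secret before proxying.
  def self.sign(claims, secret = SECRET)
    header  = b64(JSON.generate({ 'alg' => 'HS256', 'typ' => 'JWT' }))
    payload = b64(JSON.generate(claims))
    mac     = OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{payload}")
    "#{header}.#{payload}.#{b64(mac)}"
  end

  # Constant-time byte comparison; a plain == would leak how many leading
  # signature bytes a forgery got right.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Rails side: accept the token only if alg, signature and issuer all check out.
  def self.verify(token, secret = SECRET)
    header, payload, sig = token.to_s.split('.', 3)
    raise Rejected, 'malformed token' if sig.nil? || header.empty? || payload.empty?

    hdr = JSON.parse(Base64.urlsafe_decode64(header))
    # Pin the algorithm: a token claiming alg "none" or an asymmetric alg is refused.
    raise Rejected, 'unexpected alg' unless hdr.is_a?(Hash) && hdr['alg'] == 'HS256'

    expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{payload}")
    raise Rejected, 'bad signature' unless secure_equal?(expected, Base64.urlsafe_decode64(sig))

    claims = JSON.parse(Base64.urlsafe_decode64(payload))
    raise Rejected, 'wrong issuer' unless claims.is_a?(Hash) && claims['iss'] == ISSUER
    claims
  rescue JSON::ParserError, ArgumentError
    raise Rejected, 'undecodable token'
  end

  # The gate in front of upload_finalize. Before the fix a client could reach the
  # LFS code path by choosing a Content-Type; now only the Workhorse token counts.
  def self.finalize_allowed?(headers)
    verify(headers['Gitlab-Workhorse'])
    true
  rescue Rejected
    false
  end

  # Constructed requests: one genuine, the rest forged or missing the token.
  def self.demo
    genuine = sign({ 'iss' => ISSUER })
    {
      genuine_accepted:     finalize_allowed?('Gitlab-Workhorse' => genuine, 'Content-Type' => 'application/octet-stream'),
      octet_stream_alone:   !finalize_allowed?('Content-Type' => 'application/octet-stream'),
      wrong_secret:         !finalize_allowed?('Gitlab-Workhorse' => sign({ 'iss' => ISSUER }, 'not-the-shared-secret')),
      wrong_issuer:         !finalize_allowed?('Gitlab-Workhorse' => sign({ 'iss' => 'attacker' })),
      garbage_header:       !finalize_allowed?('Gitlab-Workhorse' => 'garbage')
    }
  end
end

puts WorkhorseGuard.demo.inspect if $PROGRAM_NAME == __FILE__
```

The decisive property is the one the message describes: a request that merely looks like an LFS upload (octet-stream body, correct URL) is rejected unless it carries a token only Workhorse could have minted, so the "upload without size/OID validation" and "link an object you do not own" paths are both closed at the same check.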
    * Merge branch 'security-project-move-users' into 'master' | Yorick Peterse | 2019-01-24 | 2 files, -6/+38
        [master] Send notification only to authorized users when moving a project
        Closes #2777
        See merge request gitlab/gitlabhq!2791
      * Sent notification only to authorized users | Jan Provaznik | 2019-01-23 | 2 files, -6/+38
          When moving a project, it's possible that some users who had access to the project in the old path cannot access the project in the new path. Because `project_authorizations` records are updated asynchronously, when we send the notification about the moved project the list of project team members contains old project members; we want to notify all these members except the old users who cannot access the new location.
    * Merge branch 'security-fix-user-email-tag-push-leak' into 'master' | Yorick Peterse | 2019-01-24 | 1 file, -2/+2
        [master] User email is visible in hook logs if they trigger tag push events
        Closes #2775
        See merge request gitlab/gitlabhq!2789
      * Fix private user email being visible in tag webhooks | Luke Duncalfe | 2019-01-18 | 1 file, -2/+2
          Fixes #54721
      * Prefer build() rather than create() | Luke Duncalfe | 2019-01-15 | 1 file, -1/+1
    * [master] Resolve "[Security] Stored XSS via KaTeX" | Constance Okoghenun | 2019-01-24 | 1 file, -1/+17
    * Merge branch 'extract-pages-with-rubyzip' into 'master' | Yorick Peterse | 2019-01-24 | 10 files, -9/+356
        Extract pages with rubyzip
        See merge request gitlab/gitlabhq!2758
      * Extract GitLab Pages using RubyZip | Kamil Trzciński | 2019-01-22 | 10 files, -9/+356
          RubyZip allows us to perform strong validation of expanded paths where we extract files. We introduce the following additional checks to extract routines:

          1. None of the path components can be symlinked,
          2. We drop privileges support for directories,
          3. Symlink source needs to point within the target directory, like `public/`,
          4. The symlink source needs to exist ahead of time.
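An added example, not GitLab's code, that implements the four checks listed above as they would apply when extracting an archive into a Pages `public/` directory. Zip entries are modelled as plain hashes with `name`, `type`, `data` and `link` keys (the project's own code would inspect rubyzip's Zip::Entry objects; that is an assumption, and the gem is not required here). Check 2 is read as "do not apply the permission bits stored in the archive to directories". The `demo` method builds constructed entries in a temporary directory, including a pre-existing symlink that points outside the target, to show why check 1 is needed even after the usual prefix test on the expanded path.

```ruby
require 'fileutils'
require 'tmpdir'
require 'pathname'

# Added example, not GitLab's code. Entries are plain hashes so this runs
# without the `zip` gem (assumption: the real code works on Zip::Entry objects).
class UnsafeZipEntry < StandardError; end

module SafeExtract
  # Resolve `name` under `target` and refuse it if it escapes the target or if
  # any already-existing component on the way is a symlink (check 1).
  # File.expand_path does not follow symlinks, so the prefix test alone would
  # let `link_to_outside/owned` be written outside `target`.
  def self.resolved_path(target, name)
    target = File.expand_path(target)
    full   = File.expand_path(name, target)
    unless full == target || full.start_with?(target + File::SEPARATOR)
      raise UnsafeZipEntry, "#{name} escapes #{target}"
    end

    current = Pathname.new(target)
    Pathname.new(full).relative_path_from(Pathname.new(target)).each_filename do |part|
      next if part == '.'
      current += part
      raise UnsafeZipEntry, "#{current} is a symlink" if File.symlink?(current)
    end
    full
  end

  # entry: { name:, type: :directory | :file | :symlink, data:, link: }
  def self.extract_entry(target, entry)
    dest = resolved_path(target, entry[:name])
    case entry[:type]
    when :directory
      # Check 2: permission bits stored in the archive are ignored; the directory
      # gets the process default, never a setuid/setgid or world-writable mode.
      FileUtils.mkdir_p(dest)
    when :file
      FileUtils.mkdir_p(File.dirname(dest))
      File.write(dest, entry[:data])
    when :symlink
      link = File.expand_path(entry[:link], File.dirname(dest))
      resolved_path(target, link)                                                  # check 3: stays inside target
      raise UnsafeZipEntry, "dangling link #{entry[:name]}" unless File.exist?(link) # check 4: must already exist
      File.symlink(link, dest)
    else
      raise UnsafeZipEntry, "unsupported entry type #{entry[:type]}"
    end
    dest
  end

  def self.rejected?(target, entry)
    extract_entry(target, entry)
    false
  rescue UnsafeZipEntry
    true
  end

  # Exercises each check against a temporary `public/` directory with
  # constructed entries (not taken from a real Pages artifact).
  def self.demo
    Dir.mktmpdir do |tmp|
      root   = File.realpath(tmp)
      target = File.join(root, 'public')
      FileUtils.mkdir_p(target)
      File.symlink(root, File.join(target, 'escape')) # pre-existing symlink pointing outside target

      {
        file_ok:                      File.read(extract_entry(target, name: 'index.html', type: :file, data: 'hi')) == 'hi',
        traversal_rejected:           rejected?(target, name: '../etc/passwd', type: :file, data: ''),
        symlinked_component_rejected: rejected?(target, name: 'escape/owned', type: :file, data: ''),
        link_outside_rejected:        rejected?(target, name: 'leak', type: :symlink, link: '/etc/passwd'),
        dangling_link_rejected:       rejected?(target, name: 'dangling', type: :symlink, link: 'missing.html'),
        link_inside_ok:               File.symlink?(extract_entry(target, name: 'home', type: :symlink, link: 'index.html'))
      }
    end
  end
end

puts SafeExtract.demo.inspect if $PROGRAM_NAME == __FILE__
```

The `symlinked_component_rejected` case is the one the prefix test misses: `public/escape/owned` expands to a path that starts with the target, yet writing it would follow `escape` and land in the parent directory. Check 4 (the link target must exist first) also removes the ordering trick of creating a link to a path that a later entry fills in with content from outside the archive.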
    * Merge branch 'security-commit-status-shown-for-guest-user' into 'master' | Yorick Peterse | 2019-01-24 | 1 file, -0/+21
        [master] Stop showing ci for guest users on private pipeline
        See merge request gitlab/gitlabhq!2830
      * Stop showing ci for guest users | Steve Azzopardi | 2019-01-23 | 1 file, -0/+21
          When a user is a guest user, and the "Public Pipeline" is set to false inside of "Settings > CI/CD > General", the commit status in the project dashboard should not be shown.
    * Merge branch 'security-fix-lfs-import-project-ssrf-forgery' into 'master' | Yorick Peterse | 2019-01-24 | 6 files, -53/+240
        [master] LFS object forgery in project import
        Closes #2784
        See merge request gitlab/gitlabhq!2719
      * Added validations to prevent LFS object forgery | Francisco Javier López | 2019-01-21 | 6 files, -53/+240
    * Merge branch 'security-pipeline-trigger-tokens-exposure' into 'master' | Yorick Peterse | 2019-01-24 | 2 files, -5/+60
        [master] Do not expose trigger token when user should not see it
        See merge request gitlab/gitlabhq!2735
      * Fix subject in trigger presenter tests | Grzegorz Bizon | 2019-01-15 | 1 file, -1/+1
      * Add some specs for trigger presenter | Grzegorz Bizon | 2019-01-15 | 1 file, -0/+51
      * Do not expose trigger token when user should not see it | Grzegorz Bizon | 2019-01-15 | 1 file, -5/+9
    * Merge branch 'security-fix-regex-dos' into 'master' | Yorick Peterse | 2019-01-24 | 1 file, -0/+6
        [master] Fix DoS in reference extraction regexes
        Closes #2766
        See merge request gitlab/gitlabhq!2768
      * Fix slow project reference pattern regex | Heinrich Lee Yu | 2019-01-11 | 1 file, -0/+6
    * Merge branch 'security-fix-wiki-access-rights-with-external-wiki-enabled' into 'master' | Yorick Peterse | 2019-01-24 | 5 files, -28/+92
        [master] Fix access to internal wiki when external wiki is enabled
        Closes #2783
        See merge request gitlab/gitlabhq!2769