path: root/spec
Commit message                                                                                      Author                  Age         Files  Lines
* [master] Pipelines section is available to unauthorized users                                     Kamil Trzciński         2019-01-28  15     -53/+223
* Merge branch 'fix/security-group-user-removal' into 'master'                                      Yorick Peterse          2019-01-25  3      -7/+59
|\
| * Add subresources removal to member destroy service                                              James Lopez             2019-01-25  3      -7/+59
* | Merge branch 'security-import-path-logging' into 'master'                                       Yorick Peterse          2019-01-25  4      -3/+51
|\ \
| * | Fix path disclosure on Project Import                                                         James Lopez             2019-01-07  4      -3/+51
* | | Merge branch 'security-guests-can-see-list-of-merge-requests' into 'master'                   Yorick Peterse          2019-01-25  3      -9/+110
|\ \ \
| * | | Group Guests are no longer able to see merge requests                                       Tiago Botelho           2019-01-21  3      -9/+110
* | | | Merge branch 'security-import-project-visibility' into 'master'                             Yorick Peterse          2019-01-25  2      -1/+146
|\ \ \ \
| * | | | Fix tree restorer visibility level                                                        James Lopez             2019-01-24  2      -1/+146
* | | | | Merge branch 'security-contributed-projects' into 'master'                                Yorick Peterse          2019-01-25  2      -0/+44
|\ \ \ \ \
| * | | | | Fix contributed projects finder shown private info                                      James Lopez             2019-01-08  2      -0/+44
* | | | | | Merge branch 'security-do-not-process-mr-ref-for-guests' into 'master'                  Yorick Peterse          2019-01-25  1      -1/+11
|\ \ \ \ \ \
| * | | | | | Don't process MR refs for guests in the notes                                         Oswaldo Ferreira        2019-01-10  1      -1/+11
* | | | | | | Merge branch 'security-22076-sanitize-url-in-names' into 'master'                     Yorick Peterse          2019-01-25  2      -3/+19
|\ \ \ \ \ \ \
| * | | | | | | Use `sanitize_name` to sanitize URL in user full name                               Kushal Pandya           2019-01-22  1      -3/+5
| * | | | | | | Add `sanitize_name` helper to sanitize URLs in user full name                       Kushal Pandya           2019-01-22  1      -0/+14
* | | | | | | | Merge branch 'sh-fix-import-redirect-vulnerability' into 'master'                   Yorick Peterse          2019-01-25  2      -3/+16
|\ \ \ \ \ \ \ \
| * | | | | | | | Alias GitHub and BitBucket OAuth2 callback URLs                                   Stan Hu                 2019-01-22  2      -3/+16
* | | | | | | | | [master] Check access rights when creating/updating ProtectedRefs                 Francisco Javier López  2019-01-25  1      -15/+8
* | | | | | | | | Merge branch 'security-55320-stored-xss-in-user-status' into 'master'             Tim Zallmann            2019-01-25  1      -3/+3
|\ \ \ \ \ \ \ \ \
| |_|_|_|_|_|_|_|/
|/| | | | | | | |
| * | | | | | | | Use sanitized user status message for user popover                                Dennis Tang             2019-01-23  1      -3/+3
| |/ / / / / / /
* | | | | | | | Merge branch 'security-2767-verify-lfs-finalize-from-workhorse' into 'master'       Yorick Peterse          2019-01-24  1      -5/+18
|\ \ \ \ \ \ \ \
| * | | | | | | | Verify that LFS upload requests are genuine                                       Nick Thomas             2019-01-22  1      -5/+18
| |/ / / / / / /
* | | | | | | | Merge branch 'security-project-move-users' into 'master'                            Yorick Peterse          2019-01-24  2      -6/+38
|\ \ \ \ \ \ \ \
| * | | | | | | | Sent notification only to authorized users                                        Jan Provaznik           2019-01-23  2      -6/+38
| |/ / / / / / /
* | | | | | | | Merge branch 'security-fix-user-email-tag-push-leak' into 'master'                  Yorick Peterse          2019-01-24  1      -2/+2
|\ \ \ \ \ \ \ \
| * | | | | | | | Fix private user email being visible in tag webhooks                              Luke Duncalfe           2019-01-18  1      -2/+2
| * | | | | | | | Prefer build() rather than create()                                               Luke Duncalfe           2019-01-15  1      -1/+1
| | |/ / / / / /
| |/| | | | | |
* | | | | | | | [master] Resolve "[Security] Stored XSS via KaTeX"                                  Constance Okoghenun     2019-01-24  1      -1/+17
* | | | | | | | Merge branch 'extract-pages-with-rubyzip' into 'master'                             Yorick Peterse          2019-01-24  10     -9/+356
|\ \ \ \ \ \ \ \
| * | | | | | | | Extract GitLab Pages using RubyZip                                                Kamil Trzciński         2019-01-22  10     -9/+356
* | | | | | | | | Merge branch 'security-commit-status-shown-for-guest-user' into 'master'          Yorick Peterse          2019-01-24  1      -0/+21
|\ \ \ \ \ \ \ \ \
| * | | | | | | | | Stop showing ci for guest users                                                 Steve Azzopardi         2019-01-23  1      -0/+21
| | |_|_|_|_|/ / /
| |/| | | | | | |
* | | | | | | | | Merge branch 'security-fix-lfs-import-project-ssrf-forgery' into 'master'         Yorick Peterse          2019-01-24  6      -53/+240
|\ \ \ \ \ \ \ \ \
| * | | | | | | | | Added validations to prevent LFS object forgery                                 Francisco Javier López  2019-01-21  6      -53/+240
| | |_|_|_|_|/ / /
| |/| | | | | | |
* | | | | | | | | Merge branch 'security-pipeline-trigger-tokens-exposure' into 'master'            Yorick Peterse          2019-01-24  2      -5/+60
|\ \ \ \ \ \ \ \ \
| * | | | | | | | | Fix subject in trigger presenter tests                                          Grzegorz Bizon          2019-01-15  1      -1/+1
| * | | | | | | | | Add some specs for trigger presenter                                            Grzegorz Bizon          2019-01-15  1      -0/+51
| * | | | | | | | | Do not expose trigger token when user should not see it                         Grzegorz Bizon          2019-01-15  1      -5/+9
| | |_|_|/ / / / /
| |/| | | | | | |
* | | | | | | | | Merge branch 'security-fix-regex-dos' into 'master'                               Yorick Peterse          2019-01-24  1      -0/+6
|\ \ \ \ \ \ \ \ \
| * | | | | | | | | Fix slow project reference pattern regex                                        Heinrich Lee Yu         2019-01-11  1      -0/+6
| | |_|_|_|_|/ / /
| |/| | | | | | |
* | | | | | | | | Merge branch 'security-fix-wiki-access-rights-with-external-wiki-enabled' int...  Yorick Peterse          2019-01-24  5      -28/+92
|\ \ \ \ \ \ \ \ \
| * | | | | | | | | Fixed bug when external wiki is enabled                                         Francisco Javier López  2019-01-18  5      -28/+92
| | |_|/ / / / / /
| |/| | | | | | |
* | | | | | | | | Merge branch 'security-2769-idn-homograph-attack' into 'master'                   Yorick Peterse          2019-01-24  4      -0/+133
|\ \ \ \ \ \ \ \ \
| * | | | | | | | | Show tooltip for malicious looking links                                        Brett Walker            2019-01-21  4      -0/+133
| | |_|_|_|_|_|/ /
| |/| | | | | | |
* | | | | | | | | Merge branch 'security-fix-new-issues-login-message' into 'master'                Yorick Peterse          2019-01-24  1      -1/+1
|\ \ \ \ \ \ \ \ \
| * | | | | | | | | Use common error for unauthenticated users                                      Heinrich Lee Yu         2019-01-14  1      -1/+1
| | |_|_|/ / / / /
| |/| | | | | | |
* | | | | | | | | Merge branch 'security-2776-fix-add-reaction-permissions' into 'master'           Yorick Peterse          2019-01-24  1      -0/+2
|\ \ \ \ \ \ \ \ \
| * | | | | | | | | Prevent award_emoji to notes not visible to user                                Heinrich Lee Yu         2019-01-15  1      -0/+2
| |/ / / / / / / /
* | | | | | | | | Merge branch 'security-2779-fix-email-comment-permissions-check' into 'master'    Yorick Peterse          2019-01-24  6      -22/+79
|\ \ \ \ \ \ \ \ \