Commits · 70911c7c43f5bc804156c701b3a4ba9b992548b3 · Boxiang Sun / gitlab-ce

26 Nov, 2019 4 commits
- Merge branch 'security-28802-respect-fork-parent-visibility-12-5' into '12-5-stable' · 70911c7c
  GitLab Release Tools Bot authored Nov 26, 2019
```
Check permissions before showing a forked project's source

See merge request gitlab/gitlabhq!3555
```
  70911c7c
- Merge branch 'security-exclude_ids_attribute_cleaning-12-5-ce' into '12-5-stable' · 1c029e63
  GitLab Release Tools Bot authored Nov 26, 2019
```
Ensure attributes that end in `_ids` are cleaned

See merge request gitlab/gitlabhq!3558
```
  1c029e63
- Spec to ensure `_ids` are cleaned by ImportExport::AttributeCleaner · 518835f7
  Imre Farkas authored Nov 26, 2019
  
  518835f7
- Ensure attributes that end in `_ids` are cleaned · 70f684b5
  DJ Mountney authored Nov 25, 2019
```
This prevents an issue where you can steal other projects objects by
asking for ids that don't belong to you in import.
```
  70f684b5
25 Nov, 2019 1 commit
- Check permissions before showing a forked project's source · 644d125b
  Nick Thomas authored Nov 19, 2019
  
  644d125b
22 Nov, 2019 4 commits
- Add latest changes from gitlab-org/gitlab@12-5-stable-ee · 4c442bdd
  GitLab Bot authored Nov 22, 2019
  
  4c442bdd
- Update VERSION to 12.5.0 · 1f0ab897
  GitLab Release Tools Bot authored Nov 22, 2019
  
  1f0ab897
- Update CHANGELOG.md for 12.5.0 · 2d143daf
  GitLab Release Tools Bot authored Nov 22, 2019
```
[ci skip]
```
  2d143daf
- Add latest changes from gitlab-org/gitlab@12-5-stable-ee · c6e6f89a
  GitLab Bot authored Nov 22, 2019
  
  c6e6f89a
20 Nov, 2019 4 commits
- Add latest changes from gitlab-org/gitlab@12-5-stable-ee · 89b09399
  GitLab Bot authored Nov 20, 2019
  
  89b09399
- Add latest changes from gitlab-org/gitlab@12-5-stable-ee · bbf697a0
  GitLab Bot authored Nov 20, 2019
  
  bbf697a0
- Add latest changes from gitlab-org/gitlab@12-5-stable-ee · 23e599fb
  GitLab Bot authored Nov 20, 2019
  
  23e599fb
- Add latest changes from gitlab-org/gitlab@12-5-stable-ee · e2d670d5
  GitLab Bot authored Nov 20, 2019
  
  e2d670d5
19 Nov, 2019 3 commits
- Add latest changes from gitlab-org/gitlab@12-5-stable-ee · 43e9756c
  GitLab Bot authored Nov 19, 2019
  
  43e9756c
- Update VERSION to 12.5.0-rc42 · 8664e124
  GitLab Release Tools Bot authored Nov 19, 2019
  
  8664e124
- Add latest changes from gitlab-org/gitlab@12-5-stable-ee · 5a8431fe
  GitLab Bot authored Nov 19, 2019
  
  5a8431fe
18 Nov, 2019 2 commits
- Update VERSION to 12.4.3 · 4d477238
  GitLab Release Tools Bot authored Nov 18, 2019
  
  4d477238
- Update CHANGELOG.md for 12.4.3 · b7ddcd16
  GitLab Release Tools Bot authored Nov 18, 2019
```
[ci skip]
```
  b7ddcd16
15 Nov, 2019 1 commit
- Add latest changes from gitlab-org/gitlab@12-4-stable-ee · b320251a
  GitLab Bot authored Nov 15, 2019
  
  b320251a
04 Nov, 2019 3 commits
- Update VERSION to 12.4.2 · 393a5bda
  GitLab Release Tools Bot authored Nov 04, 2019
  
  393a5bda
- Update CHANGELOG.md for 12.4.2 · 7fb895cb
  GitLab Release Tools Bot authored Nov 04, 2019
```
[ci skip]
```
  7fb895cb
- Add latest changes from gitlab-org/gitlab@12-4-stable-ee · 39b0e286
  GitLab Bot authored Nov 04, 2019
  
  39b0e286
30 Oct, 2019 1 commit
- Merge remote-tracking branch 'dev/12-4-stable' into 12-4-stable · 9fc4650d
  GitLab Release Tools Bot authored Oct 30, 2019
  
  9fc4650d
28 Oct, 2019 2 commits
- Update VERSION to 12.4.1 · 4281915c
  GitLab Release Tools Bot authored Oct 28, 2019
  
  4281915c
- Update CHANGELOG.md for 12.4.1 · 3830617e
  GitLab Release Tools Bot authored Oct 28, 2019
```
[ci skip]
```
  3830617e
25 Oct, 2019 4 commits
- Merge branch 'security-mask-sentry-token-12-4-ce' into '12-4-stable' · 8b69a396
  GitLab Release Tools Bot authored Oct 25, 2019
```
Mask Sentry auth token

See merge request gitlab/gitlabhq!3504
```
  8b69a396
- Merge branch 'security-remove-leaky-401-responses-12.4' into '12-4-stable' · 4f332498
  GitLab Release Tools Bot authored Oct 25, 2019
```
Private/internal repository enumeration via bruteforce on a vulnerable URL

See merge request gitlab/gitlabhq!3491
```
  4f332498
- Merge branch 'security-id-fix-disclosure-of-private-repo-names-12-4' into '12-4-stable' · 44612c0c
  GitLab Release Tools Bot authored Oct 25, 2019
```
Return 404 on LFS request if project doesn't exist

See merge request gitlab/gitlabhq!3506
```
  44612c0c
- Return 404 on LFS request if project doesn't exist · 48ab4c01
  Igor Drozdov authored Oct 25, 2019
  
  48ab4c01
24 Oct, 2019 11 commits

Merge branch 'security-bvl-validate-force-remove-branch-on-mrs-12-4-ce' into '12-4-stable' · 1581fb4c
GitLab Release Tools Bot authored Oct 24, 2019
```
Only assign merge params when allowed

See merge request gitlab/gitlabhq!3487
```
1581fb4c
Merge branch 'security-wiki-rdoc-content-12-4-ce' into '12-4-stable' · a2c31462
GitLab Release Tools Bot authored Oct 24, 2019
```
Pass all wiki markup formats through our Banzai pipeline filters

See merge request gitlab/gitlabhq!3485
```
a2c31462
Merge branch 'security-developer-transfer-project-12-4' into '12-4-stable' · 6df4db1f
GitLab Release Tools Bot authored Oct 24, 2019
```
Require Maintainer permission on group where project is transferred to

See merge request gitlab/gitlabhq!3486
```
6df4db1f
Merge branch 'security-open-redirect-internalredirect-12-4' into '12-4-stable' · b3490cf1
GitLab Release Tools Bot authored Oct 24, 2019
```
Use the '\A' and '\z' regex anchors in `InternalRedirect` to mitigate an Open Redirect issue.

See merge request gitlab/gitlabhq!3488
```
b3490cf1

Merge branch... · c9bcf8fc

GitLab Release Tools Bot authored Oct 24, 2019

Merge branch 'security-2914-labels-visible-despite-no-access-to-issues-repositories-12-4' into '12-4-stable'

Labels visible despite no access to issues & repositories

See merge request gitlab/gitlabhq!3489

c9bcf8fc

Merge branch 'security-2920-fix-notes-with-label-cross-reference-12-4' into '12-4-stable' · 853618e0
GitLab Release Tools Bot authored Oct 24, 2019
```
Project path reveals labels from Private project if the issue is moved to public project

See merge request gitlab/gitlabhq!3490
```
853618e0
Merge branch 'security-64519-circular-graphql-queries-12-4' into '12-4-stable' · a6adb336
GitLab Release Tools Bot authored Oct 24, 2019
```
Nested GraphQL query with circular relationship can cause Denial of Service

See merge request gitlab/gitlabhq!3492
```
a6adb336
Merge branch 'security-33689-post-filter-search-results-ce-12-4' into '12-4-stable' · bbe85167
GitLab Release Tools Bot authored Oct 24, 2019
```
Filter out search results based on permissions to avoid bugs leaking data

See merge request gitlab/gitlabhq!3496
```
bbe85167

Merge branch... · ddfb7160

GitLab Release Tools Bot authored Oct 24, 2019

Merge branch 'security-65756-ex-admin-attacker-can-comment-in-internalsecurity-65756-ex-admin-attacker-can-comment-in-internal-12-4' into '12-4-stable'

Improper access control allows the attacker to comment in internal commit after they are no longer admin

See merge request gitlab/gitlabhq!3497

ddfb7160

Merge branch... · 203f5b43

GitLab Release Tools Bot authored Oct 24, 2019

Merge branch 'security-ag-hide-private-members-in-project-member-autocomplete-12-4' into '12-4-stable'

Hide private members in project member autocomplete

See merge request gitlab/gitlabhq!3503

203f5b43

Mask Sentry auth token · 5c072495

Ryan Cobb authored Oct 07, 2019

This makes it so we mask Sentry's auth token. This mask only occurs in
the UI.

5c072495