Commits · a90b38641d43870a4bf36544ed1d966ae8d1fa13 · Boxiang Sun / gitlab-ce

26 Jul, 2019 11 commits

Update CHANGELOG.md for 12.1.2 · a90b3864
GitLab Release Tools Bot authored Jul 26, 2019
```
[ci skip]
```
a90b3864
Merge branch 'security-60143-patch-additional-xss-vector-in-wikis' into 'master' · f9b4f939
GitLab Release Tools Bot authored Jul 26, 2019
```
Extract SanitizeNodeLink and apply to WikiLinkFilter

See merge request gitlab/gitlabhq!3143
```
f9b4f939

Extract SanitizeNodeLink and apply to WikiLinkFilter · acc694ea

Kerri Miller authored Jul 26, 2019

The SanitizationFilter was running before the WikiFilter. Since
WikiFilter can modify links, we could see links that _should_ be stopped
by SanatizationFilter being rendered on the page. I (kerrizor) had
previously addressed the bug in: https://gitlab.com/gitlab-org/gitlab-ee/commit/7bc971915bbeadb950bb0e1f13510bf3038229a4
However, an additional exploit was discovered after that was merged.
Working through the issue, we couldn't simply shuffle the order of
filters, due to some implicit assumptions about the order of filters, so
instead we've extracted the logic that sanitizes a Nokogiri-generated
Node object, and applied it to the WikiLinkFilter as well.

On moving filters around:
Once we start moving around filters, we get cascading failures; fix one,
another one crops up. Many of the existing filters in the WikiPipeline
chain seem to assume that other filters have already done their work,
and thus operate on a "transform anything that's left" basis;
WikiFilter, for instance, assumes any link it finds in the markdown
should be prepended with the wiki_base_path.. but if it does that, it
also turns `href="@user"` into `href="/path/to/wiki/@user"`, which the
UserReferenceFilter doesn't see as a user reference it needs to
transform into a user profile link. This is true for all the reference
filters in the WikiPipeline.

acc694ea

Merge branch 'security-fix-badges-leaked-to-unauthorized-users' into 'master' · 7501d649
GitLab Release Tools Bot authored Jul 26, 2019
```
Don't display badges when builds are restricted

Closes #2864

See merge request gitlab/gitlabhq!3175
```
7501d649
Merge branch 'security-github-ssrf-redirect' into 'master' · c4bc5dff
GitLab Release Tools Bot authored Jul 26, 2019
```
Do not allow localhost url redirection in GitHub Integration

See merge request gitlab/gitlabhq!3188
```
c4bc5dff
Merge branch 'security-remove-take-trigger-ownership-feature' into 'master' · 890c1421
GitLab Release Tools Bot authored Jul 26, 2019
```
Drop feature to take ownership of a trigger token

Closes #2868

See merge request gitlab/gitlabhq!3198
```
890c1421
Merge branch 'security-mr-pipeline-permissions' into 'master' · 3a178b26
GitLab Release Tools Bot authored Jul 26, 2019
```
MR pipeline permissions

Closes #2871

See merge request gitlab/gitlabhq!3204
```
3a178b26
Merge branch 'security-dns-ssrf-bypass' into 'master' · f65ed874
GitLab Release Tools Bot authored Jul 26, 2019
```
Server Side Request Forgery mitigation bypass

Closes #2872

See merge request gitlab/gitlabhq!3205
```
f65ed874
Merge branch 'security-60551-fix-upload-scope' into 'master' · 461101c3
GitLab Release Tools Bot authored Jul 26, 2019
```
Queries for Upload should be scoped by model

See merge request gitlab/gitlabhq!3229
```
461101c3
Merge branch 'security-hide_moved_issue_id' into 'master' · 4b2d49b7
GitLab Release Tools Bot authored Jul 26, 2019
```
Do not show moved issue ids for user not authorized

Closes #2878

See merge request gitlab/gitlabhq!3230
```
4b2d49b7
Merge branch 'security-bvl-filter-mr-params' into 'master' · cfc327b0
GitLab Release Tools Bot authored Jul 26, 2019
```
Filter params in MR build service

Closes #2879

See merge request gitlab/gitlabhq!3237
```
cfc327b0

25 Jul, 2019 1 commit
- Update CHANGELOG.md for 12.1.2 · 85104fc8
  GitLab Release Tools Bot authored Jul 25, 2019
```
[ci skip]
```
  85104fc8
24 Jul, 2019 28 commits
- Merge branch 'sh-peek-cleanup' into 'master' · 6a5d2df3
  Douglas Barbosa Alexandre authored Jul 24, 2019
```
Use a base class for Peek views

See merge request gitlab-org/gitlab-ce!31108
```
  6a5d2df3
- Merge branch '63553-remove-pluralize-in-favour-of-n__' into 'master' · d86ef0b0
  Paul Slaughter authored Jul 24, 2019
```
Resolve "Remove `pluralize` in favour of `n__`"

Closes #63553

See merge request gitlab-org/gitlab-ce!30882
```
  d86ef0b0
- Removed pluralize function · 78d57823
  Ezekiel Kigbo authored Jul 24, 2019
```
Replaced instance of the `pluralize` js function
with `n__` to follow our development guide.
```
  78d57823
- Merge branch 'remove-unused-peek-views' into 'master' · 945eb2ae
  Rémy Coutable authored Jul 24, 2019
```
Remove unused peek view code

See merge request gitlab-org/gitlab-ce!31099
```
  945eb2ae
- Merge branch 'ab-count-strategies' into 'master' · e7f795a3
  Nick Thomas authored Jul 24, 2019
```
Remove feature flag for tablesample counts

See merge request gitlab-org/gitlab-ce!31048
```
  e7f795a3
- Enable tablesample count strategy by default · 259493bb
  Andreas Brandl authored Jul 24, 2019
```
https://gitlab.com/gitlab-org/gitlab-ce/issues/58792
```
  259493bb
- Merge branch 'rverissimo-master-patch-43755' into 'master' · 25698fda
  Clement Ho authored Jul 24, 2019
```
Update tooltip values to meet design specs

Closes gitlab-ui#264

See merge request gitlab-org/gitlab-ce!30981
```
  25698fda
- Use a base class for Peek views · d7eadcc0
  Stan Hu authored Jul 24, 2019
```
Introduce a `DetailedView` base class, which is inherited by
the Gitaly, Redis, and Rugged views. This reduces code duplication.
```
  d7eadcc0
- Merge branch 'docs/tidy-up-chaos-endpoint' into 'master' · 5c69b781
  Marcia Ramos authored Jul 24, 2019
```
Followup edit of documentation

See merge request gitlab-org/gitlab-ce!30986
```
  5c69b781
- Followup edit of documentation · dee72df5
  Evan Read authored Jul 24, 2019
  
  dee72df5
- Merge branch '64998-increase-helm-deploy-command-timeout' into 'master' · c02c83fa
  Sean McGivern authored Jul 24, 2019
```
Increase the Review App deploy command timeout to 15 minutes

Closes #64998

See merge request gitlab-org/gitlab-ce!31061
```
  c02c83fa
- Merge branch 'mc/feature/use-only-pat-cicd-projects' into 'master' · 2a072751
  Grzegorz Bizon authored Jul 24, 2019
```
Remove OAuth GitHub CI/CD project code paths

See merge request gitlab-org/gitlab-ce!30716
```
  2a072751
- Merge branch 'add-project-selection-to-cycle-analytics-service' into 'master' · f987e03c
  Mike Greiling authored Jul 24, 2019
```
Add projectIds to CA service

See merge request gitlab-org/gitlab-ce!30894
```
  f987e03c
- Add projectIds to CA service · 68d1a9a3
  Brandon Labuschagne authored Jul 24, 2019
  
  68d1a9a3
- Merge branch 'docs/fix-more-errors' into 'master' · 1a123b36
  Marcia Ramos authored Jul 24, 2019
```
Fix some errors in Markdown files

See merge request gitlab-org/gitlab-ce!30822
```
  1a123b36
- Fix some errors in Markdown files · a0adccd2
  Evan Read authored Jul 24, 2019
  
  a0adccd2
- Merge branch 'docs/better-blocked-user-docs' into 'master' · 9e7fdb71
  Marcia Ramos authored Jul 24, 2019
```
Better information on blocking users

Closes #61255 and #53748

See merge request gitlab-org/gitlab-ce!30767
```
  9e7fdb71
- Better information on blocking users · b8683c26
  Evan Read authored Jul 24, 2019
  
  b8683c26
- Merge branch 'docs/tidy-auto-devops-topic' into 'master' · e9121227
  Marcia Ramos authored Jul 24, 2019
```
Improve the Auto DevOps topic a bit

See merge request gitlab-org/gitlab-ce!30721
```
  e9121227
- Improve the Auto DevOps topic a bit · 9a5ffe40
  Evan Read authored Jul 24, 2019
  
  9a5ffe40
- Merge branch 'docs-markdown-header-lint' into 'master' · d7249357
  Marcia Ramos authored Jul 24, 2019
```
Docs: Clean up headers in markdown

See merge request gitlab-org/gitlab-ce!30597
```
  d7249357
- Clean up headers in markdown · 74a34e8b
  Marcel Amirault authored Jul 24, 2019
```
Some markdown headers needed tweaking to adhere
to standards, including blank lines above and below,
only one space after hash, first header should be
h1, and only one h1 per doc
```
  74a34e8b
- Merge branch 'docs/enhance-code-quality-topics' into 'master' · 0ef53789
  Marcia Ramos authored Jul 24, 2019
```
Improve code quality documentation

Closes #60725

See merge request gitlab-org/gitlab-ce!30545
```
  0ef53789
- Improve code quality documentation · ea2a64c3
  Evan Read authored Jul 24, 2019
  
  ea2a64c3
- Merge branch '64243-design-management-docs' into 'master' · 3e4b15a3
  Marcia Ramos authored Jul 24, 2019
```
PerhAdd documentation for Design Management feature

See merge request gitlab-org/gitlab-ce!30448
```
  3e4b15a3
- Merge branch 'docs/add-go-test-guidelines' into 'master' · 8fce2ae8
  Marcia Ramos authored Jul 24, 2019
```
Add Go test guidelines

See merge request gitlab-org/gitlab-ce!29159
```
  8fce2ae8
- Add Go test guidelines · 105bb6ff
  Steve Azzopardi authored Jul 24, 2019
  
  105bb6ff
- Merge branch 'docs/cross-link-kaniko' into 'master' · eebc9cb6
  Marcia Ramos authored Jul 24, 2019
```
Improve GitLab and Docker configuration docs

Closes #31379

See merge request gitlab-org/gitlab-ce!30498
```
  eebc9cb6