- 14 Jun, 2016 3 commits
Tomasz Maczukin authored
Robert Speicher authored
Forbid scripting for wiki files

Wiki files (not pages - files in the repo) are just sent to the browser with whatever content-type the mime_types gem assigns to them based on their extension. As this is from the same domain as the GitLab application, this is an XSS vulnerability. Set a CSP forbidding all sources for scripting, CSS, XHR, etc. on these files.

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/17298.

See merge request !1969
Douwe Maan authored
Remove 'unscoped' from project builds selection

This is a fix for this security bug: https://gitlab.com/gitlab-org/gitlab-ce/issues/18188

/cc @kamil @grzegorz @stanhu

See merge request !1968
- 27 Apr, 2016 1 commit
Robert Speicher authored
- 26 Apr, 2016 5 commits
Robert Speicher authored
[ci skip]
Robert Speicher authored
Prevent privilege escalation via notes API

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15577

See merge request !1964
Rémy Coutable authored
Prevent users from deleting Webhooks via API they do not own

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15576

See merge request !1959

Signed-off-by: Rémy Coutable <remy@rymai.me>
Robert Speicher authored
Prevent XSS via custom issue tracker URL

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/15437

See merge request !1955

Signed-off-by: Rémy Coutable <remy@rymai.me>
Robert Speicher authored
Prevent information disclosure via milestone API

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15579

See merge request !1961
- 25 Apr, 2016 6 commits
Robert Speicher authored
Prevent information disclosure via new merge request page

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15591.

See merge request !1963
Robert Speicher authored
Prevent privilege escalation via "impersonate" feature

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15548

See merge request !1956
Robert Speicher authored
Prevent information disclosure via snippet API

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15580

See merge request !1958
Grzegorz Bizon authored
Fix vulnerability that leaks private labels and milestones

## Summary

This fixes a vulnerability that leaks information about private labels and milestones because of an insecure direct object reference in the issuable create service. This affects merge requests and issues.

See https://gitlab.com/gitlab-org/gitlab-ce/issues/15439

## Fix

This MR introduces an additional check that rejects labels and milestones that do not belong to the same project the issue/merge request does.

## Further work

`IssuableBaseService` may benefit from encapsulating filters in a separate class/module, which may then improve coherency in this class.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15439

See merge request !1954
Jacob Schatz authored
Fixes XSS injection

REF: https://gitlab.com/gitlab-org/gitlab-ce/issues/15434

**Without the fix**

![xss1](/uploads/0a7b0b15fb87066965a7c73f1dbaa815/xss1.gif)

**With the fix**

![xss2](/uploads/473cfa0aa80656f24c58aebf1fd97fff/xss2.gif)

See merge request !1952
Robert Speicher authored
Fixes window.opener bug

Adds `noreferrer` value to rel attribute for external links

REF: https://gitlab.com/gitlab-org/gitlab-ce/issues/15331

See merge request !1953
- 20 Apr, 2016 1 commit
Rémy Coutable authored
- 19 Apr, 2016 4 commits
Robert Speicher authored
Douwe Maan authored
Remove persistent XSS vulnerability in `commit_person_link` helper

Because we were incorrectly supplying the tooltip title as `data-original-title` (which Bootstrap's Tooltip JS automatically applies based on the `title` attribute; we should never be setting it directly), the value was being passed through as-is.

Instead, we should be supplying the normal `title` attribute and letting Rails escape the value, which also negates the need for us to call `sanitize` on it.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15126

See merge request !1948

Signed-off-by: Rémy Coutable <remy@rymai.me>
Rémy Coutable authored
[ci skip]

Signed-off-by: Rémy Coutable <remy@rymai.me>
Douwe Maan authored
Check permissions when sharing project with group

## Summary

An unprivileged user was able to share a project with a group he didn't have access to, and therefore gain partial access to that group, which opened possibilities for further actions like listing private projects in that group.

See https://gitlab.com/gitlab-org/gitlab-ce/issues/15330

## Fix

This change introduces an additional check for group read access.

## Further work

We can think about preventing such problems in the future (this is a quite common problem) by moving permissions checks to another layer of abstraction (TBD).

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15330

See merge request !1949

Signed-off-by: Rémy Coutable <remy@rymai.me>
- 15 Apr, 2016 5 commits
Rémy Coutable authored
[ci skip]

Signed-off-by: Rémy Coutable <remy@rymai.me>
Rémy Coutable authored
Rémy Coutable authored
Fix revoking of authorized OAuth applications

Users were not able to revoke access to authorized OAuth applications. Clicking the "Revoke" button would result in a 404 page, and the application would still be authorized.

Added a spec and also found that the `gon` variables were not being set for this view.

Closes #14370

See merge request !3690

Signed-off-by: Rémy Coutable <remy@rymai.me>
Yorick Peterse authored
Expire the exists cache before deletion to ensure project dir actually exists

See merge request !3413

Signed-off-by: Rémy Coutable <remy@rymai.me>
Rémy Coutable authored
Fix #14753: Check if head is born before trying to detect main language

This MR makes sure that head exists before trying to detect the main language. This prevents errors on repos without a master branch.

Closes #14753

See merge request !3654
- 07 Apr, 2016 8 commits
Robert Speicher authored
Robert Speicher authored
Unblocks user when active_directory is disabled and it can be found

We implemented a specific block state to handle user blocking that originates from LDAP filtering rules / directory state in !2242. That introduced a regression in LDAP authentication when Active Directory support was disabled.

You could have a scenario where the user would temporarily not be found (like a filtering rule), which would mark the user as `ldap_blocked`, but would never unblock it automatically when that state changed.

Fixes #14253, #13179, #13259, #13959

See merge request !3550
Yorick Peterse authored
Update language after doing all other operations

See merge request !3533

Signed-off-by: Rémy Coutable <remy@rymai.me>
Rémy Coutable authored
Fix 2FA authentication spoofing

## Summary

This is a security fix for the vulnerability described at https://gitlab.com/gitlab-org/gitlab-ce/issues/14900.

An attacker was able to bypass password authentication of users that have 2FA enabled, and consequently sign in as a different user, without knowing his password, if he managed to guess the 2FA One Time Password for that user.

It was also possible to enumerate users and check if they have 2FA enabled, because GitLab responded with a different error for each case.

## Fix

This MR attempts to change the default user search scope if the `otp_user_id` session variable has been set. If it is present, it means that the user has 2FA enabled, and has already been verified with login and password. In this case we should look for the user with `otp_user_id` first, before picking it up by `login`.

Both 2FA authentication spoofing and 2FA discovery have been covered by specs.

## Further work

Current 2FA code is a bit tricky, so it probably needs some refactoring.

See merge request !1947

Signed-off-by: Rémy Coutable <remy@rymai.me>
Rémy Coutable authored
Return status code 303 after a branch DELETE operation to avoid project deletion

Closes #14994

See merge request !3583

Signed-off-by: Rémy Coutable <remy@rymai.me>
Rémy Coutable authored
Only update main language if it is not already set

Related to gitlab-org/gitlab-ce#14937 (but does not fully fix)

This is a temporary fix so performance isn't affected so much.

cc @yorickpeterse @ayufan how does this look?

See merge request !3556

Signed-off-by: Rémy Coutable <remy@rymai.me>
Douwe Maan authored
Check permissions when importing project members

Closes #14899

See merge request !3535

Signed-off-by: Rémy Coutable <remy@rymai.me>
Yorick Peterse authored
Fix Importing repos from GHE doesn't work

See merge request !3529

Signed-off-by: Rémy Coutable <remy@rymai.me>
- 04 Apr, 2016 2 commits
Rémy Coutable authored
Douwe Maan authored
Don't fetch any tags from a forked repo

Closes #13957

See merge request !3504

Signed-off-by: Rémy Coutable <remy@rymai.me>
- 01 Apr, 2016 5 commits
Rémy Coutable authored
[ci skip]

Signed-off-by: Rémy Coutable <remy@rymai.me>
Rémy Coutable authored
Douwe Maan authored
Update gitlab-shell version and doc to 2.6.12

See merge request !280
Rémy Coutable authored
[ci skip]

Signed-off-by: Rémy Coutable <remy@rymai.me>
Rémy Coutable authored
Allow temp-oauth-email as notification email

Closes #14559

/cc @dblessing @rymai

See merge request !3477

Signed-off-by: Rémy Coutable <remy@rymai.me>