Commits · 1e4cf2b0fc638612d5f3520eeea47b66f33a7189 · nexedi / gitlab-ce

04 Mar, 2020 1 commit

Fix vulnerability_feedback create service · 1e4cf2b0

Daniel Paul Searles authored Mar 03, 2020

Why:

* The create service would return as successful when the record is
  invalid if the record already preexisted.

This change addresses the need by:

* Only return as successful if feedback is persisted AND valid

1e4cf2b0

02 Mar, 2020 33 commits

Merge branch 'security-ag-contribution-analytics-2nd-attempt' into 'master' · 9056b5ef
Mayra Cabrera authored Mar 02, 2020
```
Hide Contribution Analytics from non-group members

See merge request gitlab-org/security/gitlab!297
```
9056b5ef

Hide Contribution Analytics from non-group members · 07d7b7c3

Aakriti Gupta authored Feb 14, 2020

because non-group members should not be allowed to
view activities or stats from group members.

Render promotions page if promotions are on and
the user does not have access to the feature.

07d7b7c3

Merge branch 'revert-' into 'master' · b4ba71c6

Mayra Cabrera authored Mar 02, 2020

Revert "Merge branch 'security-ag-contribution-analytics' into 'master'"

See merge request gitlab-org/security/gitlab!296

b4ba71c6

Revert "Merge branch 'security-ag-contribution-analytics' into 'master'" · ea930e5a
Mayra Cabrera authored Mar 02, 2020
```
This reverts merge request !58
```
ea930e5a
Merge branch 'security-709-secret-traversal' into 'master' · ca358373
Mayra Cabrera authored Mar 02, 2020
```
Prevent directory traversal through FileUploader#secret

See merge request gitlab-org/security/gitlab!288
```
ca358373
Merge branch 'security-ag-contribution-analytics' into 'master' · 7bdfaafe
GitLab Release Tools Bot authored Mar 02, 2020
```
Hide Contribution Analytics from non-group members

See merge request gitlab-org/security/gitlab!58
```
7bdfaafe
Review updates for HA doc cleanup · cf6fc400
Aakriti Gupta authored Mar 02, 2020
```
Better titles and some grammar updates
```
cf6fc400

Merge branch '36805-confidential-issue' into 'master' · 0d2d4d79

GitLab Release Tools Bot authored Mar 02, 2020

Prevent an endless checking loop for two merge requests targeting each other

See merge request gitlab-org/security/gitlab!85

0d2d4d79

Merge branch 'security-epic-groups' into 'master' · dadd4850
GitLab Release Tools Bot authored Mar 02, 2020
```
Update epic tree when group is transfered

Closes #30

See merge request gitlab-org/security/gitlab!92
```
dadd4850
Merge branch 'security-pb-fix-xss-dependency-link' into 'master' · 5dc78280
GitLab Release Tools Bot authored Mar 02, 2020
```
Sanitize output by dependency linkers

Closes #37

See merge request gitlab-org/security/gitlab!106
```
5dc78280
Merge branch 'security-vuln-feedback-pipeline' into 'master' · a7b1f35b
GitLab Release Tools Bot authored Mar 02, 2020
```
Enforce feedback pipeline is in the same project

See merge request gitlab-org/security/gitlab!117
```
a7b1f35b
Merge branch 'security-deploy-token-registry-access' into 'master' · ab00127c
GitLab Release Tools Bot authored Mar 02, 2020
```
Check for registry permissions on docker login request

Closes #43

See merge request gitlab-org/security/gitlab!144
```
ab00127c
Merge branch 'security-graphql-diff-refs-empty-base-sha' into 'master' · ae5763fd
GitLab Release Tools Bot authored Mar 02, 2020
```
Don't require base_sha in DiffRefsType

Closes #45

See merge request gitlab-org/security/gitlab!145
```
ae5763fd
Merge branch 'security-safe-sentry-error-culprit' into 'master' · ff8b9201
GitLab Release Tools Bot authored Mar 02, 2020
```
Escape special chars in Sentry error header

See merge request gitlab-org/security/gitlab!146
```
ff8b9201
Merge branch 'security-sharing_group_to_update_project_authorization-master' into 'master' · b1028190
GitLab Release Tools Bot authored Mar 02, 2020
```
Update ProjectAuthorization when deleting or updating GroupGroupLink

Closes #55

See merge request gitlab-org/security/gitlab!165
```
b1028190
Merge branch 'security-enforce-group-member-2fa' into 'master' · 37e776d2
GitLab Release Tools Bot authored Mar 02, 2020
```
Update user 2fa when accepting group invite

See merge request gitlab-org/security/gitlab!169
```
37e776d2
Merge branch 'security/sh-fix-jenkins-deprecated-service-ssrf' into 'master' · 9919924f
GitLab Release Tools Bot authored Mar 02, 2020
```
Fix Service Side Request Forgery in JenkinsDeprecatedService

See merge request gitlab-org/security/gitlab!179
```
9919924f
Merge branch 'security-expire-confirmation-token' into 'master' · 4ba79ff2
GitLab Release Tools Bot authored Mar 02, 2020
```
Expire account confirmation token

See merge request gitlab-org/security/gitlab!180
```
4ba79ff2
Merge branch 'security-49-xss-branch-names' into 'master' · 59d327c9
GitLab Release Tools Bot authored Mar 02, 2020
```
Fix for XSS in branch names

Closes #49

See merge request gitlab-org/security/gitlab!184
```
59d327c9
Fix for XSS in branch names · b4a0a234
Robert May authored Mar 02, 2020

b4a0a234
Merge branch 'security-deprecate-lfs-link-service' into 'master' · 77368a38
GitLab Release Tools Bot authored Mar 02, 2020
```
Remove OID filtering during LFS imports

See merge request gitlab-org/security/gitlab!188
```
77368a38
Merge branch 'security-sharing_group_to_respect_member_access_level-master' into 'master' · 83219a73
GitLab Release Tools Bot authored Mar 02, 2020
```
Respect member access level for group shares

Closes #56

See merge request gitlab-org/security/gitlab!192
```
83219a73

Respect member access level for group shares · 9e2ec37f

Imre Farkas authored Mar 02, 2020

Previously, we only considered the access level set for the
GroupGroupLink when calculated ProjectAuthorization or
Group#max_member_access_for_user for the shared group. We need to
consider access level in the shared with group as well, which might be
lower than the one set for GroupGroupLink.

9e2ec37f

Merge branch 'security-check-mr-permissions-for-pipeline-widget' into 'master' · 2e4777a4

GitLab Release Tools Bot authored Mar 02, 2020

Check merge requests read permissions before showing them in the pipeline widget

Closes #60

See merge request gitlab-org/security/gitlab!207

2e4777a4

Merge branch 'security-disable-pipeline-webhook-recursion' into 'master' · b21e3ab9
GitLab Release Tools Bot authored Mar 02, 2020
```
Forbid trigger pipeline requests with Gitlab-Event header

Closes #61

See merge request gitlab-org/security/gitlab!216
```
b21e3ab9
Merge branch 'security-grafana-stored-xss' into 'master' · ca1c3473
GitLab Release Tools Bot authored Mar 02, 2020
```
Prevent XSS in admin grafana url setting

Closes #25

See merge request gitlab-org/security/gitlab!218
```
ca1c3473
Merge branch 'security-badge-camo' into 'master' · 2bd7bd9c
GitLab Release Tools Bot authored Mar 02, 2020
```
Run badge images through asset proxy

Closes #33

See merge request gitlab-org/security/gitlab!232
```
2bd7bd9c
Add Gitlab::AssetProxy class to proxy URLs · fc5de3be
Heinrich Lee Yu authored Mar 02, 2020
```
This allows us to proxy URLs without going through
the HTML filter
```
fc5de3be
Merge branch 'security-recalculate_project_authorizations_run_2-master' into 'master' · b99e6b64
GitLab Release Tools Bot authored Mar 02, 2020
```
Recalculate ProjectAuthorizations

Closes #75

See merge request gitlab-org/security/gitlab!272
```
b99e6b64

Filter invalid secrets on file uploads · 96ec142d

Robert May authored Feb 29, 2020

Validates secrets provided to FileUploader in order to prevent
directory traversal attacks. We generate 32-byte hexadecimal secrets
now and 10-byte hexadecimal secrets in the past, so these are the only
two valid formats permitted.

Also adds a test that proves the exploit works without the change, and
a test that proves the change resolves the exploit.

96ec142d

Validate grafana_url setting · b63d4512

rpereira2 authored Feb 14, 2020

* Validate the grafana URL setting to ensure it is a valid URL and does
not contain javascript.
* Add a rel='noopener noreferrer' attribute to the link on the frontend
so that when the link is opened in a new tab, it will not be able to
control the tab from which it was opened.
* Use the system_hook_validator for grafana_url since it is an admin
setting.
* Add migration to remove any javascript URLs from
application_settings.grafana_url.
* Add a blocked_message option to addressable_url_validator. The option
allows a custom error message to be added if the URL is blocked.
* Add a parse_url method to Gitlab::Util which returns an
Addressable::URI object.
* Add changelog entry.

b63d4512

Merge branch 'security-208548-better-spec-test-for-error-tracking-web-ui' into 'master' · a7f3987e
Yorick Peterse authored Mar 02, 2020
```
Fix fixtures for Error Tracking Web UI

See merge request gitlab-org/security/gitlab!293
```
a7f3987e
Fix fixtures for Error Tracking Web UI · 35d95aa6
Takuya Noguchi authored Mar 01, 2020
```
Signed-off-by: Takuya Noguchi <takninnovationresearch@gmail.com>
```
35d95aa6

28 Feb, 2020 6 commits
- Merge branch 'move-add-an-app' into 'master' · d719154c
  Mike Lewis authored Feb 28, 2020
```
Move interest in contributing an app to the end of the app list

See merge request gitlab-org/gitlab!26180
```
  d719154c
- Implement sentence case for title per style guide · 838b2f37
  Mike Lewis authored Feb 28, 2020
  
  838b2f37
- Merge branch 'renovate/gitlab-packages' into 'master' · 028a573f
  Martin Wortschack authored Feb 28, 2020
```
Update GitLab Packages

See merge request gitlab-org/gitlab!26175
```
  028a573f
- Merge branch '199134-update-security-badges' into 'master' · d93f21d9
  Mark Florian authored Feb 28, 2020
```
199134 - Update severity badges

See merge request gitlab-org/gitlab!25489
```
  d93f21d9
- Update to new severity badge design · c9e0609d
  Neil McCorrison authored Feb 28, 2020
```
https://gitlab.com/gitlab-org/gitlab/issues/199134
```
  c9e0609d
- Merge branch 'disable-new-variables-ui-ff' into 'master' · 2ff0a2eb
  Robert Speicher authored Feb 28, 2020
```
Disable ci variables ff

See merge request gitlab-org/gitlab!26020
```
  2ff0a2eb