- 24 Jul, 2019 10 commits
-
-
Robert Speicher authored
-
GitLab Release Tools Bot authored
Don't display badges when builds are restricted See merge request gitlab/gitlabhq!3186
-
GitLab Release Tools Bot authored
Extract SanitizeNodeLink and apply to WikiLinkFilter See merge request gitlab/gitlabhq!3202
-
GitLab Release Tools Bot authored
Do not allow localhost url redirection in GitHub Integration See merge request gitlab/gitlabhq!3207
-
GitLab Release Tools Bot authored
Server Side Request Forgery mitigation bypass See merge request gitlab/gitlabhq!3214
-
GitLab Release Tools Bot authored
MR pipeline permissions See merge request gitlab/gitlabhq!3217
-
GitLab Release Tools Bot authored
Drop feature to take ownership of a trigger token See merge request gitlab/gitlabhq!3228
-
GitLab Release Tools Bot authored
Merge branch 'security-2873-restrict-slash-commands-to-users-who-can-log-in-11-11' into '11-11-stable' Restrict slash commands to users who can log in See merge request gitlab/gitlabhq!3239
-
GitLab Release Tools Bot authored
Filter params in MR build service See merge request gitlab/gitlabhq!3255
-
GitLab Release Tools Bot authored
Do not show moved issue ids for user not authorized See merge request gitlab/gitlabhq!3264
-
- 17 Jul, 2019 1 commit
-
-
Bob Van Landuyt authored
Reusing the existing `IssuableBaseService#filter_params` which uses the policies to determine what params a user can set, and which values it can be set to. This also removed the need for the seperate call to `IssuableBaseService#ensure_milestone_available`. The `Issues::BuildService` does not suffer from this because it limits the params that are assignable to the `title`, `description` and `milestone_id`.
-
- 16 Jul, 2019 1 commit
-
-
Douglas Barbosa Alexandre authored
Fix order-dependent spec failure in appearance_spec.rb Closes #64083 See merge request gitlab-org/gitlab-ce!30323
-
- 15 Jul, 2019 1 commit
-
-
Felipe Artur authored
Do not show moved issue id for users that cannot read issue
-
- 12 Jul, 2019 1 commit
-
-
Hordur Freyr Yngvason authored
-
- 10 Jul, 2019 1 commit
-
-
Fabio Pitino authored
Removing API and frontend interactions that allowed users to take ownership of a trigger token. Removed mentions from the documentation.
-
- 09 Jul, 2019 1 commit
-
-
manojmj authored
-
- 08 Jul, 2019 1 commit
-
-
Kerri Miller authored
The SanitizationFilter was running before the WikiFilter. Since WikiFilter can modify links, we could see links that _should_ be stopped by SanatizationFilter being rendered on the page. I (kerrizor) had previously addressed the bug in: https://gitlab.com/gitlab-org/gitlab-ee/commit/7bc971915bbeadb950bb0e1f13510bf3038229a4 However, an additional exploit was discovered after that was merged. Working through the issue, we couldn't simply shuffle the order of filters, due to some implicit assumptions about the order of filters, so instead we've extracted the logic that sanitizes a Nokogiri-generated Node object, and applied it to the WikiLinkFilter as well. On moving filters around: Once we start moving around filters, we get cascading failures; fix one, another one crops up. Many of the existing filters in the WikiPipeline chain seem to assume that other filters have already done their work, and thus operate on a "transform anything that's left" basis; WikiFilter, for instance, assumes any link it finds in the markdown should be prepended with the wiki_base_path.. but if it does that, it also turns `href="@user"` into `href="/path/to/wiki/@user"`, which the UserReferenceFilter doesn't see as a user reference it needs to transform into a user profile link. This is true for all the reference filters in the WikiPipeline.
-
- 05 Jul, 2019 1 commit
-
-
drew cimino authored
MergeRequest#all_pipelines fetches Ci::Pipeline records from the source project, so we should specifically check that project for permissions. This was already happening for intra-project merge requests, but in the event that the target and source projects both have private builds, we should ensure that the project permissions are respected.
-
- 04 Jul, 2019 1 commit
-
-
Francisco Javier López authored
When we can't resolve the hostname or it is invalid, we shouldn't even perform the request. This fix also fixes the problem the SSRF rebinding attack. We can't stub feature flags outside example blocks. Nevertheless, there are some actions that calls the UrlBlocker, that are performed outside example blocks, ie: `set` instruction. That's why we have to use some signalign mechanism outside the scope of the specs.
-
- 01 Jul, 2019 2 commits
-
-
GitLab Release Tools Bot authored
[ci skip]
-
Marin Jankovski authored
Support object storage at FileMover class See merge request gitlab/gitlabhq!3196
-
- 30 Jun, 2019 1 commit
-
-
Oswaldo Ferreira authored
-
- 27 Jun, 2019 3 commits
-
-
GitLab Release Tools Bot authored
-
GitLab Release Tools Bot authored
[ci skip]
-
Fabio Pitino authored
Badges were leaked to unauthorized users even when Public Builds project setting is disabled. Added guard clause to the controller to check if user can read build.
-
- 26 Jun, 2019 15 commits
-
-
GitLab Release Tools Bot authored
Ability to write a note in a private snippet See merge request gitlab/gitlabhq!3141
-
GitLab Release Tools Bot authored
Prevent Billion Laughs attack See merge request gitlab/gitlabhq!3144
-
GitLab Release Tools Bot authored
Guests can know whether merge request template name exists or not See merge request gitlab/gitlabhq!3149
-
GitLab Release Tools Bot authored
Fix MR head pipeline leak See merge request gitlab/gitlabhq!3155
-
GitLab Release Tools Bot authored
Fix DOS when rendering issue/MR comments See merge request gitlab/gitlabhq!3158
-
GitLab Release Tools Bot authored
Persist tmp snippet uploads at users See merge request gitlab/gitlabhq!3165
-
GitLab Release Tools Bot authored
Expose merge requests count based on user access See merge request gitlab/gitlabhq!3168
-
GitLab Release Tools Bot authored
Fix type authorizations in GraphQL See merge request gitlab/gitlabhq!3173
-
GitLab Release Tools Bot authored
Fix color validation regex causing DoS See merge request gitlab/gitlabhq!3177
-
GitLab Release Tools Bot authored
Disable Rails SQL query cache when applying service templates See merge request gitlab/gitlabhq!3180
-
GitLab Release Tools Bot authored
-
GitLab Release Tools Bot authored
[ci skip]
-
Marin Jankovski authored
Prepare 11.11.4 release See merge request gitlab-org/gitlab-ce!30069
-
Marin Jankovski authored
Master i18n 11.11 See merge request gitlab-org/gitlab-ce!30083
-
GitLab Crowdin Bot authored
[skip ci]
-