- 02 Mar, 2020 33 commits
-
-
Mayra Cabrera authored
Hide Contribution Analytics from non-group members See merge request gitlab-org/security/gitlab!297
-
Aakriti Gupta authored
because non-group members should not be allowed to view activities or stats from group members. Render promotions page if promotions are on and the user does not have access to the feature.
-
Mayra Cabrera authored
Revert "Merge branch 'security-ag-contribution-analytics' into 'master'" See merge request gitlab-org/security/gitlab!296
-
Mayra Cabrera authored
This reverts merge request !58
-
Mayra Cabrera authored
Prevent directory traversal through FileUploader#secret See merge request gitlab-org/security/gitlab!288
-
GitLab Release Tools Bot authored
Hide Contribution Analytics from non-group members See merge request gitlab-org/security/gitlab!58
-
Aakriti Gupta authored
Better titles and some grammar updates
-
GitLab Release Tools Bot authored
Prevent an endless checking loop for two merge requests targeting each other See merge request gitlab-org/security/gitlab!85
-
GitLab Release Tools Bot authored
Update epic tree when group is transfered Closes #30 See merge request gitlab-org/security/gitlab!92
-
GitLab Release Tools Bot authored
Sanitize output by dependency linkers Closes #37 See merge request gitlab-org/security/gitlab!106
-
GitLab Release Tools Bot authored
Enforce feedback pipeline is in the same project See merge request gitlab-org/security/gitlab!117
-
GitLab Release Tools Bot authored
Check for registry permissions on docker login request Closes #43 See merge request gitlab-org/security/gitlab!144
-
GitLab Release Tools Bot authored
Don't require base_sha in DiffRefsType Closes #45 See merge request gitlab-org/security/gitlab!145
-
GitLab Release Tools Bot authored
Escape special chars in Sentry error header See merge request gitlab-org/security/gitlab!146
-
GitLab Release Tools Bot authored
Update ProjectAuthorization when deleting or updating GroupGroupLink Closes #55 See merge request gitlab-org/security/gitlab!165
-
GitLab Release Tools Bot authored
Update user 2fa when accepting group invite See merge request gitlab-org/security/gitlab!169
-
GitLab Release Tools Bot authored
Fix Service Side Request Forgery in JenkinsDeprecatedService See merge request gitlab-org/security/gitlab!179
-
GitLab Release Tools Bot authored
Expire account confirmation token See merge request gitlab-org/security/gitlab!180
-
GitLab Release Tools Bot authored
Fix for XSS in branch names Closes #49 See merge request gitlab-org/security/gitlab!184
-
Robert May authored
-
GitLab Release Tools Bot authored
Remove OID filtering during LFS imports See merge request gitlab-org/security/gitlab!188
-
GitLab Release Tools Bot authored
Respect member access level for group shares Closes #56 See merge request gitlab-org/security/gitlab!192
-
Imre Farkas authored
Previously, we only considered the access level set for the GroupGroupLink when calculated ProjectAuthorization or Group#max_member_access_for_user for the shared group. We need to consider access level in the shared with group as well, which might be lower than the one set for GroupGroupLink.
-
GitLab Release Tools Bot authored
Check merge requests read permissions before showing them in the pipeline widget Closes #60 See merge request gitlab-org/security/gitlab!207
-
GitLab Release Tools Bot authored
Forbid trigger pipeline requests with Gitlab-Event header Closes #61 See merge request gitlab-org/security/gitlab!216
-
GitLab Release Tools Bot authored
Prevent XSS in admin grafana url setting Closes #25 See merge request gitlab-org/security/gitlab!218
-
GitLab Release Tools Bot authored
Run badge images through asset proxy Closes #33 See merge request gitlab-org/security/gitlab!232
-
Heinrich Lee Yu authored
This allows us to proxy URLs without going through the HTML filter
-
GitLab Release Tools Bot authored
Recalculate ProjectAuthorizations Closes #75 See merge request gitlab-org/security/gitlab!272
-
Robert May authored
Validates secrets provided to FileUploader in order to prevent directory traversal attacks. We generate 32-byte hexadecimal secrets now and 10-byte hexadecimal secrets in the past, so these are the only two valid formats permitted. Also adds a test that proves the exploit works without the change, and a test that proves the change resolves the exploit.
-
rpereira2 authored
* Validate the grafana URL setting to ensure it is a valid URL and does not contain javascript. * Add a rel='noopener noreferrer' attribute to the link on the frontend so that when the link is opened in a new tab, it will not be able to control the tab from which it was opened. * Use the system_hook_validator for grafana_url since it is an admin setting. * Add migration to remove any javascript URLs from application_settings.grafana_url. * Add a blocked_message option to addressable_url_validator. The option allows a custom error message to be added if the URL is blocked. * Add a parse_url method to Gitlab::Util which returns an Addressable::URI object. * Add changelog entry.
-
Yorick Peterse authored
Fix fixtures for Error Tracking Web UI See merge request gitlab-org/security/gitlab!293
-
Takuya Noguchi authored
Signed-off-by: Takuya Noguchi <takninnovationresearch@gmail.com>
-
- 28 Feb, 2020 7 commits
-
-
Mike Lewis authored
Move interest in contributing an app to the end of the app list See merge request gitlab-org/gitlab!26180
-
Mike Lewis authored
-
Martin Wortschack authored
Update GitLab Packages See merge request gitlab-org/gitlab!26175
-
Mark Florian authored
199134 - Update severity badges See merge request gitlab-org/gitlab!25489
-
-
Robert Speicher authored
Disable ci variables ff See merge request gitlab-org/gitlab!26020
-
Phil Hughes authored
Add skeleton loaders to container registry See merge request gitlab-org/gitlab!25994
-