Age | Commit message | Author |
|
Limit the negotiation phase for certain Gitaly RPCs
See merge request gitlab/gitaly!47
|
In most cases, Gitaly trusts that the caller of the RPC has validated
that the user is permitted to perform the action represented by the RPC
and doesn't repeat any access control checks. Where an RPC reads data
from a client-controlled stream before acting, the time between the
check and the operation can be artificially extended. This can lead to
security issues where
Solve this by placing a limit on the *negotiation phase* of two RPCs
that are known to be vulnerable:
* ssh.SSHUploadPack
* ssh.SSHUploadArchive
These RPCs are known not to be vulnerable, for one reason or another:
* ssh.SSHReceivePack
* smarthttp.ReceivePack
The smarthttp.UploadPack RPC is vulnerable, but the vulnerability is
being handled in Workhorse.
|
Fix protoc-gen-gitaly in 1-65-stable
See merge request gitlab-org/gitaly!1581
|
Backport !39 into 1-65-stable
See merge request gitlab/gitaly!43
|
Prevent nil panics in housekeeping.Perform
See merge request gitlab-org/gitaly!1492
|
Upgrade Rouge to v3.11.0
See merge request gitlab-org/gitaly!1493
|
Labels update in the feature flag issue template
See merge request gitlab-org/gitaly!1489
|
Git command DSL
Closes #1996, #1991, and #1847
See merge request gitlab-org/gitaly!1476
|
This fixes the JSON parser bug present in
v3.8.0+ (https://github.com/rouge-ruby/rouge/issues/1330) and adds
support for a number of new lexers.
|
Replicator fixes from demo
See merge request gitlab-org/gitaly!1487
|
Add tests as well to give coverage to the processReplJob method
|
Add documentation snippet for ELK graphs
See merge request gitlab-org/gitaly!1491
|
Update downstream script to single code base
See merge request gitlab-org/gitaly!1488
|
Remove get-commit-signatures feature flag
Closes #1604 and #1921
See merge request gitlab-org/gitaly!1484
|
Measure replication latency
Closes #1882
See merge request gitlab-org/gitaly!1481
|
Add dedicated CI job for deprecation warnings
See merge request gitlab-org/gitaly!1480
|
Add first_parent to find-commits and count-commits
See merge request gitlab-org/gitaly!1463
|
Allows me to run this test locally again, as we dynamically set an
author now.
|
Rewritten to Go, behind a feature flag in: https://gitlab.com/gitlab-org/gitaly/issues/1604
The Go code works great on production, so the feature flag can be
removed.
Closes https://gitlab.com/gitlab-org/gitaly/issues/1604
|
Confirm checksums after replication
Closes #1922
See merge request gitlab-org/gitaly!1479
|
Fix publish script
See merge request gitlab-org/gitaly!1478
|
Use testhelper.CreateTag to have a Git ident
See merge request gitlab-org/gitaly!1474
|
Update Rouge to v3.10.0
See merge request gitlab-org/gitaly!1475
|
Removing @ in author line for changelog entry
See merge request gitlab-org/gitaly!1477
|
RenameRepository RPC
Closes #1912
See merge request gitlab-org/gitaly!1471
|
This keeps the version used in Gitaly consistent with CE/EE
to save a little space.
|
Locally I can't run some tests as Git would like to know the identity of
the user creating new objects. In my case these object creations get the
following message:
```
testhelper.go:184:
*** Please tell me who you are.
Run
git config --global user.email "you@example.com"
git config --global user.name "Your Name"
to set your account's default identity.
Omit --global to set the identity only in this repository.
fatal: empty ident name (for <zegerjan@callisto.localdomain>) not allowed
```
Now, this leverages system packages on the Git side to determine the
identname. In our case I think the best way to move forward is just to
use the `testhelper.CreateTag()`, which sets the ident for us.
|
Add RemoveRepository RPC
Closes #1908
See merge request gitlab-org/gitaly!1470
|
Maintain permissions for attribute file while applying attribute
Closes #1855
See merge request gitlab-org/gitaly!1466
|