author | Grzegorz Bizon <grzesiek.bizon@gmail.com> | 2018-11-29 12:52:01 +0300 |
---|---|---|
committer | Grzegorz Bizon <grzesiek.bizon@gmail.com> | 2018-11-29 12:52:01 +0300 |
commit | a7fec1779fe32bd2a7a08ca5780f826a58614af0 (patch) | |
tree | 77488fdc6d8e82a773bd2327d69f634419b62bce /config | |
parent | 439d22b90fed46d16ebc26fd756f1459da370280 (diff) | |
parent | 6852680584a1b22788f451457a6042eabf862a73 (diff) |
Merge commit '6852680584a1b22788f451457a6042eabf862a73' into fix/gb/encrypt-runners-tokens
* commit '6852680584a1b22788f451457a6042eabf862a73': (57 commits)
Diffstat (limited to 'config')
-rw-r--r-- | config/application.rb | 3 | ||||
-rw-r--r-- | config/initializers/devise.rb | 3 | ||||
-rw-r--r-- | config/initializers/doorkeeper.rb | 7 | ||||
-rw-r--r-- | config/initializers/rack_attack_global.rb | 10 |
4 files changed, 18 insertions, 5 deletions
diff --git a/config/application.rb b/config/application.rb
index 5804d8fd27b..63a5b483fc2 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -103,6 +103,9 @@ module Gitlab
 # - Webhook URLs (:hook)
 # - Sentry DSN (:sentry_dsn)
 # - File content from Web Editor (:content)
+ #
+ # NOTE: It is **IMPORTANT** to also update gitlab-workhorse's filter when adding parameters here to not
+ # introduce another security vulnerability: https://gitlab.com/gitlab-org/gitlab-workhorse/issues/182
 config.filter_parameters += [/token$/, /password/, /secret/, /key$/]
 config.filter_parameters += %i(
 certificate
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 179e00cdbd0..67eabb0b4fc 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -103,6 +103,9 @@ Devise.setup do |config|
 # Send a notification email when the user's password is changed
 config.send_password_change_notification = true
 
+ # Send a notification email when the user's email is changed
+ config.send_email_changed_notification = true
+
 # ==> Configuration for :validatable
 # Range for password length. Default is 6..128.
 config.password_length = 8..128
diff --git a/config/initializers/doorkeeper.rb b/config/initializers/doorkeeper.rb
index f321b4ea763..6be5c00daaa 100644
--- a/config/initializers/doorkeeper.rb
+++ b/config/initializers/doorkeeper.rb
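Review bot: `config.send_email_changed_notification = true` in the devise.rb hunk is an account-takeover safeguard rather than a courtesy mail, and the comment above it should say why it is on. As I recall, Devise delivers this notification to the address that was in effect before the change, which is what lets the legitimate owner notice when someone else has re-pointed the account; please confirm against the Devise version in use, since that detail cannot be verified from the hunk. Suggested wording: `# Send a notification email when the user's email is changed (delivered to the previous address so the owner is alerted to an unauthorised change)`.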
@@ -48,6 +48,13 @@ Doorkeeper.configure do
 # force_ssl_in_redirect_uri false
 
+ # Specify what redirect URI's you want to block during Application creation.
+ # Any redirect URI is whitelisted by default.
+ #
+ # You can use this option in order to forbid URI's with 'javascript' scheme
+ # for example.
+ forbid_redirect_uri { |uri| %w[data vbscript javascript].include?(uri.scheme.to_s.downcase) }
+
 # Provide support for an owner to be assigned to each registered application (disabled by default)
 # Optional parameter confirmation: true (default false) if you want to enforce ownership of
 # a registered application
diff --git a/config/initializers/rack_attack_global.rb b/config/initializers/rack_attack_global.rb
index 45963831c41..86cb930eca9 100644
--- a/config/initializers/rack_attack_global.rb
+++ b/config/initializers/rack_attack_global.rb
@@ -33,22 +33,22 @@ class Rack::Attack
 throttle('throttle_authenticated_api', Gitlab::Throttle.authenticated_api_options) do |req|
 Gitlab::Throttle.settings.throttle_authenticated_api_enabled &&
 req.api_request? &&
- req.authenticated_user_id
+ req.authenticated_user_id([:api])
 end
 
 throttle('throttle_authenticated_web', Gitlab::Throttle.authenticated_web_options) do |req|
 Gitlab::Throttle.settings.throttle_authenticated_web_enabled &&
 req.web_request? &&
- req.authenticated_user_id
+ req.authenticated_user_id([:api, :rss, :ics])
 end
 
 class Request
 def unauthenticated?
- !authenticated_user_id
+ !authenticated_user_id([:api, :rss, :ics])
 end
 
- def authenticated_user_id
- Gitlab::Auth::RequestAuthenticator.new(self).user&.id
+ def authenticated_user_id(request_formats)
+ Gitlab::Auth::RequestAuthenticator.new(self).user(request_formats)&.id
 end
 
 def api_request?
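Review bot: The added comment line `# Any redirect URI is whitelisted by default.` now sits directly above a `forbid_redirect_uri` block, so it reads as a description of this file's behaviour rather than of Doorkeeper's default, and the two statements contradict each other on the page. Rewording it to `# Doorkeeper accepts any redirect URI unless it is forbidden here; the block below rejects the listed schemes.` states the actual semantics: this is a deny-list, and every scheme not in the array is still accepted. As a style point, the `%w[...]` literal is rebuilt on each validation; defining `FORBIDDEN_REDIRECT_URI_SCHEMES = %w[data vbscript javascript].freeze` above the `Doorkeeper.configure` block and using `FORBIDDEN_REDIRECT_URI_SCHEMES.include?(uri.scheme.to_s.downcase)` inside it gives the list a name and a single place to extend.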
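Review bot: `[:api, :rss, :ics]` is spelled out twice in the rack_attack_global.rb hunk — in the `throttle_authenticated_web` block and again in `Request#unauthenticated?` — while `throttle_authenticated_api` passes `[:api]`, so nothing ties the two web-side lists together and they can silently drift apart. Hoist the list into a frozen constant on `Request`, e.g. `WEB_REQUEST_FORMATS = %i[api rss ics].freeze`, and reference it from both call sites. `authenticated_user_id` also gained a required positional `request_formats`, so any caller elsewhere in the codebase that still invokes it without arguments will now raise `ArgumentError`; that cannot be confirmed from the hunk and is worth a grep. Since `RequestAuthenticator#user` is not visible here, a short comment on the new parameter would help the next reader — something like `# request_formats: request formats forwarded to RequestAuthenticator#user when resolving the user` — kept to what the call shows rather than guessing at the authenticator's rules. `class Request` continues past the end of the hunk.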