Age | Commit message (Collapse) | Author | |
---|---|---|---|
2020-01-13 | Update VERSION to 12.4.8v12.4.8 | GitLab Release Tools Bot | |
2020-01-13 | Update CHANGELOG.md for 12.4.8 | GitLab Release Tools Bot | |
[ci skip] | |||
2020-01-10 | Add latest changes from gitlab-org/security/gitlab@12-4-stable-ee | GitLab Bot | |
2020-01-02 | Merge remote-tracking branch 'dev/12-4-stable' into 12-4-stable | GitLab Release Tools Bot | |
2020-01-02 | Update VERSION to 12.4.7v12.4.7 | GitLab Release Tools Bot | |
2020-01-02 | Update CHANGELOG.md for 12.4.7 | GitLab Release Tools Bot | |
[ci skip] | |||
2019-12-31 | Add latest changes from gitlab-org/security/gitlab@12-4-stable-ee | GitLab Bot | |
2019-12-16 | Add latest changes from gitlab-org/gitlab@12-4-stable-ee | GitLab Bot | |
2019-12-10 | Merge remote-tracking branch 'dev/12-4-stable' into 12-4-stable | GitLab Release Tools Bot | |
2019-12-09 | Update VERSION to 12.4.6v12.4.6 | GitLab Release Tools Bot | |
2019-12-09 | Update CHANGELOG.md for 12.4.6 | GitLab Release Tools Bot | |
[ci skip] | |||
2019-12-09 | Merge branch 'security-37766-transfer-group-reindex-ce-12-4' into '12-4-stable' | Alessio Caiazza | |
Trigger Elasticsearch indexing when public group moved to private See merge request gitlab/gitlabhq!3578 | |||
2019-12-06 | Trigger Elasticsearch indexing when public group moved to private | Dylan Griffith | |
This fixes https://gitlab.com/gitlab-org/gitlab/issues/37766 which is caused by the fact that we leave the stale permissions data in the index after a group is moved to another group. | |||
2019-12-06 | Add latest changes from gitlab-org/gitlab@12-4-stable-ee | GitLab Bot | |
2019-11-27 | Merge remote-tracking branch 'dev/12-4-stable' into 12-4-stable | GitLab Release Tools Bot | |
2019-11-27 | Update VERSION to 12.4.5v12.4.5 | GitLab Release Tools Bot | |
2019-11-27 | Update CHANGELOG.md for 12.4.5 | GitLab Release Tools Bot | |
[ci skip] | |||
2019-11-27 | Merge remote-tracking branch 'dev/12-4-stable' into 12-4-stable | GitLab Release Tools Bot | |
2019-11-27 | Update VERSION to 12.4.4v12.4.4 | GitLab Release Tools Bot | |
2019-11-27 | Update CHANGELOG.md for 12.4.4 | GitLab Release Tools Bot | |
[ci skip] | |||
2019-11-26 | Merge branch 'security-dos-issue-and-commit-comments-12-4' into '12-4-stable' | GitLab Release Tools Bot | |
Fix invalid byte sequence See merge request gitlab/gitlabhq!3548 | |||
2019-11-26 | Merge branch 'security-29660-update-dependencies-12-4' into '12-4-stable' | GitLab Release Tools Bot | |
Update Workhorse and Gitaly to fix a security issue See merge request gitlab/gitlabhq!3500 | |||
2019-11-26 | Merge branch 'security-dns-rebind-ssrf-in-slack-notifications-12-4-ce' into ↵ | GitLab Release Tools Bot | |
'12-4-stable' Use Gitlab::HTTP for all chat notifications See merge request gitlab/gitlabhq!3516 | |||
2019-11-26 | Merge branch 'security-33712-ce-12-4' into '12-4-stable' | GitLab Release Tools Bot | |
Fix private comment Elasticsearch leak See merge request gitlab/gitlabhq!3524 | |||
2019-11-26 | Merge branch 'security-aws-secret-key-2937-ce-12-4' into '12-4-stable' | GitLab Release Tools Bot | |
Hide AWS secret on Admin Integration page See merge request gitlab/gitlabhq!3526 | |||
2019-11-26 | Hide AWS secret on Admin Integration page | Justin Ho Tuan Duong | |
2019-11-26 | Merge branch 'security-ag-cycle-analytics-guest-permissions-12-4' into ↵ | GitLab Release Tools Bot | |
'12-4-stable' Prevent guests from seeing commits for cycle analytics See merge request gitlab/gitlabhq!3533 | |||
2019-11-26 | Merge branch 'security-filter-related-branches-from-activity-feed-12.4' into ↵ | GitLab Release Tools Bot | |
'12-4-stable' Related Branches Visible to Guests in Issue Activity See merge request gitlab/gitlabhq!3539 | |||
2019-11-26 | Merge branch 'security-2943-encrypt-plaintext-tokens-12-4' into '12-4-stable' | GitLab Release Tools Bot | |
GitLab stores AWS, Slack, Askimet, reCaptcha tokens in plaintext See merge request gitlab/gitlabhq!3542 | |||
2019-11-26 | Merge branch 'security-fix-xss-in-label-namespace-12-4' into '12-4-stable' | GitLab Release Tools Bot | |
Escape namespace in label references See merge request gitlab/gitlabhq!3551 | |||
2019-11-26 | Merge branch 'security-28802-respect-fork-parent-visibility-12-4' into ↵ | GitLab Release Tools Bot | |
'12-4-stable' Check permissions before showing a forked project's source See merge request gitlab/gitlabhq!3556 | |||
2019-11-26 | Merge branch 'security-exclude_ids_attribute_cleaning-12-4-ce' into ↵ | GitLab Release Tools Bot | |
'12-4-stable' Ensure attributes that end in `_ids` are cleaned See merge request gitlab/gitlabhq!3559 | |||
2019-11-26 | Spec to ensure `_ids` are cleaned by ImportExport::AttributeCleaner | Imre Farkas | |
2019-11-26 | Ensure attributes that end in `_ids` are cleaned | DJ Mountney | |
This prevents an issue where you can steal other projects objects by asking for ids that don't belong to you in import. | |||
2019-11-26 | Add latest changes from gitlab-org/gitlab@12-4-stable-ee | GitLab Bot | |
2019-11-25 | Check permissions before showing a forked project's source | Nick Thomas | |
2019-11-25 | Encrypt application settings with pre and post deployments | Arturo Herrero | |
We had concerns about the cached values on Redis with the previous two releases strategy: First release (this commit): - Create new encrypted fields in the database. - Start populating new encrypted fields, read the encrypted fields or fallback to the plaintext fields. - Backfill the data removing the plaintext fields to the encrypted fields. Second release: - Remove the virtual attribute (created in step 2). - Drop plaintext columns from the database (empty columns after step 3). We end up with a better strategy only using migration scripts in one release: - Pre-deployment migration: Add columns required for storing encrypted values. - Pre-deployment migration: Store the encrypted values in the new columns. - Post-deployment migration: Remove the old unencrypted columns | |||
2019-11-25 | Escape namespace in label references | Heinrich Lee Yu | |
When referencing cross-namespace labels, we append the namespace name to the rendered label. This MR escapes the name to prevent XSS attacks. | |||
2019-11-22 | Fix invalid byte sequence | Patrick Derichs | |
2019-11-21 | Encrypt application setting tokens | Arturo Herrero | |
This is the plan to encrypt the plaintext tokens: First release (this commit): 1. Create new encrypted fields in the database. 2. Start populating new encrypted fields, read the encrypted fields or fallback to the plaintext fields. 3. Backfill the data removing the plaintext fields to the encrypted fields. Second release: 4. Remove the virtual attribute (created in step 2). 5. Drop plaintext columns from the database (empty columns after step 3). | |||
2019-11-20 | Restrict branches visible to guests in Issue feed | Kerri Miller | |
Notes related to branch creation should not be shown in an issue's activity feed when the user doesn't have access to :download_code. | |||
2019-11-20 | Ensure that summary items remain aligned | Brandon Labuschagne | |
Default number of items is 3. If this is not the case, then increase the column width of the summary items to cater for 2 items plus the date filter. | |||
2019-11-20 | Prevent guests from seeing commits for cycle analytics | Aakriti Gupta | |
- if the user has access level lower than REPORTER, don't include commit count in summary | |||
2019-11-20 | Update Workhorse and Gitaly to fix a security issue | Nick Thomas | |
2019-11-18 | Update VERSION to 12.4.3v12.4.3refs/environments/review-v12-4-3-8a3gii/deployments/163428 | GitLab Release Tools Bot | |
2019-11-18 | Update CHANGELOG.md for 12.4.3 | GitLab Release Tools Bot | |
[ci skip] | |||
2019-11-15 | Add search_helpers changes from security-33712 | Dylan Griffith | |
2019-11-15 | Fix group created from other test from polluting | Mark Chao | |
2019-11-15 | Test admin for search accessibility | Mark Chao | |
Disabled features are ignored as they are grey areas | |||
2019-11-15 | Internalize private project minimum access level | Mark Chao | |
Some feature allows GUEST to access only if project is not private. This method returns access level when targeting private projects. |