gitlab.com/gitlab-org/gitlab-foss.git

Age | Commit message | Author
2019-08-01 | Fix broken internal links in docs [fix-docs-lint-12-0] | Sean McGivern
2019-07-25 | Update VERSION to 12.0.4 [v12.0.4] | GitLab Release Tools Bot
2019-07-25 | Update CHANGELOG.md for 12.0.4 | GitLab Release Tools Bot
[ci skip]
2019-07-24 | Merge branch 'security-fix-badges-leaked-to-unauthorized-users-12-0' into '12-0-stable' | GitLab Release Tools Bot
Don't display badges when builds are restricted See merge request gitlab/gitlabhq!3185
2019-07-24 | Merge branch 'security-github-ssrf-redirect-12-0' into '12-0-stable' | GitLab Release Tools Bot
Do not allow localhost url redirection in GitHub Integration See merge request gitlab/gitlabhq!3206
2019-07-24 | Merge branch 'security-dns-ssrf-bypass-12-0' into '12-0-stable' | GitLab Release Tools Bot
Server Side Request Forgery mitigation bypass See merge request gitlab/gitlabhq!3213
2019-07-24 | Merge branch 'security-mr-pipeline-permissions-12-0' into '12-0-stable' | GitLab Release Tools Bot
MR pipeline permissions See merge request gitlab/gitlabhq!3216
2019-07-24 | Merge branch 'security-60143-patch-additional-xss-issue-12.0' into '12-0-stable' | GitLab Release Tools Bot
Extract SanitizeNodeLink and apply to WikiLinkFilter See merge request gitlab/gitlabhq!3222
2019-07-24 | Merge branch 'security-remove-take-trigger-ownership-feature-12-0' into '12-0-stable' | GitLab Release Tools Bot
Drop feature to take ownership of a trigger token See merge request gitlab/gitlabhq!3227
2019-07-24 | Merge branch 'security-2873-restrict-slash-commands-to-users-who-can-log-in-12-0' into '12-0-stable' | GitLab Release Tools Bot
Restrict slash commands to users who can log in See merge request gitlab/gitlabhq!3238
2019-07-24 | Merge branch 'security-bvl-filter-mr-params-12-0' into '12-0-stable' | GitLab Release Tools Bot
Filter params in MR build service See merge request gitlab/gitlabhq!3254
2019-07-24 | Merge branch 'security-hide_moved_issue_id-12-0' into '12-0-stable' | GitLab Release Tools Bot
Do not show moved issue ids for user not authorized See merge request gitlab/gitlabhq!3260
2019-07-17 | Filter params in MR build service | Bob Van Landuyt
Reusing the existing `IssuableBaseService#filter_params` which uses the policies to determine what params a user can set, and which values it can be set to. This also removed the need for the separate call to `IssuableBaseService#ensure_milestone_available`. The `Issues::BuildService` does not suffer from this because it limits the params that are assignable to the `title`, `description` and `milestone_id`.
2019-07-17 | Drop feature to take ownership of a trigger token | Fabio Pitino
Removing API and frontend interactions that allowed users to take ownership of a trigger token. Removed mentions from the documentation.
2019-07-16 | Merge branch 'sh-fix-appearance-spec-failure' into 'master' | Douglas Barbosa Alexandre
Fix order-dependent spec failure in appearance_spec.rb Closes #64083 See merge request gitlab-org/gitlab-ce!30323
2019-07-15 | Do not show moved issue ids for user not authorized | Felipe Artur
Do not show moved issue id for users that cannot read issue
2019-07-12 | Restrict slash commands to users who can log in | Hordur Freyr Yngvason
2019-07-09 | Do not allow localhost url redirection in GitHub Integration | manojmj
2019-07-08 | Extract SanitizeNodeLink and apply to WikiLinkFilter | Kerri Miller
The SanitizationFilter was running before the WikiFilter. Since WikiFilter can modify links, we could see links that _should_ be stopped by SanitizationFilter being rendered on the page. I (kerrizor) had previously addressed the bug in: https://gitlab.com/gitlab-org/gitlab-ee/commit/7bc971915bbeadb950bb0e1f13510bf3038229a4
However, an additional exploit was discovered after that was merged. Working through the issue, we couldn't simply shuffle the order of filters, due to some implicit assumptions about the order of filters, so instead we've extracted the logic that sanitizes a Nokogiri-generated Node object, and applied it to the WikiLinkFilter as well.
On moving filters around: Once we start moving around filters, we get cascading failures; fix one, another one crops up. Many of the existing filters in the WikiPipeline chain seem to assume that other filters have already done their work, and thus operate on a "transform anything that's left" basis; WikiFilter, for instance, assumes any link it finds in the markdown should be prepended with the wiki_base_path.. but if it does that, it also turns `href="@user"` into `href="/path/to/wiki/@user"`, which the UserReferenceFilter doesn't see as a user reference it needs to transform into a user profile link. This is true for all the reference filters in the WikiPipeline.
2019-07-05 | Use MergeRequest#source_project as permissions reference for MergeRequest#all_pipelines | drew cimino
MergeRequest#all_pipelines fetches Ci::Pipeline records from the source project, so we should specifically check that project for permissions. This was already happening for intra-project merge requests, but in the event that the target and source projects both have private builds, we should ensure that the project permissions are respected.
2019-07-04 | Fix Server Side Request Forgery mitigation bypass | Francisco Javier López
When we can't resolve the hostname or it is invalid, we shouldn't even perform the request. This fix also fixes the problem of the SSRF rebinding attack. We can't stub feature flags outside example blocks. Nevertheless, there are some actions that call the UrlBlocker, that are performed outside example blocks, i.e.: `set` instruction. That's why we have to use some signaling mechanism outside the scope of the specs.
2019-07-01 | Update CHANGELOG.md for 12.0.3 [v12.0.3] | GitLab Release Tools Bot
[ci skip]
2019-07-01 | Merge branch 'security-support-object-storage-at-file-mover-12-0' into '12-0-stable' | Marin Jankovski
Support object storage at FileMover class See merge request gitlab/gitlabhq!3195
2019-07-01 | Support object storage at FileMover class | Oswaldo Ferreira
2019-06-27 | Update VERSION to 12.0.3 | GitLab Release Tools Bot
2019-06-27 | Update CHANGELOG.md for 12.0.3 | GitLab Release Tools Bot
[ci skip]
2019-06-27 | Don't display badges when builds are restricted | Fabio Pitino
Badges were leaked to unauthorized users even when Public Builds project setting is disabled. Added guard clause to the controller to check if user can read build.
2019-06-27 | Merge branch 'security-notes-in-private-snippets-12-0' into '12-0-stable' | GitLab Release Tools Bot
Ability to write a note in a private snippet See merge request gitlab/gitlabhq!3142
2019-06-27 | Merge branch 'security-fp-prevent-billion-laughs-attack-12-0' into '12-0-stable' | GitLab Release Tools Bot
Prevent Billion Laughs attack See merge request gitlab/gitlabhq!3146
2019-06-27 | Merge branch 'security-12-0-mr-head-pipeline-leak' into '12-0-stable' | GitLab Release Tools Bot
Fix MR head pipeline leak See merge request gitlab/gitlabhq!3154
2019-06-27 | Merge branch 'security-prevent-detection-of-merge-request-template-name-12-0' into '12-0-stable' | GitLab Release Tools Bot
Guests can know whether merge request template name exists or not See merge request gitlab/gitlabhq!3161
2019-06-27 | Merge branch 'security-persist-tmp-snippet-uploads-12-0' into '12-0-stable' | GitLab Release Tools Bot
Persist tmp snippet uploads at users See merge request gitlab/gitlabhq!3162
2019-06-27 | Merge branch 'security-59581-related-merge-requests-count-12-0' into '12-0-stable' | GitLab Release Tools Bot
Expose merge requests count based on user access See merge request gitlab/gitlabhq!3167
2019-06-27 | Merge branch 'security-DOS_issue_comments_banzai-12-0' into '12-0-stable' | GitLab Release Tools Bot
Fix DOS when rendering issue/MR comments See merge request gitlab/gitlabhq!3171
2019-06-27 | Merge branch 'security-bvl-enforce-graphql-type-authorization-12-0' into '12-0-stable' | GitLab Release Tools Bot
Fix type authorizations in GraphQL See merge request gitlab/gitlabhq!3172
2019-06-27 | Merge branch 'security-2858-fix-color-validation-12-0' into '12-0-stable' | GitLab Release Tools Bot
Fix color validation regex causing DoS See merge request gitlab/gitlabhq!3176
2019-06-27 | Merge branch 'security-fix-issue-59379-12-0' into '12-0-stable' | GitLab Release Tools Bot
Disable Rails SQL query cache when applying service templates See merge request gitlab/gitlabhq!3179
2019-06-26 | Merge branch '12-0-stable-backport-deploy-board-doc' into '12-0-stable' | Marin Jankovski
[Backport] Add how to migrate deployments for deploy boards See merge request gitlab-org/gitlab-ce!30059
2019-06-26 | Disable Rails SQL query cache when applying service templates | Stan Hu
When the SQL query cache is active, the SELECT query for finding projects to apply service templates returns the same values. This causes an infinite loop because even though bulk INSERT queries are made, the cached results never reflect that progress. To fix this, we call `Project.uncached` around the query to ensure new data is retrieved. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/63595
2019-06-26 | Add how to migrate deployments for deploy boards | Thong Kuah
2019-06-25 | Update VERSION to 12.0.2 [v12.0.2] | GitLab Release Tools Bot
2019-06-25 | Update CHANGELOG.md for 12.0.2 | GitLab Release Tools Bot
[ci skip]
2019-06-25 | Merge branch '12-0-stable-patch-2' into '12-0-stable' | Robert Speicher
Prepare 12.0.2 release See merge request gitlab-org/gitlab-ce!30045
2019-06-25 | Merge branch 'sh-quiet-backup-secrets-log' into 'master' | Rémy Coutable
Silence backup warnings when CRON=1 in use Closes #63703 See merge request gitlab-org/gitlab-ce!30033 (cherry picked from commit d6c7d4c48db51fdc3eb479e53d40ce4358695218) ad3abd1d Silence backup warnings when CRON=1 in use
2019-06-25 | Merge branch 'sh-recover-ee-schema-backport-migration-failure' into 'master' | Rémy Coutable
Prevent EE backport migrations from running if CE is not migrated Closes #63612 See merge request gitlab-org/gitlab-ce!30002 (cherry picked from commit 34df0b303eed0cee83d8c0ec6178d3c575a0b555) 1b063778 Prevent EE backport migrations from running if CE is not migrated
2019-06-25 | Merge branch 'docs/variables-doc-introduced-text' into 'master' | Achilleas Pipinellis
Refactor and add version text to variable syntax See merge request gitlab-org/gitlab-ce!29964 (cherry picked from commit 4ec1720fdbf6b4fb4ae5dc91bc0f5974717e6caf) 7d93954e Refactor and add version text to variable syntax
2019-06-25 | Merge branch 'docs/deps-gemansium' into 'master' | Mike Lewis
Remove Gemnasium dead link from docs See merge request gitlab-org/gitlab-ce!29942 (cherry picked from commit 76f49de4e772c4101bcb8df801ad9b7a78adcea7) a84a7233 Remove Gemnasium dead link from docs
2019-06-25 | Merge branch '63513-ensure-gitlab-jsoncache-includes-the-gitlab-version-in-the-cache-key' into 'master' | Stan Hu
Include the GitLab version in the cache key for Gitlab::JsonCache See merge request gitlab-org/gitlab-ce!29938 (cherry picked from commit c6f54ab12b5b276dadda0639ea647e9a2b4c1781) 94d9e335 Include the GitLab version in the cache key for Gitlab::JsonCache 1b7e7dde Add CHANGELOG entry
2019-06-25 | Merge branch 'sh-omit-issues-links-on-poll' into 'master' | Mayra Cabrera
Omit issues links in merge request entity API response Closes #63546 See merge request gitlab-org/gitlab-ce!29917 (cherry picked from commit f47e4d025247509ab73e16c3db248b0f9ccb662c) 1b7ab11f Omit issues links in merge request entity API response
2019-06-25 | Merge branch 'fix-notes-emails-with-group-settings' into 'master' | Douwe Maan
Fix notes email with group-level notification email Closes #63355 See merge request gitlab-org/gitlab-ce!29889 (cherry picked from commit 480eb370a477c3a230cec1ff43a71066ab5be6f9) bf73ecd7 Fix notes email with group-level notification email 8eb2d7bb Apply suggestion to spec/support/helpers/email_helpers.rb