| Age | Commit message (Collapse) | Author |
|---|
|
Upgrade Rails to 4.2.7.1 for security fixes.
Upgrades Rails from 4.2.7 to 4.2.7.1 for security fixes.
For more information: http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-have-been-released/
This should be backported to all currently-supported releases.
See merge request !5781
|
|
Update RedCloth to 4.3.2 for CVE-2012-6684
## What does this MR do?
To fix XSS (CVE-2012-6684), upgrade RedCloth to 4.3.2.
## Are there points in the code the reviewer needs to double check?
No.
## Why was this MR needed?
Security vulnerability in RedCloth (CVE-2012-6684) should be fixed to provide GitLab as a secure software.
## What are the relevant issue numbers?
Closes #19169
cf. !2037, !2071
## Does this MR meet the acceptance criteria?
- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [n/a] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [n/a] API support added
- Tests
- [n/a] Added for this feature/bug
- [x] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
See merge request !4929
(cherry picked from commit 95336861e97eb72fba8c3034deb2b9b61c9ec961)
|
|
Update omniauth-saml to 1.6.0 to address a security vulnerability in ruby-saml
## What does this MR do?
Updates `omniauth-saml` to bring in the new `ruby-saml` dependency that addresses [CVE-2016-5697](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5697)
Fixes #19206
See merge request !4951
|
|
Update mail_room to 0.8.0 to resolve #13357
Update mail_room to 0.8.0 to resolve #13357
Which includes the fix from:
https://github.com/tpitale/mail_room/pull/73
See merge request !4835
|
|
Update browser gem to 2.2.0
A user with a certain browser would hit an Error 500:
```
ArgumentError: invalid value for Float(): "0."
from browser/accept_language.rb:45:in `Float'
from browser/accept_language.rb:45:in `quality'
from browser/accept_language.rb:15:in `each'
from browser/accept_language.rb:15:in `sort_by'
from browser/accept_language.rb:15:in `parse'
from browser/base.rb:13:in `initialize'
from browser.rb:125:in `new'
from browser.rb:125:in `block in new'
from browser.rb:125:in `map'
from browser.rb:125:in `new'
from browser/action_controller.rb:15:in `browser'
from abstract_controller/helpers.rb:67:in `browser'
from app/views/layouts/_head.html.haml:38:in `_app_views_layouts__head_html_haml__1626593241142487258_59224880'
```
The root cause when the `Accept-Language` header would contain a float for the quality value (e.g. en-GB,en;q=0.v5).
Fixes https://github.com/fnando/browser/issues/241
Seen today via Sentry: https://sentry.gitlap.com/gitlab/gitlabcom/issues/7644/
See merge request !4811
|
|
Export project functionality
This is a MR for the export functionality of https://gitlab.com/gitlab-org/gitlab-ce/issues/3050, which adds the ability to export single projects.
- [x] members
- DB data
- [x] issues
- [x] issue comments
- [x] merge requests
- [x] merge request diff
- [x] merge request comments
- [x] labels
- [x] milestones
- [x] snippets
- [x] releases
- [x] events
- [x] commit statuses
- [x] CI builds
- File system data
- [x] Git repository
- [x] wiki
- [x] uploads
- [ ] ~~CI build traces~~
- [ ] ~~CI build artifacts~~
- [ ] ~~LFS objects~~
- DB configuration
- [x] services
- [x] web hooks
- [x] protected branches
- [x] deploy keys
- [x] CI variables
- [x] CI triggers
See merge request !3114
|
|
Use gitlab-git 10.2.0
Closes #18741
See merge request !4722
|
|
Replace raphael-rails with raphael.js and split it from the rest of the JS
## What does this MR do?
Removes raphael.js and its related libraries from the default JS bundle.
It also removes raphael-rails because the gem is unmaintained and – for whatever reason – didn't want to cooperate with the way I was trying to require it.
This brings the default (compressed and minified) application.js from 354KB after the d3 MR (!4394) down to 324KB.
## Are there points in the code the reviewer needs to double check?
That tests pass and that there aren't errors on any pages (especially the Network page).
## Why was this MR needed?
It's only used on the Network page and was using way too much bandwidth for just one page.
## What are the relevant issue numbers?
#14372 #13165
Follow-up to !4394 and !4516.
cc: @jschatz1
See merge request !4519
|
|
|
|
|
|
Removes a few dependencies.
Changelog: https://github.com/presidentbeef/brakeman/blob/master/CHANGES
|
|
Add fog-azure to supported backup list
!4396 left out Azure by accident.
See merge request !4444
|
|
|
|
Closes #18210
|
|
|
|
# Conflicts:
# .gitlab-ci.yml
|
|
License finder gem
Every time a gem is added to the Gemfile, or a gem is updated with a new dependency or change of license, LicenseFinder will check to ensure that the license in use has been whitelisted for use in the project. GPLv2 and GPLv3 libraries are not allowed to be linked-to from non-GPL projects (e.g. the MIT-licensed GitLab CE or proprietary EE), otherwise we're violating the license.
https://github.com/pivotal/LicenseFinder
See also: gitlab-com/operations#164
See merge request !3775
|
|
|
|
In order to rehost all our gems in our own gem host, we need to have the legal rights to do so for every gem should they be taken down from RubyGems. License Finder automates checking of gems to ensure that we're in the clear legally.
Approved the MIT License because it essentially allows us to do "whatever" with those gems.
I am not a lawyer.
https://github.com/pivotal/LicenseFinder
|
|
- Need the `mobile?` detection (that the new version provides) for the
U2F registration/ authentication flow
|
|
- To hold registrations from U2F devices, and to authenticate them.
- Previously, `User#two_factor_enabled` was aliased to the
`otp_required_for_login` column on `users`.
- This commit changes things a bit:
- `User#two_factor_enabled` is not a method anymore
- `User#two_factor_enabled?` checks both the
`otp_required_for_login` column, as well as `U2fRegistration`s
- Change all instances of `User#two_factor_enabled` to
`User#two_factor_enabled?`
- Add the `u2f` gem, and implement registration/authentication at the
model level.
|
|
Colorize is a gem licensed under the GPLv2, so we can’t use it in GitLab without relicensing GitLab under the terms of the GPL. Rainbow is licensed under the MIT license and does the exact same thing as Colorize, so Rainbow was added in place of Colorize.
The syntax is slightly different for Rainbow vs. Colorize, and was updated in accordance.
The gem is still a dependency of Spinach, so it’s included in the development/test environments, but won’t be packaged with the actual product, and therefore doesn’t require we relicense the product.
An attempt at relicensing Colorize was made, but didn’t succeed as the library owner never responded.
Rainbow library: https://github.com/sickill/rainbow
Relevant issue regarding licensing in GitLab's gems: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/3775
|
|
|
|
|
|
|
|
Reduce number of fog gem dependencies
Currently supported:
* AWS
* Azure
* OpenStack
* Google
* local storage
Closes #15352
See merge request !4396
|
|
Upgrade devise, devise-two-factor, and attr_encrypted
Devise 4 includes support for Rails 5, working towards #14286. devise-async doesn't support Devise 4.0 and in 4.1 the bug that was blocking using Devise's built-in ActiveJob integration was fixed. So devise-async is removed. devise-two-factor 3.0.0 is required for Devise 4 support.
attr_encrypted and encryptor are optional but recommended upgrades for devise-two-factor 3.0.0. The mode and algorithm will need to be changed in order to update to attr_encrypted 4.x in the future.
See merge request !4216
|
|
Closes #15352
|
|
Changelog: https://github.com/amatsuda/kaminari/blob/master/CHANGELOG.rdoc#0170
Deprecates num_pages in favor of total_pages and includes Rails 5 support.
|
|
attr_encrypted (1.3.4 => 3.0.1) Changelog:
https://github.com/attr-encrypted/attr_encrypted/blob/master/CHANGELOG.m
d
attr_encrypted 2.x included a vulnerability, so that major version is
skipped. 3.x requires that the algorithm and mode used by each
encrypted attribute is specified explicitly.
`nil` is no longer a valid value for the encrypted_value_iv field, so
it’s changed to a randomly generated string.
|
|
Devise (3.5.4 => 4.1.1) Changelog:
https://github.com/plataformatec/devise/blob/master/CHANGELOG.md
devise-two-factor (2.0.1 => 3.0.0) Changelog:
https://github.com/tinfoil/devise-two-factor/blob/master/CHANGELOG.md
These are reliant on each other, so they have to be upgraded together.
devise-async is no longer necessary as Devise 4.1 fixes a bug with the
ActiveJob integration.
|
|
POC: Updated contrib calendar
In an effort to cut down the JS file size - i've removed the heatmap calendar used for the contributing calendar on users profiles. We already have d3 on the page so why not use it instead of using a library which uses it?
cc. @jschatz1
See merge request !3944
|
|
No changelog, see commits: https://github.com/state-machines/state_machines-activerecord/commits/master
Includes Rails 5 support.
|
|
Almost all cops are starting as disabled until we can fix their
violations.
|
|
|
|
Changelog: https://github.com/rails/activerecord-session_store/releases/tag/v1.0.0
Includes Rails 5 support.
|
|
|
|
# Conflicts:
# config/initializers/1_settings.rb
|
|
Remove activerecord-deprecated_finders gem
We don’t use any of the deprecated finders, so it should be safe to remove.
See https://github.com/rails/activerecord-deprecated_finders#active-record-deprecated-finders for more information.
Resolves #17015.
See merge request !3981
|
|
# Conflicts:
# db/schema.rb
|
|
We don’t use any of the deprecated finders, so it should be safe to
remove.
Resolves #17015.
|
|
Instead the script is now included directly from the vendor directory.
Resolves #17166.
|
|
|
|
|
|
|
|
In 8278b763d96ef10c6494409b18b7eb541463af29 the default behaviour of annotation
has changes, which was causing a lot of noise in diffs. We decided in #17382
that it is better to get rid of the whole annotate gem, and instead let people
look at schema.rb for the columns in a table.
Fixes: #17382
|
|
|
|
Revert "Remove the Devise Async gem."
This reverts commit 1cc614f2bdd30b4fce35ee9e680f9272b9012978.
It was causing the ActiveJob integration to fail, so unfortunately we'll have to add the gem again.
Resolves #17250.
See merge request !4027
|
|
This reverts commit 1cc614f2bdd30b4fce35ee9e680f9272b9012978.
It was causing the ActiveJob integration to fail, so unfortunately we'll have to add the gem again.
|
|
|
