Age | Commit message | Author |
|
|
|
Prevent disclosure of merge request id via email
See merge request gitlab/gitlabhq!3351
|
|
Send TODOs for comments on commits correctly
See merge request gitlab/gitlabhq!3366
|
|
Add method to store session ids by ip
Add new specs for storing session ids
Add cleaning up records after login
Add retrieving anonymous sessions
Add login recaptcha setting
Add new setting to sessions controller
Add conditions for showing captcha
Add sessions controller specs
Add admin settings specs for login protection
Add new settings to api
Add stub to devise spec
Add new translation key
Add cr remarks
Rename class call
Add cr remarks
Change if-clause for consistency
Add cr remarks
Add code review remarks
Refactor AnonymousSession class
Add changelog entry
Move AnonymousSession class to lib
Move store unauthenticated sessions to sessions controller
Move link to recaptcha info
Regenerate text file
Improve copy on the spam page
Change action filter for storing anonymous sessions
Fix rubocop offences
Add code review remarks
Fix schema
Update schema version
|
|
Use image proxy to mitigate stealing ip addresses
See merge request gitlab/gitlabhq!3231
|
|
Limit the size of issuable description and comments
See merge request gitlab/gitlabhq!3271
|
|
Permission fix for MergeRequestsController#pipeline_status
See merge request gitlab/gitlabhq!3278
|
|
Enforce max chars and max render time in markdown math
See merge request gitlab/gitlabhq!3287
|
|
into '12-1-stable'
Fix HTML injection for label description
See merge request gitlab/gitlabhq!3298
|
|
'12-1-stable'
Ensure only authorised users can create notes on merge requests and issues
See merge request gitlab/gitlabhq!3307
|
|
'12-1-stable'
Filter out old system notes for epics in notes api endpoint response
See merge request gitlab/gitlabhq!3310
|
|
Fix DNS rebind vulnerability for JIRA integration
See merge request gitlab/gitlabhq!3311
|
|
'12-1-stable'
Add merge note type as cross reference
See merge request gitlab/gitlabhq!3327
|
|
Project visibility restriction bypass
See merge request gitlab/gitlabhq!3331
|
|
Introduce JobActivity limit for alive jobs
See merge request gitlab/gitlabhq!3342
|
|
'12-1-stable'
Clear reset_password_tokens when login (email or username) change
See merge request gitlab/gitlabhq!3347
|
|
Restrict MergeRequests#test_reports to authenticated users with read-access on Builds
See merge request gitlab/gitlabhq!3355
|
|
Add direct upload support for personal snippets
See merge request gitlab/gitlabhq!3358
|
|
At present, the TodoService uses the `:read_project` ability to decide
whether a user can read a note on a commit. However, commits can have a
visibility level that is more restricted than the project, so this is a
security issue.
This commit changes the code to use the `:read_commit` ability in this
case instead, which ensures TODOs are only generated for commit notes
if the users can see the commit.
|
|
|
|
- Use authorize_admin_group! instead of authorize_admin_pipeline!
- Added role-based permission specs for Groups::RunnersController
|
|
Limiting the size of issuable description and comments to 1_000_000,
which is close to ~1MB of ASCII characters, which represents 99.9% of
all descriptions and comments we have in DB at the moment. This should
help prevent DoS attacks when comments contain reference strings.
Also this change updates regexp matching the namespaces paths by
limiting the namespaces paths to Namespace::NUMBER_OF_ANCESTORS_ALLOWED,
as we allow 20 levels deep groups.
see https://gitlab.com/gitlab-org/gitlab-ce/issues/61974#note_191274234
|
|
on Builds
|
|
Do not disclose merge request id via email for unauthorized users
when closing issues.
|
|
Devise checks before updating any of the authentication_keys if it
needs to clear the reset_password_tokens.
This should fix:
https://gitlab.com/gitlab-org/gitlab-ce/issues/42733 (Weak
authentication and session management)
|
|
This is a port from EE changes where
we introduce a new limit for Plan model.
https://dev.gitlab.org/gitlab/gitlab-ee/merge_requests/1182
|
|
User images and videos will get proxied through
the Camo server in order to keep malicious
sites from collecting the IP address of users.
|
|
Add Gitlab::VisibilityLevelChecker that verifies
selected project visibility level (or overridden param)
is not restricted when creating or importing a project
|
|
|
|
- Use set_pipeline_variables to filter for visible pipelines
- Mimic response of nonexistent pipeline if not found
- Provide set_pipeline_variables as a before_filter for other actions
|
|
|
|
Uses Gitlab::HTTP for JIRA requests instead of Net::HTTP.
Gitlab::HTTP comes with some built in SSRF protections.
|
|
* Prevent creating notes on inaccessible MRs
This applies the notes rules at the MR scope. Rather than adding extra
rules to the Project level policy, preventing :create_note here is
better since it only prevents creating notes on MRs.
* Prevent creating notes in inaccessible Issues
Without this policy, non-team-members are allowed to comment on issues
even when the project has the private-issues policy set. This means that
without this change, users are allowed to comment on issues that they
cannot read.
* Add CHANGELOG entry
|
|
KaTeX math will now render progressively and asynchronously. There
are upper limits on the character count of each formula, and on
cumulative render time.
|
|
|
|
Improve job log rendering performance
See merge request gitlab-org/gitlab-ce!31262
(cherry picked from commit eb2d4adf38726da62f62e850d181cedf12c64c5e)
6b45d85e Prevent empty classes in ansi2html conversion
5366c89b Fix deep DOM tree problem in ansi2html
d1f4d8c7 Improve size of rendered job trace
|
|
Add exclusive lease to mergeability check process
See merge request gitlab-org/gitlab-ce!31082
(cherry picked from commit c017dc578dc78729050792d22b449ce0529479cf)
f4cd926c Add exclusive lease to mergeability check process
|
|
|
|
Fix pdf.js rendering pages in the wrong order
Closes #64467
See merge request gitlab-org/gitlab-ce!31222
(cherry picked from commit f039d592aa6203502be487801777167e433ad9d2)
6d3b203d Fix pdf.js rendering pages in the wrong order
5246626d Simplify pdf.js logic
|
|
Fix error rendering submodules in MR diffs when there is no .gitmodules
See merge request gitlab-org/gitlab-ce!31162
(cherry picked from commit 55f99e930e1c147ec191a234ff4881ea7e70ea61)
cfef1e8e Fix error rendering submodules in MR diffs when there is no .gitmodules
|
|
Optimise import performance
Closes #64924
See merge request gitlab-org/gitlab-ce!31045
(cherry picked from commit 0d538e44aff066372ecd9d10ac6786681bc347c9)
8d1e97fc Optimise import performance
|
|
Ensure SubmoduleHelper works outside view context
Closes #64833
See merge request gitlab-org/gitlab-ce!31005
(cherry picked from commit 8b284a51c03d6ab0634f115b38014d5a87f73d57)
26ac53b3 Ensure SubmoduleHelper works outside view context
|
|
'64870-can-t-save-pages-domain-form-with-let-s-encrypt-enabled-if-current-certificate-is-outdated' into 'master'
Resolve "Can't save pages domain form with Let's Encrypt enabled if current certificate is outdated"
Closes #64870
See merge request gitlab-org/gitlab-ce!30995
(cherry picked from commit 8073b0554fc8f7dddc250025aaf5cedd09f423cb)
9c0f4286 Validate certificate chain only if it's changed
|
|
Fix the project auto devops API
See merge request gitlab-org/gitlab-ce!30946
(cherry picked from commit a85a233ffc5a8a06de16fd2a52b3fdb039cfae5b)
74444a93 Fix the project auto devops API
|
|
'11639-improve-discovery-and-navigation-for-gitlab-package-features-ce' into 'master'
Improving packages navigation in project sidebar [CE Backport]
See merge request gitlab-org/gitlab-ce!30256
(cherry picked from commit f64868ccbd88ecd9517554c5817d077d6e12d1e0)
c1698f41 Improving packages navigation in project sidebar
|
|
MergeRequest#all_pipelines
MergeRequest#all_pipelines fetches Ci::Pipeline records from the source
project, so we should specifically check that project for permissions.
This was already happening for intra-project merge requests, but in the
event that the target and source projects both have private builds, we
should ensure that the project permissions are respected.
|
|
'12-1-stable'
Drop feature to take ownership of a trigger token
See merge request gitlab/gitlabhq!3225
|
|
Queries for Upload should be scoped by model
See merge request gitlab/gitlabhq!3234
|
|
'12-1-stable'
Don't display badges when builds are restricted
See merge request gitlab/gitlabhq!3236
|
|
Filter params in MR build service
See merge request gitlab/gitlabhq!3253
|