Age | Commit message | Author

'12-1-stable'
Check that SAML identity linking validates the origin of the request
See merge request gitlab/gitlabhq!3376

Gitlab XSS in markdown preview page
See merge request gitlab/gitlabhq!3400

'security-12717-fix-confidential-issue-assignee-visible-to-guests-12-1' into '12-1-stable'
Display only participants that the user has permission to see
See merge request gitlab/gitlabhq!3403

'12-1-stable'
Prevent Bypassing Email Verification using Salesforce
See merge request gitlab/gitlabhq!3407

Only render a fixed number of mermaid blocks
See merge request gitlab/gitlabhq!3413

'security-12718-project-milestones-disclosed-via-groups-12-1-ce' into '12-1-stable'
Hide disabled project milestones in project settings on group level
See merge request gitlab/gitlabhq!3416

Redirect user to root path after unsubscribing from private resource
See merge request gitlab/gitlabhq!3418

'security-12630-private-system-note-disclosed-in-graphql-12-1-ce' into '12-1-stable'
Add policy check if cross reference system notes are accessible
See merge request gitlab/gitlabhq!3428

Cancel all running CI jobs when user is blocked
See merge request gitlab/gitlabhq!3438

Filter not accessible label events
See merge request gitlab/gitlabhq!3442
Add argument to catch
See merge request gitlab-org/gitlab-ee!15911

Label events may use cross-project or cross-group references;
if the projects are not accessible by the user, we don't show these
label events.

This prevents a MITM attack where an attacker could
still access the Git repository if any jobs were
running long enough.

If a user unsubscribes from a resource that they no longer have
access to, the resource path should not be revealed to them; they should be
redirected to the app root instead.
https://gitlab.com/gitlab-org/gitlab-ce/issues/64938

This `ignore_column` was present for a while but recently removed, but
to ensure we don't get error 500s let's keep it for a while.

If the request wasn't initiated by GitLab we shouldn't add the new
identity to the user, and instead show that we weren't able to link
the identity to the user.
This should fix: https://gitlab.com/gitlab-org/gitlab-ce/issues/56509

Fix rubocop offences and add changelog
Add email_verified key for feature specs
Add code review remarks
Add code review remarks
Fix specs

Update mermaid to avoid XSS surface area. The newer release
restricts script tags from being embedded in mermaid blocks.
Prevent disclosure of merge request id via email
See merge request gitlab/gitlabhq!3351

Send TODOs for comments on commits correctly
See merge request gitlab/gitlabhq!3366

Add method to store session ids by IP
Add new specs for storing session ids
Add cleaning up records after login
Add retrieving anonymous sessions
Add login recaptcha setting
Add new setting to sessions controller
Add conditions for showing captcha
Add sessions controller specs
Add admin settings specs for login protection
Add new settings to api
Add stub to devise spec
Add new translation key
Add cr remarks
Rename class call
Add cr remarks
Change if-clause for consistency
Add cr remarks
Add code review remarks
Refactor AnonymousSession class
Add changelog entry
Move AnonymousSession class to lib
Move store unauthenticated sessions to sessions controller
Move link to recaptcha info
Regenerate text file
Improve copy on the spam page
Change action filter for storing anonymous sessions
Fix rubocop offences
Add code review remarks
Fix schema
Update schema version

Use image proxy to mitigate stealing IP addresses
See merge request gitlab/gitlabhq!3231

Limit the size of issuable description and comments
See merge request gitlab/gitlabhq!3271

Permission fix for MergeRequestsController#pipeline_status
See merge request gitlab/gitlabhq!3278

Enforce max chars and max render time in markdown math
See merge request gitlab/gitlabhq!3287

into '12-1-stable'
Fix HTML injection for label description
See merge request gitlab/gitlabhq!3298

'12-1-stable'
Ensure only authorised users can create notes on merge requests and issues
See merge request gitlab/gitlabhq!3307

'12-1-stable'
Filter out old system notes for epics in notes api endpoint response
See merge request gitlab/gitlabhq!3310

Fix DNS rebind vulnerability for JIRA integration
See merge request gitlab/gitlabhq!3311

'12-1-stable'
Add merge note type as cross reference
See merge request gitlab/gitlabhq!3327

Project visibility restriction bypass
See merge request gitlab/gitlabhq!3331

Introduce JobActivity limit for alive jobs
See merge request gitlab/gitlabhq!3342

'12-1-stable'
Clear reset_password_tokens when login (email or username) changes
See merge request gitlab/gitlabhq!3347

Restrict MergeRequests#test_reports to authenticated users with read-access on Builds
See merge request gitlab/gitlabhq!3355

Add direct upload support for personal snippets
See merge request gitlab/gitlabhq!3358
At present, the TodoService uses the `:read_project` ability to decide
whether a user can read a note on a commit. However, commits can have a
visibility level that is more restricted than the project, so this is a
security issue.
This commit changes the code to use the `:read_commit` ability in this
case instead, which ensures TODOs are only generated for commit notes
if the users can see the commit.

- Use authorize_admin_group! instead of authorize_admin_pipeline!
- Added role-based permission specs for Groups::RunnersController

Limiting the size of issuable description and comments to 1_000_000,
which is close to ~1MB of ASCII characters, which represents 99.9% of
all descriptions and comments we have in the DB at the moment. This should
help prevent DoS attacks when comments contain reference strings.
Also this change updates the regexp matching the namespace paths by
limiting the namespace paths to Namespace::NUMBER_OF_ANCESTORS_ALLOWED,
as we allow 20 levels deep groups.
see https://gitlab.com/gitlab-org/gitlab-ce/issues/61974#note_191274234

on Builds

Do not disclose merge request id via email for unauthorized users
when closing issues.

Devise checks before updating any of the authentication_keys if it
needs to clear the reset_password_tokens.
This should fix:
https://gitlab.com/gitlab-org/gitlab-ce/issues/42733 (Weak
authentication and session management)

This is a port from EE changes where
we introduce a new limit for the Plan model.
https://dev.gitlab.org/gitlab/gitlab-ee/merge_requests/1182

User images and videos will get proxied through
the Camo server in order to keep malicious
sites from collecting the IP address of users.

Add Gitlab::VisibilityLevelChecker that verifies
the selected project visibility level (or overridden param)
is not restricted when creating or importing a project