Age | Commit message | Author |
|
DNS Rebind SSRF in Kubernetes Integration
See merge request gitlab/gitlabhq!3268
|
|
Use image proxy to mitigate stealing ip addresses
See merge request gitlab/gitlabhq!3333
|
|
'12-2-stable'
Require a captcha after unique failed logins from the same IP
See merge request gitlab/gitlabhq!3349
|
|
Add direct upload support for personal snippets
See merge request gitlab/gitlabhq!3359
|
|
Fix "ERR value is not an integer or out of range" errors
Closes #66449
See merge request gitlab-org/gitlab-ce!32126
(cherry picked from commit 8832aa9522476d9d244211856f4ac7fe545a0c97)
6bda359b Fix "ERR value is not an integer or out of range" errors
|
|
|
|
Add method to store session ids by ip
Add new specs for storing session ids
Add cleaning up records after login
Add retrieving anonymous sessions
Add login recaptcha setting
Add new setting to sessions controller
Add conditions for showing captcha
Add sessions controller specs
Add admin settings specs for login protection
Add new settings to api
Add stub to devise spec
Add new translation key
Add cr remarks
Rename class call
Add cr remarks
Change if-clause for consistency
Add cr remarks
Add code review remarks
Refactor AnonymousSession class
Add changelog entry
Move AnonymousSession class to lib
Move store unauthenticated sessions to sessions controller
Move link to recaptcha info
Regenerate text file
Improve copy on the spam page
Change action filter for storing anonymous sessions
Fix rubocop offences
Add code review remarks
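The sequence above (store the session ids that failed a login, keyed by IP; count them; show the captcha once the count crosses a threshold; drop the id again after a successful login), as an added example that is not GitLab's implementation. A Redis SET with an EXPIRE is what a deployment would use; here the set lives in a hash, with an injectable clock, so the example runs offline. The threshold, TTL, IPs and session ids are constructed values. The IP passed in must already be the real client address (after trusted-proxy handling of X-Forwarded-For), and a low threshold will also challenge legitimate users behind a shared NAT.

```ruby
require 'set'

# Added example; not GitLab's code. Tracks, per client IP, the distinct
# anonymous session ids that have failed a login, so a login form can
# demand a captcha once many *different* sessions from one address fail.
class AnonymousSessionTracker
  Entry = Struct.new(:ids, :expires_at)

  def initialize(threshold: 3, ttl: 24 * 60 * 60, clock: -> { Time.now })
    @threshold = threshold
    @ttl = ttl
    @clock = clock
    @store = {} # ip => Entry; stands in for one Redis SET per IP with EXPIRE
  end

  # Failed-login path: SADD the session id and refresh the expiry.
  # The same session retrying is counted once.
  def record_failed_login(ip, session_id)
    entry = live_entry(ip) || Entry.new(Set.new, nil)
    entry.ids << session_id
    entry.expires_at = @clock.call + @ttl
    @store[ip] = entry
    entry.ids.size
  end

  # SCARD: how many distinct sessions failed from this IP inside the TTL.
  def unique_failed_sessions(ip)
    entry = live_entry(ip)
    entry ? entry.ids.size : 0
  end

  # Condition the sessions controller evaluates before rendering the form.
  def captcha_required?(ip)
    unique_failed_sessions(ip) >= @threshold
  end

  # After a successful login the session is no longer anonymous: SREM it,
  # so one user's eventual success does not keep penalising the address.
  def cleanup(ip, session_id)
    entry = live_entry(ip)
    return unless entry

    entry.ids.delete(session_id)
    @store.delete(ip) if entry.ids.empty?
  end

  private

  # Emulates Redis expiry: an entry past its TTL is gone.
  def live_entry(ip)
    entry = @store[ip]
    return nil unless entry

    if entry.expires_at <= @clock.call
      @store.delete(ip)
      return nil
    end
    entry
  end
end

if $PROGRAM_NAME == __FILE__
  tracker = AnonymousSessionTracker.new(threshold: 3)
  ip = '203.0.113.7' # constructed client address
  %w[sess-a sess-a sess-b sess-c].each { |sid| tracker.record_failed_login(ip, sid) }
  puts "unique failed sessions: #{tracker.unique_failed_sessions(ip)}"
  puts "captcha required: #{tracker.captcha_required?(ip)}"
end
```

Counting distinct sessions rather than raw attempts is what distinguishes one person mistyping a password from a tool opening a fresh session per guess; the captcha decision and the cleanup both read through `live_entry`, so an expired set never trips the check.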
|
|
Update qa/Dockerfile to be built from the project root context
See merge request gitlab-org/gitlab-ce!31533
(cherry picked from commit 4d4e88df01554336daf245a68653b80ca00989a5)
6aa215aa Support X_if_ee methods for QA tests
b601cfcf Update qa/Dockerfile to be built from the project root context
9a4dcd8d Update the 'build-qa-image' job to be built from project root context
|
|
|
|
Kubeclient uses rest-client. We hack into it to access the net/http object
so that we can patch it to connect to the resolved IP and set
hostname_override.
Add specs for Discord. The Discord integration also uses rest-client, so
since we patched rest-client, spec that the DNS rebinding protection
works.
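The protection described above (resolve once, validate the answer, then connect to that exact IP while keeping the hostname), as an added example that is not GitLab's patch. GitLab reaches into rest-client's Net::HTTP object and sets its own hostname_override; the stand-alone version here uses the standard library's `Net::HTTP#ipaddr=`, which opens the socket to the given IP while still sending the original hostname in the Host header and TLS SNI. The hostnames, addresses and the resolver table are constructed so the example runs offline; the blocked-range list is an assumption a deployment would extend.

```ruby
require 'ipaddr'
require 'resolv'
require 'uri'
require 'net/http'
require 'openssl'

# Added example, not GitLab's code. DNS rebinding works because a client
# resolves a name twice: once for its own check, once inside the HTTP
# library. Resolving once, checking every answer, and pinning the socket
# to that answer closes the gap.

BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
  192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

class BlockedUrlError < StandardError; end

# Constructed DNS table standing in for the real resolver.
CONSTRUCTED_DNS = {
  'kube.example.test'   => ['203.0.113.10'],
  'rebind.example.test' => ['203.0.113.10', '10.0.0.5'], # public + internal answer
  'v6loop.example.test' => ['::1']
}.freeze
CONSTRUCTED_RESOLVER = ->(host) { CONSTRUCTED_DNS.fetch(host, []) }

def internal_address?(addr)
  addr = addr.native if addr.ipv4_mapped? # ::ffff:10.0.0.5 is still 10.0.0.5
  BLOCKED_RANGES.any? { |range| range.include?(addr) }
end

# Returns the one IP string the caller must connect to. Every answer is
# checked, not just the first: a rebinding host can mix public and
# internal records and hope the client picks the wrong one.
def resolve_and_validate!(uri, resolver: ->(host) { Resolv.getaddresses(host) })
  host = uri.host.to_s
  raise BlockedUrlError, "no host in #{uri}" if host.empty?

  answers = resolver.call(host).map { |a| IPAddr.new(a) }
  raise BlockedUrlError, "#{host} does not resolve" if answers.empty?

  bad = answers.find { |a| internal_address?(a) }
  raise BlockedUrlError, "#{host} resolves to internal address #{bad}" if bad

  answers.first.to_s
end

# A Net::HTTP session whose socket goes to the validated IP while the
# hostname is kept for the Host header and for TLS SNI and certificate
# verification. Nothing is sent until #start is called.
def pinned_http(uri, ip)
  http = Net::HTTP.new(uri.host, uri.port)
  http.ipaddr = ip # Ruby >= 2.5; raises if the session already started
  http.use_ssl = (uri.scheme == 'https')
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER if http.use_ssl?
  http
end

def safe_session(url, resolver: ->(host) { Resolv.getaddresses(host) })
  uri = URI.parse(url)
  pinned_http(uri, resolve_and_validate!(uri, resolver: resolver))
end

if $PROGRAM_NAME == __FILE__
  h = safe_session('https://kube.example.test/api/v1', resolver: CONSTRUCTED_RESOLVER)
  puts "would connect to #{h.ipaddr} with Host: #{h.address}"
  begin
    safe_session('https://rebind.example.test/', resolver: CONSTRUCTED_RESOLVER)
  rescue BlockedUrlError => e
    puts "blocked: #{e.message}"
  end
end
```

The check rejects a name as soon as any of its answers is internal; accepting "the first public one" would leave the choice to whichever record the library happens to use. Redirects need the same treatment on every hop, since a 3xx to a new host is another lookup.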
|
|
User images and videos will get proxied through
the Camo server in order to keep malicious
sites from collecting the IP address of users.
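The proxying above, as an added example that is not GitLab's filter or the Camo server's code. A Camo-style proxy address is `<proxy>/<hex HMAC-SHA1 of the origin URL under a shared secret>/<origin URL hex-encoded>`; the secret lets the proxy refuse to fetch anything the application did not itself sign, so it cannot be turned into an open fetcher. The proxy host, the secret and the image URLs below are assumed values.

```ruby
require 'openssl'
require 'uri'

# Added example, not GitLab's code. Rewrites external image/video URLs in
# rendered content so the viewer's browser talks to the proxy, never to
# the third-party host that would otherwise learn the viewer's IP.
CAMO_HOST = 'https://camo.example.internal'                   # assumed
CAMO_KEY  = 'constructed-shared-secret-use-a-long-random-one' # assumed

def camo_digest(url, key)
  OpenSSL::HMAC.hexdigest('sha1', key, url)
end

def camo_url(url, host: CAMO_HOST, key: CAMO_KEY)
  "#{host}/#{camo_digest(url, key)}/#{url.unpack1('H*')}"
end

# Rewrite rule for rendered content: only absolute http(s) URLs are
# proxied; relative, data: and already-proxied URLs pass through, as do
# hosts the operator allowlists (typically the instance's own host).
def proxy_url(url, host: CAMO_HOST, key: CAMO_KEY, allowlist: [])
  return url unless url.match?(%r{\Ahttps?://}i)
  return url if url.start_with?("#{host}/")

  origin = begin
    URI.parse(url).host
  rescue URI::InvalidURIError
    nil
  end
  return url if origin && allowlist.include?(origin.downcase)

  camo_url(url, host: host, key: key)
end

# Constant-time comparison so digest checking does not leak by timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize

  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Proxy side: recover the origin URL from the request path and refuse
# anything whose digest does not verify under the shared secret.
def camo_origin(path, key: CAMO_KEY)
  parts = path.split('/').reject(&:empty?)
  return nil unless parts.size == 2

  digest, hex = parts
  return nil unless hex.match?(/\A(?:[0-9a-f]{2})+\z/i)

  url = [hex].pack('H*').force_encoding('UTF-8')
  return nil unless url.valid_encoding?

  secure_equal?(digest, camo_digest(url, key)) ? url : nil
end

if $PROGRAM_NAME == __FILE__
  proxied = proxy_url('http://images.example.org/cat.png') # constructed URL
  puts proxied
  puts camo_origin(proxied.delete_prefix(CAMO_HOST)).inspect
end
```

Hex-encoding the origin URL keeps the path free of characters a proxy or CDN might normalise away before the digest is checked; the proxy itself still needs its own outbound-address validation, since it is now the thing fetching attacker-chosen URLs.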
|
|
'47003-user-onboarding-replace-current-email-confirmation-flow-with-a-soft-email-confirmation-flow' into 'master'
Soft email confirmation flow
Closes #47003
See merge request gitlab-org/gitlab-ce!31245
|
|
Resolve "Multi selection for delete on registry page"
Closes #24705
See merge request gitlab-org/gitlab-ce!30837
|
|
Remove duplicate -/users/terms routes
See merge request gitlab-org/gitlab-ce!31812
|
|
CE-specific changes for:
https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/15129
Co-Authored-By: Alex Kalderimis <akalderimis@gitlab.com>
Co-Authored-By: Luke Duncalfe <lduncalfe@eml.cc>
|
|
'46548-open-source-alternative-to-recaptcha-for-gitlab-com-registration' into 'master'
Open source alternative to reCAPTCHA for GitLab.com registration
See merge request gitlab-org/gitlab-ce!31625
|
|
Elasticsearch versioned schema for Snippet
See merge request gitlab-org/gitlab-ce!31465
|
|
|
|
|
|
Remove concerns from eager load paths
See merge request gitlab-org/gitlab-ce!31649
|
|
'63942-remove-config-action_dispatch-use_authenticated_cookie_encryption-configuration' into 'master'
Remove `config.action_dispatch.use_authenticated_cookie_encryption` configuration
Closes #63942
See merge request gitlab-org/gitlab-ce!31463
|
|
Old cookies are still valid and are automatically
upgraded by Rails
|
|
Querying all counts for the different search results in the same request
led to timeouts, so we now only calculate the count for the *current*
search results, and request the others in separate asynchronous calls.
|
|
When we hit our app with the initial request, in `warmup`,
some metrics are already being created, as well as the corresponding files.
If we do `multiproc_file_dir` cleanup after that, we delete the files
from the dir while keeping them in memory, which leads to incorrect
behavior: the metric is being updated in memory while it is not present
in the db, and as a result it is not sent to Prometheus.
|
|
|
|
With a time threshold of 4 seconds
and firstname and lastname honeypot
input fields when signing up
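The two sign-up checks named above (a minimum fill time and honeypot fields), as an added example that is not GitLab's implementation. The field names firstname/lastname and the 4-second threshold come from the commit message; everything else is an assumption. The example goes one step further than the text: the form's render time travels in a hidden field as an HMAC-signed token, so a bot cannot simply post a backdated timestamp to satisfy the threshold.

```ruby
require 'openssl'

# Added example, not GitLab's code. Honeypot fields are hidden from humans
# by CSS, so any value in them came from an automated form filler; the
# signed render time enforces a minimum time between GET and POST.
HONEYPOT_FIELDS = %w[firstname lastname].freeze
MIN_FILL_SECONDS = 4
FORM_SECRET = 'constructed-server-side-secret' # assumed; keep it out of the client

def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize

  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Rendered into a hidden field when the form is built: "<epoch>.<hmac>".
def signed_render_time(now, secret: FORM_SECRET)
  ts = now.to_i.to_s
  "#{ts}.#{OpenSSL::HMAC.hexdigest('sha256', secret, ts)}"
end

# Returns the render epoch seconds, or nil when the token is missing,
# malformed, or was not produced with our secret.
def verify_render_time(token, secret: FORM_SECRET)
  ts, mac = token.to_s.split('.', 2)
  return nil unless ts && mac && ts.match?(/\A\d+\z/)

  secure_equal?(mac, OpenSSL::HMAC.hexdigest('sha256', secret, ts)) ? ts.to_i : nil
end

# params is the posted form as a string-keyed hash (what a Rails
# controller sees). Returns nil to accept, or a symbol naming the reason
# for rejection, which is what you want to log for later tuning.
def signup_rejection(params, now:, secret: FORM_SECRET)
  return :honeypot if HONEYPOT_FIELDS.any? { |f| !params[f].to_s.strip.empty? }

  rendered_at = verify_render_time(params['form_ts'], secret: secret)
  return :bad_token if rendered_at.nil?
  return :too_fast if (now.to_i - rendered_at) < MIN_FILL_SECONDS

  nil
end

def spam_signup?(params, now:, secret: FORM_SECRET)
  !signup_rejection(params, now: now, secret: secret).nil?
end

if $PROGRAM_NAME == __FILE__
  rendered = Time.now
  token = signed_render_time(rendered)
  # Constructed submissions: a bot filling every field instantly, and a
  # human posting the same form after a few seconds.
  puts signup_rejection({ 'form_ts' => token, 'firstname' => 'A', 'lastname' => 'B' }, now: rendered).inspect
  puts signup_rejection({ 'form_ts' => token }, now: rendered + 7).inspect
end
```

Both checks are cheap and silent, which is their point: a human never sees them, so they cost nothing in usability, while a form-filling bot trips at least one of them. Neither replaces a captcha for a determined attacker who scripts a real browser with a delay.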
|
|
Splits auto-refreshing of MR widget into 2 requests:
- the one which uses etag-caching and invalidates the fields on change
- the one without caching
The idea is to gradually move all the fields to etag-cached endpoint
|
|
This will help identify Sidekiq jobs that invoke an excessive number of
filesystem accesses.
The timing data is stored in `RequestStore`, but this is only active
within the middleware and is not directly accessible to the Sidekiq
logger. However, it is possible for the middleware to modify the job
hash to pass this data along to the logger.
|
|
Filter title, description, and body from logs
Closes #64460 and #60365
See merge request gitlab-org/gitlab-ce!31274
|
|
|
|
to 30 days
|
|
|
|
|
|
Add support for Content-Security-Policy
Closes #65330
See merge request gitlab-org/gitlab-ce!31402
|
|
A nonce-based Content-Security-Policy thwarts XSS attacks by allowing
inline JavaScript to execute if the script nonce matches the header
value. Rails 5.2 supports nonce-based Content-Security-Policy headers,
so provide configuration to enable this and make it work.
To support this, we need to change all `:javascript` HAML filters to the
following form:
```
= javascript_tag nonce: true do
:plain
...
```
We use `%script` throughout our HAML to store JSON and other text, but
since this doesn't execute, browsers don't appear to block this content
from being used or require the nonce value to be present.
|
|
These were disabled in production mode, but that also broke the rest of
the performance bar. As they were only enabled in development mode, we
can just remove them for now.
|
|
This is the first step in providing a fault-tolerant and distributed
Redis caching store. We disable compression to avoid introducing a
change that could have an adverse effect in production.
Note that we won't be able to take advantage of the fault-tolerance and
distributed features yet until we solve
https://gitlab.com/gitlab-org/gitlab-ce/issues/64829.
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/64794
|
|
CE Backport for gitlab-ee!14741 (Fix design management router)
See merge request gitlab-org/gitlab-ce!31090
|
|
https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/14741
|
|
This reverts merge request !31379
|
|
Support X_if_ee methods for QA tests
See merge request gitlab-org/gitlab-ce!31379
|
|
Previously, both InfluxSampler and RubySampler were relying on the
`GC::Profiler.total_time` data, which is the sum over the list
of captured GC events. Also, both samplers asynchronously called
`GC::Profiler.clear`, which led to incorrect metric data because
each sampler had the wrong assumption that it is the only object that calls
`GC::Profiler.clear` and thus could rely on the gathered results between
such calls.
We should ensure that `GC::Profiler.total_time` is called only in one
place, making it possible to rely on accumulated data between such wipes.
Also, we need to track the number of profiler reports we lost.
|
|
Introducing Docker Registry replication
|
|
For the QA tests to use the new injection methods, we must require the
initializer and ensure that the "constantize" method is available.
|
|
- After uninstalling the knative helm chart it's necessary to also
remove some leftover resources to allow the cluster to be clean
and knative to be reinstallable.
- Adds knative uninstall disclaimer
- Uninstall ksvc before uninstalling knative
Make list of Knative and Ingress resources explicit
- To avoid deleting unwanted resources we are listing exactly
which resources will be deleted rather than simply deleting any
resource that contains istio or knative words.
|
|
Use file-loader for sprite icons within icon.vue
See merge request gitlab-org/gitlab-ce!31257
|
|
|
|
This adds the methods prepend_if_ee, extend_if_ee, and include_if_ee
that can be used to inject EE specific modules in EE.
These methods are exposed as an initializer that is loaded as soon as
possible. For tests that use fast_spec_helper.rb we must load this
initializer manually, as the Rails environment is not loaded. This is
not the prettiest setup, but unfortunately there is no alternative
that we can use.
|
|
These can contain sensitive content.
|
|
1. The output isn't great. It can be hard to find hotspots and, even
when you do find them, to find why those are hotspots.
2. It uses some jQuery-specific frontend code which we can remove now
that we don't have this any more.
3. It's only possible to profile the initial request, not any subsequent
AJAX requests.
|