Age | Commit message | Author
---|---|---
2022-04-12 | Add latest changes from gitlab-org/gitlab@14-9-stable-ee | GitLab Bot
2022-03-18 | Add latest changes from gitlab-org/gitlab@14-9-stable-ee (tag: v14.9.0-rc42) | GitLab Bot
2022-02-03 | Add latest changes from gitlab-org/security/gitlab@14-7-stable-ee | GitLab Bot
2022-01-10 | Add latest changes from gitlab-org/security/gitlab@14-6-stable-ee | GitLab Bot
2021-11-18 | Add latest changes from gitlab-org/gitlab@14-5-stable-ee (tag: v14.5.0-rc42) | GitLab Bot
2021-02-01 | Add latest changes from gitlab-org/security/gitlab@13-8-stable-ee | GitLab Bot
2020-11-19 | Add latest changes from gitlab-org/gitlab@13-6-stable-ee (tag: v13.6.0-rc42) | GitLab Bot
2020-03-31 | Add latest changes from gitlab-org/gitlab@master | GitLab Bot
2020-03-16 | Add latest changes from gitlab-org/gitlab@master | GitLab Bot
2019-10-04 | Add latest changes from gitlab-org/gitlab@master | GitLab Bot
2019-09-13 | Add latest changes from gitlab-org/gitlab@master | GitLab Bot
2019-09-05 | Allow not resolvable urls when rebinding setting is disabled<br>Now, when the dns rebinding setting is disabled, we will allow urls that are not resolvable. | Francisco Javier López
2019-07-29 | Fix broken master because of security merge | Francisco Javier López
2019-07-29 | Merge branch 'master' of dev.gitlab.org:gitlab/gitlabhq | Robert Speicher
2019-07-24 | [ADD] outbound requests whitelist<br>Signed-off-by: Istvan szalai <istvan.szalai@savoirfairelinux.com> | Reuben Pereira
2019-07-15 | Fix Server Side Request Forgery mitigation bypass<br>When we can't resolve the hostname or it is invalid, we shouldn't even perform the request. This fix also fixes the problem of the SSRF rebinding attack. We can't stub feature flags outside example blocks. Nevertheless, there are some actions that call the UrlBlocker that are performed outside example blocks, i.e. the `set` instruction. That's why we have to use some signaling mechanism outside the scope of the specs. | Francisco Javier López
2019-07-12 | Don't use bang method when there is no safe method<br>https://github.com/rubocop-hq/ruby-style-guide#dangerous-method-bang | Reuben Pereira
2019-05-30 | Add DNS rebinding protection settings | Oswaldo Ferreira
2019-05-30 | Protect Gitlab::HTTP against DNS rebinding attack<br>Gitlab::HTTP now resolves the hostname only once, verifies the IP is not blocked, and then uses the same IP to perform the actual request, while passing the original hostname in the `Host` header and SSL SNI field. | Douwe Maan
2019-04-11 | Align UrlValidator to validate_url gem implementation.<br>Renamed UrlValidator to AddressableUrlValidator to avoid 'url:' naming collision with ActiveModel::Validations::UrlValidator in 'validates' statement. Make use of the options attribute of the parent class ActiveModel::EachValidator. Add more options: allow_nil, allow_blank, message. Renamed 'protocols' option to 'schemes' to match the option naming from UrlValidator. | Thong Kuah
2019-01-07 | Add table and model for error tracking settings | Reuben Pereira
2018-12-06 | Allow URLs to be validated as ascii_only<br>Restricts unicode characters and IDNA deviations which could be used in a phishing attack | James Edwards-Jones
2018-11-29 | Merge branch 'security-11-5-fix-webhook-ssrf-ipv6' into 'security-11-5'<br>[11.5] Fix SSRF in project integrations<br>See merge request gitlab/gitlabhq!2611 | Steve Azzopardi
2018-11-29 | Merge branch 'security-fj-crlf-injection' into 'master'<br>[master] Fix CRLF issue in UrlValidator<br>See merge request gitlab/gitlabhq!2627 | Cindy Pallares
2018-11-29 | Merge branch 'security-stored-xss-for-environments' into 'master'<br>[master] Stored XSS for Environments<br>Closes #2727<br>See merge request gitlab/gitlabhq!2594 | Cindy Pallares
2018-10-25 | Merge branch 'sh-block-other-localhost' into 'master'<br>Block additional localhost addresses in UrlBlocker<br>See merge request gitlab/gitlabhq!2487 | Thiago Presa
2018-10-22 | Enable frozen string for lib/gitlab/*.rb | gfyoung
2018-09-06 | Block loopback addresses in UrlBlocker<br>Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/51128 | Stan Hu
2018-08-13 | Block link-local addresses in URLBlocker<br>Closes https://gitlab.com/gitlab-com/migration/issues/766 | Stan Hu
2018-06-11 | Avoid checking the user format in every url validation | Francisco Javier López
2018-06-01 | Add validation to webhook and service URLs to ensure they are not blocked because of SSRF | Francisco Javier López
2018-04-02 | Rename allow_private_networks to allow_local_network | Douwe Maan
2018-04-02 | Make error messages even more descriptive | Douwe Maan
2018-04-02 | Raise more descriptive errors when URLs are blocked | Douwe Maan
2018-03-21 | Merge branch 'fj-15329-services-callbacks-ssrf' into 'security-10-6'<br>Server Side Request Forgery in Services and Web Hooks<br>See merge request gitlab/gitlabhq!2337 | Douwe Maan
2017-11-09 | Merge branch 'ssrf-protections-round-2' into 'security-10-1'<br>Replace SSRF resolver with Addrinfo.getaddrinfo to include alternative localhost versions<br>See merge request gitlab/gitlabhq!2219<br>(cherry picked from commit 4a1e73783d5480aa514db7b53e10c075f95580b5)<br>1bffa0c3 Replace SSRF resolver with Addrinfo.getaddrinfo to include alternative localhost versions | Douwe Maan
2017-08-10 | Merge branch 'rs-alphanumeric-ssh-params' into 'security-9-4'<br>Ensure user and hostnames begin with an alnum character in UrlBlocker<br>See merge request !2138 | James Edwards-Jones
2017-03-21 | Merge branch 'ssrf' into 'security'<br>nil check for url_blocker?<br>See merge request !2076 | Rubén Dávila
2017-03-21 | Merge branch 'ssrf' into 'security'<br>Protect server against SSRF in project import URLs<br>See merge request !2068 | Douwe Maan