| Age | Commit message (Collapse) | Author |
|---|
|
Do not allow localhost url redirection in GitHub Integration
See merge request gitlab/gitlabhq!3206
|
|
Server Side Request Forgery mitigation bypass
See merge request gitlab/gitlabhq!3213
|
|
Extract SanitizeNodeLink and apply to WikiLinkFilter
See merge request gitlab/gitlabhq!3222
|
|
Removing API and frontend interactions that allowed
users to take ownership of a trigger token.
Removed mentions from the documentation.
|
|
|
|
The SanitizationFilter was running before the WikiFilter. Since
WikiFilter can modify links, we could see links that _should_ be stopped
by SanatizationFilter being rendered on the page. I (kerrizor) had
previously addressed the bug in: https://gitlab.com/gitlab-org/gitlab-ee/commit/7bc971915bbeadb950bb0e1f13510bf3038229a4
However, an additional exploit was discovered after that was merged.
Working through the issue, we couldn't simply shuffle the order of
filters, due to some implicit assumptions about the order of filters, so
instead we've extracted the logic that sanitizes a Nokogiri-generated
Node object, and applied it to the WikiLinkFilter as well.
On moving filters around:
Once we start moving around filters, we get cascading failures; fix one,
another one crops up. Many of the existing filters in the WikiPipeline
chain seem to assume that other filters have already done their work,
and thus operate on a "transform anything that's left" basis;
WikiFilter, for instance, assumes any link it finds in the markdown
should be prepended with the wiki_base_path.. but if it does that, it
also turns `href="@user"` into `href="/path/to/wiki/@user"`, which the
UserReferenceFilter doesn't see as a user reference it needs to
transform into a user profile link. This is true for all the reference
filters in the WikiPipeline.
|
|
When we can't resolve the hostname or it is invalid, we shouldn't
even perform the request. This fix also fixes the problem the
SSRF rebinding attack.
We can't stub feature flags outside example blocks. Nevertheless,
there are some actions that calls the UrlBlocker, that are performed
outside example blocks, ie: `set` instruction.
That's why we have to use some signalign mechanism outside the scope
of the specs.
|
|
Prevent Billion Laughs attack
See merge request gitlab/gitlabhq!3146
|
|
Fix MR head pipeline leak
See merge request gitlab/gitlabhq!3154
|
|
'12-0-stable'
Expose merge requests count based on user access
See merge request gitlab/gitlabhq!3167
|
|
Fix DOS when rendering issue/MR comments
See merge request gitlab/gitlabhq!3171
|
|
'12-0-stable'
Fix type authorizations in GraphQL
See merge request gitlab/gitlabhq!3172
|
|
Silence backup warnings when CRON=1 in use
Closes #63703
See merge request gitlab-org/gitlab-ce!30033
(cherry picked from commit d6c7d4c48db51fdc3eb479e53d40ce4358695218)
ad3abd1d Silence backup warnings when CRON=1 in use
|
|
'63513-ensure-gitlab-jsoncache-includes-the-gitlab-version-in-the-cache-key' into 'master'
Include the GitLab version in the cache key for Gitlab::JsonCache
See merge request gitlab-org/gitlab-ce!29938
(cherry picked from commit c6f54ab12b5b276dadda0639ea647e9a2b4c1781)
94d9e335 Include the GitLab version in the cache key for Gitlab::JsonCache
1b7e7dde Add CHANGELOG entry
|
|
'master'
Gitlab::JsonCache#parse_value ensure string
Closes #63510
See merge request gitlab-org/gitlab-ce!29885
(cherry picked from commit 788690304a495aa6c4d3e2fa163753f28fbdb82f)
03220c00 Gitlab::JsonCache#parse_value ensure string
|
|
Fix label serialisation in issue and note hooks
Closes #63473
See merge request gitlab-org/gitlab-ce!29850
(cherry picked from commit 88c8d177f835983a0a47796529906c69376d159d)
da470249 Fix label serialisation in issue and note hooks
4189ffe2 Added labels_hook_attrs method
|
|
Do not rewrite relative links for system notes
Closes #63162
See merge request gitlab-org/gitlab-ce!29825
(cherry picked from commit 51df2ca5c5a1b18155b7bba9bdc26c165533428b)
35a39c1d Do not rewrite relative links for system notes
|
|
Fix missing API notification flags for Microsoft Teams
See merge request gitlab-org/gitlab-ce!29824
(cherry picked from commit 51267258d1c39835c995eaaf29b7df678334ded1)
d5d2f8fb 59702 Fix API notification flags for MS Teams
f7658c0f 59702 Add changelog entry
1ce2c4dc Add missing test for Microsoft Teams notify_only_default_branch flag
|
|
0. Add authorize to LabelType and NamespaceType.
1. Make sure that authorizations on non-nullable fields are also
executed.
|
|
Adds missing class in collapsible sections
Closes #63417
See merge request gitlab-org/gitlab-ce!29804
(cherry picked from commit 22755a4aa2d2884629ef9050227ef461574d9d94)
d3a1468b Adds missing class
|
|
Feature flag default on catfile cache
Closes gitaly#1712
See merge request gitlab-org/gitlab-ce!29556
(cherry picked from commit 14d46afd9b3ee7482fa8be7bc6782b19e960ce45)
968674e4 Move Gitaly feature flag logic to Feature::Gitaly
4dfaaf40 Turn on Cat-File cache by default
|
|
|
|
Count issues related merge requests based on user access level. And
issue can have related MRs from projects where user does not have
access so the number of related merge requests should be adjusted
based on user's ability to access the related MRs.
https://gitlab.com/gitlab-org/gitlab-ce/issues/59581
|
|
Expose currently supported events properly on services API
Closes #56737
See merge request gitlab-org/gitlab-ce!29736
|
|
Refresh service_account_token for kubernetes_namespaces
See merge request gitlab-org/gitlab-ce!29657
|
|
Add collapsible sections to job log
See merge request gitlab-org/gitlab-ce!28642
|
|
|
|
This backports all EE schema changes to CE, including EE migrations,
ensuring both use the same schema.
== Updated tests
A spec related to ghost and support bot users had to be modified to make
it pass. The spec in question assumes that the "support_bot" column
exists when defining the spec. In the single codebase setup this is not
the case, as the column is backported in a later migration. Any attempt
to use a different schema version or use of "around" blocks to
conditionally disable specs won't help, as reverting the backport
migration would also drop the "support_bot" column. Removing the
"support_bot" tests entirely appears to be the only solution.
We also need to update some foreign key tests now that we have
backported the EE columns. Fortunately, these changes are very minor.
== Backporting migrations
This commit moves EE specific migrations (except those for the Geo
tracking database) and related files to CE, and also removes any traces
of the ee/db directory.
Some migrations had to be modified or removed, as they no longer work
with the schema being backported. These migrations were all quite old,
so we opted for removing them where modifying them would take too much
time and effort.
Some old migrations were modified in EE, while also existing in CE. In
these cases we took the EE code, and in one case removed them entirely.
It's not worth spending time trying to merge these changes somehow as we
plan to remove old migrations around the release of 12.0, see
https://gitlab.com/gitlab-org/gitlab-ce/issues/59177 for more details.
|
|
This is necessary for backporting the EE schema to ensure backported
foreign keys use the same key names.
|
|
|
|
|
|
Fix plan stage query and the way it is displayed
|
|
This brings the API permissions in line with the UI permissions
|
|
return boolean from Pipeline::Expression::Lexeme::Matches#evaluate
See merge request gitlab-org/gitlab-ce!29717
|
|
Fix inability to set visibility_level on project via API
Closes #63158
See merge request gitlab-org/gitlab-ce!29578
|
|
|
|
|
|
Expose comments on Noteables in GraphQL
Closes #62825
See merge request gitlab-org/gitlab-ce!29212
|
|
|
|
|
|
https://gitlab.com/gitlab-org/gitlab-ce into generate-spans-for-sections
|
|
|
|
Consider the scenario:
1. The default visibility level is set to internal
2. A user attempts to create a private project within a private group
Previously this would always fail because default_value_for would
overwrite the private visibility setting, no matter what
visibility_level were specified. This was happening because
default_value_for was confused by the default value of 0 specified by
the database schema.
default_value_for attempts to assign the default value in the block by
checking whether the attribute has changed. The problem is that since
the default value by the database was 0, and the user requested 0, this
appeared as though no changes were made. As a result, default_value_for
would always overwrite the user's preference.
To fix this, we remove the use of default_value_for and only set the
visibility level to the default application setting when no preference
has been given at creation time.
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/63158
|
|
This exposes `Note`s on Issues & MergeRequests using a
`Types::Notes::NoteableType` in GraphQL.
Exposing notes on a new type can be done by implementing the
`NoteableType` interface on the type. The presented object should
be a `Noteable`.
|
|
|
|
See http://asciidoctor.org/docs/user-manual/#include-directive
|
|
Don't import pull request comments from Gitea repos
Closes #63071
See merge request gitlab-org/gitlab-ce!29521
|
|
There seems to be several examples where service_account_token is blank
even in GitLab.com newly created kubernetes_namespaces . We have not
figured out why they are blank but this should hopefully fix some issues
similar to https://gitlab.com/gitlab-org/gitlab-ce/issues/55362
|
|
|
|
Opts to cache a full list of cached dashboards
to better manage removing items from the cache.
This also allows dashboards to be stored in the
cache that don't necessarily correspond to a
single dashboard yml.
|
