gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
Age | Commit message | Author
2016-11-09 | Merge branch 'markdown-xss-fix-option-2.1' into 'security' | Douwe Maan
Fix for HackerOne XSS vulnerability in markdown
This is an updated blacklist patch to fix https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2007. No text is removed. Dangerous schemes/protocols and invalid URIs are left intact but not linked.
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23153
See merge request !2015
Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-11-09 | Merge branch 'issue_23548_dev' into 'master' | Douwe Maan
disable markdown in comments when referencing disabled features
fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23548
This MR prevents the following references when tool is disabled:
- issues
- snippets
- commits - when repo is disabled
- commit range - when repo is disabled
- milestones
This MR does not prevent references to repository files, since they are just markdown links and don't leak information.
See merge request !2011
Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-11-01 | Fix Markdown styling inside reference links | panjan
Fixes: https://gitlab.com/gitlab-org/gitlab-ce/issues/18096
2016-10-24 | Add failing test for #21420 | winniehell
2016-10-19 | Merge branch 'feature/group-level-labels' into 'master' | Douwe Maan
Add group level labels
## What does this MR do?
Add group level labels.
## Are there points in the code the reviewer needs to double check?
* `LabelsFinder`
* `Gitlab::Gfm::ReferenceRewriter`
* `Banzai::Filter::LabelReferenceFilter`
## Why was this MR needed?
We'll be adding more features that allow you to do cross-project management of issues.
## Screenshots (if relevant)
* Group Labels ![Group Labels](/uploads/2244c06ad68eae4fb246fb4c81bf8060/2.png)
* Project Labels ![Project Labels](/uploads/c5839516d2282b51f7418d9dadbeceb4/1.png)
* Expanded references for group labels when moving issue to another project ![Expanded references for group labels when moving issue to another project](/uploads/0c9ab248a8420d4978d59349ae3d42e5/3.png)
## Does this MR meet the acceptance criteria?
- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [ ] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [x] API support added
- Tests
  - [x] Added for this feature/bug
  - [ ] All builds are passing
- [ ] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html)
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [ ] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
## What are the relevant issue numbers?
#19997
See merge request !6425
2016-10-19 | Merge branch 'issue_828' into 'master' | Douwe Maan
Prevent wrong markdown on issue ids when project has Jira service activated
fixes gitlab-org/gitlab-ee#828
See merge request !6728
2016-10-19 | Unfold references for group labels when moving issue to another project | Douglas Barbosa Alexandre
2016-10-19 | Prevent wrong markdown on issue ids when project has Jira service activated | Felipe Artur
2016-10-19 | Merge branch 'fix-escaping' into 'master' | Sean McGivern
fix: commit messages being double-escaped in activities tab
See merge request !6937
2016-10-18 | Add Nofollow for uppercased scheme in external url | the-undefined
Ensure that external URLs with non-lowercase protocols will be attributed with 'nofollow noreferrer' and open up in a new window.
Covers the edge cases to skip:
- HTTPS schemes
- relative links
Closes #22782
2016-10-18 | fix: commit messages being double-escaped in activities tab | amaia
2016-10-13 | Convert UTF-8 Emoji to Gitlab emoji | Johan H
2016-10-11 | Convert unicode emojis to images. | henrik
2016-10-10 | HTMLEntityFilter -> HtmlEntityFilter | Nick Thomas
2016-10-07 | Enable CacheMarkdownField for the remaining models | Nick Thomas
This commit alters views for the following models to use the markdown cache if present:
* AbuseReport
* Appearance
* ApplicationSetting
* BroadcastMessage
* Group
* Issue
* Label
* MergeRequest
* Milestone
* Project
At the same time, calls to `escape_once` have been moved into the `single_line` Banzai pipeline, so they can't be missed out by accident and the work is done at save, rather than render, time.
2016-10-05 | Merge branch 'kradydal/gitlab-ce-20989-disable-all-for-non-project-members' | Rémy Coutable
See !6474.
2016-10-04 | Fixed banzai test failures | Phil Hughes
2016-10-03 | Improve grammar | Katarzyna Kobierska
2016-10-03 | Fix test, add author attribute to all tests | Katarzyna Kobierska
2016-10-01 | Remove the task_list test since it is patched upstream | Jared Deckard
2016-09-01 | Use JavaScript tooltips for mentions (!5301) | winniehell
2016-08-10 | Merge branch 'relative-link-filter-ref' into 'master' | Robert Speicher
Do not look up commit again when it is passed to RelativeLinkFilter
## What does this MR do?
Use `context[:commit]` in RelativeLinkFilter instead of looking up commit using `context[:ref]`.
## Why was this MR needed?
Even though the commit object was already passed, unnecessary I/O is done to retrieve the commit object.
## What are the relevant issue numbers?
Fixes #20026
See merge request !5455
2016-08-09 | Merge branch 'rubocop/enable-more-cops-for-empty-lines' into 'master' | Robert Speicher
Enable some Rubocop cops related to new lines
## What does this MR do?
This MR enabled two additional Rubocop cops:
Keeps track of empty lines around block bodies. `Style/EmptyLinesAroundBlockBody`
Keeps track of empty lines around method bodies. `Style/EmptyLinesAroundMethodBody`
See merge request !5637
2016-08-05 | Add failing test for #7032 | winniehell
2016-08-03 | Enable some Rubocop cops related to new lines | Grzegorz Bizon
2016-08-02 | Add failing test for #20026 | winniehell
2016-08-02 | Add failing tests for #19028 | winniehell
2016-07-26 | Ensure relative paths for video are rewritten as we do for images | Rémy Coutable
Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-07-24 | Remove magic comments from Ruby files (!5456) | winniehell
2016-07-20 | Remove VideoJS and clean the integration | Rémy Coutable
Handle videos in:
- MD preview in notes: commit, issue/MR, MR diff
- New notes in: commit, issue/MR, MR diff
- Persisted notes in: commit, issue/MR, MR diff
Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-07-19 | Use a more powerful query to match videos in img tags | Rémy Coutable
Also, always add a link to download videos since video playback is tricky. Also, it solves the issue with email client not supporting videos.
Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-07-19 | First support of videos in issues, MRs and notes | Eric Hayes
* Registered video MIME types
* Currently supporting browser-supported formats with extensions that match the mime type
2016-07-18 | Don't parse Rinku returned value to DocFragment when it didn't change the original html string. | Paco Guzman
2016-07-16 | Don't fail to highlight when Rouge doesn't have a lexer | Douwe Maan
2016-07-14 | stub out errors from the formatter | http://jneen.net/
since we've eliminated #block_code
2016-07-14 | don't expect a random newline at the end of the thing? | http://jneen.net/
2016-07-13 | Fix markdown rendering for label references that contains `.` | Douglas Barbosa Alexandre
2016-07-13 | Fix markdown rendering for label references that begin with a digit | Douglas Barbosa Alexandre
2016-07-13 | Fix markdown rendering for consecutive label references | Douglas Barbosa Alexandre
2016-07-10 | Fix typo in spec | Douwe Maan
2016-07-10 | Add blockquote fence syntax to Markdown | Douwe Maan
2016-07-06 | Render references for labels that name contains ?, or & | Douglas Barbosa Alexandre
2016-06-30 | Handle external issues in IssueReferenceFilter | Yorick Peterse
IssueReferenceFilter will end up processing internal issue references when a project uses an external issues tracker while still using internal issue references (in the form of `#\d+`). This commit ensures that these links are rendered as external issue links, regardless of whether the project one currently views uses an internal or external issues tracker. Fixes gitlab-org/gitlab-ce#19036, gitlab-com/performance#16
2016-06-27 | Wrap images in divs with Banzai and limit max-height. | Connor Shea
Add max-height to prevent images from displaying larger than the provided screen size. Also fix a failing test and add a new one.
2016-06-23 | Merge branch 'fix-external-issue-links' into 'master' | Robert Speicher
Handle external issues in IssueReferenceFilter
Handling of external issues was broken when I refactored `IssueReferenceFilter` to use fewer SQL queries.
Fixes #18827
See merge request !4789
2016-06-21 | Handle external issues in IssueReferenceFilter | Yorick Peterse
In the past this class would use Project#get_issue to retrieve an issue by its ID. This method would automatically determine whether to return an Issue or ExternalIssue. This commit changes IssueReferenceFilter to handle external issues again and in a somewhat more explicit manner than before. Fixes gitlab-org/gitlab-ce#18827
2016-06-21 | Optimize Banzai::Filter::RelativeLinkFilter | Alejandro Rodríguez
A lot of git operations were being repeated, for example, to build a url you would ask if the path was a Tree, which would call a recursive routine in Gitlab::Git::Tree#where, then ask if the path was a Blob, which would call a recursive routine at Gitlab::Git::Blob#find, making reference to the same git objects several times. Now we call Rugged::Tree#path, which allows us to determine the type of the path in one pass. Some other minor improvement added, like saving commonly used references instead of calculating them each time.
2016-06-18 | Merge branch 'fix-out-of-bounds-markdown-refs' into 'master' | Robert Speicher
Fix RangeError exceptions when referring to issues or merge requests outside of max database values
When using #XYZ in Markdown text, if XYZ exceeds the maximum value of a signed 32-bit integer, we get an exception when the Markdown render attempts to run `where(iids: XYZ)`. Introduce a method that will throw out out-of-bounds values.
Closes #18777
See merge request !4777
2016-06-18 | Fix RangeError exceptions when referring to issues or merge requests outside of max database values | Stan Hu
When using #XYZ in Markdown text, if XYZ exceeds the maximum value of a signed 32-bit integer, we get an exception when the Markdown render attempts to run `where(iids: XYZ)`. Introduce a method that will throw out out-of-bounds values.
Closes #18777
2016-06-18 | Fix bug in `WikiLinkFilter`. | Timothy Andrew
1. An exception would be raised if the filter was called with an invalid URI. Mainly because we weren't catching the `Addressable` exception.
2. This commit fixes it and adds a spec for the filter.