Age | Commit message (Collapse) | Author |
|
|
|
Remove spec/rails_helper.rb
Closes #66741
See merge request gitlab-org/gitlab-ce!32380
|
|
Fixes RelativeLinkFilter for users that don't have access
to the project's repository
|
|
All avatars now visible in commit trailers.
|
|
|
|
rails_helper.rb's only logic was to require
spec_helper.rb.
|
|
Use image proxy to mitigate stealing ip addresses
Closes #2812
See merge request gitlab/gitlabhq!2926
|
|
Limit the size of issuable description and comments
See merge request gitlab/gitlabhq!3267
|
|
Re-escape the whole HTML content when finding HTML references
See merge request gitlab/gitlabhq!3340
|
|
User images and videos will get proxied through
the Camo server in order to keep malicious
sites from collecting the IP address of users.
|
|
When we un-escape HTML text to find references in it, we should then
re-escape the whole text again, not only found matches.
Because we replace matches with milestone/label links (which contain
HTML tags we don't want to escape again), we re-escape HTML text
with placeholders instead of these links and then replace placeholders
in the escaped text.
|
|
Limiting the size of issuable description and comments to 1_000_000,
which is close to ~1MB of ASCII characters, which represents 99.9% of
all descriptions and comments we have in DB at the moment. This should
help prevent DoS attacks when comments contain refference strings.
Also this change updates regexp matching the namespaces paths by
limiting the namespaces paths to Namespace::NUMBER_OF_ANCESTORS_ALLOWED,
as we allow 20 levels deep groups.
see https://gitlab.com/gitlab-org/gitlab-ce/issues/61974#note_191274234
|
|
When post-processing relative links to absolute links
RelativeLinkFilter didn't take into consideration that
internal repository data could be exposed for users
that do not have repository access to the project.
This commit solves that by checking whether the user
can `download_code` at this repository, avoiding any
processing of this filter if the user can't.
Additionally, if we're processing for a group (
no project was given), we check if the user can
read it in order to expand the href as an extra.
That doesn't seem necessarily a breach now,
but an extra check doesn't hurt as after all
the user needs to be able to `read_group`.
|
|
https://gitlab.com/gitlab-org/gitlab-ce/issues/62971
Adds support for embedding specific charts from the
metrics dashboard. Expected parameters are dashboard,
title, group, and y_label.
|
|
Removes the feature flag that controls whether
metrics dashboard urls unfurl the metrics dashboard
charts.
|
|
Squash this commit and reword before merging..
|
|
|
|
This ensures this spec is the same in both CE and EE.
|
|
Add frozen_string_literal to spec/lib (part 1)
See merge request gitlab-org/gitlab-ce!31130
|
|
The SanitizationFilter was running before the WikiFilter. Since
WikiFilter can modify links, we could see links that _should_ be stopped
by SanatizationFilter being rendered on the page. I (kerrizor) had
previously addressed the bug in: https://gitlab.com/gitlab-org/gitlab-ee/commit/7bc971915bbeadb950bb0e1f13510bf3038229a4
However, an additional exploit was discovered after that was merged.
Working through the issue, we couldn't simply shuffle the order of
filters, due to some implicit assumptions about the order of filters, so
instead we've extracted the logic that sanitizes a Nokogiri-generated
Node object, and applied it to the WikiLinkFilter as well.
On moving filters around:
Once we start moving around filters, we get cascading failures; fix one,
another one crops up. Many of the existing filters in the WikiPipeline
chain seem to assume that other filters have already done their work,
and thus operate on a "transform anything that's left" basis;
WikiFilter, for instance, assumes any link it finds in the markdown
should be prepended with the wiki_base_path.. but if it does that, it
also turns `href="@user"` into `href="/path/to/wiki/@user"`, which the
UserReferenceFilter doesn't see as a user reference it needs to
transform into a user profile link. This is true for all the reference
filters in the WikiPipeline.
|
|
Note that Performance/UnfreezeString recommends unary plus over
"".dup, but unary plus has lower precedence so we have to use
parenthesis
|
|
Using the sed script from
https://gitlab.com/gitlab-org/gitlab-ce/issues/59758
|
|
These are not required because MySQL is not
supported anymore
|
|
|
|
Adds GFM Pipline filters to insert a placeholder in the generated
HTML from GFM based on the presence of a metrics dashboard link.
The front end should look for the class 'js-render-metrics' to
determine if it should replace the element with metrics charts.
The data element 'data-dashboard-url' should be the endpoint
the front end should hit in order to obtain a dashboard layout
in order to appropriately render the charts.
|
|
Fix DOS when rendering issue/MR comments
See merge request gitlab/gitlabhq!3152
|
|
|
|
|
|
Allow lowercase prefix for Youtrack issue ids
Closes #62661
See merge request gitlab-org/gitlab-ce!29057
|
|
Relates to #42595.
Fixes #62661.
|
|
First reported:
https://gitlab.com/gitlab-org/gitlab-ce/issues/60143
When the page slug is "javascript:" and we attempt to link to a relative
path (using `.` or `..`) the code will concatenate the slug and the uri.
This MR adds a guard to that concat step that will return `nil` if the
incoming slug matches against any of the "unsafe" slug regexes;
currently this is only for the slug "javascript:" but can be extended if
needed. Manually tested against a non-exhaustive list from OWASP of
common javascript XSS exploits that have to to with mangling the
"javascript:" method, and all are caught by this change or by existing
code that ingests the user-specified slug.
|
|
When a milestone name contained an HTML entity that would be escaped (&,
<, >), then it wasn't possible to refer to this milestone by name, or
use it in a quick action.
This already worked for labels, but not for milestones. We take care to
re-escape un-matched milestones, too.
|
|
|
|
No leading/trailing spaces when generating heading ids (Fixes #57528)
Closes #57528
See merge request gitlab-org/gitlab-ce!27025
|
|
Change based on comments in MR #27025
|
|
Update based on comments in MR #27025
|
|
That's a straightforward feature flag code removal for 11.10
|
|
into 'master'
Checkbox cannot be checked if preceded by a blockquote
Closes #58717
See merge request gitlab-org/gitlab-ce!26937
|
|
- rewords examples starting with 'should'
- rewords examples starting with 'it'
Note: I had to manually fixup "onlies" to "only"
|
|
Replaces blockquote fences with \n,
keeping the line numbering intact.
|
|
Resolve "Extended tooltip for merge request links"
Closes #54916
See merge request gitlab-org/gitlab-ce!25221
|
|
- Show pipeline status, title, MR Status and project path
- Popover attached to gitlab flavored markdown everywhere, including:
+ MR/Issue Title
+ MR/Issue description
+ MR/Issue comments
+ Rendered markdown files
|
|
Implements the filtering logic for
`suggestion:-x+y` syntax.
|
|
|
|
Fixes gitlab-org/gitlab-ce#42595
|
|
|
|
Remove Redcarpet markdown engine
Closes #51374
See merge request gitlab-org/gitlab-ce!24819
|
|
|
|
This engine was replaced with CommonMarker in 11.4, it was deprecated
since then.
|
|
Such as those with IDN homographs or embedded
right-to-left (RTLO) characters.
Autolinked hrefs should be escaped
|