| Age | Commit message (Collapse) | Author |
|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Private/internal repository enumeration via bruteforce on a vulnerable URL
See merge request gitlab/gitlabhq!3454
|
|
|
|
This method, #route_not_found, is executed as the final fallback for
unrecognized routes (as the name might imply.) We want to avoid
`#authenticate_user!` when calling `#route_not_found`;
`#authenticate_user!` can, depending on the request format, return a 401
instead of redirecting to a login page. This opens a subtle security
exploit where anonymous users will receive a 401 response when
attempting to access a private repo, while a recognized user will
receive a 404, exposing the existence of the private, hidden repo.
|
|
|
|
Remove code related to object hierarchy and MySQL
Closes #65056 and #65055
See merge request gitlab-org/gitlab-ce!31095
|
|
These are not required because MySQL is not
supported anymore
|
|
Using the sed script from
https://gitlab.com/gitlab-org/gitlab-ce/issues/59758
|
|
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
These are backend changes.
Use Vue for the import feature UI for "githubish"
providers (GitHub and Gitea).
Add "Go to project" button after a successful import.
Use CI-style status icons and improve spacing of the
table and its component.
Adds ETag polling to the github and gitea import
jobs endpoint.
|
|
|
|
Updates specs to use new rails5 format.
The old format:
`get :show, { some: params }, { some: headers }`
The new format:
`get :show, params: { some: params }, headers: { some: headers }`
|
|
[master] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request"
See merge request gitlab/gitlabhq!2583
|
|
Some browsers insert a trailing whitespace after pasting the
token into the field. This should help reduce confusion.
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/46588
|
|
There's no need to add a redundant message to the errors if the
model is invalid. This cleans up the message as well for the importer.
|
|
Importing a project from GitHub for a project namespace that already exists
would show an unhelpful error, "An error occurred while importing project."
We now add the base message from Projects::CreateService when this fails.
Closes #47365
|
|
Refactor OmniauthCallbacksController to remove duplication
Closes #26559
See merge request gitlab-org/gitlab-ce!16694
|
|
|
|
Moves LDAP to its own controller with tests
Provides path forward for implementing GroupSaml
|
|
|
|
[10.4] Fix GH namespace security issue
|
|
|
|
Prior to this MR there were two GitHub related importers:
* Github::Import: the main importer used for GitHub projects
* Gitlab::GithubImport: importer that's somewhat confusingly used for
importing Gitea projects (apparently they have a compatible API)
This MR renames the Gitea importer to Gitlab::LegacyGithubImport and
introduces a new GitHub importer in the Gitlab::GithubImport namespace.
This new GitHub importer uses Sidekiq for importing multiple resources
in parallel, though it also has the ability to import data sequentially
should this be necessary.
The new code is spread across the following directories:
* lib/gitlab/github_import: this directory contains most of the importer
code such as the classes used for importing resources.
* app/workers/gitlab/github_import: this directory contains the Sidekiq
workers, most of which simply use the code from the directory above.
* app/workers/concerns/gitlab/github_import: this directory provides a
few modules that are included in every GitHub importer worker.
== Stages
The import work is divided into separate stages, with each stage
importing a specific set of data. Stages will schedule the work that
needs to be performed, followed by scheduling a job for the
"AdvanceStageWorker" worker. This worker will periodically check if all
work is completed and schedule the next stage if this is the case. If
work is not yet completed this worker will reschedule itself.
Using this approach we don't have to block threads by calling `sleep()`,
as doing so for large projects could block the thread from doing any
work for many hours.
== Retrying Work
Workers will reschedule themselves whenever necessary. For example,
hitting the GitHub API's rate limit will result in jobs rescheduling
themselves. These jobs are not processed until the rate limit has been
reset.
== User Lookups
Part of the importing process involves looking up user details in the
GitHub API so we can map them to GitLab users. The old importer used
an in-memory cache, but this obviously doesn't work when the work is
spread across different threads.
The new importer uses a Redis cache and makes sure we only perform
API/database calls if absolutely necessary. Frequently used keys are
refreshed, and lookup misses are also cached; removing the need for
performing API/database calls if we know we don't have the data we're
looking for.
== Performance & Models
The new importer in various places uses raw INSERT statements (as
generated by `Gitlab::Database.bulk_insert`) instead of using Rails
models. This allows us to bypass any validations and callbacks,
drastically reducing the number of SQL queries and Gitaly RPC calls
necessary to import projects.
To ensure the code produces valid data the corresponding tests check if
the produced rows are valid according to the model validation rules.
|
|
|
|
|
|
|
|
This reverts commit b0498c176fa134761d899c9b369be12f1ca789c5
|
|
|
|
|
|
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
The reason is that Gitea plan to be GitHub-compatible so it makes sense
to just modify GitHubImport a bit for now, and hopefully we can change
it to GitHubishImport once Gitea is 100%-compatible.
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
