Age | Commit message | Author
fix/project-import_url
* 'master' of dev.gitlab.org:gitlab/gitlabhq:
Make sessions controller specs more explicit
Fix 2FA authentication spoofing vulnerability
Add specs for sessions controller including 2FA
Fix 2FA authentication spoofing
## Summary
This is a security fix for the vulnerability described at
https://gitlab.com/gitlab-org/gitlab-ce/issues/14900.
An attacker was able to bypass password authentication of users that have 2FA enabled, and consequently sign in as a different user, without knowing his password, if he managed to guess the 2FA One Time Password for that user.
It was also possible to enumerate users and check if they have 2FA enabled, because GitLab responded with a different error for each case.
## Fix
This MR attempts to change the default user search scope if the `otp_user_id` session variable has been set. If it is present, it means that the user has 2FA enabled and has already been verified with login and password. In this case we should look for the user with `otp_user_id` first, before picking it up by `login`.
Both 2FA authentication spoofing and 2FA discovery have been covered by specs.
## Further work
Current 2FA code is a bit tricky, so it probably needs some refactoring.
See merge request !1947
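The lookup change the fix describes, as an added illustration that is not GitLab's code: a constructed in-memory user store and a toy OTP check (both assumptions) drive a two-step sign-in that resolves the user by the submitted login (the vulnerable shape) or by the session's `otp_user_id` once it is set (the fixed shape). Every failure path returns the same result, which also covers the enumeration point.

```ruby
# Constructed stand-in for the User model and a toy OTP check; both are
# assumptions for this example, not GitLab's real code.
User = Struct.new(:id, :login, :password, :otp_required)

USERS = [
  User.new(1, "alice",   "alice-pw",   true),
  User.new(2, "bob",     "bob-pw",     false),
  User.new(3, "mallory", "mallory-pw", true),
]

# Toy one-time-password check (assumption): the valid code is "<id>-ok".
def valid_otp?(user, code)
  user.otp_required && code == "#{user.id}-ok"
end

# Before the fix: the user is always resolved from the submitted login,
# even in the OTP step, so the login can be swapped after the password check.
def find_user_vulnerable(_session, params)
  USERS.find { |u| u.login == params[:login] }
end

# After the fix: once otp_user_id is in the session, that id wins and the
# login parameter is ignored, so the OTP is checked for the user whose
# password was actually verified.
def find_user_fixed(session, params)
  if session[:otp_user_id]
    USERS.find { |u| u.id == session[:otp_user_id] }
  else
    USERS.find { |u| u.login == params[:login] }
  end
end

# Two-step sign-in flow. Every failure returns the same [:failure, nil], so
# unknown logins, wrong passwords and wrong OTPs are not distinguishable.
def sign_in(session, params, finder)
  user = finder.call(session, params)
  return [:failure, nil] unless user
  if session[:otp_user_id]
    return [:failure, nil] unless valid_otp?(user, params[:otp])
    session.delete(:otp_user_id)
    return [:success, user.login]
  end
  return [:failure, nil] unless user.password == params[:password]
  if user.otp_required
    session[:otp_user_id] = user.id
    return [:otp_required, nil]
  end
  [:success, user.login]
end
```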
Expire caches after project creation to ensure a consistent state
See merge request !3586
Only update main language if it is not already set
Related to gitlab-org/gitlab-ce#14937 (but does not fully fix). This is a temporary fix so performance isn't affected so much.
cc @yorickpeterse @ayufan how does this look?
See merge request !3556
This commit attempts to change the default user search scope if the otp_user_id
session variable has been set. If it is present, it means that the user has
2FA enabled and has already been verified with login and password. In
this case we should look for the user with otp_user_id first, before picking
it up by login.
API: Ability to filter milestones by state
Ability to filter milestones by `active` and `closed` state.
* Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/14931
See merge request !3566
Expose badges
This MR exposes badges somewhere in a visible place.
![expose_badges](/uploads/d2e290d3013d1ef2b1bdeebbbe2c5d8b/expose_badges.png)
Closes #13801
See merge request !3326
Fixes #14638.
The SQL query was ambiguous and in this case we want to filter projects.
See merge request !3462
Closes #14961
Closes #14994
Allow SAML to identify external users and set them as such
Related to #4009
Fixes #14577
This allows SAML to retrieve group information from the `SAML Response`
and match that to a setting that will flag all matching users as external.
See merge request !3530
Wiki preview URL converting problem [via Markdown]
The current implementation, when rendering the preview, thinks relative links are for project repository files.
We are creating a new preview route that will define correct context data to render for wikis instead.
Fixes #2380, #1184
See merge request !3461
Unblocks a user when active_directory is disabled and the user can be found
We implemented a specific block state to handle user blocking that originates from LDAP filtering rules / directory state in !2242.
That introduced a regression in LDAP authentication when Active Directory support was disabled. You could have a scenario where the user would temporarily not be found (like a filtering rule), which would mark the user as `ldap_blocked`, but would never unblock the user automatically when that state changed.
Fixes #14253, #13179, #13259, #13959
See merge request !3550
Fix header link rendering when containing numbers
This fixes the problem where Markdown such as:
### 31st
Would get rendered as a link tag pointing to issue number 31 inside a
header tag.
See gitlab-org/gitlab-ce#14936 for more information.
cc @rspeicher
See merge request !3568
to use the proper attribute type
This reverts commit 7f287c9136d5d1cdda8df170c6e772ca82aad1e9.
Fix missing filters on status tab when user switches to another state
closes #14769
![fixi](/uploads/7733ec714b70b2157104af4b039953c3/fixi.gif)
See merge request !3482
Support for measuring Ruby blocks using GitLab performance monitoring
This adds support for measuring timings of arbitrary Ruby blocks.
Fixes #14710
See merge request !3515
The SQL query was ambiguous and in this case we want to filter projects.
Signed-off-by: Rémy Coutable <remy@rymai.me>
This allows measuring the timings of arbitrary Ruby blocks, which allows
for more fine-grained performance monitoring. Custom values and tags can
also be attached to a block.
This fixes the problem where Markdown such as:
### 31st
Would get rendered as a link tag pointing to issue number 31 inside a
header tag.
See gitlab-org/gitlab-ce#14936 for more information.
This also contains specs for a bug described in #14900
Fix Error 500 after renaming a project path
Renaming the path of a project would result in an Error 500 due to `@repository` being memoized with the old path. An Error 500 would result:
```
Started GET "/testing2/test1" for 127.0.0.1 at 2016-04-04 12:42:30 +0000
Processing by ProjectsController#show as HTML
Parameters: {"namespace_id"=>"testing2", "id"=>"test1"}
Completed 200 OK in 637ms (Views: 194.2ms | ActiveRecord: 111.8ms)
Started GET "/testing2/test1/edit" for 127.0.0.1 at 2016-04-04 12:42:33 +0000
Processing by ProjectsController#edit as HTML
Parameters: {"namespace_id"=>"testing2", "id"=>"test1"}
Completed 200 OK in 594ms (Views: 183.8ms | ActiveRecord: 87.4ms)
Started PATCH "/testing2/test1" for 127.0.0.1 at 2016-04-04 12:42:41 +0000
Processing by ProjectsController#update as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"[FILTERED]", "project"=>{"name"=>"test123", "path"=>"test123"}, "namespace_id"=>"testing2", "id"=>"test1"}
Completed 500 Internal Server Error in 1852ms (ActiveRecord: 124.0ms)
ActionView::Template::Error (no repository for such path):
2: %legend
3: Builds:
4:
5: - unless @repository.gitlab_ci_yml
6: .form-group
7: .col-sm-offset-2.col-sm-10
8: %p Builds need to be configured before you can begin using Continuous Integration.
app/models/repository.rb:59:in `block in empty?'
lib/repository_cache.rb:19:in `fetch'
app/models/repository.rb:59:in `empty?'
app/models/repository.rb:471:in `gitlab_ci_yml'
app/views/projects/_builds_settings.html.haml:5:in `_app_views_projects__builds_settings_html_haml__782034335636359229_73397600'
app/views/projects/edit.html.haml:87:in `block in _app_views_projects_edit_html_haml___2388082585934859365_47390860'
app/views/projects/edit.html.haml:8:in `_app_views_projects_edit_html_haml___2388082585934859365_47390860'
app/controllers/projects_controller.rb:54:in `block (2 levels) in update'
app/controllers/projects_controller.rb:43:in `update'
lib/gitlab/middleware/go.rb:16:in `call'
```
Closes #14885
See merge request !3528
Premailer shouldn't remove script tags from our emails
Closes #14943.
See merge request !3552
Closes #14943.
Fix data check in update issue response
See merge request !3548
Notes form design update
Part of #3401
See merge request !3442
Closes #14885
Check permissions when importing project members
Closes #14899
See merge request !3535
Update language after doing all other operations
See merge request !3533