From 325527e6ca7635aeeea8e0beb7523c3892e21bf6 Mon Sep 17 00:00:00 2001
From: Patrick Bajao
Date: Mon, 28 Jan 2019 14:16:58 +0800
Subject: Add changelog for security fix
---
changelogs/unreleased/security-commit-private-related-mr.yml | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 changelogs/unreleased/security-commit-private-related-mr.yml
(limited to 'changelogs')
diff --git a/changelogs/unreleased/security-commit-private-related-mr.yml b/changelogs/unreleased/security-commit-private-related-mr.yml
new file mode 100644
index 00000000000..c4de200b0d8
--- /dev/null
+++ b/changelogs/unreleased/security-commit-private-related-mr.yml
@@ -0,0 +1,5 @@
+---
+title: Don't allow non-members to see private related MRs.
+merge_request:
+author:
+type: security
-- cgit v1.2.3
From d5c858cd4032b3bf37c6fbe47340ccea825503bc Mon Sep 17 00:00:00 2001
From: Alessio Caiazza
Date: Fri, 8 Feb 2019 16:11:37 +0000
Subject: Prevent Releases links API to leak tag existance
---
changelogs/unreleased/security-tags-oracle.yml | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 changelogs/unreleased/security-tags-oracle.yml
(limited to 'changelogs')
diff --git a/changelogs/unreleased/security-tags-oracle.yml b/changelogs/unreleased/security-tags-oracle.yml
new file mode 100644
index 00000000000..eb8ad6f646c
--- /dev/null
+++ b/changelogs/unreleased/security-tags-oracle.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent releases links API to leak tag existance
+merge_request:
+author:
+type: security
-- cgit v1.2.3
From 5dc047dc72c08a64aaf4f4a0c9fe0fba2742b905 Mon Sep 17 00:00:00 2001
From: Heinrich Lee Yu
Date: Mon, 11 Feb 2019 18:51:53 +0800
Subject: Disable board policies when issues are disabled Board list policies are also included
---
changelogs/unreleased/security-2798-fix-boards-policy.yml | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 changelogs/unreleased/security-2798-fix-boards-policy.yml
(limited to 'changelogs')
diff --git a/changelogs/unreleased/security-2798-fix-boards-policy.yml b/changelogs/unreleased/security-2798-fix-boards-policy.yml
new file mode 100644
index 00000000000..10e8ac3a787
--- /dev/null
+++ b/changelogs/unreleased/security-2798-fix-boards-policy.yml
@@ -0,0 +1,5 @@
+---
+title: Disable issue boards API when issues are disabled
+merge_request:
+author:
+type: security
-- cgit v1.2.3
From 30ab6ee416783cd9481085f021603383eeb4f317 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jarka=20Ko=C5=A1anov=C3=A1?=
Date: Mon, 14 Jan 2019 11:46:39 +0100
Subject: Check issue milestone availability Add project when creating milestone in specs We validate milestone is from the same project/parent group as issuable -> we need to set project in specs correctly Improve methods names and specs organization
---
changelogs/unreleased/51971-milestones-visibility.yml | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 changelogs/unreleased/51971-milestones-visibility.yml
(limited to 'changelogs')
diff --git a/changelogs/unreleased/51971-milestones-visibility.yml b/changelogs/unreleased/51971-milestones-visibility.yml
new file mode 100644
index 00000000000..818f0071e6c
--- /dev/null
+++ b/changelogs/unreleased/51971-milestones-visibility.yml
@@ -0,0 +1,5 @@
+---
+title: Check if desired milestone for an issue is available
+merge_request:
+author:
+type: security
-- cgit v1.2.3
From 8ad127083ef28cfea389ec00a6f7ebf39e15c431 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jarka=20Ko=C5=A1anov=C3=A1?=
Date: Mon, 11 Feb 2019 11:31:30 +0100
Subject: Show only MRs visible to user on milestone detail
---
changelogs/unreleased/security-2797-milestone-mrs.yml | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 changelogs/unreleased/security-2797-milestone-mrs.yml
(limited to 'changelogs')
diff --git a/changelogs/unreleased/security-2797-milestone-mrs.yml b/changelogs/unreleased/security-2797-milestone-mrs.yml
new file mode 100644
index 00000000000..5bb104ec403
--- /dev/null
+++ b/changelogs/unreleased/security-2797-milestone-mrs.yml
@@ -0,0 +1,5 @@
+---
+title: Show only merge requests visible to user on milestone detail page
+merge_request:
+author:
+type: security
-- cgit v1.2.3
From 9d046c8704c0e7df18d2f9e380e987d22b9a0b2e Mon Sep 17 00:00:00 2001
From: Mark Chao
Date: Mon, 18 Feb 2019 11:51:56 +0800
Subject: Fix git clone revealing private repo's presence Ensure redirection to path with .git suffix regardless whether project exists or not.
---
changelogs/unreleased/security-50334.yml | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 changelogs/unreleased/security-50334.yml
(limited to 'changelogs')
diff --git a/changelogs/unreleased/security-50334.yml b/changelogs/unreleased/security-50334.yml
new file mode 100644
index 00000000000..828ef82b517
--- /dev/null
+++ b/changelogs/unreleased/security-50334.yml
@@ -0,0 +1,5 @@
+---
+title: Fix git clone revealing private repo's presence
+merge_request:
+author:
+type: security
-- cgit v1.2.3
From fc8c1a77d36003795586fe076243b6eb90db6f03 Mon Sep 17 00:00:00 2001
From: Tiger
Date: Wed, 13 Feb 2019 11:11:28 +1100
Subject: Validate session key when authorizing with GCP to create a cluster It was previously possible to link a GCP account to another user's GitLab account by having them visit the callback URL, as there was no check that they were the initiator of the request. We now reject the callback unless the state parameter matches the one added to the initiating user's session.
---
changelogs/unreleased/security-kubernetes-google-login-csrf.yml | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 changelogs/unreleased/security-kubernetes-google-login-csrf.yml
(limited to 'changelogs')
diff --git a/changelogs/unreleased/security-kubernetes-google-login-csrf.yml b/changelogs/unreleased/security-kubernetes-google-login-csrf.yml
new file mode 100644
index 00000000000..2f87100a8dd
--- /dev/null
+++ b/changelogs/unreleased/security-kubernetes-google-login-csrf.yml
@@ -0,0 +1,5 @@
+---
+title: Validate session key when authorizing with GCP to create a cluster
+merge_request:
+author:
+type: security
-- cgit v1.2.3
From 38f3c2e18684f94f75ab52e5039203e8321ed7d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jarka=20Ko=C5=A1anov=C3=A1?=
Date: Wed, 13 Feb 2019 11:50:24 +0100
Subject: Remove link after issue move when no permissions Don't show new issue link after move when a user does not have permissions to display the new issue
---
changelogs/unreleased/security-2799-emails.yml | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 changelogs/unreleased/security-2799-emails.yml
(limited to 'changelogs')
diff --git a/changelogs/unreleased/security-2799-emails.yml b/changelogs/unreleased/security-2799-emails.yml
new file mode 100644
index 00000000000..dbf1207810e
--- /dev/null
+++ b/changelogs/unreleased/security-2799-emails.yml
@@ -0,0 +1,5 @@
+---
+title: Don't show new issue link after move when a user does not have permissions
+merge_request:
+author:
+type: security
-- cgit v1.2.3
From 211c4e5985bf40afe7cf2391c76a6cfde153fb49 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ma=C5=82gorzata=20Ksionek?=
Date: Tue, 12 Feb 2019 13:29:47 +0100
Subject: Change policy regarding group visibility
---
...y-add-public-internal-groups-as-members-to-your-project-idor.yml | 6 ++++++
1 file changed, 6 insertions(+)
create mode 100644 changelogs/unreleased/2802-security-add-public-internal-groups-as-members-to-your-project-idor.yml
(limited to 'changelogs')
diff --git a/changelogs/unreleased/2802-security-add-public-internal-groups-as-members-to-your-project-idor.yml b/changelogs/unreleased/2802-security-add-public-internal-groups-as-members-to-your-project-idor.yml
new file mode 100644
index 00000000000..27ad151cd06
--- /dev/null
+++ b/changelogs/unreleased/2802-security-add-public-internal-groups-as-members-to-your-project-idor.yml
@@ -0,0 +1,6 @@
+---
+title: Remove the possibility to share a project with a group that a user is not a member
+ of
+merge_request:
+author:
+type: security
-- cgit v1.2.3
From b11d018bd59a3c94086dbeb11f38db81e441a1e2 Mon Sep 17 00:00:00 2001
From: Luke Duncalfe
Date: Thu, 7 Feb 2019 12:46:41 +1300
Subject: Add changelog entry
---
changelogs/unreleased/security-protect-private-repo-information.yml | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 changelogs/unreleased/security-protect-private-repo-information.yml
(limited to 'changelogs')
diff --git a/changelogs/unreleased/security-protect-private-repo-information.yml b/changelogs/unreleased/security-protect-private-repo-information.yml
new file mode 100644
index 00000000000..8b1a528206d
--- /dev/null
+++ b/changelogs/unreleased/security-protect-private-repo-information.yml
@@ -0,0 +1,5 @@
+---
+title: Fix leaking private repository information in API
+merge_request:
+author:
+type: security
-- cgit v1.2.3
From d72b1cd0b5b01d6fec6b93d9dfe84f8302083072 Mon Sep 17 00:00:00 2001
From: Mark Chao
Date: Wed, 13 Feb 2019 16:24:26 +0800
Subject: Check snippet attached file to be moved is within designated directory Previously one could move any temp/ sub folder around.
---
changelogs/unreleased/security-56348.yml | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 changelogs/unreleased/security-56348.yml
(limited to 'changelogs')
diff --git a/changelogs/unreleased/security-56348.yml b/changelogs/unreleased/security-56348.yml
new file mode 100644
index 00000000000..a289e4e9077
--- /dev/null
+++ b/changelogs/unreleased/security-56348.yml
@@ -0,0 +1,5 @@
+---
+title: Check snippet attached file to be moved is within designated directory
+merge_request:
+author:
+type: security
-- cgit v1.2.3
From af16fd687e2e5b15a63e6e51d76847512ae8ee72 Mon Sep 17 00:00:00 2001
From: Thong Kuah
Date: Wed, 13 Feb 2019 09:46:59 +1300
Subject: Do not allow local urls in Kubernetes form Use existing `public_url` validation to block various local urls. Note that this validation will allow local urls if the "Allow requests to the local network from hooks and services" admin setting is enabled. Block KubeClient from using local addresses It will also respect `allow_local_requests_from_hooks_and_services` so if that is enabled KubeClinet will allow local addresses
---
changelogs/unreleased/security-kubernetes-local-ssrf.yml | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 changelogs/unreleased/security-kubernetes-local-ssrf.yml
(limited to 'changelogs')
diff --git a/changelogs/unreleased/security-kubernetes-local-ssrf.yml b/changelogs/unreleased/security-kubernetes-local-ssrf.yml
new file mode 100644
index 00000000000..7a2ad092339
--- /dev/null
+++ b/changelogs/unreleased/security-kubernetes-local-ssrf.yml
@@ -0,0 +1,5 @@
+---
+title: Block local URLs for Kubernetes integration
+merge_request:
+author:
+type: security
-- cgit v1.2.3
From 7e83acb8a2f7fe4a0c0acd6769114e0593c677bb Mon Sep 17 00:00:00 2001
From: Felipe Artur
Date: Fri, 22 Feb 2019 11:31:02 -0300
Subject: Prevent disclosing project milestone titles Prevent unauthorized users having access to milestone titles through autocomplete endpoint.
---
changelogs/unreleased/security-issue_54789_2.yml | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 changelogs/unreleased/security-issue_54789_2.yml
(limited to 'changelogs')
diff --git a/changelogs/unreleased/security-issue_54789_2.yml b/changelogs/unreleased/security-issue_54789_2.yml
new file mode 100644
index 00000000000..8ecb72a2ae3
--- /dev/null
+++ b/changelogs/unreleased/security-issue_54789_2.yml
@@ -0,0 +1,5 @@
+---
+title: Do not disclose milestone titles for unauthorized users
+merge_request:
+author:
+type: security
-- cgit v1.2.3
From 4537fbb87e9bc1edd0eaaf34d5b361009c056a7a Mon Sep 17 00:00:00 2001
From: Oswaldo Ferreira
Date: Tue, 26 Feb 2019 01:09:01 -0300
Subject: Add changelog
---
changelogs/unreleased/security-osw-stop-linking-to-packages.yml | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 changelogs/unreleased/security-osw-stop-linking-to-packages.yml
(limited to 'changelogs')
diff --git a/changelogs/unreleased/security-osw-stop-linking-to-packages.yml b/changelogs/unreleased/security-osw-stop-linking-to-packages.yml
new file mode 100644
index 00000000000..078f06140fe
--- /dev/null
+++ b/changelogs/unreleased/security-osw-stop-linking-to-packages.yml
@@ -0,0 +1,5 @@
+---
+title: Stop linking to unrecognized package sources
+merge_request: 55518
+author:
+type: security
-- cgit v1.2.3
From 0ea350965d2a0fea0dbc1cfa433729dc865acfc6 Mon Sep 17 00:00:00 2001
From: Rajat Jain
Date: Fri, 22 Feb 2019 13:42:25 +0530
Subject: Limit number of characters allowed in mermaidjs
---
changelogs/unreleased/security-mermaid.yml | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 changelogs/unreleased/security-mermaid.yml
(limited to 'changelogs')
diff --git a/changelogs/unreleased/security-mermaid.yml b/changelogs/unreleased/security-mermaid.yml
new file mode 100644
index 00000000000..ec42b5a1615
--- /dev/null
+++ b/changelogs/unreleased/security-mermaid.yml
@@ -0,0 +1,5 @@
+---
+title: Limit mermaid rendering to 5K characters
+merge_request:
+author:
+type: security
-- cgit v1.2.3
From 038d530565bc64729706bbd9afad275699be459d Mon Sep 17 00:00:00 2001
From: Imre Farkas
Date: Mon, 25 Feb 2019 14:52:40 +0100
Subject: Remove ability to revoke active session Session ID is used as a parameter for the revoke session endpoint but it should never be included in the HTML as an attacker could obtain it via XSS.
---
changelogs/unreleased/57534_filter_impersonated_sessions.yml | 6 ++++++
1 file changed, 6 insertions(+)
create mode 100644 changelogs/unreleased/57534_filter_impersonated_sessions.yml
(limited to 'changelogs')
diff --git a/changelogs/unreleased/57534_filter_impersonated_sessions.yml b/changelogs/unreleased/57534_filter_impersonated_sessions.yml
new file mode 100644
index 00000000000..80aea0ab1bc
--- /dev/null
+++ b/changelogs/unreleased/57534_filter_impersonated_sessions.yml
@@ -0,0 +1,6 @@
+---
+title: Do not display impersonated sessions under active sessions and remove ability
+ to revoke session
+merge_request:
+author:
+type: security
-- cgit v1.2.3
From 3a321c80031630c3687cfdc08699bb0824a3dbfa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ma=C5=82gorzata=20Ksionek?=
Date: Mon, 11 Feb 2019 12:53:58 +0100
Subject: Secure vulerability and add specs
---
changelogs/unreleased/security-shared-project-private-group.yml | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 changelogs/unreleased/security-shared-project-private-group.yml
(limited to 'changelogs')
diff --git a/changelogs/unreleased/security-shared-project-private-group.yml b/changelogs/unreleased/security-shared-project-private-group.yml
new file mode 100644
index 00000000000..3b21daa5491
--- /dev/null
+++ b/changelogs/unreleased/security-shared-project-private-group.yml
@@ -0,0 +1,5 @@
+---
+title: Fixed ability to see private groups by users not belonging to given group
+merge_request:
+author:
+type: security
-- cgit v1.2.3
From ebf16ada856efb85424a98848c141f21e609886a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Francisco=20Javier=20L=C3=B3pez?=
Date: Mon, 4 Mar 2019 18:36:34 +0000
Subject: Arbitrary file read via MergeRequestDiff
---
changelogs/unreleased/security-fj-diff-import-file-read-fix.yml | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 changelogs/unreleased/security-fj-diff-import-file-read-fix.yml
(limited to 'changelogs')
diff --git a/changelogs/unreleased/security-fj-diff-import-file-read-fix.yml b/changelogs/unreleased/security-fj-diff-import-file-read-fix.yml
new file mode 100644
index 00000000000..e98d4e89712
--- /dev/null
+++ b/changelogs/unreleased/security-fj-diff-import-file-read-fix.yml
@@ -0,0 +1,5 @@
+---
+title: Fix arbitrary file read via diffs during import
+merge_request:
+author:
+type: security
-- cgit v1.2.3
From 50591efc75e465c1b626c1bb2d4d65447ee9a726 Mon Sep 17 00:00:00 2001
From: Reuben Pereira
Date: Mon, 4 Mar 2019 18:36:43 +0000
Subject: Check validity of prometheus_service before query Check validity before querying so that if the dns entry for the api_url has been changed to something invalid after the model was saved and checked for validity, it will not query. This is to solve a toctou (time of check to time of use) issue.
---
.../unreleased/security-55468-check-validity-before-querying.yml | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 changelogs/unreleased/security-55468-check-validity-before-querying.yml
(limited to 'changelogs')
diff --git a/changelogs/unreleased/security-55468-check-validity-before-querying.yml b/changelogs/unreleased/security-55468-check-validity-before-querying.yml
new file mode 100644
index 00000000000..8bb11a97f52
--- /dev/null
+++ b/changelogs/unreleased/security-55468-check-validity-before-querying.yml
@@ -0,0 +1,5 @@
+---
+title: Fix blind SSRF in Prometheus integration by checking URL before querying
+merge_request:
+author:
+type: security
-- cgit v1.2.3
From 5169dafccf70bf50d780bfdbeea0802f094520cc Mon Sep 17 00:00:00 2001
From: Igor Drozdov
Date: Mon, 4 Mar 2019 18:37:08 +0000
Subject: Forbid creating discussions for users with restricted access
---
.../unreleased/security-id-restricted-access-to-private-repo.yml | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 changelogs/unreleased/security-id-restricted-access-to-private-repo.yml
(limited to 'changelogs')
diff --git a/changelogs/unreleased/security-id-restricted-access-to-private-repo.yml b/changelogs/unreleased/security-id-restricted-access-to-private-repo.yml
new file mode 100644
index 00000000000..7d7478d297b
--- /dev/null
+++ b/changelogs/unreleased/security-id-restricted-access-to-private-repo.yml
@@ -0,0 +1,5 @@
+---
+title: Forbid creating discussions for users with restricted access
+merge_request:
+author:
+type: security
-- cgit v1.2.3