From 0c872e02b2c822e3397515ec324051ff540f0cd5 Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Tue, 20 Dec 2022 14:22:11 +0000 Subject: Add latest changes from gitlab-org/gitlab@15-7-stable-ee --- doc/security/crime_vulnerability.md | 2 +- doc/security/password_storage.md | 4 ++-- doc/security/rate_limits.md | 13 +++++++++++++ doc/security/reset_user_password.md | 14 +++++++++++++- doc/security/user_email_confirmation.md | 2 +- 5 files changed, 30 insertions(+), 5 deletions(-) (limited to 'doc/security') diff --git a/doc/security/crime_vulnerability.md b/doc/security/crime_vulnerability.md index 463ccb7b629..e5d8d858df2 100644 --- a/doc/security/crime_vulnerability.md +++ b/doc/security/crime_vulnerability.md @@ -53,7 +53,7 @@ SPDY support earlier than version 4 is advertised. From the report above it is important to note that Nessus is only checking if TLS advertises the SPDY protocol earlier than version 4. It does not perform an attack nor does it check if compression is enabled. The Nessus scanner alone -cannot tell that SPDY's compression is disabled and not subject to the CRIME +cannot tell that SPDY compression is disabled and not subject to the CRIME vulnerability. ## References diff --git a/doc/security/password_storage.md b/doc/security/password_storage.md index bd514de6e2c..67ef161e634 100644 --- a/doc/security/password_storage.md +++ b/doc/security/password_storage.md @@ -21,7 +21,7 @@ GitLab uses the [Devise](https://github.com/heartcombo/devise) authentication library to hash user passwords. Created password hashes have these attributes: - **Hashing**: - - **BCrypt**: By default, the [`bcrypt`](https://en.wikipedia.org/wiki/Bcrypt) hashing + - **bcrypt**: By default, the [`bcrypt`](https://en.wikipedia.org/wiki/Bcrypt) hashing function is used to generate the hash of the provided password. This cryptographic hashing function is strong and industry-standard. - **PBKDF2+SHA512**: PBKDF2+SHA512 is supported: 
@@ -29,7 +29,7 @@ library to hash user passwords. Created password hashes have these attributes: - In GitLab 15.6 and later when [FIPS mode](../development/fips_compliance.md) is enabled (feature flags are not required). - **Stretching**: Password hashes are [stretched](https://en.wikipedia.org/wiki/Key_stretching) to harden against brute-force attacks. By default, GitLab uses a stretching - factor of 10 for BCrypt and 20,000 for PBKDF2 + SHA512. + factor of 10 for bcrypt and 20,000 for PBKDF2 + SHA512. - **Salting**: A [cryptographic salt](https://en.wikipedia.org/wiki/Salt_(cryptography)) is added to each password to harden against pre-computed hash and dictionary attacks. To increase security, each salt is randomly generated for each diff --git a/doc/security/rate_limits.md b/doc/security/rate_limits.md index 20a81ed0c30..929609cd4a4 100644 --- a/doc/security/rate_limits.md +++ b/doc/security/rate_limits.md @@ -141,6 +141,19 @@ This is to mitigate the risk of misuses, such as mass discovery of usernames in The **rate limit** is 20 calls per minute per IP address. +### Project Jobs API endpoint + +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/104912) in GitLab 15.7 [with a flag](../administration/feature_flags.md) named `ci_enforce_rate_limits_jobs_api`. Disabled by default. + +FLAG: +On self-managed GitLab, by default this feature is not available. To make it available, +ask an administrator to [enable the feature flag](../administration/feature_flags.md) named `ci_enforce_rate_limits_jobs_api`. +The feature is not ready for production use. + +There is a rate limit for the endpoint `project/:id/jobs`, which is enforced to reduce timeouts when retrieving jobs. + +The **rate limit** is 600 calls per minute per signed-in user. + ## Troubleshooting ### Rack Attack is denylisting the load balancer diff --git a/doc/security/reset_user_password.md b/doc/security/reset_user_password.md index 248737fc908..38c52912d5c 100644 
--- a/doc/security/reset_user_password.md +++ b/doc/security/reset_user_password.md @@ -7,7 +7,7 @@ type: howto # Reset a user's password **(FREE SELF)** -You can reset user passwords by using a Rake task, a Rails console, or the +You can reset user passwords by using the UI, a Rake task, a Rails console, or the [Users API](../api/users.md#user-modification). ## Prerequisites @@ -16,6 +16,18 @@ To reset a user password, you must be an administrator of a self-managed GitLab The user's new password must meet all [password requirements](../user/profile/user_passwords.md#password-requirements). +## Use the UI + +To reset a user's password in the UI: + +1. On the top bar, select **Main menu > Admin**. +1. On the left sidebar, select **Overview > Users**. +1. For the user whose password you want to update, select **Edit** (**{pencil-square}**). +1. In the **Password** area, type a password and password confirmation. +1. Select **Save changes**. + +A confirmation is displayed. + ## Use a Rake task > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/52347) in GitLab 13.9. diff --git a/doc/security/user_email_confirmation.md b/doc/security/user_email_confirmation.md index ffc537c8f10..c3f19c92f91 100644 --- a/doc/security/user_email_confirmation.md +++ b/doc/security/user_email_confirmation.md @@ -13,7 +13,7 @@ they confirm their email address. 1. On the top bar, select **Main menu > Admin**. 1. On the left sidebar, select **Settings > General** (`/admin/application_settings/general`). -1. Expand the **Sign-up restrictions** section and look for the **Send confirmation email on sign-up** option. +1. Expand the **Sign-up restrictions** section and look for the **Email confirmation settings** options. ## Confirmation token expiry -- cgit v1.2.3
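Review bot: the BCrypt to bcrypt rename in the first password_storage.md hunk is fine, but the same list still spells the other algorithm as `PBKDF2+SHA512` in this hunk and `PBKDF2 + SHA512` in the next one; pick one spelling and use it in both bullets.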
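Review bot: in the stretching bullet of the second password_storage.md hunk, `factor of 10 for bcrypt and 20,000 for PBKDF2 + SHA512` puts two different kinds of quantity side by side: bcrypt's 10 is the cost parameter (log2 of the round count, so 2^10 = 1024 rounds), while 20,000 is the literal PBKDF2 iteration count. Suggest wording such as `a cost factor of 10 (2^10 rounds) for bcrypt and 20,000 iterations for PBKDF2 + SHA512` so readers do not compare the two numbers directly.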
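Review bot: the endpoint path in the rate_limits.md hunk, `project/:id/jobs`, looks like a typo for `projects/:id/jobs` (the Jobs API path uses the plural); please verify against the API reference before this merges. The new section also states the limit as `600 calls per minute per signed-in user` while the preceding section in the same hunk uses `per IP address`; it would help to say how requests that are not signed in are treated and what response callers receive when the limit is exceeded, since both matter to an administrator deciding whether to enable `ci_enforce_rate_limits_jobs_api`.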
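Review bot: the new `## Use the UI` section in reset_user_password.md ends with `A confirmation is displayed.` but does not say whether the user's existing sessions stay valid or whether the user must change the administrator-chosen password at next sign-in; please document both, because an administrator-set password is a shared secret until the user replaces it. The `## Use a Rake task` section that follows carries an `Introduced` line; if the UI path is available in every version, a short note saying so keeps the two sections consistent.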
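Review bot: the replaced step in the user_email_confirmation.md hunk now tells the reader to look for the **Email confirmation settings** options but no longer says which option to choose, whereas the removed text named a single setting (**Send confirmation email on sign-up**). List the available options and state which one requires users to confirm their email address, so the procedure remains actionable.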