An error occurred fetching the project authors.
  1. 14 Jun, 2016 10 commits
    • Sean McGivern's avatar
      Forbid scripting for wiki files · 1cda245c
      Sean McGivern authored
      Wiki files (not pages - files in the repo) are just sent to the browser
      with whatever content-type the mime_types gem assigns to them based on
      their extension. As this is from the same domain as the GitLab
      application, this is an XSS vulnerability.
      
      Set a CSP forbidding all sources for scripting, CSS, XHR, etc. on these
      files.
      1cda245c
    • Douwe Maan's avatar
      Merge branch 'fix-markdown-spec' into 'master' · 066020fc
      Douwe Maan authored
      Add whitelisted elements correctly in sanitization
      
      Add whitelisted elements correctly in sanitization
      
      Consider this command:
      
          bundle exec rails r "include GitlabMarkdownHelper
          puts markdown('<span>this is a span</span>', pipeline: :description)
          puts markdown('<span>this is a span</span>')"
      
      And the same in the opposite order:
      
          bundle exec rails r "include GitlabMarkdownHelper
          puts markdown('<span>this is a span</span>')
          puts markdown('<span>this is a span</span>', pipeline: :description)"
      
      Before this change, they would both output:
      
          <p><span>this is a span</span></p>
          <p>this is a span</p>
      
      That's because `span` is added to the list of whitelisted elements in
      the `SanitizationFilter`, but this method tries not to make the same
      changes multiple times. Unfortunately,
      `HTML::Pipeline::SanitizationFilter::LIMITED`, which is used by the
      `DescriptionPipeline`, uses the same Ruby objects for all of its hash
      values _except_ `:elements`.
      
      That means that whichever of `DescriptionPipeline` and `GfmPipeline` is
      called first would have `span` in its whitelisted elements, and the
      second wouldn't.
      
      Fix this by adding a special check for modifying `:elements` twice, then
      checking `:transformers` as before.
      
      
      See merge request !4588
      066020fc
    • Douwe Maan's avatar
      Merge branch 'confidential-issues-in-private-projects' into 'master' · 0c0ef7df
      Douwe Maan authored
      Allow users to create confidential issues in private projects
      
      Closes #14787
      
      ## What does this MR do?
      
      Allow users to create confidential issues in private projects, and exclude access to them to project members with `Guest` role.
      
      ## Are there points in the code the reviewer needs to double check?
      
      The query generated by the `User#authorized_projects` method.
      
      ## Why was this MR needed?
      
      Community have been requesting this feature.
      
      ## What are the relevant issue numbers?
      
      https://gitlab.com/gitlab-org/gitlab-ce/issues/14787
      
      https://gitlab.com/gitlab-org/gitlab-ce/issues/3678
      
      ## Screenshots (if relevant)
      
      Not relevant.
      
      ## Todo
      
      - [x] Allow users to create confidential issues in private projects
      - [x] Project members with `Guest` role should not have access to confidential issues
      - [ ] ~~Apply changes in EE + Elasticsearch~~ Will be done in another MR, when this got merged
      
      See merge request !3471
      0c0ef7df
    • Rémy Coutable's avatar
      Merge branch 'bentolor/gitlab-ce-fix/bamboo-service-trigger-auth' into 'master' · 0068ba8d
      Rémy Coutable authored
      Bamboo & TeamCity Services: Fix missing credentials & URL handling
      
      _Note: Originally opened at !4367 by @bentolor_
      
      I've also fixed the URL handling for TeamCity which is very similar to Bamboo implementation-wise.
      
      -----
      
      *Note:* This is a port from my [original pull request on GitHub](https://github.com/gitlabhq/gitlabhq/pull/9428)
      
      ## What does this MR do?
      This improves the Bamboo Service and provides two fixes:
      
      1. One for the situation, where the build trigger won't work because Bamboo is requiring authentication credentials for the trigger GET: 8f25aca307b49ee006172b8c2985a878800aa6b6
      2. One which fixes the way how the configured Bamboo base URL is assembled to the final REST URL. fe9eb30d7ebe4a83eefea7e06f8b69b135dad15d
      
      ### Regarding credentials
      The change now does provide additional HTTP Basic Auth parameters if user credentials were provided and appends an request parameter indicating the HTTP Basic Authentication should be used. This aligns interaction with Bamboo with the other calls this service executes.
      
      ### Regarding URL handling
      If one had configured a `bamboo_url` like http://foo.bar/bamboo in the previous implementation the plugin directed it's request i.e. to http://foo.bar/rest/... instead of http://foo.bar/bamboo/rest/...
      
      
      ## Are there points in the code the reviewer needs to double check?
      The second issues was probably an unwanted side effect of how Ruby's `URI.join` is working. It will only work correctly, if 
      - ... the prefix URL has at least one or more  trailing `/`
      - .. the appendix parts are _not_ prefixed with `/`
      
      I need try & figure it out using the rather lacking, official stdlib documentation and playing around in `irb`. As I'm an absolute Ruby novice I'm unable to add/provide new tests.
      
      ## Why was this MR needed?
      Because Gitlab does not work in our Bamboo-Environment at all: Neither it is able to trigger Bamboo runs nor does the Merge status check work. This MR at least fixes the trigger issues.
      
      ## What are the relevant issue numbers?
      This MR originates from my [original pull request on GitHub](https://github.com/gitlabhq/gitlabhq/pull/9428).
      Sadly the issue, that the merge status is still not working correctly for branches will still not work. But at least the trigger works. 
      
      There happened to be very much discussion about the branch status issue in #1355 and  #2562 though that one is lost as the author retracted his branch. 
      
      See merge request !4408
      0068ba8d
    • Rémy Coutable's avatar
      Merge branch 'issue_14572' into 'master' · a78cd2ec
      Rémy Coutable authored
      Add more information into RSS feed for issues
      
      ## What does this MR do?
      
      This MR adds issue text, labels , milestone, assignee and due date into issues RSS feed.
      
      ## Are there points in the code the reviewer needs to double check?
      
      #14572 requests to add 'weight' among other fields. Seems like issue weight is available
      in enterprise edition only so it is not implemented in this MR. Please correct me if I'm wrong.
      
      ## Why was this MR needed?
      
      This MR is needed because it extends issues RSS feed with useful information requested in
      #14572.
      
      ## What are the relevant issue numbers?
      
      https://gitlab.com/gitlab-org/gitlab-ce/issues/14572
      
      See merge request !4158
      a78cd2ec
    • Rémy Coutable's avatar
      Fix broken URI joining for `teamcity_url` with suffixes · 2f7b2057
      Rémy Coutable authored
      If one had configured a `teamcity_url` like http://foo.bar/teamcity in
      the previous implementation the plugin directed it's request i.e. to
      http://foo.bar/httpAuth/... instead of http://foo.bar/teamcity/httpAuth/...
      
      `URI.join` only works correctly, if the prefix URL has
        - at least one or more  trailing '/'
        - the appended parts are _not_ prefixed with '/'
      
      The current implementation should work with all sorts of TeamCity base
      URLs.
      Signed-off-by: default avatarRémy Coutable <remy@rymai.me>
      2f7b2057
    • Rémy Coutable's avatar
    • Benjamin Schmid's avatar
      Fix broken URI joining for `bamboo_url` with suffixes · 46f3cd7c
      Benjamin Schmid authored
      If one had configured a `bamboo_url` like http://foo.bar/bamboo in the
      previous implementation the plugin directed it's request i.e. to
      http://foo.bar/rest/... instead of http://foo.bar/bamboo/rest/...
      
      `URI.join` only works correctly, if the prefix URL has
        - at least one or more  trailing '/'
        - the appended parts are _not_ prefixed with '/'
      
      The current implementation should work with all sorts of Bamboo base URLs.
      Signed-off-by: default avatarRémy Coutable <remy@rymai.me>
      46f3cd7c
    • Benjamin Schmid's avatar
      Honor credentials on calling Bamboo CI trigger · 84b07f70
      Benjamin Schmid authored
      This improves the Bamboo Service and provides a fix for situations,
      where the build trigger won't work, because Bamboo is requiring
      authentication also for the trigger GET.
      
      The change now does provide additional HTTP Basic Auth parameters
      if user credentials were provided and appends an request parameter
      indicating the HTTP Basic Authentication should be used.
      This aligns interaction with Bamboo with the other calls this service
      executes.
      Signed-off-by: default avatarRémy Coutable <remy@rymai.me>
      84b07f70
    • Rémy Coutable's avatar
      Merge branch 'retry-spinach-tests' into 'master' · 121c6322
      Rémy Coutable authored
      Retry spinach tests in case of failure using rerun reporter
      
      ## What does this MR do?
      
      Fixes Spinach tests to retry on tests on master
      
      
      See merge request !4539
      121c6322
  2. 13 Jun, 2016 30 commits