Commits · 29b13ca3fbfd5c44efe0d95d0fac3d18ea9b4289 · Boxiang Sun / gitlab-ce

07 Jun, 2019 1 commit

Prevent Billion Laughs attack · 29b13ca3

Fabio Pitino authored May 20, 2019

It keeps track of the memory being used when loading the YAML file
as well as the depth of nesting.
Track exception when YAML is too big

29b13ca3

04 Jun, 2019 5 commits
- Update VERSION to 11.11.2 · 0da38977
  GitLab Release Tools Bot authored Jun 04, 2019
  
  0da38977
- Update CHANGELOG.md for 11.11.2 · 6e28e705
  GitLab Release Tools Bot authored Jun 04, 2019
```
[ci skip]
```
  6e28e705
- Merge branch '11-11-stable-patch-1' into '11-11-stable' · aae682a7
  John Skarbek authored Jun 04, 2019
```
Prepare 11.11.2 release

See merge request gitlab-org/gitlab-ce!28679
```
  aae682a7
- Merge branch 'sh-fix-import-url-update' into 'master' · a25ad6e7
  Thong Kuah authored Jun 03, 2019
```
Fix project settings not being able to update

Closes #62708

See merge request gitlab-org/gitlab-ce!29097
```
  a25ad6e7
- Merge branch '11-11-stable' into 11-11-stable-patch-1 · 09221d50
  Stan Hu authored Jun 04, 2019
  
  09221d50
03 Jun, 2019 10 commits

Merge remote-tracking branch 'origin/11-11-stable-patch-2' into 11-11-stable-patch-1 · 3fa68cc6
John T Skarbek authored Jun 03, 2019

3fa68cc6

Merge branch 'sh-fix-issue-58714' into 'master' · b1ea0cc4

Yorick Peterse authored Jun 03, 2019

Fix migration failure when groups are missing route

Closes #58714

See merge request gitlab-org/gitlab-ce!29022

(cherry picked from commit 0488c26e)

a52cbf6b Fix migration failure when groups are missing route

b1ea0cc4

Merge branch 'zj-bump-gitaly' into '11-11-stable-patch-1' · 2cc7155b
Mayra Cabrera authored Jun 03, 2019
```
Stop two-step rebase from hanging when errors occur

See merge request gitlab-org/gitlab-ce!29060
```
2cc7155b

Bump Gitaly version to 1.42.3 · c44d1775

Zeger-Jan van de Weg authored Jun 03, 2019

This change makes sure Gitaly includes a fix to make rebase work again
properly.

Part of: https://gitlab.com/gitlab-org/gitlab-ce/issues/62353

c44d1775

Merge branch 'dm-disable-two-step-rebase' into 'master' · 6953b13c

Mayra Cabrera authored May 27, 2019

Disable two_step_rebase feature flag

See merge request gitlab-org/gitlab-ce!28778

(cherry picked from commit 715d1057)

8104eef0 Disable two_step_rebase feature flag
dd1fa0c2 Apply suggestion to changelogs/unreleased/dm-disable-two-step-rebase.yml

6953b13c

Merge branch 'use-source-ref-name-in-webhook' into 'master' · c5e5d4aa

Ash McKenzie authored May 28, 2019

Use source ref in pipeline webhook

Closes #61553

See merge request gitlab-org/gitlab-ce!28772

(cherry picked from commit 2714f85c)

7e05f3b7 Use source ref for pipeline webhook

c5e5d4aa

Merge branch 'sh-fix-omniauth-generic-strategy' into 'master' · c416e630

Douglas Barbosa Alexandre authored May 23, 2019

Fix OmniAuth OAuth2Generic strategy not loading

Closes #62216

See merge request gitlab-org/gitlab-ce!28680

(cherry picked from commit 7b5cc7b4)

bf8f4c13 Fix OmniAuth OAuth2Generic strategy not loading

c416e630

Merge branch 'jp-label-fix' into 'master' · f5610f59

Lin Jen-Shin authored May 28, 2019

Fix display of promote to group label

Closes #62200

See merge request gitlab-org/gitlab-ce!28637

(cherry picked from commit 9c2d0d87)

f9a55f93 Fix display of promote to group label
52764ec5 Apply suggestion to spec/helpers/labels_helper_spec.rb
58dc21e7 Apply suggestion to spec/features/projects/labels/user_promotes_label_spec.rb

f5610f59

Merge branch 'patch-64' into 'master' · 672941ed

Kamil Trzciński authored May 24, 2019

Update SAST.gitlab-ci.yml - Add SAST_GITLEAKS_ENTROPY_LEVEL

Closes #62179

See merge request gitlab-org/gitlab-ce!28607

(cherry picked from commit 2ae642f8)

31e181f8 Update SAST.gitlab-ci.yml - Add SAST_GITLEAKS_ENTROPY_LEVEL

672941ed

Merge branch '60778-input-text-height' into 'master' · b02c9bfe

Filipa Lacerda authored May 24, 2019

Fix height of input groups

Closes #61304, #61303, #59254, and #60778

See merge request gitlab-org/gitlab-ce!28495

(cherry picked from commit 52758b92)

360646ea Fix height of input groups

b02c9bfe

30 May, 2019 4 commits
- Update VERSION to 11.11.1 · ac0d1491
  GitLab Release Tools Bot authored May 30, 2019
  
  ac0d1491
- Update CHANGELOG.md for 11.11.1 · 375e6dfd
  GitLab Release Tools Bot authored May 30, 2019
```
[ci skip]
```
  375e6dfd
- Merge branch 'osw-disable-dns-rebind-protection-settings-11-11' into '11-11-stable' · fc8699ef
  GitLab Release Tools Bot authored May 30, 2019
```
Add DNS rebinding protection settings

See merge request gitlab/gitlabhq!3130
```
  fc8699ef
- Add changelog · f6250d1e
  Oswaldo Ferreira authored May 29, 2019
  
  f6250d1e
29 May, 2019 3 commits
- Add DNS rebinding protection settings · b599fb4f
  Oswaldo Ferreira authored May 29, 2019
  
  b599fb4f
- Merge branch 'id-fix-overriding-of-import-params' into '11-11-stable' · 440c9665
  Yorick Peterse authored May 29, 2019
```
Fix the overriding of EE import params

See merge request gitlab/gitlabhq!3129
```
  440c9665
- Fix the overriding of EE import params · 02dc7fbf
  Igor Drozdov authored May 29, 2019
  
  02dc7fbf
28 May, 2019 12 commits
- Merge branch 'security-60143-address-xss-issue-in-wiki-links' into '11-11-stable' · 5dd3b753
  GitLab Release Tools Bot authored May 28, 2019
```
Reject slug+uri concat if slug is deemed unsafe

See merge request gitlab/gitlabhq!3105
```
  5dd3b753
- Merge branch 'security-58856-persistent-xss-11-11' into '11-11-stable' · affb2b0d
  Robert Speicher authored May 28, 2019
```
Persistent XSS in note objects

See merge request gitlab/gitlabhq!3127
```
  affb2b0d
- Fix persistent XSS in note objects · fb59eed0
  Tiger authored May 28, 2019
  
  fb59eed0
- Merge branch 'security-fix-project-existence-disclosure-11-11' into '11-11-stable' · 516aeaca
  GitLab Release Tools Bot authored May 28, 2019
```
Fix url redaction for issue links

See merge request gitlab/gitlabhq!3092
```
  516aeaca
- Merge branch 'security-60039-11-11' into '11-11-stable' · 07e56f3d
  GitLab Release Tools Bot authored May 28, 2019
```
Disallow invalid MR branch name

See merge request gitlab/gitlabhq!3095
```
  07e56f3d
- Merge branch 'security-unsubscribing-from-issue-11-11' into '11-11-stable' · 0e84bfd7
  GitLab Release Tools Bot authored May 28, 2019
```
Hide issue title on unsubscribe for anonymous users

See merge request gitlab/gitlabhq!3099
```
  0e84bfd7
- Merge branch 'security-fix-confidential-issue-label-visibility-11-11' into '11-11-stable' · ef228322
  GitLab Release Tools Bot authored May 28, 2019
```
Fix confidential issue label disclosure on milestone view

See merge request gitlab/gitlabhq!3102
```
  ef228322
- Merge branch 'security-id-leaked-password-in-import-url-frontend-11-11' into '11-11-stable' · 60edec1f
  GitLab Release Tools Bot authored May 28, 2019
```
Handling password on import by url page

See merge request gitlab/gitlabhq!3109
```
  60edec1f
- Merge branch 'security-fix_milestones_search_api_leak-11-11' into '11-11-stable' · 2d0c3178
  GitLab Release Tools Bot authored May 28, 2019
```
Resolve: Milestones leaked via search API

See merge request gitlab/gitlabhq!3110
```
  2d0c3178
- Merge branch 'security-http-hostname-override-11-11' into '11-11-stable' · eee1eb3b
  GitLab Release Tools Bot authored May 28, 2019
```
Protect Gitlab::HTTP against DNS rebinding attack

See merge request gitlab/gitlabhq!3113
```
  eee1eb3b
- Merge branch 'security-pb-fix-get-archive-11-11' into '11-11-stable' · 13213f7d
  GitLab Release Tools Bot authored May 28, 2019
```
Update Gitaly to fix GetArchive vulnerability

See merge request gitlab/gitlabhq!3118
```
  13213f7d
- Merge branch 'security-jej/prevent-web-sign-in-bypass-11-11' into '11-11-stable' · 32a64720
  GitLab Release Tools Bot authored May 28, 2019
```
Prevent password sign in restriction bypass

See merge request gitlab/gitlabhq!3121
```
  32a64720
27 May, 2019 1 commit

Reject slug+uri concat if slug is deemed unsafe · d71a4d5c

Kerri Miller authored May 20, 2019

First reported:
  https://gitlab.com/gitlab-org/gitlab-ce/issues/60143

When the page slug is "javascript:" and we attempt to link to a relative
path (using `.` or `..`) the code will concatenate the slug and the uri.
This MR adds a guard to that concat step that will return `nil` if the
incoming slug matches against any of the "unsafe" slug regexes;
currently this is only for the slug "javascript:" but can be extended if
needed. Manually tested against a non-exhaustive list from OWASP of
common javascript XSS exploits that have to to with mangling the
"javascript:" method, and all are caught by this change or by existing
code that ingests the user-specified slug.

d71a4d5c

24 May, 2019 1 commit

Merge branch '62283-fix-job-app-spec' into 'master' · c22ab474

Filipa Lacerda authored May 24, 2019

Replaces a hard-coded date in the job app spec

Closes #62283

See merge request gitlab-org/gitlab-ce!28709

c22ab474

23 May, 2019 2 commits
- Prevent password sign in restriction bypass · 88de1681
  James Edwards-Jones authored Dec 12, 2018
  
  88de1681
- Update Gitaly to fix GetArchive vulnerability · 7961a5dc
  Patrick Bajao authored May 23, 2019
  
  7961a5dc
22 May, 2019 1 commit

Protect Gitlab::HTTP against DNS rebinding attack · 4b221ff8

Douwe Maan authored Apr 21, 2019

Gitlab::HTTP now resolves the hostname only once, verifies the IP is not
blocked, and then uses the same IP to perform the actual request, while
passing the original hostname in the `Host` header and SSL SNI field.

4b221ff8