Commits · 02dc7fbfa40f9df03590b8f01ee2da4464d8437b · nexedi / gitlab-ce

29 May, 2019 1 commit
- Fix the overriding of EE import params · 02dc7fbf
  Igor Drozdov authored May 29, 2019
  
  02dc7fbf
28 May, 2019 12 commits
- Merge branch 'security-60143-address-xss-issue-in-wiki-links' into '11-11-stable' · 5dd3b753
  GitLab Release Tools Bot authored May 28, 2019
```
Reject slug+uri concat if slug is deemed unsafe

See merge request gitlab/gitlabhq!3105
```
  5dd3b753
- Merge branch 'security-58856-persistent-xss-11-11' into '11-11-stable' · affb2b0d
  Robert Speicher authored May 28, 2019
```
Persistent XSS in note objects

See merge request gitlab/gitlabhq!3127
```
  affb2b0d
- Fix persistent XSS in note objects · fb59eed0
  Tiger authored May 28, 2019
  
  fb59eed0
- Merge branch 'security-fix-project-existence-disclosure-11-11' into '11-11-stable' · 516aeaca
  GitLab Release Tools Bot authored May 28, 2019
```
Fix url redaction for issue links

See merge request gitlab/gitlabhq!3092
```
  516aeaca
- Merge branch 'security-60039-11-11' into '11-11-stable' · 07e56f3d
  GitLab Release Tools Bot authored May 28, 2019
```
Disallow invalid MR branch name

See merge request gitlab/gitlabhq!3095
```
  07e56f3d
- Merge branch 'security-unsubscribing-from-issue-11-11' into '11-11-stable' · 0e84bfd7
  GitLab Release Tools Bot authored May 28, 2019
```
Hide issue title on unsubscribe for anonymous users

See merge request gitlab/gitlabhq!3099
```
  0e84bfd7
- Merge branch 'security-fix-confidential-issue-label-visibility-11-11' into '11-11-stable' · ef228322
  GitLab Release Tools Bot authored May 28, 2019
```
Fix confidential issue label disclosure on milestone view

See merge request gitlab/gitlabhq!3102
```
  ef228322
- Merge branch 'security-id-leaked-password-in-import-url-frontend-11-11' into '11-11-stable' · 60edec1f
  GitLab Release Tools Bot authored May 28, 2019
```
Handling password on import by url page

See merge request gitlab/gitlabhq!3109
```
  60edec1f
- Merge branch 'security-fix_milestones_search_api_leak-11-11' into '11-11-stable' · 2d0c3178
  GitLab Release Tools Bot authored May 28, 2019
```
Resolve: Milestones leaked via search API

See merge request gitlab/gitlabhq!3110
```
  2d0c3178
- Merge branch 'security-http-hostname-override-11-11' into '11-11-stable' · eee1eb3b
  GitLab Release Tools Bot authored May 28, 2019
```
Protect Gitlab::HTTP against DNS rebinding attack

See merge request gitlab/gitlabhq!3113
```
  eee1eb3b
- Merge branch 'security-pb-fix-get-archive-11-11' into '11-11-stable' · 13213f7d
  GitLab Release Tools Bot authored May 28, 2019
```
Update Gitaly to fix GetArchive vulnerability

See merge request gitlab/gitlabhq!3118
```
  13213f7d
- Merge branch 'security-jej/prevent-web-sign-in-bypass-11-11' into '11-11-stable' · 32a64720
  GitLab Release Tools Bot authored May 28, 2019
```
Prevent password sign in restriction bypass

See merge request gitlab/gitlabhq!3121
```
  32a64720
27 May, 2019 1 commit

Reject slug+uri concat if slug is deemed unsafe · d71a4d5c

Kerri Miller authored May 20, 2019

First reported:
  https://gitlab.com/gitlab-org/gitlab-ce/issues/60143

When the page slug is "javascript:" and we attempt to link to a relative
path (using `.` or `..`) the code will concatenate the slug and the uri.
This MR adds a guard to that concat step that will return `nil` if the
incoming slug matches against any of the "unsafe" slug regexes;
currently this is only for the slug "javascript:" but can be extended if
needed. Manually tested against a non-exhaustive list from OWASP of
common javascript XSS exploits that have to to with mangling the
"javascript:" method, and all are caught by this change or by existing
code that ingests the user-specified slug.

d71a4d5c

24 May, 2019 1 commit

Merge branch '62283-fix-job-app-spec' into 'master' · c22ab474

Filipa Lacerda authored May 24, 2019

Replaces a hard-coded date in the job app spec

Closes #62283

See merge request gitlab-org/gitlab-ce!28709

c22ab474

23 May, 2019 2 commits
- Prevent password sign in restriction bypass · 88de1681
  James Edwards-Jones authored Dec 12, 2018
  
  88de1681
- Update Gitaly to fix GetArchive vulnerability · 7961a5dc
  Patrick Bajao authored May 23, 2019
  
  7961a5dc
22 May, 2019 3 commits
- Protect Gitlab::HTTP against DNS rebinding attack · 4b221ff8
  Douwe Maan authored Apr 21, 2019
```
Gitlab::HTTP now resolves the hostname only once, verifies the IP is not
blocked, and then uses the same IP to perform the actual request, while
passing the original hostname in the `Host` header and SSL SNI field.
```
  4b221ff8
- Update VERSION to 11.11.0 · 3e8ca2fb
  GitLab Release Tools Bot authored May 22, 2019
  
  3e8ca2fb
- Update CHANGELOG.md for 11.11.0 · 23088798
  GitLab Release Tools Bot authored May 22, 2019
```
[ci skip]
```
  23088798
21 May, 2019 16 commits

Update VERSION to 11.11.0-rc5 · 783283f0
GitLab Release Tools Bot authored May 21, 2019

783283f0
Merge branch '11-11-stable-prepare-rc5' into '11-11-stable' · 9742e6ef
Yorick Peterse authored May 21, 2019
```
Prepare 11.11.0-rc5 release

See merge request gitlab-org/gitlab-ce!28537
```
9742e6ef

Merge branch 'docs/minor-edit-of-unintall-apps-docs' into 'master' · 9f7af69b

Achilleas Pipinellis authored May 20, 2019

Slight edit of text from earlier merge

Closes #61447

See merge request gitlab-org/gitlab-ce!28511

(cherry picked from commit 890fe4ea)

208dc117 Slight edit of text from earlier merge

9f7af69b

Merge branch 'update-docs-alert-bot' into 'master' · 109d9ece

Achilleas Pipinellis authored May 21, 2019

Add to docs sentence about alertbot opening issues

See merge request gitlab-org/gitlab-ce!28503

(cherry picked from commit 5396b2a8)

afcbebd9 Add to docs sentence about alertbot opening issues

109d9ece

Merge branch 'docs-play-all-manual-jobs-in-a-stage' into 'master' · bb5339fc

Achilleas Pipinellis authored May 20, 2019

Adds documentation for 'Play all manual' button

See merge request gitlab-org/gitlab-ce!28502

(cherry picked from commit 7a9a65e5)

32a99c6c Adds documentation for stage button
4ec9f042 Apply suggestion to doc/ci/pipelines.md
062844cc Apply suggestion to doc/ci/pipelines.md
ecc7b72a Apply suggestion to doc/ci/pipelines.md
c4bcf858 Apply suggestion to doc/ci/pipelines.md
b0b16210 Apply suggestion to doc/ci/pipelines.md

bb5339fc

Merge branch 'sh-fix-rugged-get-tree-entries-recursive' into 'master' · b2e14050

Douglas Barbosa Alexandre authored May 20, 2019

API: Fix recursive flag not working with Rugged get_tree_entries flag

Closes #61979

See merge request gitlab-org/gitlab-ce!28494

(cherry picked from commit d951f047)

c1827f1c API: Fix recursive flag not working with Rugged get_tree_entries flag

b2e14050

Merge branch 'revert-' into 'master' · e392de23

Grzegorz Bizon authored May 21, 2019

Revert "Merge branch '55127-add-delay-after-mr-creation-for-async-tasks-to-complete' into 'master'"

See merge request gitlab-org/gitlab-ce!28492

(cherry picked from commit a5f810c9)

c04ea583 Revert "Merge branch '55127-add-delay-after-mr-creation-for-async-tasks-to-complete' into 'master'"

e392de23

Merge branch '62038-chevron-down' into 'master' · 234a91c9

Phil Hughes authored May 21, 2019

Adds arrow icons to select menu in CI/CD settings

Closes #62038

See merge request gitlab-org/gitlab-ce!28476

(cherry picked from commit 3c8bc807)

64f040e2 Adds arrow icons to select option in CI/CD settings

234a91c9

Merge branch 'tr-update-group-security-dashboard-docs' into 'master' · ff7e929f

Achilleas Pipinellis authored May 20, 2019

Update group security dashboard docs - CE backport

See merge request gitlab-org/gitlab-ce!28471

(cherry picked from commit d9877120)

6afda6d6 Update group security dashboard screenshot

ff7e929f

Merge branch 'docs/clarify-defaulting-behaviour-pipelines-for-mr' into 'master' · 610e394f

Achilleas Pipinellis authored May 20, 2019

Fix content to not contradict

Closes #61270

See merge request gitlab-org/gitlab-ce!28456

(cherry picked from commit 0bf8204a)

ec3e0da8 Fix content to not contradict
19b05a42 Apply suggestion to doc/ci/merge_request_pipelines/index.md

610e394f

Merge branch 'docs-instance_level_clusters' into 'master' · 929a4f8b

Evan Read authored May 20, 2019

Initial instance level cluster docs

See merge request gitlab-org/gitlab-ce!27873

(cherry picked from commit 961a5f72)

96cec8bf Initial instance level cluster docs
a951adb6 Apply suggestion to doc/user/project/clusters/index.md
719b7a07 Apply suggestion to doc/user/group/clusters/index.md

929a4f8b

Merge branch 'fl-fix-next-flag-for-good-rc5' into '11-11-stable-prepare-rc5' · 249213a9
Yorick Peterse authored May 21, 2019
```
Port for RC5 of Next badge must be visible when canary flag is true

See merge request gitlab-org/gitlab-ce!28540
```
249213a9
Resolve: Milestones leaked via search API · fcc2bc3b
Felipe Artur authored May 20, 2019
```
Fix milestone titles being leaked using search API
when users cannot read milestones
```
fcc2bc3b
Handling password on import by url page · 731ec33a
Sam Bigelow authored Apr 13, 2019

731ec33a
Next badge must be visible when canary flag is true · aa583f10
Filipa Lacerda authored May 20, 2019

aa583f10
Hide password on import by url form · f7fa349e
Igor Drozdov authored Apr 11, 2019

f7fa349e

20 May, 2019 4 commits

Update VERSION to 11.11.0-rc4 · 406fe0e9
GitLab Release Tools Bot authored May 20, 2019

406fe0e9
Merge branch '11-11-stable-prepare-rc4' into '11-11-stable' · 0905e21c
Robert Speicher authored May 20, 2019
```
Prepare 11.11.0-rc4 release

See merge request gitlab-org/gitlab-ce!28479
```
0905e21c

Merge branch 'revert-' into 'master' · 8e236916

Yorick Peterse authored May 20, 2019

Revert "Merge branch '56850-add-new-unicorn-metrics' into 'master'"

See merge request gitlab-org/gitlab-ce!28483

(cherry picked from commit c775e88c)

2334b077 Revert "Merge branch '56850-add-new-unicorn-metrics' into 'master'"

8e236916

Merge branch 'dz-improve-ci-id-migration' into 'master' · 0ba5e978

Sean McGivern authored May 17, 2019

Add extra checks for ci_id migration

See merge request gitlab-org/gitlab-ce!28404

(cherry picked from commit 30a60ee4)

5786de36 Add extra checks for ci_id migration

0ba5e978