- 06 Jun, 2019 1 commit
  - Markus Koller authored
    In the Snippets::NotesController the noteable was resolved and authorized through the :snippet_id, so by passing a :target_id for a different snippet it was possible to create a note on a snippet where the user would be unauthorized to do so otherwise. This fixes the problem by ignoring the :target_id and :target_type from the request, and using the same noteable for creation and authorization.
- 04 Jun, 2019 5 commits
  - GitLab Release Tools Bot authored
  - GitLab Release Tools Bot authored
    [ci skip]
  - John Skarbek authored
    Prepare 11.11.2 release
    See merge request gitlab-org/gitlab-ce!28679
  - Thong Kuah authored
    Fix project settings not being able to update
    Closes #62708
    See merge request gitlab-org/gitlab-ce!29097
  - Stan Hu authored
- 03 Jun, 2019 10 commits
  - John T Skarbek authored
  - Yorick Peterse authored
    Fix migration failure when groups are missing route
    Closes #58714
    See merge request gitlab-org/gitlab-ce!29022
    (cherry picked from commit 0488c26e)
    a52cbf6b Fix migration failure when groups are missing route
  - Mayra Cabrera authored
    Stop two-step rebase from hanging when errors occur
    See merge request gitlab-org/gitlab-ce!29060
  - Zeger-Jan van de Weg authored
    This change makes sure Gitaly includes a fix to make rebase work again properly.
    Part of: https://gitlab.com/gitlab-org/gitlab-ce/issues/62353
  - Mayra Cabrera authored
    Disable two_step_rebase feature flag
    See merge request gitlab-org/gitlab-ce!28778
    (cherry picked from commit 715d1057)
    8104eef0 Disable two_step_rebase feature flag
    dd1fa0c2 Apply suggestion to changelogs/unreleased/dm-disable-two-step-rebase.yml
  - Ash McKenzie authored
    Use source ref in pipeline webhook
    Closes #61553
    See merge request gitlab-org/gitlab-ce!28772
    (cherry picked from commit 2714f85c)
    7e05f3b7 Use source ref for pipeline webhook
  - Douglas Barbosa Alexandre authored
    Fix OmniAuth OAuth2Generic strategy not loading
    Closes #62216
    See merge request gitlab-org/gitlab-ce!28680
    (cherry picked from commit 7b5cc7b4)
    bf8f4c13 Fix OmniAuth OAuth2Generic strategy not loading
  - Lin Jen-Shin authored
    Fix display of promote to group label
    Closes #62200
    See merge request gitlab-org/gitlab-ce!28637
    (cherry picked from commit 9c2d0d87)
    f9a55f93 Fix display of promote to group label
    52764ec5 Apply suggestion to spec/helpers/labels_helper_spec.rb
    58dc21e7 Apply suggestion to spec/features/projects/labels/user_promotes_label_spec.rb
  - Kamil Trzciński authored
    Update SAST.gitlab-ci.yml - Add SAST_GITLEAKS_ENTROPY_LEVEL
    Closes #62179
    See merge request gitlab-org/gitlab-ce!28607
    (cherry picked from commit 2ae642f8)
    31e181f8 Update SAST.gitlab-ci.yml - Add SAST_GITLEAKS_ENTROPY_LEVEL
  - Filipa Lacerda authored
    Fix height of input groups
    Closes #61304, #61303, #59254, and #60778
    See merge request gitlab-org/gitlab-ce!28495
    (cherry picked from commit 52758b92)
    360646ea Fix height of input groups
- 30 May, 2019 4 commits
  - GitLab Release Tools Bot authored
  - GitLab Release Tools Bot authored
    [ci skip]
  - GitLab Release Tools Bot authored
    Add DNS rebinding protection settings
    See merge request gitlab/gitlabhq!3130
  - Oswaldo Ferreira authored
- 29 May, 2019 3 commits
  - Oswaldo Ferreira authored
  - Yorick Peterse authored
    Fix the overriding of EE import params
    See merge request gitlab/gitlabhq!3129
  - Igor Drozdov authored
- 28 May, 2019 12 commits
  - GitLab Release Tools Bot authored
    Reject slug+uri concat if slug is deemed unsafe
    See merge request gitlab/gitlabhq!3105
  - Robert Speicher authored
    Persistent XSS in note objects
    See merge request gitlab/gitlabhq!3127
  - Tiger authored
  - GitLab Release Tools Bot authored
    Fix url redaction for issue links
    See merge request gitlab/gitlabhq!3092
  - GitLab Release Tools Bot authored
    Disallow invalid MR branch name
    See merge request gitlab/gitlabhq!3095
  - GitLab Release Tools Bot authored
    Hide issue title on unsubscribe for anonymous users
    See merge request gitlab/gitlabhq!3099
  - GitLab Release Tools Bot authored
    Fix confidential issue label disclosure on milestone view
    See merge request gitlab/gitlabhq!3102
  - GitLab Release Tools Bot authored
    Handling password on import by url page
    See merge request gitlab/gitlabhq!3109
  - GitLab Release Tools Bot authored
    Resolve: Milestones leaked via search API
    See merge request gitlab/gitlabhq!3110
  - GitLab Release Tools Bot authored
    Protect Gitlab::HTTP against DNS rebinding attack
    See merge request gitlab/gitlabhq!3113
  - GitLab Release Tools Bot authored
    Update Gitaly to fix GetArchive vulnerability
    See merge request gitlab/gitlabhq!3118
  - GitLab Release Tools Bot authored
    Prevent password sign in restriction bypass
    See merge request gitlab/gitlabhq!3121
- 27 May, 2019 1 commit
  - Kerri Miller authored
    First reported: https://gitlab.com/gitlab-org/gitlab-ce/issues/60143
    When the page slug is "javascript:" and we attempt to link to a relative path (using `.` or `..`) the code will concatenate the slug and the uri. This MR adds a guard to that concat step that will return `nil` if the incoming slug matches against any of the "unsafe" slug regexes; currently this is only for the slug "javascript:" but can be extended if needed. Manually tested against a non-exhaustive list from OWASP of common javascript XSS exploits that have to do with mangling the "javascript:" method, and all are caught by this change or by existing code that ingests the user-specified slug.
- 24 May, 2019 1 commit
  - Filipa Lacerda authored
    Replaces a hard-coded date in the job app spec
    Closes #62283
    See merge request gitlab-org/gitlab-ce!28709
- 23 May, 2019 2 commits
  - James Edwards-Jones authored
  - Patrick Bajao authored
- 22 May, 2019 1 commit
  - Douwe Maan authored
    Gitlab::HTTP now resolves the hostname only once, verifies the IP is not blocked, and then uses the same IP to perform the actual request, while passing the original hostname in the `Host` header and SSL SNI field.
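As an added illustration (not GitLab's own Gitlab::HTTP code), the Ruby snippet below shows the pattern the commit above describes: resolve the hostname once, reject blocked addresses, then connect to the validated IP while keeping the original hostname for the `Host` header and TLS SNI via the standard-library `Net::HTTP#ipaddr=`. The blocked ranges and the injectable `resolver` are assumptions made for this example.

```ruby
require 'ipaddr'
require 'resolv'
require 'net/http'
require 'uri'

# Address ranges an outbound fetcher must never reach (constructed for this
# example; a real deployment would take these from configuration).
BLOCKED_RANGES = %w[
  127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
  169.254.0.0/16 0.0.0.0/8 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

class BlockedAddressError < StandardError; end

# True when the literal IP falls inside any blocked range.
def blocked_ip?(ip)
  addr = IPAddr.new(ip)
  BLOCKED_RANGES.any? { |range| range.include?(addr) }
end

# Resolve exactly once and validate every returned address. The resolver is
# injectable (assumption for this example) so the check runs without network.
def resolve_and_check(hostname, resolver: ->(h) { Resolv.getaddresses(h) })
  ips = resolver.call(hostname)
  raise BlockedAddressError, "#{hostname} did not resolve" if ips.empty?
  ips.each do |ip|
    raise BlockedAddressError, "#{hostname} -> #{ip} is blocked" if blocked_ip?(ip)
  end
  ips.first
end

# Build a client pinned to the validated IP. Net::HTTP connects to `ipaddr`
# but still sends `address` as the Host header and as the SNI server name,
# so a DNS answer that changes after the check cannot redirect the request.
def pinned_http(uri, resolver: ->(h) { Resolv.getaddresses(h) })
  ip = resolve_and_check(uri.host, resolver: resolver)
  http = Net::HTTP.new(uri.host, uri.port)
  http.ipaddr = ip
  http.use_ssl = (uri.scheme == 'https')
  http
end
```

The returned client is not started, so callers still issue the request themselves (for example with `http.request(Net::HTTP::Get.new(uri))`).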