1. 06 Jun, 2019 1 commit
      Correctly check permissions when creating snippet notes · 139008dd
      Markus Koller authored
      In the Snippets::NotesController the noteable was resolved and
      authorized through the :snippet_id, so by passing a :target_id for a
      different snippet it was possible to create a note on a snippet
      where the user would be unauthorized to do so otherwise.
      
      This fixes the problem by ignoring the :target_id and :target_type from
      the request, and using the same noteable for creation and authorization.
  2. 04 Jun, 2019 5 commits
  3. 03 Jun, 2019 10 commits
  4. 30 May, 2019 4 commits
  5. 29 May, 2019 3 commits
  6. 28 May, 2019 12 commits
  7. 27 May, 2019 1 commit
      Reject slug+uri concat if slug is deemed unsafe · d71a4d5c
      Kerri Miller authored
      First reported:
        https://gitlab.com/gitlab-org/gitlab-ce/issues/60143
      
      When the page slug is "javascript:" and we attempt to link to a relative
      path (using `.` or `..`) the code will concatenate the slug and the uri.
      This MR adds a guard to that concat step that will return `nil` if the
      incoming slug matches against any of the "unsafe" slug regexes;
      currently this is only for the slug "javascript:" but can be extended if
      needed. Manually tested against a non-exhaustive list from OWASP of
      common javascript XSS exploits that have to do with mangling the
      "javascript:" method, and all are caught by this change or by existing
      code that ingests the user-specified slug.
  8. 24 May, 2019 1 commit
  9. 23 May, 2019 2 commits
  10. 22 May, 2019 1 commit
      Protect Gitlab::HTTP against DNS rebinding attack · 4b221ff8
      Douwe Maan authored
      Gitlab::HTTP now resolves the hostname only once, verifies the IP is not
      blocked, and then uses the same IP to perform the actual request, while
      passing the original hostname in the `Host` header and SSL SNI field.
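The resolve-once-and-pin pattern this commit describes, as an added Ruby example that is not GitLab's own code: the blocklist, the host names and the scripted "rebinding" resolver are constructed for illustration, and `Net::HTTP#ipaddr=` (Ruby 2.5 and later) is what lets the socket go to the pinned IP while the hostname still drives the `Host` header and SNI.

```ruby
require 'ipaddr'
require 'resolv'
require 'net/http'

# Illustrative blocklist (constructed; GitLab's real list lives in its own code).
BLOCKED_RANGES = %w[0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16
                    172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10]
                 .map { |cidr| IPAddr.new(cidr) }

class BlockedAddressError < StandardError; end

def blocked_ip?(ip)
  addr = IPAddr.new(ip)
  BLOCKED_RANGES.any? { |r| r.family == addr.family && r.include?(addr) }
end

# Resolve the hostname exactly once, reject blocked answers, and return the
# IP that every later step must reuse. The resolver is injectable so the
# example runs offline; by default it is the system resolver.
def pin_address(hostname, resolver: ->(h) { Resolv.getaddress(h) })
  ip = resolver.call(hostname).to_s
  raise BlockedAddressError, "#{hostname} -> #{ip} is blocked" if blocked_ip?(ip)
  ip
end

# Client whose TCP connection goes to the pinned IP (Net::HTTP#ipaddr=)
# while Net::HTTP derives the Host header and TLS SNI from `address`,
# i.e. the original hostname. Nothing is connected here; that happens on
# start/request, and by then the address can no longer be re-resolved.
def pinned_http(hostname, port: 443, resolver: ->(h) { Resolv.getaddress(h) })
  http = Net::HTTP.new(hostname, port)
  http.ipaddr = pin_address(hostname, resolver: resolver)
  http.use_ssl = (port == 443)
  http
end

# Constructed rebinding resolver: a public (TEST-NET) address on the first
# lookup, a loopback address on every lookup after that. A client that
# resolved once for the check and again for the connect would be fooled.
def rebinding_resolver
  answers = ['203.0.113.10', '127.0.0.1']
  ->(_host) { answers.length > 1 ? answers.shift : answers.first }
end

if $PROGRAM_NAME == __FILE__
  http = pinned_http('rebind.example.test', resolver: rebinding_resolver)
  puts "connect to #{http.ipaddr}, Host/SNI #{http.address}"
end
```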