1. 10 Jun, 2019 1 commit
  2. 06 Jun, 2019 1 commit
    • John Cai's avatar
      Update Gitaly to 1.42.4 · f71e4a4a
      John Cai authored
      This patch of Gitaly includes a fix of the stderr logger writer to fix a
      panic that occured during an edge case.
      f71e4a4a
  3. 04 Jun, 2019 5 commits
  4. 03 Jun, 2019 10 commits
  5. 30 May, 2019 4 commits
  6. 29 May, 2019 3 commits
  7. 28 May, 2019 12 commits
  8. 27 May, 2019 1 commit
    • Kerri Miller's avatar
      Reject slug+uri concat if slug is deemed unsafe · d71a4d5c
      Kerri Miller authored
      First reported:
        https://gitlab.com/gitlab-org/gitlab-ce/issues/60143
      
      When the page slug is "javascript:" and we attempt to link to a relative
      path (using `.` or `..`) the code will concatenate the slug and the uri.
      This MR adds a guard to that concat step that will return `nil` if the
      incoming slug matches against any of the "unsafe" slug regexes;
      currently this is only for the slug "javascript:" but can be extended if
      needed. Manually tested against a non-exhaustive list from OWASP of
      common javascript XSS exploits that have to to with mangling the
      "javascript:" method, and all are caught by this change or by existing
      code that ingests the user-specified slug.
      d71a4d5c
  9. 24 May, 2019 1 commit
  10. 23 May, 2019 2 commits