[ci skip]

[ci skip]

Protect OAuth endpoints from brute force/password stuffing

See merge request gitlab-org/security/gitlab!843

[ci skip]

[ci skip]

[ci skip]

Security check validity of repository mirror urls

See merge request gitlab-org/security/gitlab!860

Add scopes presence validation on OAuth Application creation

See merge request gitlab-org/security/gitlab!905

George Koltsov authored 4 years ago and Drew Blessing committed 4 years ago

- Update OAuth Applications controllers to disallow empty scopes
  application creation

2FA requirement bypass using the API

See merge request gitlab-org/security/gitlab!874

Set maximum limit for profile events

See merge request gitlab-org/security/gitlab!877

GitLab Runner version upgrade

See merge request gitlab-org/security/gitlab!884

Malicious user can block gitlab.com users by exploiting 2FA inheritance logic

See merge request gitlab-org/security/gitlab!856

Previously created sessions remain active after activating 2FA

See merge request gitlab-org/security/gitlab!858

Delete members invites created by users being deleted

See merge request gitlab-org/security/gitlab!859

Pre-generation & Static 2FA Authenticator Secret Code can cause risks to accounts

See merge request gitlab-org/security/gitlab!857

Disabled Repository functionality - Still Able To Access The Project Files and Container Registry via Deploy Token

See merge request gitlab-org/security/gitlab!887

Improper Access Control on Deploy-Key

See merge request gitlab-org/security/gitlab!890

Validate Snippet global id in GraphQL destroy mutation

See merge request gitlab-org/security/gitlab!839

Merge branch 'security-220-dblessing-revoke-remember-me-on-session-revocation-13-3' into '13-3-stable-ee'

Invalidate remember me when an active session is revoked

See merge request gitlab-org/security/gitlab!853

Rate limit on webhooks testing feature

See merge request gitlab-org/security/gitlab!842

Upgrade jQuery to v3.5

See merge request gitlab-org/security/gitlab!836

Don't expose epic for users without permissions

See merge request gitlab-org/security/gitlab!862

Prevent OmniAuth from rendering arbitrary error messages

See merge request gitlab-org/security/gitlab!847

Invalidate two factor sign-in when user password changes

See merge request gitlab-org/security/gitlab!844

Prevent stale otp_user_id from signing-in incorrect user

See merge request gitlab-org/security/gitlab!850

Previously if the import URL contained passwords that may look like
hostnames or ports when unescaped, `Addressable::URI` would fail to
parse.

Since we really don't care about the username/password component, remove
them from Gitlab::UrlSanitizer and then check the resulting value.

Security websocket extensions update

See merge request gitlab-org/security/gitlab!881

Prevent project maintainers from editing group badges

See merge request gitlab-org/security/gitlab!868

Change conan api to use proper workhorse validation

See merge request gitlab-org/security/gitlab!861

Allow tokens only from running jobs for API auth

See merge request gitlab-org/security/gitlab!866

Marius Bobin authored 4 years ago and GitLab Release Tools Bot committed 4 years ago

Adds a finder class used for authentication with CI job tokens.
It checks that the job's status is `running` and that the project
is not removed.

Sanitize vulnerability history comment

See merge request gitlab-org/security/gitlab!825

Persist EKS External ID before presenting it to the user

See merge request gitlab-org/security/gitlab!841