Commits · b55ca7bf33cd6949394615f8bb75f1b5dcacd5a5 · Michał Zając / GitLab

Sep 02, 2020
- Update VERSION to 13.1.9-ee · b55ca7bf
  GitLab Release Tools Bot authored 4 years ago
  
  View commits for tag v13.1.9-ee v13.1.9-ee
  
  b55ca7bf
- Update CHANGELOG.md for 13.1.9 · 08f8a54e
  GitLab Release Tools Bot authored 4 years ago
  
  [ci skip]
  08f8a54e
- Update CHANGELOG-EE.md for 13.1.9-ee · c39c7c43
  GitLab Release Tools Bot authored 4 years ago
  
  [ci skip]
  c39c7c43
- Update GITALY_SERVER_VERSION to 13.1.9 · e7af1beb
  GitLab Release Tools Bot authored 4 years ago
  
  [ci skip]
  e7af1beb
Sep 01, 2020
- Merge branch 'security-check-validity-of-repository-mirror-urls-13.1' into '13-1-stable-ee' · d493a678
  Robert Speicher authored 4 years ago
  
  Security check validity of repository mirror urls See merge request gitlab-org/security/gitlab!833
  d493a678
- Merge branch 'security-add-presence-validation-oauth-apps-13-1' into '13-1-stable-ee' · 633f44b7
  GitLab Release Tools Bot authored 4 years ago
  
  Add scopes presence validation on OAuth Application creation See merge request gitlab-org/security/gitlab!907
  633f44b7
- Mock calls to :update_mirror · 2488cb5d
  Kerri Miller authored 4 years ago
  
  2488cb5d
- Fix import URL validation failing on valid inputs · 3b2bee92
  Stan Hu authored 4 years ago
  
  Previously if the import URL contained passwords that may look like hostnames or ports when unescaped, `Addressable::URI` would fail to parse. Since we really don't care about the username/password component, remove them from Gitlab::UrlSanitizer and then check the resulting value.
  3b2bee92
- Check validity of remote URLs before mirroring · 00507164
  Kerri Miller authored 4 years ago
  
  For security reasons, we need to check the validity of remote URLs to avoid users specifying blocked URLs (such as localhost)
  00507164
- Add scopes presence validation on OAuth Application creation · 9e2b5497
  George Koltsov authored 4 years ago and Drew Blessing committed 4 years ago
  
  - Update OAuth Applications controllers to disallow empty scopes application creation
  Unverified
  
  9e2b5497
- Merge branch 'security-218-prevent-2fa-bypass-using-api-13-1' into '13-1-stable-ee' · 77d6b5bb
  GitLab Release Tools Bot authored 4 years ago
  
  2FA requirement bypass using the API See merge request gitlab-org/security/gitlab!876
  77d6b5bb
- Add separate class for 2fa verification · 7bd292e1
  mksionek authored 4 years ago and GitLab Release Tools Bot committed 4 years ago
  
  Change the way of treating nil current user Add specs to new class Add changelog entry Add specs for new auth method Rename Verificator to verifier Rename method in verifier Add cr remarks Add cr remarks
  7bd292e1
- Merge branch 'security-pb-limit-profile-events-13-1' into '13-1-stable-ee' · 7d7c93f6
  GitLab Release Tools Bot authored 4 years ago
  
  Set maximum limit for profile events See merge request gitlab-org/security/gitlab!879
  7d7c93f6
- Merge branch 'security-update-runner-version-master-13-1' into '13-1-stable-ee' · 27f9e8d6
  GitLab Release Tools Bot authored 4 years ago
  
  GitLab Runner version upgrade See merge request gitlab-org/security/gitlab!886
  27f9e8d6
- Merge branch 'security-199-show-actual-group-13-1' into '13-1-stable-ee' · 39f1feff
  GitLab Release Tools Bot authored 4 years ago
  
  Malicious user can block gitlab.com users by exploiting 2FA inheritance logic See merge request gitlab-org/security/gitlab!801
  39f1feff
- Merge branch 'security-213-delete-other-sessions-when-activating-2fa-13-1' into '13-1-stable-ee' · 893909ad
  GitLab Release Tools Bot authored 4 years ago
  
  Previously created sessions remain active after activating 2FA See merge request gitlab-org/security/gitlab!865
  893909ad
- Merge branch 'security-216-access-to-private-projects-13-1' into '13-1-stable-ee' · 30e5e5cc
  GitLab Release Tools Bot authored 4 years ago
  
  Delete members invites created by users being deleted See merge request gitlab-org/security/gitlab!830
  30e5e5cc
- Merge branch 'security-212-regenerate-2fa-app-code-13-1' into '13-1-stable-ee' · 827cb513
  GitLab Release Tools Bot authored 4 years ago
  
  Pre-generation & Static 2FA Authenticator Secret Code can cause risks to accounts See merge request gitlab-org/security/gitlab!808
  827cb513
- Merge branch 'security-deploy-token-can-read-disabled-repo-13-1' into '13-1-stable-ee' · 1fc15274
  GitLab Release Tools Bot authored 4 years ago
  
  Disabled Repository functionality - Still Able To Access The Project Files and Container Registry via Deploy Token See merge request gitlab-org/security/gitlab!889
  1fc15274
- Merge branch 'security-improper-access-control-on-deploy-key-13-1' into '13-1-stable-ee' · 065f751f
  GitLab Release Tools Bot authored 4 years ago
  
  Improper Access Control on Deploy-Key See merge request gitlab-org/security/gitlab!892
  065f751f
- Merge branch 'security-graphql-type-check-13-1' into '13-1-stable-ee' · 10fb131f
  GitLab Release Tools Bot authored 4 years ago
  
  Validate Snippet global id in GraphQL destroy mutation See merge request gitlab-org/security/gitlab!730
  10fb131f
- Merge branch... · 8c9ac3eb
  GitLab Release Tools Bot authored 4 years ago
  
  Merge branch 'security-220-dblessing-revoke-remember-me-on-session-revocation-13-1' into '13-1-stable-ee' Invalidate remember me when an active session is revoked See merge request gitlab-org/security/gitlab!855
  8c9ac3eb
- Merge branch 'security-223-webhook-dos-attack-13-1' into '13-1-stable-ee' · 61b6def2
  GitLab Release Tools Bot authored 4 years ago
  
  Rate limit on webhooks testing feature See merge request gitlab-org/security/gitlab!827
  61b6def2
- Merge branch 'security-security/upgrade-jquery-3.5-13-1' into '13-1-stable-ee' · 4649df7c
  GitLab Release Tools Bot authored 4 years ago
  
  Upgrade jQuery to v3.5 See merge request gitlab-org/security/gitlab!834
  4649df7c
- Merge branch 'security-conf-epic-visibility-13-1' into '13-1-stable-ee' · f0e2a6be
  GitLab Release Tools Bot authored 4 years ago
  
  Don't expose epic for users without permissions See merge request gitlab-org/security/gitlab!788
  f0e2a6be
- Merge branch 'security-217-dblessing-safe-omniauth-errors-13-1' into '13-1-stable-ee' · 9cf46826
  GitLab Release Tools Bot authored 4 years ago
  
  Prevent OmniAuth from rendering arbitrary error messages See merge request gitlab-org/security/gitlab!849
  9cf46826
- Merge branch 'security-214-dblessing-revoke-session-on-pw-change-13-1' into '13-1-stable-ee' · 2e8622f4
  GitLab Release Tools Bot authored 4 years ago
  
  Invalidate two factor sign-in when user password changes See merge request gitlab-org/security/gitlab!846
  2e8622f4
- Merge branch 'security-209-dblessing-prevent-stale-otp-user-id-13-1' into '13-1-stable-ee' · f4428461
  GitLab Release Tools Bot authored 4 years ago
  
  Prevent stale otp_user_id from signing-in incorrect user See merge request gitlab-org/security/gitlab!852
  f4428461
Aug 28, 2020
- Merge branch 'security-websocket-extensions-update-13-1' into '13-1-stable-ee' · ddba8b35
  GitLab Release Tools Bot authored 4 years ago
  
  Security websocket extensions update See merge request gitlab-org/security/gitlab!750
  ddba8b35
- Merge branch 'security-projectmaintainer-edit-badges-13-1' into '13-1-stable-ee' · 1d86d5a3
  GitLab Release Tools Bot authored 4 years ago
  
  Prevent project maintainers from editing group badges See merge request gitlab-org/security/gitlab!796
  1d86d5a3
- Merge branch 'security-fix-conan-workhorse-params-13-1' into '13-1-stable-ee' · 796a7cf5
  GitLab Release Tools Bot authored 4 years ago
  
  Change conan api to use proper workhorse validation See merge request gitlab-org/security/gitlab!766
  796a7cf5
- Merge branch 'security-api-auth-use-job-token-for-running-jobs-13-1' into '13-1-stable-ee' · 067e7ca9
  GitLab Release Tools Bot authored 4 years ago
  
  Allow tokens only from running jobs for API auth See merge request gitlab-org/security/gitlab!709
  067e7ca9
- Merge branch 'security-219378-xss-on-vulnerability-history-13-1' into '13-1-stable-ee' · 45d7a0ae
  GitLab Release Tools Bot authored 4 years ago
  
  Sanitize vulnerability history comment See merge request gitlab-org/security/gitlab!682
  45d7a0ae
- Merge branch 'security-prevent-aws-external-id-manipulation-13-1' into '13-1-stable-ee' · b2915d51
  GitLab Release Tools Bot authored 4 years ago
  
  Persist EKS External ID before presenting it to the user See merge request gitlab-org/security/gitlab!785
  b2915d51
- Fix improper access control on deploy key · 000b9f4a
  Shinya Maeda authored 4 years ago
  
  This commit fixes the vulnerability on the deploy key.
  000b9f4a
Aug 27, 2020
- Update websocket-extensions Ruby gem to 0.1.5 · 29436328
  Vitor Meireles De Sousa authored 4 years ago and Vitor Meireles de Sousa committed 4 years ago
  
  29436328
- Prevent Deploy Tokens from accessing resources · 37693d16
  Shinya Maeda authored 4 years ago
  
  This commit prevents it from access when the repository is disabled
  37693d16
- Update GitLab Runner to 13.1.3/0.18.3 · 5569c100
  Georgi Georgiev authored 4 years ago
  
  5569c100
Aug 25, 2020

Set maximum limit for profile events · 90af4d38

Patrick Bajao authored 4 years ago

We are previously allowing to request for profile events with
unlimited `limit`. That can result to possible DoS since a
malicious user can request 1k events and it'll take a while to
respond.

Maximum limit is based on the existing `Kaminari.max_per_page`
setting we have.

90af4d38

Aug 24, 2020

Allow tokens only from running jobs for API auth · 78d07ddb

Marius Bobin authored 4 years ago

Adds a finder class used for authentication with CI job tokens.
It checks that the job's status is `running` and that the project
is not removed.

Unverified

78d07ddb

Admin message

Admin message