[ci skip]

[ci skip]

Stop deploy token being used as user in ProjectPolicy and GroupPolicy

See merge request gitlab-org/security/gitlab!823

Add check for project access on deploy token check

See merge request gitlab-org/security/gitlab!819

This prevents deploy token from getting permissions for users that
happen to have the same id as the deploy token.

Steve Abrams authored 4 years ago and Jaime Martinez committed 4 years ago

When a deploy token is authenticated, project access
is checked and rejected if not allowed.

Auth spec is fixed to properly test this scenario

Update guard clause to allow nil projects to pass for registry access

Update LFS spec - now returns 401 for invalid deploy token

Fixing flaky tests

Add spec for group deploy token as well

[ci skip]

[ci skip]

Signed-off-by: Balasankar "Balu" C <balasankarc@autistici.org>

Signed-off-by: Balasankar "Balu" C <balasankarc@autistici.org>

This reverts commit f2bb8f44.

The packages for 13.0.11 could not be built, which we have to fix using
a 13.0.12 release.

[ci skip]

[ci skip]

2FA not enforced on /profile/applications

See merge request gitlab-org/security/gitlab!782

Małgorzata Ksionek authored 4 years ago and mksionek committed 4 years ago

Add one more spec

Add changelog entry

Fix changelog

Move concern to doorkeeper base controller

Add base metal controller

Add new controller

Fix

Remove 2FA from api-endpoints

Add if-clause block around helper method

Add controllers tests

And implement 2FA enforcement in tokens controllers

Remove obsolete let in spec

Fix

Fix

Fix

Fix XSS on jobs view

See merge request gitlab-org/security/gitlab!634

Payton Burdette authored 4 years ago and GitLab Release Tools Bot committed 4 years ago

Fix the XSS vulnerablity
on the jobs view.

Revoke OAuth grants when a user revokes an application

See merge request gitlab-org/security/gitlab!758

Add a prohibited branches system

See merge request gitlab-org/security/gitlab!664

Verify confirmed email for OAuth Authorize POST endpoint

See merge request gitlab-org/security/gitlab!742

Add refreshing projects to transfering groups

See merge request gitlab-org/security/gitlab!716

Escape milestone title in sidebar tooltip

See merge request gitlab-org/security/gitlab!735

Only support HTML tooltips for scoped labels

See merge request gitlab-org/security/gitlab!694

Add decompressed archive size validation on Project/Group Import

See merge request gitlab-org/security/gitlab!654

Stop excess logs from invite email when group no longer exists

See merge request gitlab-org/security/gitlab!722

Drew Blessing authored 4 years ago and Drew Blessing committed 4 years ago

Currently, when a user revokes OAuth applications only
existing access tokens are revoked. If an application has already
requested a code (grant) to later redeem for an access token, the
grant may remain valid and will generate a valid access token
until expired (10 min expiry). This change ensures both access
tokens *and* grants are revoked when a user revoked the application.

Drew Blessing authored 4 years ago and Drew Blessing committed 4 years ago

Similar to the recent change to require email confirmation/verification
for the OAuth Authorize GET (:new) endpoint, require the same
for the OAuth Authorize POST (:create) endpoint. This will prevent
forcing a POST request to authenticate to an external service
with an unconfirmed email address.

Prevents XSS attack in issue and MR sidebars

This was unintentionally added and we only need it for scoped labels
where we add custom HTML to indicate that it's a scoped label.

This led to XSS issues on other references because we weren't escaping
those properly.

Issue: gitlab.com/gitlab-org/gitlab/-/issues/28291