[ci skip]

[ci skip]

Protect OAuth endpoints from brute force/password stuffing

See merge request gitlab-org/security/gitlab!790

[ci skip]

[ci skip]

[ci skip]

Security check validity of repository mirror urls

See merge request gitlab-org/security/gitlab!832

Add scopes presence validation on OAuth Application creation

See merge request gitlab-org/security/gitlab!906

George Koltsov authored 4 years ago and Drew Blessing committed 4 years ago

- Update OAuth Applications controllers to disallow empty scopes
  application creation

2FA requirement bypass using the API

See merge request gitlab-org/security/gitlab!875

Set maximum limit for profile events

See merge request gitlab-org/security/gitlab!878

GitLab Runner version upgrade

See merge request gitlab-org/security/gitlab!885

Malicious user can block gitlab.com users by exploiting 2FA inheritance logic

See merge request gitlab-org/security/gitlab!802

Previously created sessions remain active after activating 2FA

See merge request gitlab-org/security/gitlab!864

Delete members invites created by users being deleted

See merge request gitlab-org/security/gitlab!829

Pre-generation & Static 2FA Authenticator Secret Code can cause risks to accounts

See merge request gitlab-org/security/gitlab!809

Disabled Repository functionality - Still Able To Access The Project Files and Container Registry via Deploy Token

See merge request gitlab-org/security/gitlab!888

Improper Access Control on Deploy-Key

See merge request gitlab-org/security/gitlab!891

Validate Snippet global id in GraphQL destroy mutation

See merge request gitlab-org/security/gitlab!775

Merge branch 'security-220-dblessing-revoke-remember-me-on-session-revocation-13-2' into '13-2-stable-ee'

Invalidate remember me when an active session is revoked

See merge request gitlab-org/security/gitlab!854

Rate limit on webhooks testing feature

See merge request gitlab-org/security/gitlab!828

Upgrade jQuery to v3.5

See merge request gitlab-org/security/gitlab!835

Don't expose epic for users without permissions

See merge request gitlab-org/security/gitlab!787

Prevent OmniAuth from rendering arbitrary error messages

See merge request gitlab-org/security/gitlab!848

Invalidate two factor sign-in when user password changes

See merge request gitlab-org/security/gitlab!845

Prevent stale otp_user_id from signing-in incorrect user

See merge request gitlab-org/security/gitlab!851

Previously if the import URL contained passwords that may look like
hostnames or ports when unescaped, `Addressable::URI` would fail to
parse.

Since we really don't care about the username/password component, remove
them from Gitlab::UrlSanitizer and then check the resulting value.

Drew Blessing authored 4 years ago and Drew Blessing committed 4 years ago

Prevent brute force/credential spray attacks on the OAuth
token endpoint by incrementing failed attempts. After the
configured Devise `maximum_attempts` the account will be
locked and further attempts will not succeed. This change also
adds the OAuth token path to Rack Attack protected paths.

Security websocket extensions update

See merge request gitlab-org/security/gitlab!749

Prevent project maintainers from editing group badges

See merge request gitlab-org/security/gitlab!795

Change conan api to use proper workhorse validation

See merge request gitlab-org/security/gitlab!765

Allow tokens only from running jobs for API auth

See merge request gitlab-org/security/gitlab!711

Sanitize vulnerability history comment

See merge request gitlab-org/security/gitlab!684

Persist EKS External ID before presenting it to the user

See merge request gitlab-org/security/gitlab!784

This commit fixes the vulnerability on the deploy key.