[merge-train skip]

[ci skip]

[ci skip]

[ci skip]

Prevent Denial of Service Attack on gitlab-shell

See merge request gitlab-org/security/gitlab!1199

Merge branch 'security-respect-analytics-enabled-rule-for-project-level-analytics-features-13-7' into '13-7-stable-ee'

Respect analytics_enabled policy rule

See merge request gitlab-org/security/gitlab!1228

Always perform SSL verification for FortiTokenCloud Integration

See merge request gitlab-org/security/gitlab!1189

Prevent SSRF requests for Prometheus when secured by Google IAP

See merge request gitlab-org/security/gitlab!1234

Change authorization policy for /lint

See merge request gitlab-org/security/gitlab!1212

Security check user access on API mr read actions

See merge request gitlab-org/security/gitlab!1206

Prevent exposure of confidential issue titles in file browser

See merge request gitlab-org/security/gitlab!1222

Cancel alive jobs on project deletion [RUN ALL RSPEC] [RUN AS-IF-FOSS]

See merge request gitlab-org/security/gitlab!1246

Allison Browne authored 4 years ago and GitLab Release Tools Bot committed 4 years ago

To avoid using runner resources on deleted projects we
cancel all cancelable jobs as the first step in deletion

Geo-GL-ID should be passed in JWT token so it's protected properly

See merge request gitlab-org/security/gitlab!1217

Limit number of invitations for Free tier groups and projects

See merge request gitlab-org/security/gitlab!1183

Strip the `token_credential_uri` key from user-provided JSON.

Respect analytics_enabled rule when resolving policies for project level
analytics features.

Merge branch 'fix-hardcoded-ids-in-projects-spec' into 'master'

See merge request gitlab-org/security/gitlab!1229

Mikołaj Wawrzyniak authored 4 years ago and Adam Hegyi committed 4 years ago

Fix hardcoded ids in projects API tests

See merge request gitlab-org/gitlab!53036

Fixes some datetime dependent spec tests [RUN ALL RSPEC]

See merge request gitlab-org/gitlab!53380

[merge-train skip]

[ci skip]

[ci skip]

[ci skip]

Sanitize target branch

See merge request gitlab-org/security/gitlab!1202

Add routes for unmatched url for not-get requests

See merge request gitlab-org/security/gitlab!1126

Fix DNS rebinding protection for Outbound Requests

See merge request gitlab-org/security/gitlab!1192

Filter sensitive variables from GraphQL logs

See merge request gitlab-org/security/gitlab!1186

Sanitize XSS in Epic milestone due date

See merge request gitlab-org/security/gitlab!1160

Remove Kubernetes IP address from errors returned in Threat Monitoring

See merge request gitlab-org/security/gitlab!1158

Avoid exposing release links when the user cannot read git-tag/repository

See merge request gitlab-org/security/gitlab!1170

Contributes to https://gitlab.com/gitlab-org/gitlab/-/issues/227040

* Remove general cache for `fetch_logs`
* Add cache for `repository.tree` call
* Add cache for `repository.list_last_commits_for_tree` call
* Add additional tests

it will protect the parameter from tampering

* For /projects/ci/id/lint, change policy to create_pipelinen
* For /ci/lint - enforces user authenication if registration is disabled
* Adds a changelog

There are a number of places where we were not checking for user access
rights (or assuming that authors automatically have them) so we were
potentially in situations where a user could create a merge request,
have their access rights revoked, and they would still be able to access
information or take actions related to their MR. This is potentially a
security issue, so we need to block this potential leak.

Sanitized the target branch to prevent XSS

Free plan on .com will limit invites to 20 per day.