[ci skip]

[ci skip]

Do not set fallback mirror user

See merge request gitlab-org/security/gitlab!624

Mario de la Ossa authored 4 years ago and Thong Kuah committed 4 years ago

- Notify owners and maintainers when mirror disabled. They should have
some notification if the mirror was disabled due to the mirror user
being deleted

- Do not send mirror disabled email if user is deleted. It is possible
to schedule a mail to a user while the user is being deleted in another
worker. So we do a check that the user exists first.

[ci skip]

[ci skip]

Prevent fetching repository code with unauthorized ci token

See merge request gitlab-org/security/gitlab!588

Users have ability to fetch other projects' code via gitlab-ci-token.
This permission is controlled by "build_download_code".
However, this permission is not prevented when "repository_disabled"
for the users. This commit fixes this.

Fix expired SSL cert in PagesDomain test

See merge request gitlab-org/gitlab!33462

[ci skip]

[ci skip]

Fix failing user spec

See merge request gitlab-org/security/gitlab!553

Assures that user.emails is not empty

Added data integrity check before update

See merge request gitlab-org/security/gitlab!475

Display only verified emails on notifications page

See merge request gitlab-org/security/gitlab!548

Limit resources when processing artifacts metadata - gitlab-rails

See merge request gitlab-org/security/gitlab!534

Substitute variables using gsub in Prometheus proxy API

See merge request gitlab-org/security/gitlab!471

Fix email confirmation bug when soft email confirmation is enabled

See merge request gitlab-org/security/gitlab!517

Require confirmed email address for GitLab OAuth authentication

See merge request gitlab-org/security/gitlab!538

Merge branch 'security-fix-group-domain-allowed-email-should-be-verified-12-9' into '12-9-stable-ee'

Allow only verified user to be members of group with domain restriction

See merge request gitlab-org/security/gitlab!544

Respect forked projects permissions

See merge request gitlab-org/security/gitlab!438

Do not auto-confirm email in Trial registration

See merge request gitlab-org/security/gitlab!512

Hide EKS secret key in admin integrations settings

See merge request gitlab-org/security/gitlab!547

Fix file enuming using Group Import

See merge request gitlab-org/security/gitlab!486

Fix security issue in mermaid markdown

See merge request gitlab-org/security/gitlab!477

Prevent XSS in the monitoring dashboard

See merge request gitlab-org/security/gitlab!452

Jose Ivan Vargas Lopez authored 4 years ago and GitLab Release Tools Bot committed 4 years ago

This prevents the branch name from the duplicate
dashboard modal to execute XSS scripts

Do not expose Kubernetes cluster token

See merge request gitlab-org/security/gitlab!505

Disable caching on repo/blobs/[sha]/raw endpoint

See merge request gitlab-org/security/gitlab!398

Change the mirror user along with pull mirror settings

See merge request gitlab-org/security/gitlab!497

Instead of rendering the key and masking it from the UI,
don't render it at all.