[ci skip]

[ci skip]

Do not show activity for users with private profiles

See merge request gitlab-org/security/gitlab!689

Check access when sending TODOs related to merge requests

See merge request gitlab-org/security/gitlab!674

Disable caching for wiki attachments

See merge request gitlab-org/security/gitlab!660

Fix null byte error in upload path

See merge request gitlab-org/security/gitlab!574

Resolve "Cross-Site Scripting In BitbucketServer Import"

See merge request gitlab-org/security/gitlab!259

Fix note author name rendering

See merge request gitlab-org/security/gitlab!661

Fixed group deploy token API authorizations

See merge request gitlab-org/security/gitlab!675

Change from hybrid to JSON cookies serializer

See merge request gitlab-org/security/gitlab!693

Drew Blessing authored 4 years ago and GitLab Release Tools Bot committed 4 years ago

JSON has been the default serializer since Rails 4.1. Hybrid
serializer was meant to allow backward compatibility when
upgrading pre-Rails 4.1. It's been some time since we upgraded
to Rails 4.1 so now we don't need the hybrid serializer anymore.
This also causes security concerns since the previous serializer
was Marshal.

Stored XSS on the Error Tracking page

See merge request gitlab-org/security/gitlab!627

Upgrade swagger-ui to solve XSS issues

See merge request gitlab-org/security/gitlab!637

Validate group names with Rails HTML sanitizer

See merge request gitlab-org/security/gitlab!631

Fix XSS in Banzai's `#data_attributes_for`

See merge request gitlab-org/security/gitlab!603

Update permissions for time tracking endpoints

See merge request gitlab-org/security/gitlab!620

Update Kaminari gem

See merge request gitlab-org/security/gitlab!671

Make sure user info is sanitized when rendered

See merge request gitlab-org/security/gitlab!596

Merge branch 'security-fix_project_authorizations_for_security_dashboard-12-10' into '12-10-stable-ee'

Security fix project authorizations for security dashboard

See merge request gitlab-org/security/gitlab!584

Fixes pypi XSS

See merge request gitlab-org/security/gitlab!558

Michelle Gill authored 4 years ago and Nick Thomas committed 4 years ago

Showing events is a mistake when the user has a private profile

[ci skip]

[ci skip]

Document correct registry port to test SSL

See merge request gitlab-org/gitlab!35043

Katrin Leinweber authored 4 years ago and Mayra Cabrera committed 4 years ago

This commit backports 9079f503

Correctly count wiki pages in sidebar

See merge request gitlab-org/gitlab!34174

We were allowing users to store XSS in `#data_attributes_for` by not
dealing with HTML Entities. We now escape HTML entities out, thus fixing
the problem.

Updated authorizations for group deploy tokens API.
Updated rspec accordingly.

These were served with `Content-Disposition: inline` in some situations,
which led to a Stored XSS attack using SVG files.

Workhorse has protections specifically against SVG files and will
rewrite the `Content-Disposition` header to `attachment`, but this
processing is skipped for cached 304 responses.

By disabling caching we force Workhorse to always rewrite this header.

Drew Blessing authored 4 years ago and Drew Blessing committed 4 years ago

GitLab currently uses a regex to validate group names.
It has proved difficult to prevent XSS problems. In trying to
chase XSS issues we've tightened the regex and don't allow
some completely benign characters on their own, such as
parentheses. This results in a worse user experience and may not
really protect from XSS. Instead, this now uses the
Rails::Html::FullSanitizer to validate group names.