Commits · 11-9-stable · gpt / large_projects / gitlabhq1

May 30, 2019
- Update VERSION to 11.9.12 · bbb9720e
  GitLab Release Tools Bot authored 5 years ago
  
  View commits for tag v11.9.12 v11.9.12
  
  bbb9720e
- Update CHANGELOG.md for 11.9.12 · 3c8b8ce8
  GitLab Release Tools Bot authored 5 years ago
  
  [ci skip]
  3c8b8ce8
- Merge branch 'osw-disable-dns-rebind-protection-settings-11-9' into '11-9-stable' · c8f8098d
  GitLab Release Tools Bot authored 5 years ago
  
  Add DNS rebinding protection settings See merge request gitlab/gitlabhq!3132
  c8f8098d
- Rename UrlBlocker argument: schemes -> protocols · 64487732
  Stan Hu authored 5 years ago
  
  This was renamed in GitLab 11.11, so the backport needs to use the original name.
  64487732
- Use Rails migration v5.0 for GitLab 11.9 · a1da4104
  Stan Hu authored 5 years ago
  
  a1da4104
- Add changelog · 4781c6da
  Oswaldo Ferreir authored 5 years ago
  
  4781c6da
- Add DNS rebinding protection settings · 831d60aa
  Oswaldo Ferreir authored 5 years ago
  
  831d60aa
May 28, 2019
- Merge branch 'security-60143-address-xss-issue-11.09' into '11-9-stable' · 7c13c20a
  GitLab Release Tools Bot authored 5 years ago
  
  Reject slug+uri concat if slug is deemed unsafe See merge request gitlab/gitlabhq!3107
  7c13c20a
- Merge branch 'security-http-hostname-override-11-9' into '11-9-stable' · 43f3b64e
  GitLab Release Tools Bot authored 5 years ago
  
  Protect Gitlab::HTTP against DNS rebinding attack See merge request gitlab/gitlabhq!3115
  43f3b64e
- Merge branch 'security-58856-persistent-xss-11-9' into '11-9-stable' · 7b39a999
  GitLab Release Tools Bot authored 5 years ago
  
  Persistent XSS in note objects CE See merge request gitlab/gitlabhq!3081
  7b39a999
- Merge branch 'security-fix-project-existence-disclosure-11-9' into '11-9-stable' · 818b0227
  GitLab Release Tools Bot authored 5 years ago
  
  Fix url redaction for issue links See merge request gitlab/gitlabhq!3089
  818b0227
- Merge branch 'security-60039-11-9' into '11-9-stable' · 7bb52f05
  GitLab Release Tools Bot authored 5 years ago
  
  Disallow invalid MR branch name See merge request gitlab/gitlabhq!3093
  7bb52f05
- Merge branch 'security-unsubscribing-from-issue-11-9' into '11-9-stable' · b718cc65
  GitLab Release Tools Bot authored 5 years ago
  
  Hide issue title on unsubscribe for anonymous users See merge request gitlab/gitlabhq!3101
  b718cc65
- Merge branch 'security-fix-confidential-issue-label-visibility-11-9' into '11-9-stable' · 27a42bda
  GitLab Release Tools Bot authored 5 years ago
  
  Fix confidential issue label disclosure on milestone view See merge request gitlab/gitlabhq!3104
  27a42bda
- Merge branch 'security-fix_milestones_search_api_leak-11-9' into '11-9-stable' · 152dc732
  GitLab Release Tools Bot authored 5 years ago
  
  Resolve: Milestones leaked via search API See merge request gitlab/gitlabhq!3112
  152dc732
- Merge branch 'security-jej/prevent-web-sign-in-bypass-11-9' into '11-9-stable' · bc89bb7b
  GitLab Release Tools Bot authored 5 years ago
  
  Prevent password sign in restriction bypass See merge request gitlab/gitlabhq!3119
  bc89bb7b
- Merge branch 'security-knative-0.5-11-9' into '11-9-stable' · b6e4fe5e
  GitLab Release Tools Bot authored 5 years ago
  
  Update Knative version due to a security vulnerability See merge request gitlab/gitlabhq!3122
  b6e4fe5e
- Update Knative version due to a security vulnerability · a6ce726b
  Tiger Watson authored 5 years ago
  
  a6ce726b
- Merge branch 'sh-fix-issue-59379-11-9' into '11-9-stable' · f9f4555b
  GitLab Release Tools Bot authored 5 years ago
  
  Fix project visibility level validation See merge request gitlab/gitlabhq!3124
  f9f4555b
May 27, 2019

Reject slug+uri concat if slug is deemed unsafe · f383ad62

Kerri Miller authored 5 years ago

First reported:
  https://gitlab.com/gitlab-org/gitlab-ce/issues/60143

When the page slug is "javascript:" and we attempt to link to a relative
path (using `.` or `..`) the code will concatenate the slug and the uri.
This MR adds a guard to that concat step that will return `nil` if the
incoming slug matches against any of the "unsafe" slug regexes;
currently this is only for the slug "javascript:" but can be extended if
needed. Manually tested against a non-exhaustive list from OWASP of
common javascript XSS exploits that have to to with mangling the
"javascript:" method, and all are caught by this change or by existing
code that ingests the user-specified slug.

f383ad62

May 24, 2019
- Fix project visibility level validation · 4b4b0777
  Peter Marko authored 5 years ago
  
  4b4b0777
- Merge branch '62283-fix-job-app-spec' into 'master' · b72e1e86
  Filipa Lacerda authored 5 years ago
  
  Replaces a hard-coded date in the job app spec Closes #62283 See merge request gitlab-org/gitlab-ce!28709
  Unverified
  
  b72e1e86
May 23, 2019
- Prevent password sign in restriction bypass · e1ea9b2a
  James Edwards-Jones authored 6 years ago
  
  e1ea9b2a
May 22, 2019

Protect Gitlab::HTTP against DNS rebinding attack · e2051df6

Douwe Maan authored 5 years ago and

Oswaldo Ferreir committed 5 years ago

Gitlab::HTTP now resolves the hostname only once, verifies the IP is not
blocked, and then uses the same IP to perform the actual request, while
passing the original hostname in the `Host` header and SSL SNI field.

e2051df6

May 21, 2019
- Resolve: Milestones leaked via search API · a3758109
  Felipe Artur authored 5 years ago
  
  Fix milestone titles being leaked using search API when users cannot read milestones
  a3758109
May 20, 2019
- Hide issue title on unsubscribe for anonymous users · 214a3b5d
  Alexandru Croitor authored 5 years ago
  
  214a3b5d
May 19, 2019
- Fix confidential issue label disclosure on milestone view · 9504159b
  Patrick Derichs authored 5 years ago
  
  9504159b
May 06, 2019

Validate MR branch names · d27353be

Mark Chao authored 5 years ago

Prevents refspec as branch name, which would bypass branch protection
when used in conjunction with rebase.

HEAD seems to be a special case with lots of occurrence,
so it is considered valid for now.

Another special case is `refs/head/*`, which can be imported.

d27353be

May 03, 2019
- Fix url redaction for issue links · 00bd4d6c
  Patrick Derichs authored 5 years ago
  
  00bd4d6c
May 01, 2019
- Change `prohibited_key` to use regexes · a12aab3b
  Charlie Ablett authored 5 years ago
  
  a12aab3b
- Add `html` to sensitive words · 244794d6
  Charlie Ablett authored 5 years ago
  
  244794d6
Apr 30, 2019
- Update VERSION to 11.9.11 · 36c7ae27
  GitLab Release Tools Bot authored 5 years ago
  
  View commits for tag v11.9.11 v11.9.11
  
  36c7ae27
- Update CHANGELOG.md for 11.9.11 · 49be5365
  GitLab Release Tools Bot authored 5 years ago
  
  [ci skip]
  49be5365
- Add changelog entry · 2e229df7
  Charlie Ablett authored 5 years ago and Ash McKenzie committed 5 years ago
  
  Unverified
  
  2e229df7
- Ensure Issue & MR note_html cannot be imported · 7ba6fdc9
  Ash McKenzie authored 5 years ago
  
  Unverified
  
  7ba6fdc9
- Add newline to AttributeCleaner · f26d70ca
  Charlie Ablett authored 5 years ago
  
  f26d70ca
- Refactor AttributeCleaner` for readability · 466668d4
  Charlie Ablett authored 5 years ago
  
  466668d4
- Refactor AttributeCleaner` for readability · 45c68b5a
  Charlie Ablett authored 5 years ago
  
  45c68b5a
Apr 29, 2019
- Merge branch 'security-disallow-read-user-scope-to-read-project-events-11-9' into '11-9-stable' · c417dd39
  GitLab Release Tools Bot authored 5 years ago
  
  Disallow read user scope to read project events See merge request gitlab/gitlabhq!3088
  c417dd39
Apr 26, 2019
- Update VERSION to 11.9.10 · 6f5448db
  GitLab Release Tools Bot authored 5 years ago
  
  View commits for tag v11.9.10 v11.9.10
  
  6f5448db

Admin message

Admin message