Related Branches Visible to Guests in Issue Activity

See merge request gitlab/gitlabhq!3539

GitLab stores AWS, Slack, Askimet, reCaptcha tokens in plaintext

See merge request gitlab/gitlabhq!3542

Escape namespace in label references

See merge request gitlab/gitlabhq!3551

Check permissions before showing a forked project's source

See merge request gitlab/gitlabhq!3556

Ensure attributes that end in `_ids` are cleaned

See merge request gitlab/gitlabhq!3559

DJ Mountney authored 5 years ago and Imre (Admin) committed 5 years ago

This prevents an issue where you can steal other projects objects by
asking for ids that don't belong to you in import.

We had concerns about the cached values on Redis with the previous two
releases strategy:

First release (this commit):
  - Create new encrypted fields in the database.
  - Start populating new encrypted fields, read the encrypted fields or
    fallback to the plaintext fields.
  - Backfill the data removing the plaintext fields to the encrypted
    fields.
Second release:
  - Remove the virtual attribute (created in step 2).
  - Drop plaintext columns from the database (empty columns after
    step 3).

We end up with a better strategy only using migration scripts in one
release:
  - Pre-deployment migration: Add columns required for storing encrypted
    values.
  - Pre-deployment migration: Store the encrypted values in the new
    columns.
  - Post-deployment migration: Remove the old unencrypted columns

When referencing cross-namespace labels, we append the namespace name
to the rendered label.

This MR escapes the name to prevent XSS attacks.

This is the plan to encrypt the plaintext tokens:

First release (this commit):
  1. Create new encrypted fields in the database.
  2. Start populating new encrypted fields, read the encrypted fields or
     fallback to the plaintext fields.
  3. Backfill the data removing the plaintext fields to the encrypted fields.

Second release:
  4. Remove the virtual attribute (created in step 2).
  5. Drop plaintext columns from the database (empty columns after step 3).

Notes related to branch creation should not be shown in an issue's
activity feed when the user doesn't have access to :download_code.

[ci skip]

[ci skip]

[ci skip]

Mask Sentry auth token

See merge request gitlab/gitlabhq!3504

Private/internal repository enumeration via bruteforce on a vulnerable URL

See merge request gitlab/gitlabhq!3491

Return 404 on LFS request if project doesn't exist

See merge request gitlab/gitlabhq!3506

Only assign merge params when allowed

See merge request gitlab/gitlabhq!3487

Pass all wiki markup formats through our Banzai pipeline filters

See merge request gitlab/gitlabhq!3485

Require Maintainer permission on group where project is transferred to

See merge request gitlab/gitlabhq!3486

Use the '\A' and '\z' regex anchors in `InternalRedirect` to mitigate an Open Redirect issue.

See merge request gitlab/gitlabhq!3488

Merge branch 'security-2914-labels-visible-despite-no-access-to-issues-repositories-12-4' into '12-4-stable'

Labels visible despite no access to issues & repositories

See merge request gitlab/gitlabhq!3489

Project path reveals labels from Private project if the issue is moved to public project

See merge request gitlab/gitlabhq!3490

Nested GraphQL query with circular relationship can cause Denial of Service

See merge request gitlab/gitlabhq!3492

Filter out search results based on permissions to avoid bugs leaking data

See merge request gitlab/gitlabhq!3496

Merge branch 'security-65756-ex-admin-attacker-can-comment-in-internalsecurity-65756-ex-admin-attacker-can-comment-in-internal-12-4' into '12-4-stable'

Improper access control allows the attacker to comment in internal commit after they are no longer admin

See merge request gitlab/gitlabhq!3497

Merge branch 'security-ag-hide-private-members-in-project-member-autocomplete-12-4' into '12-4-stable'

Hide private members in project member autocomplete

See merge request gitlab/gitlabhq!3503

This makes it so we mask Sentry's auth token. This mask only occurs in
the UI.

- Include new types in SystemNoteMetadata
- Add Label and Milestone reference_pattern to
Mentionable::ReferenceRegexes to be checked for cross references

Aakriti Gupta authored 5 years ago and mksionek committed 5 years ago

in a project members' list. Add tests for possible scenarios

Re-factor and remove N + 1 queries

Remove author from changelog

Don't use memoisation when not needed

Include users part of parents of project's group

Re-factor tests

Create and add users according to roles

Re-use group created earlier

Add incomplete test for ancestoral groups

Rename method to clarify category of groups

Skip pending test, remove comments not needed

Remove extra line

Include ancestors from invited groups as well

Add specs for participants service

Add more specs

Add more specs

use  instead of

Use public group owner instead of project maintainer to test owner acess

Remove tests that have now been moved into participants_service_spec

Use :context instead of :all

Create nested group instead of creating an ancestor separately

Add comment explaining doubt on the failing spec

Imrpove test setup

Optimize sql queries

Refactor specs file

Add rubocop disablement

Add special case for project owners

Add small refactor

Add explanation to the docs

Fix wording

Refactor group check

Add small changes in specs

Add cr remarks

Add cr remarks

Add specs

Add small refactor

Add code review remarks

Refactor for better database usage

Fix failing spec

Remove rubocop offences

Add cr remarks