- Nov 26, 2019
-
-
Ho Tuan Duong authored
-
GitLab Release Tools Bot authored
Prevent guests from seeing commits for cycle analytics See merge request gitlab/gitlabhq!3533
-
GitLab Release Tools Bot authored
Related Branches Visible to Guests in Issue Activity See merge request gitlab/gitlabhq!3539
-
GitLab Release Tools Bot authored
GitLab stores AWS, Slack, Askimet, reCaptcha tokens in plaintext See merge request gitlab/gitlabhq!3542
-
GitLab Release Tools Bot authored
Escape namespace in label references See merge request gitlab/gitlabhq!3551
-
GitLab Release Tools Bot authored
Check permissions before showing a forked project's source See merge request gitlab/gitlabhq!3556
-
GitLab Release Tools Bot authored
Ensure attributes that end in `_ids` are cleaned See merge request gitlab/gitlabhq!3559
-
Imre (Admin) authored
-
This prevents an issue where you can steal other projects objects by asking for ids that don't belong to you in import.
-
GitLab Bot authored
-
- Nov 25, 2019
-
-
Nick Thomas authored
-
Arturo Herrero authored
We had concerns about the cached values on Redis with the previous two releases strategy: First release (this commit): - Create new encrypted fields in the database. - Start populating new encrypted fields, read the encrypted fields or fallback to the plaintext fields. - Backfill the data removing the plaintext fields to the encrypted fields. Second release: - Remove the virtual attribute (created in step 2). - Drop plaintext columns from the database (empty columns after step 3). We end up with a better strategy only using migration scripts in one release: - Pre-deployment migration: Add columns required for storing encrypted values. - Pre-deployment migration: Store the encrypted values in the new columns. - Post-deployment migration: Remove the old unencrypted columns
-
Heinrich Lee Yu authored
When referencing cross-namespace labels, we append the namespace name to the rendered label. This MR escapes the name to prevent XSS attacks.
-
- Nov 21, 2019
-
-
Arturo Herrero authored
This is the plan to encrypt the plaintext tokens: First release (this commit): 1. Create new encrypted fields in the database. 2. Start populating new encrypted fields, read the encrypted fields or fallback to the plaintext fields. 3. Backfill the data removing the plaintext fields to the encrypted fields. Second release: 4. Remove the virtual attribute (created in step 2). 5. Drop plaintext columns from the database (empty columns after step 3).
-
- Nov 20, 2019
-
-
Kerri Miller authored
Notes related to branch creation should not be shown in an issue's activity feed when the user doesn't have access to :download_code.
-
Default number of items is 3. If this is not the case, then increase the column width of the summary items to cater for 2 items plus the date filter.
-
Aakriti Gupta authored
- if the user has access level lower than REPORTER, don't include commit count in summary
-
- Nov 18, 2019
-
-
GitLab Release Tools Bot authored
[ci skip]
- Nov 15, 2019
-
-
GitLab Bot authored
-
- Nov 04, 2019
-
-
GitLab Release Tools Bot authored
[ci skip]
-
GitLab Bot authored
- Oct 30, 2019
-
-
GitLab Release Tools Bot authored
-
- Oct 28, 2019
-
-
GitLab Release Tools Bot authored
[ci skip]
- Oct 25, 2019
-
-
GitLab Release Tools Bot authored
Mask Sentry auth token See merge request gitlab/gitlabhq!3504
-
GitLab Release Tools Bot authored
Private/internal repository enumeration via bruteforce on a vulnerable URL See merge request gitlab/gitlabhq!3491
-
GitLab Release Tools Bot authored
Return 404 on LFS request if project doesn't exist See merge request gitlab/gitlabhq!3506
-
Igor Drozdov authored
-
- Oct 24, 2019
-
-
GitLab Release Tools Bot authored
Only assign merge params when allowed See merge request gitlab/gitlabhq!3487
-
GitLab Release Tools Bot authored
Pass all wiki markup formats through our Banzai pipeline filters See merge request gitlab/gitlabhq!3485
-
GitLab Release Tools Bot authored
Require Maintainer permission on group where project is transferred to See merge request gitlab/gitlabhq!3486
-
GitLab Release Tools Bot authored
Use the '\A' and '\z' regex anchors in `InternalRedirect` to mitigate an Open Redirect issue. See merge request gitlab/gitlabhq!3488
-
GitLab Release Tools Bot authored
Merge branch 'security-2914-labels-visible-despite-no-access-to-issues-repositories-12-4' into '12-4-stable' Labels visible despite no access to issues & repositories See merge request gitlab/gitlabhq!3489
-
GitLab Release Tools Bot authored
Project path reveals labels from Private project if the issue is moved to public project See merge request gitlab/gitlabhq!3490
-
GitLab Release Tools Bot authored
Nested GraphQL query with circular relationship can cause Denial of Service See merge request gitlab/gitlabhq!3492
-
GitLab Release Tools Bot authored
Filter out search results based on permissions to avoid bugs leaking data See merge request gitlab/gitlabhq!3496
-
GitLab Release Tools Bot authored
Merge branch 'security-65756-ex-admin-attacker-can-comment-in-internalsecurity-65756-ex-admin-attacker-can-comment-in-internal-12-4' into '12-4-stable' Improper access control allows the attacker to comment in internal commit after they are no longer admin See merge request gitlab/gitlabhq!3497
-
GitLab Release Tools Bot authored
Merge branch 'security-ag-hide-private-members-in-project-member-autocomplete-12-4' into '12-4-stable' Hide private members in project member autocomplete See merge request gitlab/gitlabhq!3503
-