- Nov 26, 2019

Ho Tuan Duong authored

GitLab Release Tools Bot authored
Prevent guests from seeing commits for cycle analytics
See merge request gitlab/gitlabhq!3535

GitLab Release Tools Bot authored
Related Branches Visible to Guests in Issue Activity
See merge request gitlab/gitlabhq!3540

GitLab Release Tools Bot authored
GitLab stores AWS, Slack, Akismet, reCaptcha tokens in plaintext
See merge request gitlab/gitlabhq!3541

GitLab Release Tools Bot authored
Escape namespace in label references
See merge request gitlab/gitlabhq!3552

GitLab Release Tools Bot authored
Check permissions before showing a forked project's source
See merge request gitlab/gitlabhq!3557

GitLab Release Tools Bot authored
Ensure attributes that end in `_ids` are cleaned
See merge request gitlab/gitlabhq!3560

Imre (Admin) authored
This prevents an issue where you can steal other projects' objects by asking for ids that don't belong to you in import.

GitLab Bot authored

- Nov 25, 2019

Nick Thomas authored

Arturo Herrero authored
We had concerns about the cached values on Redis with the previous two-release strategy:

First release (this commit):
- Create new encrypted fields in the database.
- Start populating new encrypted fields, read the encrypted fields or fall back to the plaintext fields.
- Backfill the data removing the plaintext fields to the encrypted fields.

Second release:
- Remove the virtual attribute (created in step 2).
- Drop plaintext columns from the database (empty columns after step 3).

We end up with a better strategy only using migration scripts in one release:
- Pre-deployment migration: Add columns required for storing encrypted values.
- Pre-deployment migration: Store the encrypted values in the new columns.
- Post-deployment migration: Remove the old unencrypted columns.

Heinrich Lee Yu authored
When referencing cross-namespace labels, we append the namespace name to the rendered label. This MR escapes the name to prevent XSS attacks.

- Nov 21, 2019

Arturo Herrero authored
This is the plan to encrypt the plaintext tokens:

First release (this commit):
1. Create new encrypted fields in the database.
2. Start populating new encrypted fields, read the encrypted fields or fall back to the plaintext fields.
3. Backfill the data removing the plaintext fields to the encrypted fields.

Second release:
4. Remove the virtual attribute (created in step 2).
5. Drop plaintext columns from the database (empty columns after step 3).

- Nov 20, 2019

Kerri Miller authored
Notes related to branch creation should not be shown in an issue's activity feed when the user doesn't have access to :download_code.

Aakriti Gupta authored
- If the user has access level lower than REPORTER, don't include commit count in summary.
- Default number of items is 3. If this is not the case, then increase the column width of the summary items to cater for 2 items plus the date filter.

- Nov 15, 2019

GitLab Bot authored

- Oct 30, 2019

GitLab Release Tools Bot authored

- Oct 28, 2019

GitLab Release Tools Bot authored
[ci skip]

- Oct 25, 2019

GitLab Release Tools Bot authored
Improper access control allows the attacker to comment in internal commit after they are no longer admin
See merge request gitlab/gitlabhq!3498

GitLab Release Tools Bot authored
Return 404 on LFS request if project doesn't exist
See merge request gitlab/gitlabhq!3507

Igor Drozdov authored

- Oct 24, 2019

GitLab Release Tools Bot authored
Only assign merge params when allowed
See merge request gitlab/gitlabhq!3459

GitLab Release Tools Bot authored
Merge branch 'security-2914-labels-visible-despite-no-access-to-issues-repositories-12-3' into '12-3-stable'
Labels visible despite no access to issues & repositories
See merge request gitlab/gitlabhq!3430

GitLab Release Tools Bot authored
Project path reveals labels from Private project if the issue is moved to public project
See merge request gitlab/gitlabhq!3446

GitLab Release Tools Bot authored
Merge branch 'security-ag-hide-private-members-in-project-member-autocomplete-12-3' into '12-3-stable'
Hide private members in project member autocomplete
See merge request gitlab/gitlabhq!3447

GitLab Release Tools Bot authored
Private/internal repository enumeration via bruteforce on a vulnerable URL
See merge request gitlab/gitlabhq!3455

GitLab Release Tools Bot authored
Mask sentry auth token
See merge request gitlab/gitlabhq!3463

GitLab Release Tools Bot authored
Nested GraphQL query with circular relationship can cause Denial of Service
See merge request gitlab/gitlabhq!3467

GitLab Release Tools Bot authored
Sanitize search text to prevent XSS
See merge request gitlab/gitlabhq!3468

GitLab Release Tools Bot authored
Require Maintainer permission on group where project is transferred to
See merge request gitlab/gitlabhq!3472

GitLab Release Tools Bot authored
Use the '\A' and '\z' regex anchors in `InternalRedirect` to mitigate an Open Redirect issue.
See merge request gitlab/gitlabhq!3475

GitLab Release Tools Bot authored
Pass all wiki markup formats through our Banzai pipeline filters
See merge request gitlab/gitlabhq!3478

GitLab Release Tools Bot authored
Handle Stored XSS for Grafana URL in settings
See merge request gitlab/gitlabhq!3482

David Wilkins authored
- Extend Gitlab::UrlBlocker to allow relative URLs (`require_absolute` setting). The new `require_absolute` setting defaults to true, which is the existing behavior.
- Extend AddressableUrlValidator to accept `require_absolute` and default to the existing behavior.
- Add validation for ApplicationSetting#grafana_url to validate that the URL does not contain XSS but can be a valid relative or absolute URL.
- In the case of existing stored URLs, validate the stored URL does not contain XSS. If the stored URL contains stored XSS or is an otherwise invalid URL, return the default database column value.
- Add tests for Gitlab::UrlBlocker to test the `require_absolute` setting.
- Add tests for AddressableUrlValidator.
- Add tests for ApplicationSetting#grafana_url.

GitLab Release Tools Bot authored
Filter out search results based on permissions to avoid bugs leaking data
See merge request gitlab/gitlabhq!3495

Bob Van Landuyt authored
When a user updates a merge request coming from a fork, they should not be able to set `force_remove_source_branch` if they cannot push code to the source project. Otherwise developers of the target project could remove the source branch of the source project by setting this flag through the API.

- Oct 23, 2019

Charlie Ablett authored