Commits · fbf71fb8e20d44d71b56e26e8f37bd142e3d6397 · gpt / large_projects / gitlabhq1

Dec 09, 2019
- Backport reliable fetcher · fbf71fb8
  Valery Sizov authored 5 years ago
  
  fbf71fb8
Sep 11, 2019
- Merge remote-tracking branch 'dev/12-0-stable' into 12-0-stable · fff92356
  GitLab Release Tools Bot authored 5 years ago
  
  fff92356
Sep 10, 2019
- Update VERSION to 12.0.9 · 891da142
  GitLab Release Tools Bot authored 5 years ago
  
  View commits for tag v12.0.9 v12.0.9
  
  891da142
- Update CHANGELOG.md for 12.0.9 · 2973d01e
  GitLab Release Tools Bot authored 5 years ago
  
  [ci skip]
  2973d01e
- Merge branch 'security-12-0-bump-pages' into '12-0-stable' · 0811b37d
  GitLab Release Tools Bot authored 5 years ago
  
  Set max-age and secure flag for pages auth cookies See merge request gitlab/gitlabhq!3381
  0811b37d
Sep 09, 2019
- Upgrade pages to 1.6.3 · b1cd838b
  Vladimir Shushlin authored 5 years ago
  
  b1cd838b
Aug 28, 2019
- Update VERSION to 12.0.8 · 36325e12
  GitLab Release Tools Bot authored 5 years ago
  
  View commits for tag v12.0.8 v12.0.8
  
  36325e12
- Update CHANGELOG.md for 12.0.8 · 3672b97a
  GitLab Release Tools Bot authored 5 years ago
  
  [ci skip]
  3672b97a
- Merge branch... · 6d297bf8
  Jan Provaznik authored 5 years ago and John Skarbek committed 5 years ago
  
  Merge branch '66641-broken-master-real-http-connections-are-disabled-unregistered-request' into 'master' Use `stub_full_request` to fix spec failure Closes #66641 See merge request gitlab-org/gitlab-ce!32259
  Unverified
  
  6d297bf8
- Revert "Update CHANGELOG.md for 12.0.7" · dce99389
  John Jarvis authored 5 years ago
  
  This reverts commit 49858350.
  dce99389
- Merge branch 'security-fix-something-went-wrong-on-when-not-logged-in-ce-12-0' into '12-0-stable' · 1b4a88f0
  GitLab Release Tools Bot authored 5 years ago
  
  Return NO_ACCESS if user is nil See merge request gitlab/gitlabhq!3388
  1b4a88f0
- Return NO_ACCESS if user is nil · e15a6bc1
  Patrick Derichs authored 5 years ago
  
  e15a6bc1
Aug 27, 2019
- Update VERSION to 12.0.7 · 7321d0ab
  GitLab Release Tools Bot authored 5 years ago
  
  View commits for tag v12.0.7 v12.0.7
  
  7321d0ab
- Update CHANGELOG.md for 12.0.7 · 49858350
  GitLab Release Tools Bot authored 5 years ago
  
  [ci skip]
  49858350
Aug 26, 2019

Merge branch 'security-exposed-default-branch-12-0' into '12-0-stable' · 49cee936
GitLab Release Tools Bot authored 5 years ago
```
Avoid exposing unaccessible repo data upon GFM post processing

See merge request gitlab/gitlabhq!3384
```
49cee936

Avoid exposing unaccessible repo data upon GFM processing · c559611a

Oswaldo Ferreir authored 5 years ago

When post-processing relative links to absolute links
RelativeLinkFilter didn't take into consideration that
internal repository data could be exposed for users
that do not have repository access to the project.

This commit solves that by checking whether the user
can `download_code` at this repository, avoiding any
processing of this filter if the user can't.

Additionally, if we're processing for a group (
no project was given), we check if the user can
read it in order to expand the href as an extra.
That doesn't seem necessarily a breach now,
but an extra check doesn't hurt as after all
the user needs to be able to `read_group`.

c559611a

Merge branch 'security-hide_merge_request_ids_on_emails-12-0' into '12-0-stable' · 34034372
GitLab Release Tools Bot authored 5 years ago
```
Prevent disclosure of merge request id via email

See merge request gitlab/gitlabhq!3352
```
34034372
Merge branch 'security-64711-fix-commit-todos-12-0' into '12-0-stable' · 59813521
GitLab Release Tools Bot authored 5 years ago
```
Send TODOs for comments on commits correctly

See merge request gitlab/gitlabhq!3367
```
59813521
Merge branch 'security-59549-add-capcha-for-failed-logins-12-0' into '12-0-stable' · 94bf7a4b
GitLab Release Tools Bot authored 5 years ago
```
Require a captcha after unique failed logins from the same IP

See merge request gitlab/gitlabhq!3296
```
94bf7a4b

Add captcha if there are multiple failed login attempts · 0d3ab841

mksionek authored 5 years ago

Add method to store session ids by ip

Add new specs for storing session ids

Add cleaning up records after login

Add retrieving anonymous sessions

Add login recaptcha setting

Add new setting to sessions controller

Add conditions for showing captcha

Add sessions controller specs

Add admin settings specs for login protection

Add new settings to api

Add stub to devise spec

Add new translation key

Add cr remarks

Rename class call

Add cr remarks

Change if-clause for consistency

Add cr remarks

Add code review remarks

Refactor AnonymousSession class

Add changelog entry

Move AnonymousSession class to lib

Move store unauthenticated sessions to sessions controller

Move link to recaptcha info

Regenerate text file

Improve copy on the spam page

Change action filter for storing anonymous sessions

Fix rubocop offences

Add code review remarks

Fix specs

Update schema version

0d3ab841

Merge branch 'security-12-0-enable-image-proxy' into '12-0-stable' · d1d67546
GitLab Release Tools Bot authored 5 years ago
```
Use image proxy to mitigate stealing ip addresses

See merge request gitlab/gitlabhq!3192
```
d1d67546
Merge branch 'security-60551-fix-upload-scope-12-0' into '12-0-stable' · f35fce3f
GitLab Release Tools Bot authored 5 years ago
```
Queries for Upload should be scoped by model

See merge request gitlab/gitlabhq!3233
```
f35fce3f
Merge branch 'security-epic-notes-api-reveals-historical-info-ce-12-0' into '12-0-stable' · cfe2f899
GitLab Release Tools Bot authored 5 years ago
```
Filter out old system notes for epics in notes api endpoint response

See merge request gitlab/gitlabhq!3242
```
cfe2f899
Merge branch 'security-fix-html-injection-for-label-description-ce-12-0' into '12-0-stable' · 1a8e7e62
GitLab Release Tools Bot authored 5 years ago
```
Fix HTML injection for label description

See merge request gitlab/gitlabhq!3256
```
1a8e7e62
Merge branch 'security-61974-limit-issue-comment-size-12-0' into '12-0-stable' · 65695cb7
GitLab Release Tools Bot authored 5 years ago
```
Limit the size of issuable description and comments

See merge request gitlab/gitlabhq!3272
```
65695cb7
Merge branch 'security-mr-head-pipeline-leak-12-0' into '12-0-stable' · 61f449f2
GitLab Release Tools Bot authored 5 years ago
```
Permission fix for MergeRequestsController#pipeline_status

See merge request gitlab/gitlabhq!3279
```
61f449f2
Merge branch 'security-katex-dos-12-0' into '12-0-stable' · 90ac6cb8
GitLab Release Tools Bot authored 5 years ago
```
Enforce max chars and max render time in markdown math

See merge request gitlab/gitlabhq!3288
```
90ac6cb8
Merge branch 'security-ssrf-kubernetes-dns-12-0' into '12-0-stable' · 2fa11baf
GitLab Release Tools Bot authored 5 years ago
```
DNS Rebind SSRF in Kubernetes Integration

See merge request gitlab/gitlabhq!3290
```
2fa11baf
Merge branch 'security-2853-prevent-comments-on-private-mrs-12-0' into '12-0-stable' · 54f1b187
GitLab Release Tools Bot authored 5 years ago
```
Ensure only authorised users can create notes on merge requests and issues

See merge request gitlab/gitlabhq!3308
```
54f1b187
Merge branch 'security-fix_jira_ssrf_vulnerability-12-0' into '12-0-stable' · f25dd048
GitLab Release Tools Bot authored 5 years ago
```
Fix DNS rebind vulnerability for JIRA integration

See merge request gitlab/gitlabhq!3312
```
f25dd048
Merge branch 'security-id-filter-timeline-activities-for-guests-12-0' into '12-0-stable' · b8691913
GitLab Release Tools Bot authored 5 years ago
```
Add merge note type as cross reference

See merge request gitlab/gitlabhq!3326
```
b8691913
Merge branch 'security-project-import-bypass-12-0' into '12-0-stable' · fa843570
GitLab Release Tools Bot authored 5 years ago
```
Project visibility restriction bypass

See merge request gitlab/gitlabhq!3332
```
fa843570
Merge branch 'security-bvl-bump-gitaly-12-0' into '12-0-stable' · 40072c1f
GitLab Release Tools Bot authored 5 years ago
```
Bump Gitaly version to 1.47.3

See merge request gitlab/gitlabhq!3335
```
40072c1f
Merge branch 'security-add-job-activity-limit-ce-12-0' into '12-0-stable' · dba5b427
GitLab Release Tools Bot authored 5 years ago
```
Introduce JobActivity limit for alive jobs

See merge request gitlab/gitlabhq!3341
```
dba5b427
Merge branch 'security-sarcila-fix-weak-session-management-12-0' into '12-0-stable' · 29e1df85
GitLab Release Tools Bot authored 5 years ago
```
Clear reset_password_tokens when login (email or username) change

See merge request gitlab/gitlabhq!3348
```
29e1df85
Merge branch 'security-ci-metrics-permissions-12-0' into '12-0-stable' · b4642b84
GitLab Release Tools Bot authored 5 years ago
```
Restrict MergeRequests#test_reports to authenticated users with read-access on Builds

See merge request gitlab/gitlabhq!3356
```
b4642b84
Merge branch 'security-personal-snippets-12-0' into '12-0-stable' · 03477145
GitLab Release Tools Bot authored 5 years ago
```
Add direct upload support for personal snippets

See merge request gitlab/gitlabhq!3357
```
03477145
Merge branch 'security-group-runners-permissions-12-0' into '12-0-stable' · 5f47de31
GitLab Release Tools Bot authored 5 years ago
```
admin_group authorization for Groups::RunnersController

See merge request gitlab/gitlabhq!3364
```
5f47de31
Merge branch 'security-fix-markdown-xss-12-0' into '12-0-stable' · e279f48a
GitLab Release Tools Bot authored 5 years ago
```
Re-escape the whole HTML content when finding HTML references

See merge request gitlab/gitlabhq!3369
```
e279f48a

Aug 23, 2019

Send TODOs for comments on commits correctly · 1e6765db

Nick Thomas authored 5 years ago

At present, the TodoService uses the `:read_project` ability to decide
whether a user can read a note on a commit. However, commits can have a
visibility level that is more restricted than the project, so this is a
security issue.

This commit changes the code to use the `:read_commit` ability in this
case instead, which ensures TODOs are only generated for commit notes
if the users can see the commit.

Verified

1e6765db

Admin message

Admin message