Commits · 3e776d83389c706fb81973736e57ca6a6fb952fc · dDenys Mishunov / GitLab

Oct 28, 2021
- Update VERSION files · 3e776d83
  GitLab Release Tools Bot authored 3 years ago
  
  [merge-train skip]
  View commits for tag v14.3.4-ee v14.3.4-ee
  
  3e776d83
- Update changelog for 14.3.4 · e8044719
  GitLab Release Tools Bot authored 3 years ago
  
  [ci skip]
  e8044719
- Update Gitaly version to 14.3.4 · d7e97149
  GitLab Release Tools Bot authored 3 years ago
  
  [ci skip]
  d7e97149
Oct 27, 2021
- Merge branch... · 060bb070
  Reuben Pereira authored 3 years ago
  
  Merge branch 'security-518-fix-change-project-visibility-to-restricted-option-14-3' into '14-3-stable-ee' Change project visibility to a restricted option See merge request gitlab-org/security/gitlab!1904
  060bb070
- Merge branch 'security-337193-14-3' into '14-3-stable-ee' · 9f7cd4f5
  GitLab Release Tools Bot authored 3 years ago
  
  Highlight usage of unicode bidi characters See merge request gitlab-org/security/gitlab!1938
  9f7cd4f5
- Merge branch 'security-522-scim-token-is-still-viewable-after-creation-14-3' into '14-3-stable-ee' · c7951068
  GitLab Release Tools Bot authored 3 years ago
  
  SCIM token is still Viewable After Creation See merge request gitlab-org/security/gitlab!1907
  c7951068
- Merge branch 'security-28226-redact-groups-shared-with-14-3' into '14-3-stable-ee' · 7c690982
  GitLab Release Tools Bot authored 3 years ago
  
  Redact list of groups a project is shared with See merge request gitlab-org/security/gitlab!1798
  7c690982
- Redact list of groups a project is shared with · de22503b
  Alexis Kalderimis authored 3 years ago and GitLab Release Tools Bot committed 3 years ago
  
  de22503b
- Merge branch 'security-dompurify-normalize-path-14-3' into '14-3-stable-ee' · 1044ee23
  GitLab Release Tools Bot authored 3 years ago
  
  Fix path traversal issue with SVG hrefs See merge request gitlab-org/security/gitlab!1930
  1044ee23
- Merge branch 'security-id-workhorse-tiff-14-3' into '14-3-stable-ee' · 678e267b
  GitLab Release Tools Bot authored 3 years ago
  
  Avoid decoding the whole tiff image on isTIFF check See merge request gitlab-org/security/gitlab!1900
  678e267b
- Merge branch 'security-id-limit-uploading-files-14-3' into '14-3-stable-ee' · 3e609cdf
  GitLab Release Tools Bot authored 3 years ago
  
  Workhorse: Allow uploading only a single file See merge request gitlab-org/security/gitlab!1914
  3e609cdf
- Merge branch 'security-applications-api-scope-14-3' into '14-3-stable-ee' · fa6cdc06
  GitLab Release Tools Bot authored 3 years ago
  
  Do not allow Applications API to create apps with blank scopes See merge request gitlab-org/security/gitlab!1923
  fa6cdc06
- Merge branch 'security-project-group-share-on-group-transfer-14-3' into '14-3-stable-ee' · 03c9857a
  GitLab Release Tools Bot authored 3 years ago
  
  Refresh authorizations on transfer of groups having project shares See merge request gitlab-org/security/gitlab!1917
  03c9857a
- Merge branch 'security-mr-discussions-locked-fix-14-3' into '14-3-stable-ee' · 2102a66f
  GitLab Release Tools Bot authored 3 years ago
  
  Don't allow author to resolve discussions when MR is locked via GraphQL See merge request gitlab-org/security/gitlab!1920
  2102a66f
- Merge branch 'security-28074-root-passwork-in-migration-output-14-3' into '14-3-stable-ee' · 658838ab
  GitLab Release Tools Bot authored 3 years ago
  
  Never display the root password See merge request gitlab-org/security/gitlab!1803
  658838ab
- Merge branch 'security-516-namespace-path-cleaning-vulnerable-14-3' into '14-3-stable-ee' · 7dc3b63b
  GitLab Release Tools Bot authored 3 years ago
  
  Iterate over trailing space regex replacements See merge request gitlab-org/security/gitlab!1897
  7dc3b63b
- Merge branch 'security-297470-fix-public-email-disclosure-14-3-14-3' into '14-3-stable-ee' · b520ac9d
  GitLab Release Tools Bot authored 3 years ago
  
  Prevent private e-mail from being shown in webhook data See merge request gitlab-org/security/gitlab!1894
  b520ac9d
- Merge branch 'security-335191-use-verified-emails-to-avoid-bypass-14.3' into '14-3-stable-ee' · 0f7edf66
  GitLab Release Tools Bot authored 3 years ago
  
  Match with verified_email? rather than any_email?[RUN ALL RSPEC] [RUN AS-IF-FOSS] See merge request gitlab-org/security/gitlab!1882
  0f7edf66
- Merge branch 'security-guest-update-incident-severity-14-3' into '14-3-stable-ee' · a85d89b7
  GitLab Release Tools Bot authored 3 years ago
  
  Disallow guests to change severity on incidents See merge request gitlab-org/security/gitlab!1875
  a85d89b7
- Disallow guests to change severity on incidents · 77677fa8
  Peter Leitzen authored 3 years ago and GitLab Release Tools Bot committed 3 years ago
  
  77677fa8
- Merge branch 'security-337824-set-pipeline-schedule-default-14-3' into '14-3-stable-ee' · 17ce8e9a
  GitLab Release Tools Bot authored 3 years ago
  
  Set imported PipelineSchedules to inactive See merge request gitlab-org/security/gitlab!1879
  17ce8e9a
- Merge branch 'security-remove-external-webhook-token-from-export-14-3' into '14-3-stable-ee' · 764c5dc1
  GitLab Release Tools Bot authored 3 years ago
  
  Remove external_webhook_token from exported project See merge request gitlab-org/security/gitlab!1866
  764c5dc1
Oct 26, 2021

Highlight usage of unicode bidi characters · 0b9bcafa

Robert May authored 3 years ago

Adds markup around unicode bidi characters when highlighting
code. These are used primarily for text direction in
right-to-left languages, but can be used as an exploit.

Changelog: security

0b9bcafa

Fix dompurify.js to prevent path traversal attacks · 6599afd4

Dheeraj Joshi authored 3 years ago

This fixes an issue with SVGs href sanitization
which was bypassable using path traversal

Changelog: security

6599afd4

Oct 25, 2021

Refresh authorizations on transfer of groups having project shares · faad71f4

Manoj M J authored 3 years ago

This change makes sure that when a group that
has any project-group shares is transferred,
it refresh authorizations of projects that are
shared to the group.

Changelog: security

faad71f4

Oct 21, 2021

Do not allow Applications API to create apps with blank scopes · 29393150

Manoj M J authored 3 years ago

This change makes sure that the using the
Applications API, admins cannot create
an app with a “blank” scope. At least one scope
should be explicitly specified in the params while
making the “POST” request to create an application.

Changelog: security

29393150

Merge branch 'cherry-pick-' into '14-3-stable-ee' · 27d25797

Mayra Cabrera authored 3 years ago

Merge branch 'sarnold-qurantine-flakey-rotation-dst-specs' into '14-3-stable-ee'

See merge request gitlab-org/gitlab!72771

27d25797

Merge branch 'sarnold-qurantine-flakey-rotation-dst-specs' into 'master' · f69b4a82

Luke Duncalfe authored 3 years ago

Quarantine flaky DST specs

See merge request gitlab-org/gitlab!72748

(cherry picked from commit a0d10fed)

a1f862dd Quarantine flaky DST spec
ac843eeb Apply 1 suggestion(s) to 1 file(s)

f69b4a82

Don't allow author to resolve discussions when MR is locked via GraphQL · 5027cb2b

Patrick Bajao authored 3 years ago

We don't allow non-project members to resolve discussions via UI
but the discussionToggleResolve GraphQL mutation allows it.

This fixes it by modifying `ResolvableDiscussions#can_resolve?` to
call appropriate policy check.

Changelog: security

5027cb2b

Workhorse: Allow uploading only a single file · c18c2ddf

Igor Drozdov authored 3 years ago

Gitlab Rails doesn't have endpoints that require uploading
multiple files.

Let's limit it to prevent performance issues and proceed with
a proper solution out of Security Release

Changelog: security

c18c2ddf

Oct 20, 2021

Group owners should see SCIM token only once · 3d666446

pshutsin authored 3 years ago

Even group owners should see SCIM token only once after creation.
There is an option to reset the token in case it was lost or
forgotten

Changelog: security
EE: true

3d666446

Respect visibility level settings when updating project via API · 124ca62c

pshutsin authored 3 years ago

When updating project or group visibility settings
we must respect instance level visibility restrictions.

Changelog: security

124ca62c

Avoid decoding the whole tiff image on isTIFF check · 8e6ffd52
Igor Drozdov authored 3 years ago
```
Changelog: security
```
8e6ffd52

Iterate over trailing space regex replacements · 6945731e

E'zeki&el Kigbo authored 3 years ago

Changelog: security

Use chomp for path trimming

Minor refactor chomped calls into a loop
and fixes a rubocop lint.

Add PATH_TRAILING_VIOLATIONS constant

Unverified

6945731e

Oct 19, 2021

Adding a '[redacted]' to mask private email addresses · 6f2a2b22

Gary Holtz authored 3 years ago

Making public_email = email a trait for a factory

This also fixes some specs that were relying on private email in
the user's `hook_attrs`

Changelog: security

Unverified

6f2a2b22

Oct 12, 2021
- Update VERSION files · 6d764ffb
  GitLab Release Tools Bot authored 3 years ago
  
  [merge-train skip]
  View commits for tag v14.3.3-ee v14.3.3-ee
  
  6d764ffb
- Update changelog for 14.3.3 · d22adcce
  GitLab Release Tools Bot authored 3 years ago
  
  [ci skip]
  d22adcce
- Update Gitaly version to 14.3.3 · 756a5d28
  GitLab Release Tools Bot authored 3 years ago
  
  [ci skip]
  756a5d28
- Do not display the root password by default · 87893548
  Alexis Kalderimis authored 3 years ago
  
  Defaults display_initial_root_password config setting to `false`. The root password can be retrieved with `kubectl get secret` in a production setting (see: https://docs.gitlab.com/charts/installation/deployment.html#initial-login) Changelog: security
  87893548
- Merge branch '14-3-stable-ee-patch-3' into '14-3-stable-ee' · d260a496
  Reuben Pereira authored 3 years ago
  
  Prepare 14.3.3-ee release See merge request gitlab-org/gitlab!72179
  d260a496

Admin message

Admin message