Commits · abc23a14bace184532d1d344c4d230d9fc99eba6 · dDenys Mishunov / GitLab

Oct 28, 2021
- Update VERSION files · abc23a14
  GitLab Release Tools Bot authored 3 years ago
  
  [merge-train skip]
  View commits for tag v14.4.1-ee v14.4.1-ee
  
  abc23a14
- Update changelog for 14.4.1 · 00d2da7e
  GitLab Release Tools Bot authored 3 years ago
  
  [ci skip]
  00d2da7e
- Update Gitaly version to 14.4.1 · ab9755c3
  GitLab Release Tools Bot authored 3 years ago
  
  [ci skip]
  ab9755c3
Oct 27, 2021
- Merge branch... · 38b6d974
  Reuben Pereira authored 3 years ago
  
  Merge branch 'security-518-fix-change-project-visibility-to-restricted-option-14-4' into '14-4-stable-ee' Change project visibility to a restricted option See merge request gitlab-org/security/gitlab!1903
  38b6d974
- Merge branch 'security-337193-14-4' into '14-4-stable-ee' · fbd559f8
  GitLab Release Tools Bot authored 3 years ago
  
  Highlight usage of unicode bidi characters See merge request gitlab-org/security/gitlab!1937
  fbd559f8
- Merge branch 'security-522-scim-token-is-still-viewable-after-creation-14-4' into '14-4-stable-ee' · b5c3e37b
  GitLab Release Tools Bot authored 3 years ago
  
  SCIM token is still Viewable After Creation See merge request gitlab-org/security/gitlab!1906
  b5c3e37b
- Merge branch 'security-28226-redact-groups-shared-with-14-4' into '14-4-stable-ee' · 8cc5788c
  GitLab Release Tools Bot authored 3 years ago
  
  Redact list of groups a project is shared with See merge request gitlab-org/security/gitlab!1910
  8cc5788c
- Redact list of groups a project is shared with · 68a28c50
  Alexis Kalderimis authored 3 years ago and GitLab Release Tools Bot committed 3 years ago
  
  68a28c50
- Merge branch 'security-dompurify-normalize-path-14-4' into '14-4-stable-ee' · a2f75186
  GitLab Release Tools Bot authored 3 years ago
  
  Fix path traversal issue with SVG hrefs See merge request gitlab-org/security/gitlab!1929
  a2f75186
- Merge branch 'security-id-workhorse-tiff-14-4' into '14-4-stable-ee' · 6c793290
  GitLab Release Tools Bot authored 3 years ago
  
  Avoid decoding the whole tiff image on isTIFF check See merge request gitlab-org/security/gitlab!1899
  6c793290
- Merge branch 'security-id-limit-uploading-files-14-4' into '14-4-stable-ee' · 4ed45dcc
  GitLab Release Tools Bot authored 3 years ago
  
  Workhorse: Allow uploading only a single file See merge request gitlab-org/security/gitlab!1913
  4ed45dcc
- Merge branch 'security-applications-api-scope-14-4' into '14-4-stable-ee' · cc582abe
  GitLab Release Tools Bot authored 3 years ago
  
  Do not allow Applications API to create apps with blank scopes See merge request gitlab-org/security/gitlab!1922
  cc582abe
- Merge branch 'security-project-group-share-on-group-transfer-14-4' into '14-4-stable-ee' · 0803b160
  GitLab Release Tools Bot authored 3 years ago
  
  Refresh authorizations on transfer of groups having project shares See merge request gitlab-org/security/gitlab!1916
  0803b160
- Merge branch 'security-mr-discussions-locked-fix-14-4' into '14-4-stable-ee' · 1675d679
  GitLab Release Tools Bot authored 3 years ago
  
  Don't allow author to resolve discussions when MR is locked via GraphQL See merge request gitlab-org/security/gitlab!1919
  1675d679
- Merge branch 'security-28074-root-passwork-in-migration-output-14-4' into '14-4-stable-ee' · efd17390
  GitLab Release Tools Bot authored 3 years ago
  
  Do not display the root password by default See merge request gitlab-org/security/gitlab!1909
  efd17390
- Merge branch 'security-516-namespace-path-cleaning-vulnerable-14-4' into '14-4-stable-ee' · c93035de
  GitLab Release Tools Bot authored 3 years ago
  
  Iterate over trailing space regex replacements See merge request gitlab-org/security/gitlab!1912
  c93035de
- Merge branch 'security-297470-fix-public-email-disclosure-14-4' into '14-4-stable-ee' · ea938156
  GitLab Release Tools Bot authored 3 years ago
  
  Prevent private e-mail from being shown in webhook data See merge request gitlab-org/security/gitlab!1927
  ea938156
- Merge branch 'security-335191-use-verified-emails-to-avoid-bypass-14.4' into '14-4-stable-ee' · f3763f55
  GitLab Release Tools Bot authored 3 years ago
  
  Match with verified_email? rather than any_email? See merge request gitlab-org/security/gitlab!1926
  f3763f55
- Merge branch 'security-guest-update-incident-severity-14-4' into '14-4-stable-ee' · 86384c7c
  GitLab Release Tools Bot authored 3 years ago
  
  Disallow guests to change severity on incidents See merge request gitlab-org/security/gitlab!1902
  86384c7c
- Disallow guests to change severity on incidents · 7459bcb9
  Peter Leitzen authored 3 years ago and GitLab Release Tools Bot committed 3 years ago
  
  7459bcb9
- Merge branch 'security-337824-set-pipeline-schedule-default-14-4' into '14-4-stable-ee' · 677e5935
  GitLab Release Tools Bot authored 3 years ago
  
  Set imported PipelineSchedules to inactive See merge request gitlab-org/security/gitlab!1911
  677e5935
- Merge branch 'security-remove-external-webhook-token-from-export-14-4' into '14-4-stable-ee' · b792e18e
  GitLab Release Tools Bot authored 3 years ago
  
  Remove external_webhook_token from exported project See merge request gitlab-org/security/gitlab!1872
  b792e18e
Oct 26, 2021

Highlight usage of unicode bidi characters · cef762a2

Robert May authored 3 years ago

Adds markup around unicode bidi characters when highlighting
code. These are used primarily for text direction in
right-to-left languages, but can be used as an exploit.

Changelog: security

cef762a2

Fix dompurify.js to prevent path traversal attacks · 9a891cbe

Dheeraj Joshi authored 3 years ago

This fixes an issue with SVGs href sanitization
which was bypassable using path traversal

Changelog: security

9a891cbe

Oct 25, 2021

Refresh authorizations on transfer of groups having project shares · bdf8b6e9

Manoj M J authored 3 years ago

This change makes sure that when a group that
has any project-group shares is transferred,
it refresh authorizations of projects that are
shared to the group.

Changelog: security

bdf8b6e9

Oct 21, 2021

Update VERSION files · 19c719fe
GitLab Release Tools Bot authored 3 years ago
```
[merge-train skip]
```
View commits for tag v14.4.0-ee v14.4.0-ee

19c719fe
Update changelog for 14.4.0 · 821af607
GitLab Release Tools Bot authored 3 years ago
```
[ci skip]
```
821af607
Update Gitaly version to 14.4.0 · b73f60e4
GitLab Release Tools Bot authored 3 years ago
```
[ci skip]
```
b73f60e4
Update VERSION files · eaac9f42
GitLab Release Tools Bot authored 3 years ago
```
[merge-train skip]
```
View commits for tag v14.4.0-rc45-ee v14.4.0-rc45-ee

eaac9f42
Update VERSION files · efccd246
GitLab Release Tools Bot authored 3 years ago
```
[merge-train skip]
```
View commits for tag v14.4.0-rc44-ee v14.4.0-rc44-ee

efccd246

Adding a '[redacted]' to mask private email addresses · 324fe628

Gary Holtz authored 3 years ago

Making public_email = email a trait for a factory

This also fixes some specs that were relying on private email in
the user's `hook_attrs`

Changelog: security

Unverified

324fe628

Match with verified_email? rather than any_email? · 5f9b4eb1

Kerri Miller authored 3 years ago

Matching against any_email? potentially allows users to avoid required
code ownership rules by adding a code owner's email address that to
their own as a secondary email address.

Changelog: fixed
EE: true

Cleanup typos in comments (thanks @Vij)

5f9b4eb1

Iterate over trailing space regex replacements · c76cc17b

E'zeki&el Kigbo authored 3 years ago

Changelog: security

Use chomp for path trimming

Minor refactor chomped calls into a loop
and fixes a rubocop lint.

Add PATH_TRAILING_VIOLATIONS constant

c76cc17b

Do not allow Applications API to create apps with blank scopes · 4e2c4d2a

Manoj M J authored 3 years ago

This change makes sure that the using the
Applications API, admins cannot create
an app with a “blank” scope. At least one scope
should be explicitly specified in the params while
making the “POST” request to create an application.

Changelog: security

4e2c4d2a

Update VERSION files · a526602b
GitLab Release Tools Bot authored 3 years ago
```
[merge-train skip]
```
View commits for tag v14.4.0-rc43-ee v14.4.0-rc43-ee

a526602b

Merge branch 'cherry-pick-' into '14-4-stable-ee' · 45cef9b5

Reuben Pereira authored 3 years ago

Merge branch 'sarnold-qurantine-flakey-rotation-dst-specs' into '14-4-stable-ee'

See merge request gitlab-org/gitlab!72767

45cef9b5

Merge branch 'sarnold-qurantine-flakey-rotation-dst-specs' into 'master' · d6f94694

Luke Duncalfe authored 3 years ago

Quarantine flaky DST specs

See merge request gitlab-org/gitlab!72748

(cherry picked from commit a0d10fed)

a1f862dd Quarantine flaky DST spec
ac843eeb Apply 1 suggestion(s) to 1 file(s)

d6f94694

Don't allow author to resolve discussions when MR is locked via GraphQL · 34ffcb55

Patrick Bajao authored 3 years ago

We don't allow non-project members to resolve discussions via UI
but the discussionToggleResolve GraphQL mutation allows it.

This fixes it by modifying `ResolvableDiscussions#can_resolve?` to
call appropriate policy check.

Changelog: security

34ffcb55

Workhorse: Allow uploading only a single file · 0aee710d

Igor Drozdov authored 3 years ago

Gitlab Rails doesn't have endpoints that require uploading
multiple files.

Let's limit it to prevent performance issues and proceed with
a proper solution out of Security Release

Changelog: security

0aee710d

Oct 20, 2021
- Set PipelineSchedules to inactive · de405edc
  Igor Frenkel authored 3 years ago
  
  Set imported Ci::PipelineSchedules to inactive. Changelog: security
  de405edc

Admin message

Admin message