[merge-train skip]

[ci skip]

[ci skip]

Add authorization checks to import status endpoint

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3513



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Dylan Griffith <dyl.griffith@gmail.com>
Approved-by: Luke Duncalfe <lduncalfe@gitlab.com>
Co-authored-by: bmarjanovic <bmarjanovic@gitlab.com>

Bojan Marjanović authored 1 year ago and GitLab Release Tools Bot committed 1 year ago

Merge branch 'security-415117-confidential-issue-16-3' into '16-3-stable-ee'

See merge request gitlab-org/security/gitlab!3513

Changelog: security

Update commonmarker to 0.23.10

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3507



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Mario Celi <mcelicalderon@gitlab.com>
Co-authored-by: Brett Walker <bwalker@gitlab.com>

Brett Walker authored 1 year ago and GitLab Release Tools Bot committed 1 year ago

Merge branch 'security-update-commonmarker-16-3' into '16-3-stable-ee'

See merge request gitlab-org/security/gitlab!3507

Changelog: security

Remove DAST secret variables when URL is updated

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3498



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Aboobacker MK <akarakath@gitlab.com>
Approved-by: Himanshu Kapoor <info@fleon.org>
Co-authored-by: Dheeraj Joshi <djoshi@gitlab.com>

Dheeraj Joshi authored 1 year ago and GitLab Release Tools Bot committed 1 year ago

Merge branch 'security-dast-reset-secrets-16-3' into '16-3-stable-ee'

See merge request gitlab-org/security/gitlab!3498

Changelog: security

Maintainer can leak sentry token by changing the configured URL

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3516



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Allen Cook <acook@gitlab.com>
Co-authored-by: bmarjanovic <bmarjanovic@gitlab.com>

Bojan Marjanović authored 1 year ago and GitLab Release Tools Bot committed 1 year ago

Merge branch 'security-422134-confidential-issue-16-3' into '16-3-stable-ee'

See merge request gitlab-org/security/gitlab!3516

Changelog: security

Merge branch 'security-smriti-417664/external_user_escalated_service_account-16-3' into '16-3-stable-ee'

Service account users are external by default

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3501



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Aboobacker MK <akarakath@gitlab.com>
Co-authored-by: smriti <sgarg@gitlab.com>

Smriti Garg authored 1 year ago and GitLab Release Tools Bot committed 1 year ago

Merge branch 'security-smriti-417664/external_user_escalated_service_account-16-3' into '16-3-stable-ee'

See merge request gitlab-org/security/gitlab!3501

Changelog: security

Additional permission check when editing label

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3504



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Mark Chao <mchao@gitlab.com>
Co-authored-by: Brett Walker <bwalker@gitlab.com>

Brett Walker authored 1 year ago and GitLab Release Tools Bot committed 1 year ago

Merge branch 'security-reporter-group-labels-16-3' into '16-3-stable-ee'

See merge request gitlab-org/security/gitlab!3504

Changelog: security

Fix ReDOS in bulk_imports endpoint params

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3510



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Bojan Marjanovic <bmarjanovic@gitlab.com>
Co-authored-by: Luke Duncalfe <lduncalfe@eml.cc>

Luke Duncalfe authored 1 year ago and GitLab Release Tools Bot committed 1 year ago

Merge branch 'security-415067-redos-in-bulk_imports-api-16-3' into '16-3-stable-ee'

See merge request gitlab-org/security/gitlab!3510

Changelog: security

Merge branch 'security-prevent-namespace-level-banned-users-from-accessing-api-16-3' into '16-3-stable-ee'

Prevent namespace level banned users from accessing API

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3519



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Kassio Borges <kborges@gitlab.com>
Co-authored-by: Alex Buijs <abuijs@gitlab.com>

Alex Buijs authored 1 year ago and GitLab Release Tools Bot committed 1 year ago

Merge branch 'security-prevent-namespace-level-banned-users-from-accessing-api-16-3' into '16-3-stable-ee'

See merge request gitlab-org/security/gitlab!3519

Changelog: security

Check prohibit_outer_forks in fork relationship api

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3479



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Alexandru Croitor <acroitor@gitlab.com>
Co-authored-by: ghinfeydesktop <ghinfey@gitlabdesktop.com>

Gavin Hinfey authored 1 year ago and GitLab Release Tools Bot committed 1 year ago

Merge branch 'security-415338-16-3' into '16-3-stable-ee'

See merge request gitlab-org/security/gitlab!3479

Changelog: security

Prevent traversal for `path` parameter in refs/switch endpoint

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3491



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Michael Kozono <mkozono@gitlab.com>
Co-authored-by: Thong Kuah <tkuah@gitlab.com>

Thong Kuah authored 1 year ago and GitLab Release Tools Bot committed 1 year ago

Merge branch 'security-refs-switch-redirect-16-3' into '16-3-stable-ee'

See merge request gitlab-org/security/gitlab!3491

Changelog: security

Gitaly keyset pager when pagination none only with tree view

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3495



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Dmitry Gruzd <dgruzd@gitlab.com>
Co-authored-by: Patrick Cyiza <jpcyiza@gitlab.com>

Patrick Cyiza authored 1 year ago and GitLab Release Tools Bot committed 1 year ago

Merge branch 'security-414502-confidential-gitaly-keyset-16-3' into '16-3-stable-ee'

See merge request gitlab-org/security/gitlab!3495

Changelog: security

Backport LicenseScanning fix for AutoDevOps

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/129971



Merged-by: Brian Williams <bwilliams@gitlab.com>
Approved-by: Brian Williams <bwilliams@gitlab.com>
Co-authored-by: Tetiana Chupryna <tchupryna@gitlab.com>
Co-authored-by: Mayra Cabrera <mcabrera@gitlab.com>

Tetiana Chupryna authored 1 year ago and Brian Williams committed 1 year ago

Fix AutoDevOps for projects that configured license scanning job

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/129658



Merged-by: Mayra Cabrera <mcabrera@gitlab.com>
Approved-by: Mayra Cabrera <mcabrera@gitlab.com>
Approved-by: Adam Cohen <acohen@gitlab.com>
Reviewed-by: Mayra Cabrera <mcabrera@gitlab.com>
Co-authored-by: Oscar Tovar <otovar@gitlab.com>

(cherry picked from commit dfc7ae92)

36c3ea86 Fix AutoDevOps for projects that configured license scanning job

CSP: disable LFS url when not using object storage

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/130200



Merged-by: Stan Hu <stanhu@gmail.com>
Approved-by: Joe Woodward <jwoodward@gitlab.com>
Approved-by: Jason Plum <jplum@gitlab.com>
Co-authored-by: Jason Plum <jplum@gitlab.com>

Disable the `allow_lfs` when object storage is not enabled for LFS.

1. When using local storage, the path will come from within GitLab's
primary URL
2. When using local storage, Fog/CarrierWave will fail, unless user
always supplies a bogus `connection` hash.
    - Omnibus leave this empty unless provided.

Related to https://gitlab.com/gitlab-org/gitlab/-/issues/422936

Backport "Geo: Resync direct upload object stored artifacts" to 16.3

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/129882



Merged-by: Douglas Barbosa Alexandre <dbalexandre@gmail.com>
Approved-by: Douglas Barbosa Alexandre <dbalexandre@gmail.com>

Add .net to context selector to skip live envs

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/129922



Merged-by: Steve Abrams <sabrams@gitlab.com>
Approved-by: Steve Abrams <sabrams@gitlab.com>
Approved-by: Reuben Pereira <2967854-rpereira2@users.noreply.gitlab.com>
Co-authored-by: Mark Lapierre <mlapierre@gitlab.com>

Revert migration to backfill archived in wikis

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/129910



Merged-by: Dmitry Gruzd <dgruzd@gitlab.com>
Approved-by: Dmitry Gruzd <dgruzd@gitlab.com>
Co-authored-by: rkumar555 <rkumar@gitlab.com>

Mark Lapierre authored 1 year ago and Nailia Iskhakova committed 1 year ago

Add .net to context selector to skip live envs

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/129803



Merged-by: Mark Lapierre <mlapierre@gitlab.com>
Approved-by: Mark Lapierre <mlapierre@gitlab.com>
Co-authored-by: Nailia Iskhakova <niskhakova@gitlab.com>

(cherry picked from commit eccba26d)

b9ba3763 Add .net to context selector to skip live envs

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/128939



Merged-by: Douglas Barbosa Alexandre <dbalexandre@gmail.com>
Approved-by: Gregory Havenga <11164960-ghavenga@users.noreply.gitlab.com>
Approved-by: Douglas Barbosa Alexandre <dbalexandre@gmail.com>
Co-authored-by: Mike Kozono <mkozono@gitlab.com>

(cherry picked from commit eaa8da04)

33f2f25d Resync direct upload object stored artifacts
15737ede Perform update queries in Sidekiq job

Changelog: fixed
EE: true

Remove unified URL limitation for GitLab chart (16.3 backport)

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/129854



Merged-by: Steve Abrams <sabrams@gitlab.com>
Approved-by: Steve Abrams <sabrams@gitlab.com>
Co-authored-by: Achilleas Pipinellis <axil@gitlab.com>

Remove unified URL limitation for GitLab chart

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/129816



Merged-by: Achilleas Pipinellis <axil@gitlab.com>
Approved-by: Achilleas Pipinellis <axil@gitlab.com>
Co-authored-by: Clemens Beck <cbeck@gitlab.com>

(cherry picked from commit a2464020)

b04ff137 Remove unified URL limitation for GitLab chart

[merge-train skip]

[ci skip]

[ci skip]