[merge-train skip]

[ci skip]

[ci skip]

Prevent GraphQL API access by deactivated users

See merge request gitlab-org/security/gitlab!1526

Forbid GET requests with mutations

See merge request gitlab-org/security/gitlab!1529

Bump rails gem version to 6.0.3.7

See merge request gitlab-org/security/gitlab!1515

Copy feature visibility settings to a fork

See merge request gitlab-org/security/gitlab!1523

Update rdoc to 6.3.1

See merge request gitlab-org/security/gitlab!1534

Add new username validation

See merge request gitlab-org/security/gitlab!1495

Avoid disclosing project in web IDE

See merge request gitlab-org/security/gitlab!1512

Clipboard DOM-based XSS in Markdown [RUN AS-IF-FOSS]

See merge request gitlab-org/security/gitlab!1453

Add sanitizing for name field

See merge request gitlab-org/security/gitlab!1490

Fix XSS in release Edits

See merge request gitlab-org/security/gitlab!1486

Fix XSS on audit log for feature flag actions

See merge request gitlab-org/security/gitlab!1474

Update Nokogiri to 1.11.4

See merge request gitlab-org/security/gitlab!1479

Add omniauth_user check when verifying user cap

See merge request gitlab-org/security/gitlab!1502

Add total http read timeout

See merge request gitlab-org/security/gitlab!1427

Some users can push to Protected Branch with Deploy keys

See merge request gitlab-org/security/gitlab!1478

Fix merge request diff display issue with unsupported encoding

See merge request gitlab-org/security/gitlab!1424

Igor Drozdov authored 3 years ago and Thong Kuah committed 3 years ago

It contains multiple security fixes.

One of them prevents string polymorphic route arguments and
causes some additional changes to be made along with just bumping
gem version

Changelog: security

Created a fork because rdoc 6.3.1 is missing a file.

Changelog: security

Changelog: security

Verify that mutations are forbidden in GET requests

This ensures that GET requests do not execute mutations.

Changelog: security

When a public project with a private feature is forked,
it's expected that the fork will also have the feature private

For example, forking a public project with private repo might
accidently lead to a repository code exposure

Changelog: security

Checking user identities presence in that check.
Also added related rspecs.

Changelog: added
EE: true

In this commit we avoid disclosing project info
through the web IDE by checking if the user
can read the project.

Changelog: security

[merge-train skip]

[ci skip]

[ci skip]

Prepare 13.12.5-ee release

See merge request gitlab-org/gitlab!64488

Fix failing spec

See merge request gitlab-org/gitlab!64499

Changelog: fixed

Matthias Käppler authored 3 years ago and GitLab Release Tools Bot committed 3 years ago

See https://gitlab.com/gitlab-org/gitlab/-/merge_requests/63764

EE: true
Changelog: fixed

Michael Kozono authored 3 years ago and GitLab Release Tools Bot committed 3 years ago

See https://gitlab.com/gitlab-org/gitlab/-/merge_requests/63466

Changelog: fixed

Michael Kozono authored 3 years ago and GitLab Release Tools Bot committed 3 years ago

Only update required instance ci template when the parameter is present

See merge request gitlab-org/gitlab!63344

(cherry picked from commit 304aff34)

63077d2d Only update required instance ci template when the parameter is present
9bc395a3 Apply suggestion to use .empty instead of .blank
43f87431 Apply suggestion to fix failing test
c1dfd2c3 Add test spec for required_instance_ci_template setting when no parameter key is provided

Changelog: security

Changelog: security

[merge-train skip]

[ci skip]