Commits · cdec15d2a57e0e91df125713022bf18a9878edae · Maxime Orefice / GitLab

Aug 03, 2021
- Update VERSION files · cdec15d2
  GitLab Release Tools Bot authored 3 years ago
  
  [merge-train skip]
  View commits for tag v13.12.9-ee v13.12.9-ee
  
  cdec15d2
- Update changelog for 13.12.9 · a3295204
  GitLab Release Tools Bot authored 3 years ago
  
  [ci skip]
  a3295204
- Update Gitaly version to 13.12.9 · 20e074ee
  GitLab Release Tools Bot authored 3 years ago
  
  [ci skip]
  20e074ee
- Merge branch 'security-validate-project-members-13-12' into '13-12-stable-ee' · 7be43fba
  GitLab Release Tools Bot authored 3 years ago
  
  Don't allow to add users to project with email different than group sett See merge request gitlab-org/security/gitlab!1562
  7be43fba
- Merge branch 'security-nfriend-hide-project-ci-cd-analytics-for-guests-13-12'... · 41617200
  Henri Philipps authored 3 years ago
  
  Merge branch 'security-nfriend-hide-project-ci-cd-analytics-for-guests-13-12' into '13-12-stable-ee' Hide project-level CI/CD Analytics page for Guest users See merge request gitlab-org/security/gitlab!1575
  41617200
- Merge branch... · aceb3915
  GitLab Release Tools Bot authored 3 years ago
  
  Merge branch 'security-not-allow-to-impersonate-tokens-while-impersonation-is-off-13-12' into '13-12-stable-ee' Block pushing with impersonation token if impersonation is disabled See merge request gitlab-org/security/gitlab!1585
  aceb3915
- Add project member validation for domain limitation · 8aff1815
  mksionek authored 3 years ago
  
  Changelog: security
  8aff1815
- Block impersonation token use if it is not permitted · 99ab170a
  mksionek authored 3 years ago
  
  Changelog: security
  99ab170a
Aug 02, 2021
- Hide project-level CI/CD Analytics for Guests · 740395d9
  Nathan Friend authored 3 years ago
  
  This commit updates the project-level CI/CD Analytics page to not be accessible by Guest users of private projects. Changelog: security
  Unverified
  
  740395d9
- Merge branch 'security-jivanvl-fix-pipeline-show-page-permissions-13-12' into '13-12-stable-ee' · caf32a32
  GitLab Release Tools Bot authored 3 years ago
  
  Add permissions check to pipelines#show action See merge request gitlab-org/security/gitlab!1618
  caf32a32
- Merge branch 'security-email-invite-error-message-13-12' into '13-12-stable-ee' · 654ed4c1
  GitLab Release Tools Bot authored 3 years ago
  
  Do not show email address in error message See merge request gitlab-org/security/gitlab!1598
  654ed4c1
- Merge branch 'security-300265-13-12' into '13-12-stable-ee' · a01ae373
  GitLab Release Tools Bot authored 3 years ago
  
  Misleading username could lead to impersonation in using SSH Certificates See merge request gitlab-org/security/gitlab!1611
  a01ae373
- Merge branch 'security-impersonation-tokens-listed-13-12' into '13-12-stable-ee' · 69b8c77b
  GitLab Release Tools Bot authored 3 years ago
  
  Remove impersonation token from api response for non-admin user See merge request gitlab-org/security/gitlab!1567
  69b8c77b
- Merge branch 'security-security_dblessing_invite_link_any_email-13-12' into '13-12-stable-ee' · 9581f40e
  GitLab Release Tools Bot authored 3 years ago
  
  Only allow invite to be accepted by user with matching email See merge request gitlab-org/security/gitlab!1634
  9581f40e
- Merge branch 'security-security_dblessing_omniauth_logging-13-12' into '13-12-stable-ee' · 286fa310
  GitLab Release Tools Bot authored 3 years ago
  
  Configure OmniAuth to use GitLab AppLogger See merge request gitlab-org/security/gitlab!1617
  286fa310
- Merge branch... · 79578169
  GitLab Release Tools Bot authored 3 years ago
  
  Merge branch 'security-prevent-guests-from-creating-issues-with-sentry-error-13-12' into '13-12-stable-ee' Prevent Guest users from creating issues linked to Sentry errors See merge request gitlab-org/security/gitlab!1599
  79578169
- Merge branch 'security-oauth-0-5-6-13-12' into '13-12-stable-ee' · 94bd012e
  GitLab Release Tools Bot authored 3 years ago
  
  Updates oauth to 0.5.6 See merge request gitlab-org/security/gitlab!1569
  94bd012e
- Merge branch 'security-fix-protected-environment-access-cleanup-13-12' into '13-12-stable-ee' · 14286036
  GitLab Release Tools Bot authored 3 years ago
  
  Unauthorized User Can Trigger Deployment to the Protected Environment See merge request gitlab-org/security/gitlab!1608
  14286036
- Merge branch 'security-fix-tag-ref-detection-13-12' into '13-12-stable-ee' · 1ddffc54
  GitLab Release Tools Bot authored 3 years ago
  
  Fix tag ref detection for pipelines See merge request gitlab-org/security/gitlab!1549
  1ddffc54
- Merge branch 'security_299039_restrict_access_for_reporter_and_below_13_12' into '13-12-stable-ee' · b8600e1f
  GitLab Release Tools Bot authored 3 years ago
  
  Restrict access to instance-level security features for reporters See merge request gitlab-org/security/gitlab!1540
  b8600e1f
- Restrict access to instance-level security features for reporters · e265df47
  Mehmet Emin Inaç authored 3 years ago and GitLab Release Tools Bot committed 3 years ago
  
  e265df47
- Merge branch 'security/sh-mermaid-avoid-html-injection-13-12' into '13-12-stable-ee' · be032de3
  GitLab Release Tools Bot authored 3 years ago
  
  [13.12] Fix XSS in Mermaid Markdown rendering See merge request gitlab-org/security/gitlab!1487
  be032de3
- Merge branch 'security-282445-read-todo-target-13-12' into '13-12-stable-ee' · 0ed4b547
  GitLab Release Tools Bot authored 3 years ago
  
  Filter todos whose target users no longer have access to [RUN AS-IF-FOSS] See merge request gitlab-org/security/gitlab!1555
  0ed4b547
Jul 30, 2021

Only allow invite to be accepted by user with matching email · ae7ade09

Drew Blessing authored 3 years ago

Previously, any user was able to accept an invite even if the
user's email addresses didn't match the invite. A note was
displayed but the invite could still be accepted. With this
change, a user without a matching, confirmed email address
is unable to accept the invite.

Changelog: security

Unverified

ae7ade09

Jul 28, 2021

Configure OmniAuth to use GitLab AppLogger · ed5e7742

Drew Blessing authored 3 years ago

OmniAuth logger was not being configured properly and some logs
were being dropped. This change ensures OmniAuth log messages
are output to `application.log` and/or `application_json.log`
as appropriate depending on configuration.

Changelog: security

Fix Group SAML Spec order dependency

Change `allow/expect_any_instance_of` to
`allow/expect_next_instance_of` to avoid leaking state from other
tests.

Changelog: security

Unverified

ed5e7742

Fix Protected Environment Accesses Cleanup · 79eb0cb1

Shinya Maeda authored 3 years ago

Protected Environment Accesses were not automatically cleaned up
when a user was removed from the project membership.
Also, the leftover user/group entry in the access list
couldn't be removed manually.

This commit fixes these security related bugs.

Changelog: security
EE: true

79eb0cb1

Jul 27, 2021

Add permissions check to pipelines#show action · 1a293b40

Jose Ivan Vargas Lopez authored 3 years ago

This check renders a 404 in case the user trying
to access the pipeline details page doesn't have enough
permissions

Changelog: security

1a293b40

Merge branch 'leipert-browserslist-ugh' into 'master' · 3e2180b0

Jose Ivan Vargas Lopez authored 3 years ago and

GitLab Release Tools Bot committed 3 years ago

Disable browserslist warning in CI jobs

See merge request gitlab-org/gitlab!66942

(cherry picked from commit 89dec6ec)

61c4eacf Disable browserslist warning in CI jobs

3e2180b0

Prevent impersonation in gitlab-shell SSH certs · 42521d9e
Robert May authored 3 years ago
```
Updates the gitlab-shell version to include a security patch.

Changelog: security
```
42521d9e

Jul 23, 2021
- Prevent guests from linking issues with errors · da799b0c
  Sean Arnold authored 3 years ago
  
  Changelog: security
  da799b0c
Jul 22, 2021
- Do not show email address in error message · 2c3318ed
  Dominic Couture authored 3 years ago
  
  Changelog: security EE: true
  2c3318ed
Jul 12, 2021
- Updates oauth to 0.5.6 · 33df3791
  Andrew Kelly authored 3 years ago
  
  Changelog: security
  33df3791
- Remove impersonation token from api response for non-admin user · b56ae195
  mksionek authored 3 years ago
  
  Changelog: security
  b56ae195
Jul 07, 2021
- Merge remote-tracking branch 'dev/13-12-stable-ee' into 13-12-stable-ee · 5c1ce14f
  GitLab Release Tools Bot authored 3 years ago
  
  5c1ce14f
- Filter todos whose target users no longer have access to · ba613574
  Mario Sebastián Celi Calderón authored 3 years ago
  
  The DB might contain todos for targets a user no longer has access to. As target is exposed via the REST API and Rails app, this change filters out todos the user no longer has access to. Changelog: security
  Unverified
  
  ba613574
- Update VERSION files · 6ab58f00
  GitLab Release Tools Bot authored 3 years ago
  
  [merge-train skip]
  View commits for tag v13.12.8-ee v13.12.8-ee
  
  6ab58f00
- Update changelog for 13.12.8 · 08ddfa23
  GitLab Release Tools Bot authored 3 years ago
  
  [ci skip]
  08ddfa23
- Update Gitaly version to 13.12.8 · 34726f7c
  GitLab Release Tools Bot authored 3 years ago
  
  [ci skip]
  34726f7c
Jul 06, 2021
- Merge branch '334552-quarantine-flaky-board-spec' into 'master' · 5921f635
  Alexis Kalderimis authored 3 years ago and Mayra Cabrera committed 3 years ago
  
  Quarantine failing group board spec See merge request gitlab-org/gitlab!64809
  5921f635
- Merge branch 'security-disable-filesystem-strategy-for-premailer-13-12' into '13-12-stable-ee' · aaf02571
  Mayra Cabrera authored 3 years ago
  
  Disable filesystem and network premailer strategies See merge request gitlab-org/security/gitlab!1545
  aaf02571

Admin message

Admin message