[merge-train skip]

[ci skip]

[ci skip]

[ci skip]

Prepare 13.11.4-ee release

See merge request gitlab-org/gitlab!61736

Stan Hu authored 3 years ago and GitLab Release Tools Bot committed 3 years ago

Omit trailing slash when checking allowed requests in the read-only middleware [RUN ALL RSPEC]

See merge request gitlab-org/gitlab!61641

(cherry picked from commit 205ac619)

128f7287 Omit trailing slash when checking allowed requests
94c80317 Add CHANGELOG entry

Nick Thomas authored 3 years ago and GitLab Release Tools Bot committed 3 years ago

Omit trailing slash when proxying pre-authorized routes with no suffix

See merge request gitlab-org/gitlab!61638

(cherry picked from commit fe7e3723)

79fc9f2b Omit trailing slash when proxying pre-authorized routes with no suffix

Robert Speicher authored 3 years ago and GitLab Release Tools Bot committed 3 years ago

Fix N+1 SQL queries in  PipelinesController#show

See merge request gitlab-org/gitlab!60794

(cherry picked from commit ced23566)

035856f8 Fix N+1 SQL queries in PipelinesController#show

Clarify notification emails docs

See merge request gitlab-org/gitlab!60932

Reapply changes from MR https://gitlab.com/gitlab-org/gitlab/-/merge_requests/60293

[merge-train skip]

[ci skip]

[ci skip]

[ci skip]

Prepare 13.11.3-ee release

See merge request gitlab-org/gitlab!60669

Andrew Fontaine authored 3 years ago and GitLab Release Tools Bot committed 3 years ago

Fix Instance-level Project Integration Management page for GitLab FOSS [RUN ALL RSPEC] [RUN-AS-IF-FOSS]

See merge request gitlab-org/gitlab!60354

(cherry picked from commit 8ff4aa03)

037ce621 Initialize Integrations table for admins on FOSS

John Jarvis authored 3 years ago and GitLab Release Tools Bot committed 3 years ago

Revert "Merge branch 'update-auto-build-image-to-0-6-0' into 'master'"

See merge request gitlab-org/gitlab!59775

(cherry picked from commit 9bc0602b)

822f39db Revert "Merge branch 'update-auto-build-image-to-0-6-0' into 'master'"

[merge-train skip]

[ci skip]

[ci skip]

[ci skip]

Do not expose pull mirror username and password

See merge request gitlab-org/security/gitlab!1365

Merge branch 'security-disallow-changing-timestamps-on-issue-create-update-13-11' into '13-11-stable-ee'

Prevent non-owners to set system_note_timestamp

See merge request gitlab-org/security/gitlab!1358

Merge branch 'security-322500-disable-gitaly-branch-pagination-ff-by-default-13-11' into '13-11-stable-ee'

Disable keyset pagination for branches by default

See merge request gitlab-org/security/gitlab!1366

Restrict the dependency proxy auth service

See merge request gitlab-org/security/gitlab!1369

Bump Carrierwave gem to v1.3.2

See merge request gitlab-org/security/gitlab!1357

Merge branch 'security-327155-prevent-mutation-execution-with-read-api-tokens-13-11' into '13-11-stable-ee'

Prevent mutation execution with read api tokens

See merge request gitlab-org/security/gitlab!1374

Verify that read_api tokens cannot run mutations.

Also: adds tests use of OAuth tokens for GraphQL

We make some changes to the sessionless_authentication module
in order to capture the request_authenticator, so that we can access
the token scopes, without making any extra queries.

We ensure we always authorize the mutation, which, like all resolvers,
needs to opt in to the check.

Unlike resolvers, mutations should always raise. So
`BaseMutation.authorized?` raises on failure.

Logic for handling scopes is pushed down to the `ObjectAuthorization`
class, and encapsulated in the `ScopeValidator`, which limits the
methods that can be called by resolvers.

Any objects other than `User` (such as `DeployToken`) are not allowed

Changelog: security

It seems that with this feature flag enabled, pagination doesn't work
correctly in conjunction with a search. The FF is already disabled on
GitLab.com, but disabling it in the YAML file means that self-managed
instances will also be protected from the security issue (unless they
explicitly opt-in to some beta code, of course).

Changelog: security

When an issue is created or updated though API for import
purposes we allow providing created_at and updated_at params
these would then be reflected also in system notes. Only admins
and project owners should be able to set these dates.

Contributes to https://gitlab.com/gitlab-org/gitlab/-/issues/230864

* Remove password value from the pull mirror form
* Hide username from mirror url

[merge-train skip]

[ci skip]

[ci skip]

[ci skip]

Prepare 13.11.1-ee release

See merge request gitlab-org/gitlab!60045

Ash McKenzie authored 3 years ago and GitLab Release Tools Bot committed 3 years ago

Change search string that does not return results

See merge request gitlab-org/gitlab!59945

(cherry picked from commit ed19a0bd)

7d838b6c Change search string that does not return results

Craig Norris authored 3 years ago and GitLab Release Tools Bot committed 3 years ago

Fix Rake command for Pages deploys to object storage

See merge request gitlab-org/gitlab!59764

(cherry picked from commit 3e2e8138)

ec83c25f Fix Rake command for Pages deploys to object storage