Commits · d6e2cf8d41eceec30c20b921d9779bbd539ae594 · Robert May / GitLab

Jun 01, 2021
- Update VERSION files · d6e2cf8d
  GitLab Release Tools Bot authored 3 years ago
  
  [merge-train skip]
  View commits for tag v13.11.5-ee v13.11.5-ee
  
  d6e2cf8d
- Update Gitaly version to 13.11.5 · 062f32f1
  GitLab Release Tools Bot authored 3 years ago
  
  [ci skip]
  062f32f1
May 31, 2021
- Merge branch 'security-fix-redirect-csp-13-11' into '13-11-stable-ee' · 3b63574b
  Mayra Cabrera authored 3 years ago
  
  Use tag helper for javascript tag in redirect See merge request gitlab-org/security/gitlab!1458
  3b63574b
- Use tag helper for javascript tag in redirect · 4900d437
  Dominic Couture authored 3 years ago
  
  This will automatically include the nonce for CSP
  Unverified
  
  4900d437
- Merge branch 'security-bump-bindata-version-13-11' into '13-11-stable-ee' · fba561ae
  Alessio Caiazza authored 3 years ago
  
  Bump BinData version See merge request gitlab-org/security/gitlab!1403
  fba561ae
- Bump BinData version · 73d2b47b
  Charlie Ablett authored 3 years ago
  
  Changelog: security
  73d2b47b
- Merge branch 'security-increase-authorization-for-lint-endpoint-13-11' into '13-11-stable-ee' · a0558d19
  Alessio Caiazza authored 3 years ago
  
  Updates authorization for lint See merge request gitlab-org/security/gitlab!1430
  a0558d19
- Merge branch 'security-oauth2-js-redirect-13-11' into '13-11-stable-ee' · a64d65a2
  GitLab Release Tools Bot authored 3 years ago
  
  Adds redirect page to OAuth See merge request gitlab-org/security/gitlab!1442
  a64d65a2
- Merge branch 'security-expired-password-auth-13-11' into '13-11-stable-ee' · a5bb79ef
  GitLab Release Tools Bot authored 3 years ago
  
  Block access to gitlab for users with expired password See merge request gitlab-org/security/gitlab!1445
  a5bb79ef
- Merge branch 'security-limit-projects-shown-on-member-removal-13-11' into '13-11-stable-ee' · c78c8fb5
  Alessio Caiazza authored 3 years ago
  
  Limit rotations when removing members to those accessible to the member See merge request gitlab-org/security/gitlab!1388
  c78c8fb5
- Limit rotations when removing members to those accessible to the member · 01676fbe
  Sean Arnold authored 3 years ago
  
  01676fbe
- Merge branch 'security-access-tokens-in-logs-13-11' into '13-11-stable-ee' · 7fe1f03a
  GitLab Release Tools Bot authored 3 years ago
  
  OAuth implicit grant access tokens are not logged See merge request gitlab-org/security/gitlab!1436
  7fe1f03a
- Merge branch 'security-convert-css-to-xpath-13-11' into '13-11-stable-ee' · 8b4ed69b
  GitLab Release Tools Bot authored 3 years ago
  
  Use xpath instead of css for searching in banzai [RUN AS-IF-FOSS] See merge request gitlab-org/security/gitlab!1415
  8b4ed69b
- Merge branch 'security-markdown-field-limit-13-11' into '13-11-stable-ee' · 2e5ebee4
  GitLab Release Tools Bot authored 3 years ago
  
  Truncate all non-blob markdown to 1MB by default See merge request gitlab-org/security/gitlab!1419
  2e5ebee4
- Merge branch... · da3633e6
  GitLab Release Tools Bot authored 3 years ago
  
  Merge branch 'security-dblessing_update_users_two_factor_required_from_group-13-11' into '13-11-stable-ee' Update users two factor required from group See merge request gitlab-org/security/gitlab!1433
  da3633e6
- Merge branch 'security-atlassian-qsh-13-11' into '13-11-stable-ee' · bd9a3c0f
  GitLab Release Tools Bot authored 3 years ago
  
  Opt in to Atlassians new context qsh See merge request gitlab-org/security/gitlab!1405
  bd9a3c0f
- Merge branch... · 3c4b64f0
  GitLab Release Tools Bot authored 3 years ago
  
  Merge branch 'security-297665-validate-commit-author-for-x509-signatures-13-11-ee' into '13-11-stable-ee' Only verify commit signatures if the user email is verified See merge request gitlab-org/security/gitlab!1386
  3c4b64f0
- Merge branch 'security-prevent-notebook-xss-13-11' into '13-11-stable-ee' · fed3cce9
  GitLab Release Tools Bot authored 3 years ago
  
  Prevent XSS on notebooks See merge request gitlab-org/security/gitlab!1422
  fed3cce9
May 27, 2021
- Merge branch 'msj-description-templates-13-11' into '13-11-stable-ee' · 64dceb1f
  John Skarbek authored 3 years ago
  
  Cherry-pick !62553 into 13-11-stable-ee See merge request gitlab-org/gitlab!62561
  64dceb1f
May 26, 2021
- Block access to GitLab for users with expired password · 1ec1603a
  mksionek authored 3 years ago
  
  Changelog: security
  1ec1603a
- Tweak description templates docs note · 41b4e46d
  Marcin Sedlak-Jakubowski authored 3 years ago
  
  41b4e46d
- Adds redirect page to OAuth · 48fcdb72
  Ron Chan authored 3 years ago
  
  The goal is to make sure the user to go through js-based redirect Changelog: security
  48fcdb72
May 25, 2021

Merge branch 'remove-changelog-requirement-for-db-on-danger-13-11' into '13-11-stable-ee' · 3109950b
John Skarbek authored 3 years ago
```
Remove db changelog requirement from danger

See merge request gitlab-org/gitlab!62509
```
3109950b
Remove db changelog requirement from danger · 85d3e4f3
John Skarbek authored 3 years ago and Mayra Cabrera committed 3 years ago
```
Backports changes from https://gitlab.com/gitlab-org/gitlab/-/merge_requests/62493
into 13-11-stable-ee branch
```
85d3e4f3
Stop logging location record with explicit access token · 70a1763a
mksionek authored 3 years ago
```
Changelog: security

Fix rubocop offence

Add specs for new method

Fix typo in spec title
```
70a1763a

Update users two factor required from group · 28db889d

Drew Blessing authored 3 years ago and

Drew Blessing committed 3 years ago

A background migration to ensure users have the correct setting
when two factor is required by a group they're a member of. A
prior bug caused this setting to be incorrect. That bug is fixed
going forward and this is a one-time fix for existing cases.

Changelog: security

Unverified

28db889d

Updates authorization for lint · 114bd1a6

Laura Montemayor authored 4 years ago

* Force some form of authentication in order to access the lint
endpoint for unauthenticated users on GitLab instances with restrictions
* Adds a method for determining if registration on an instance is
limited based on the above
* Adds specs for all the cases mentioned above

Changelog: security

114bd1a6

Opt in to Atlassians new context qsh · 52401b9b

Lukas Eipert authored 3 years ago

Atlassian introduces a [change to their JWTs for Connect apps][0].

There are two types of JWT, the one being affected (Context JWT) is not
utilized by us. Therefore we do not need to do any code changes in the
auth logic. This change only opts in to the new security model they are
rolling out on June 7th.

For more details see: https://gitlab.com/gitlab-org/gitlab/-/issues/328267

[0]: https://community.developer.atlassian.com/t/action-required-atlassian-connect-vulnerability-allows-bypass-of-app-qsh-verification-via-context-jwts/47072

Changelog: security

52401b9b

May 24, 2021

Only verify commit signatures if the user email is verified · 78d266e3

Nick Thomas authored 3 years ago

Currently, users are able to create "verified" commit signatures for
emails they don't control.

Changelog: security

78d266e3

Prevent XSS on notebooks · 123300cd
Jacques Erasmus authored 3 years ago
```
Prevented the use of data attributes for notebooks.

Changelog: security
```
123300cd

May 22, 2021
- Use xpath search of Nokogiri instead of css search · 626bc425
  Brett Walker authored 3 years ago
  
  For large node trees, xpath is significantly faster and uses less memory Changelog: security
  626bc425
May 21, 2021
- Truncate all non-blob markdown to 1MB by default · d94d150b
  Brett Walker authored 3 years ago
  
  and prepend a user message if the limit is over a certain threshold Changelog: security
  d94d150b
May 14, 2021
- Update VERSION files · d1a2e182
  GitLab Release Tools Bot authored 3 years ago
  
  [merge-train skip]
  View commits for tag v13.11.4-ee v13.11.4-ee
  
  d1a2e182
- Update CHANGELOG.md for 13.11.4-ee · b043060b
  GitLab Release Tools Bot authored 3 years ago
  
  [ci skip]
  b043060b
- Update CHANGELOG-EE.md for 13.11.4-ee · 710409c3
  GitLab Release Tools Bot authored 3 years ago
  
  [ci skip]
  710409c3
- Update Gitaly version to 13.11.4 · e460fc09
  GitLab Release Tools Bot authored 3 years ago
  
  [ci skip]
  e460fc09
- Merge branch '13-11-stable-ee-patch-4' into '13-11-stable-ee' · 2e88268b
  Alessio Caiazza authored 3 years ago
  
  Prepare 13.11.4-ee release See merge request gitlab-org/gitlab!61736
  2e88268b
May 13, 2021

Merge branch '330787-omits-trailing-slash-when-checking-for-allowed-requests' into 'master' · bdd1bbb8

Stan Hu authored 3 years ago and

GitLab Release Tools Bot committed 3 years ago

Omit trailing slash when checking allowed requests in the read-only middleware [RUN ALL RSPEC]

See merge request gitlab-org/gitlab!61641

(cherry picked from commit 205ac619)

128f7287 Omit trailing slash when checking allowed requests
94c80317 Add CHANGELOG entry

bdd1bbb8

Merge branch 'sh-avoid-trailing-slash-in-proxy' into 'master' · f6d13338

Nick Thomas authored 3 years ago and

GitLab Release Tools Bot committed 3 years ago

Omit trailing slash when proxying pre-authorized routes with no suffix

See merge request gitlab-org/gitlab!61638

(cherry picked from commit fe7e3723)

79fc9f2b Omit trailing slash when proxying pre-authorized routes with no suffix

f6d13338

Merge branch 'sh-fix-nplus-one-pipelines-show' into 'master' · fb2f1383

Robert Speicher authored 3 years ago and

GitLab Release Tools Bot committed 3 years ago

Fix N+1 SQL queries in  PipelinesController#show

See merge request gitlab-org/gitlab!60794

(cherry picked from commit ced23566)

035856f8 Fix N+1 SQL queries in PipelinesController#show

fb2f1383

Admin message

Admin message