Commits · v13.10.5-ee · Robert May / GitLab

Jun 01, 2021
- Update VERSION files · 7327f6c9
  GitLab Release Tools Bot authored 3 years ago
  
  [merge-train skip]
  View commits for tag v13.10.5-ee v13.10.5-ee
  
  7327f6c9
- Update Gitaly version to 13.10.5 · 6522a9a8
  GitLab Release Tools Bot authored 3 years ago
  
  [ci skip]
  6522a9a8
May 31, 2021
- Merge branch 'security-fix-redirect-csp-13-10' into '13-10-stable-ee' · a852e1ee
  Mayra Cabrera authored 3 years ago
  
  Use tag helper for javascript tag in redirect See merge request gitlab-org/security/gitlab!1459
  a852e1ee
- Use tag helper for javascript tag in redirect · ee8c3cce
  Dominic Couture authored 3 years ago
  
  This will automatically include the nonce for CSP
  Unverified
  
  ee8c3cce
- Merge branch 'security-bump-bindata-version-13-10' into '13-10-stable-ee' · 357b361b
  Alessio Caiazza authored 3 years ago
  
  Bump BinData version See merge request gitlab-org/security/gitlab!1402
  357b361b
- Bump BinData version · 784ebe7c
  Charlie Ablett authored 3 years ago
  
  Changelog: security
  784ebe7c
- Merge branch 'security-increase-authorization-for-lint-endpoint-13-10' into '13-10-stable-ee' · 4b1d10ab
  Alessio Caiazza authored 3 years ago
  
  Updates authorization for lint See merge request gitlab-org/security/gitlab!1449
  4b1d10ab
- Merge branch 'security-oauth2-js-redirect-13-10' into '13-10-stable-ee' · 75d992da
  GitLab Release Tools Bot authored 3 years ago
  
  Adds redirect page to OAuth See merge request gitlab-org/security/gitlab!1443
  75d992da
- Merge branch 'security-expired-password-auth-13-10' into '13-10-stable-ee' · fea4e80f
  GitLab Release Tools Bot authored 3 years ago
  
  Block access to gitlab for users with expired password See merge request gitlab-org/security/gitlab!1444
  fea4e80f
- Merge branch 'security-access-tokens-in-logs-13-10' into '13-10-stable-ee' · 6afb05f9
  GitLab Release Tools Bot authored 3 years ago
  
  OAuth implicit grant access tokens are not logged See merge request gitlab-org/security/gitlab!1437
  6afb05f9
- Merge branch 'security-convert-css-to-xpath-13-10' into '13-10-stable-ee' · 625cd124
  GitLab Release Tools Bot authored 3 years ago
  
  Use xpath instead of css for searching in banzai [RUN AS-IF-FOSS] See merge request gitlab-org/security/gitlab!1417
  625cd124
- Merge branch 'security-markdown-field-limit-13-10' into '13-10-stable-ee' · 6607ab12
  GitLab Release Tools Bot authored 3 years ago
  
  Truncate all non-blob markdown to 1MB by default See merge request gitlab-org/security/gitlab!1418
  6607ab12
- Merge branch... · 800743fd
  GitLab Release Tools Bot authored 3 years ago
  
  Merge branch 'security-dblessing_update_users_two_factor_required_from_group-13-10' into '13-10-stable-ee' Update users two factor required from group See merge request gitlab-org/security/gitlab!1434
  800743fd
- Merge branch 'security-atlassian-qsh-13-10' into '13-10-stable-ee' · 5984cd69
  GitLab Release Tools Bot authored 3 years ago
  
  Opt in to Atlassians new context qsh See merge request gitlab-org/security/gitlab!1406
  5984cd69
- Merge branch... · d999596a
  GitLab Release Tools Bot authored 3 years ago
  
  Merge branch 'security-297665-validate-commit-author-for-x509-signatures-13-10-ee' into '13-10-stable-ee' Only verify commit signatures if the user email is verified See merge request gitlab-org/security/gitlab!1387
  d999596a
- Merge branch 'security-prevent-notebook-xss-13-10' into '13-10-stable-ee' · a26ec1d5
  GitLab Release Tools Bot authored 3 years ago
  
  Prevent XSS on notebooks See merge request gitlab-org/security/gitlab!1423
  a26ec1d5
May 27, 2021

Updates authorization for lint · c588e945

* Force some form of authentication in order to access the lint
endpoint for unauthenticated users on GitLab instances with restrictions
* Adds a method for determining if registration on an instance is
limited based on the above
* Adds specs for all the cases mentioned above

Changelog: security

c588e945

Adds redirect page to OAuth · 7881e5bc

Ron Chan authored 3 years ago

The goal is to make sure the user to go through js-based redirect

Changelog: security

Unverified

7881e5bc

May 26, 2021
- Merge remote-tracking branch 'security/remove-db-migrate-from-v12-10-0' into 13-10-stable-ee · 7f4a3c70
  John Skarbek authored 3 years ago
  
  Unverified
  
  7f4a3c70
- Remove `db:migrate-from-v12.10.0` job which fails without `mimemagic` gem · 321ebc04
  Rémy Coutable authored 3 years ago
  
  321ebc04
- Block access to GitLab for users with expired password · aaee1c5a
  mksionek authored 3 years ago
  
  Changelog: security
  aaee1c5a
May 25, 2021

Merge branch 'remove-changelog-requirement-for-db-on-danger-13-10' into '13-10-stable-ee' · e4114754
John Skarbek authored 3 years ago
```
Remove db changelog requirement from danger

See merge request gitlab-org/gitlab!62519
```
e4114754
Remove db changelog requirement from danger · 4ebe6583
John Skarbek authored 3 years ago and Mayra Cabrera committed 3 years ago
```
Backports changes from https://gitlab.com/gitlab-org/gitlab/-/merge_requests/62493
into 13-10-stable-ee branch
```
4ebe6583

Update users two factor required from group · a5ae9d82

Drew Blessing authored 3 years ago and

Drew Blessing committed 3 years ago

A background migration to ensure users have the correct setting
when two factor is required by a group they're a member of. A
prior bug caused this setting to be incorrect. That bug is fixed
going forward and this is a one-time fix for existing cases.

Changelog: security

Unverified

a5ae9d82

Stop logging location record with explicit access token · 9b9278d0
mksionek authored 3 years ago
```
Changelog: security

Fix rubocop offence

Add specs for new method

Fix typo in spec title
```
9b9278d0

Opt in to Atlassians new context qsh · 0ea617b7

Lukas Eipert authored 3 years ago

Atlassian introduces a [change to their JWTs for Connect apps][0].

There are two types of JWT, the one being affected (Context JWT) is not
utilized by us. Therefore we do not need to do any code changes in the
auth logic. This change only opts in to the new security model they are
rolling out on June 7th.

For more details see: https://gitlab.com/gitlab-org/gitlab/-/issues/328267

[0]: https://community.developer.atlassian.com/t/action-required-atlassian-connect-vulnerability-allows-bypass-of-app-qsh-verification-via-context-jwts/47072

Changelog: security

0ea617b7

May 24, 2021

Only verify commit signatures if the user email is verified · 416d70aa

Nick Thomas authored 3 years ago

Currently, users are able to create "verified" commit signatures for
emails they don't control.

Changelog: security

416d70aa

Prevent XSS on notebooks · 9029bfc7
Jacques Erasmus authored 3 years ago
```
Prevented the use of data attributes for notebooks.

Changelog: security
```
9029bfc7

May 22, 2021
- Use xpath search of Nokogiri instead of css search · bad27942
  Brett Walker authored 3 years ago
  
  For large node trees, xpath is significantly faster and uses less memory Changelog: security
  bad27942
May 21, 2021
- Truncate all non-blob markdown to 1MB by default · 2e9f9506
  Brett Walker authored 3 years ago
  
  and prepend a user message if the limit is over a certain threshold Changelog: security
  2e9f9506
Apr 28, 2021
- Merge remote-tracking branch 'dev/13-10-stable-ee' into 13-10-stable-ee · 8203b49b
  GitLab Release Tools Bot authored 3 years ago
  
  8203b49b
Apr 27, 2021
- Update VERSION files · fcf9700a
  GitLab Release Tools Bot authored 3 years ago
  
  [merge-train skip]
  View commits for tag v13.10.4-ee v13.10.4-ee
  
  fcf9700a
- Update CHANGELOG.md for 13.10.4-ee · 080082fb
  GitLab Release Tools Bot authored 3 years ago
  
  [ci skip]
  080082fb
- Update CHANGELOG-EE.md for 13.10.4-ee · b8daaff0
  GitLab Release Tools Bot authored 3 years ago
  
  [ci skip]
  b8daaff0
- Update Gitaly version to 13.10.4 · f6cd5d5c
  GitLab Release Tools Bot authored 3 years ago
  
  [ci skip]
  f6cd5d5c
- Merge branch 'security-mermaid-8-9-2-13-10' into '13-10-stable-ee' · ff8d8953
  Henri Philipps authored 3 years ago
  
  Update mermaid to version 8.9.2 See merge request gitlab-org/security/gitlab!1363
  ff8d8953
- Merge branch 'security-pull-mirror-token-13-9-13-10' into '13-10-stable-ee' · 95d49041
  GitLab Release Tools Bot authored 3 years ago
  
  Do not expose pull mirror username and password See merge request gitlab-org/security/gitlab!1355
  95d49041
- Merge branch... · 7a835d56
  GitLab Release Tools Bot authored 3 years ago
  
  Merge branch 'security-disallow-changing-timestamps-on-issue-create-update-13-10' into '13-10-stable-ee' Prevent non-owners to set system_note_timestamp See merge request gitlab-org/security/gitlab!1359
  7a835d56
- Merge branch... · b7eaee21
  GitLab Release Tools Bot authored 3 years ago
  
  Merge branch 'security-322500-disable-gitaly-branch-pagination-ff-by-default-13-10' into '13-10-stable-ee' Disable keyset pagination for branches by default See merge request gitlab-org/security/gitlab!1367
  b7eaee21
- Merge branch 'security-10io-dependency-proxy-and-deploy-tokens-13-10' into '13-10-stable-ee' · 5d1816f4
  GitLab Release Tools Bot authored 3 years ago
  
  Restrict the dependency proxy auth service See merge request gitlab-org/security/gitlab!1370
  5d1816f4

Admin message

Admin message