Commits · v14.0.7-ee · Peter Leitzen / GitLab

Aug 03, 2021
- Update VERSION files · 2124823b
  GitLab Release Tools Bot authored 3 years ago
  
  [merge-train skip]
  View commits for tag v14.0.7-ee v14.0.7-ee
  
  2124823b
- Update changelog for 14.0.7 · c9a944d6
  GitLab Release Tools Bot authored 3 years ago
  
  [ci skip]
  c9a944d6
- Update Gitaly version to 14.0.7 · 9dcfedd6
  GitLab Release Tools Bot authored 3 years ago
  
  [ci skip]
  9dcfedd6
- Merge branch 'security-validate-project-members-14-0' into '14-0-stable-ee' · b7d2dd14
  GitLab Release Tools Bot authored 3 years ago
  
  Don't allow to add users to project with email different than group sett See merge request gitlab-org/security/gitlab!1563
  b7d2dd14
- Merge branch 'security-nfriend-hide-project-ci-cd-analytics-for-guests-14-0' into '14-0-stable-ee' · b42cfb6b
  Henri Philipps authored 3 years ago
  
  Hide project-level CI/CD Analytics page for Guest users See merge request gitlab-org/security/gitlab!1574
  b42cfb6b
- Merge branch... · fc211098
  GitLab Release Tools Bot authored 3 years ago
  
  Merge branch 'security-not-allow-to-impersonate-tokens-while-impersonation-is-off-14-0' into '14-0-stable-ee' Block pushing with impersonation token if impersonation is disabled See merge request gitlab-org/security/gitlab!1584
  fc211098
- Add project member validation for domain limitation · f9a0e781
  mksionek authored 3 years ago
  
  Changelog: security
  f9a0e781
Aug 02, 2021
- Hide project-level CI/CD Analytics for Guests · 56a17ae8
  Nathan Friend authored 3 years ago
  
  This commit updates the project-level CI/CD Analytics page to not be accessible by Guest users of private projects. Changelog: security
  Unverified
  
  56a17ae8
- Merge branch 'security-jivanvl-fix-pipeline-show-page-permissions-14-0' into '14-0-stable-ee' · 6995cbec
  GitLab Release Tools Bot authored 3 years ago
  
  Add permissions check to pipelines#show action See merge request gitlab-org/security/gitlab!1613
  6995cbec
- Merge branch 'security-336301-let-only-guest-members-edit-metadata-14-0' into '14-0-stable-ee' · 8f7070d8
  GitLab Release Tools Bot authored 3 years ago
  
  Disallow non-members to set issue metadata on issue create See merge request gitlab-org/security/gitlab!1581
  8f7070d8
- Merge branch 'security-email-invite-error-message-14-0' into '14-0-stable-ee' · 80fbb12b
  GitLab Release Tools Bot authored 3 years ago
  
  Do not show email address in error message See merge request gitlab-org/security/gitlab!1597
  80fbb12b
- Merge branch 'security-300265-14-0' into '14-0-stable-ee' · c8e20a49
  GitLab Release Tools Bot authored 3 years ago
  
  Misleading username could lead to impersonation in using SSH Certificates See merge request gitlab-org/security/gitlab!1610
  c8e20a49
- Merge branch 'security-impersonation-tokens-listed-14-0' into '14-0-stable-ee' · c0a09f97
  GitLab Release Tools Bot authored 3 years ago
  
  Remove impersonation token from api response for non-admin user See merge request gitlab-org/security/gitlab!1566
  c0a09f97
- Merge branch 'security-security_dblessing_invite_link_any_email-14-0' into '14-0-stable-ee' · 5273a0ca
  GitLab Release Tools Bot authored 3 years ago
  
  Only allow invite to be accepted by user with matching email See merge request gitlab-org/security/gitlab!1633
  5273a0ca
- Merge branch 'security-djadmin-branch-name-xss-14-0' into '14-0-stable-ee' · 2e2dcdc7
  Robert Speicher authored 3 years ago
  
  Add html escaping for default branch name See merge request gitlab-org/security/gitlab!1631
  2e2dcdc7
- Merge branch 'security-security_dblessing_omniauth_logging-14-0' into '14-0-stable-ee' · 935f6c53
  GitLab Release Tools Bot authored 3 years ago
  
  Configure OmniAuth to use GitLab AppLogger See merge request gitlab-org/security/gitlab!1616
  935f6c53
- Merge branch... · 4c2d8836
  GitLab Release Tools Bot authored 3 years ago
  
  Merge branch 'security-prevent-guests-from-creating-issues-with-sentry-error-14-0' into '14-0-stable-ee' Prevent Guest users from creating issues linked to Sentry errors See merge request gitlab-org/security/gitlab!1588
  4c2d8836
- Merge branch 'security-oauth-0-5-6-14-0' into '14-0-stable-ee' · b14bf78e
  GitLab Release Tools Bot authored 3 years ago
  
  Updates oauth to 0.5.6 See merge request gitlab-org/security/gitlab!1568
  b14bf78e
- Merge branch 'security-fix-protected-environment-access-cleanup-14-0' into '14-0-stable-ee' · c6d41337
  GitLab Release Tools Bot authored 3 years ago
  
  Unauthorized User Can Trigger Deployment to the Protected Environment See merge request gitlab-org/security/gitlab!1607
  c6d41337
- Merge branch 'security-fix-tag-ref-detection-14-0' into '14-0-stable-ee' · 9f41d302
  GitLab Release Tools Bot authored 3 years ago
  
  Fix tag ref detection for pipelines See merge request gitlab-org/security/gitlab!1548
  9f41d302
- Merge branch 'security_299039_restrict_access_for_reporter_and_below_14_0' into '14-0-stable-ee' · 76376a04
  GitLab Release Tools Bot authored 3 years ago
  
  Restrict access to instance-level security features for reporters See merge request gitlab-org/security/gitlab!1539
  76376a04
- Merge branch 'security/sh-mermaid-avoid-html-injection-13-10' into '14-0-stable-ee' · 01201e9a
  GitLab Release Tools Bot authored 3 years ago
  
  [14.0] Fix XSS in Mermaid Markdown rendering See merge request gitlab-org/security/gitlab!1489
  01201e9a
- Merge branch 'security-282445-read-todo-target-14-0' into '14-0-stable-ee' · 7134865f
  GitLab Release Tools Bot authored 3 years ago
  
  Filter todos whose target users no longer have access to [RUN AS-IF-FOSS] See merge request gitlab-org/security/gitlab!1554
  7134865f
Jul 30, 2021

Only allow invite to be accepted by user with matching email · a79d0e6d

Drew Blessing authored 3 years ago

Previously, any user was able to accept an invite even if the
user's email addresses didn't match the invite. A note was
displayed but the invite could still be accepted. With this
change, a user without a matching, confirmed email address
is unable to accept the invite.

Changelog: security

Unverified

a79d0e6d

Add html escaping for default branch name · d26f0c4d

Dheeraj Joshi authored 3 years ago

This escapes html chars for default branch
name value in initializing repository instructions

This is to prevent XSS vulnerability

Changelog: security

d26f0c4d

Jul 28, 2021

Configure OmniAuth to use GitLab AppLogger · dfcff90c

Drew Blessing authored 3 years ago

OmniAuth logger was not being configured properly and some logs
were being dropped. This change ensures OmniAuth log messages
are output to `application.log` and/or `application_json.log`
as appropriate depending on configuration.

Fix Group SAML Spec order dependency

Change `allow/expect_any_instance_of` to
`allow/expect_next_instance_of` to avoid leaking state from other
tests.

Changelog: security

Unverified

dfcff90c

Jul 27, 2021

Add permissions check to pipelines#show action · c611a815

Jose Ivan Vargas Lopez authored 3 years ago

This check renders a 404 in case the user trying
to access the pipeline details page doesn't have enough
permissions

Changelog: security

c611a815

Merge branch 'leipert-browserslist-ugh' into 'master' · 940eaf97

Jose Ivan Vargas Lopez authored 3 years ago and

GitLab Release Tools Bot committed 3 years ago

Disable browserslist warning in CI jobs

See merge request gitlab-org/gitlab!66942

(cherry picked from commit 89dec6ec)

61c4eacf Disable browserslist warning in CI jobs

940eaf97

Merge branch... · fc2074b2

Matthias Käppler authored 3 years ago and

GitLab Release Tools Bot committed 3 years ago

Merge branch '333819-flaky-test-ee-spec-services-iterations-roll_over_issues_service_spec-rb-82-iterations' into 'master'

Resolve broken test on PG11 [RUN ALL RSPEC]

See merge request gitlab-org/gitlab!64230

(cherry picked from commit 39f94c3d)

575b3db9 Fix a spec that was broken with PG11

fc2074b2

Prevent impersonation in gitlab-shell SSH certs · 320457b1
Robert May authored 3 years ago
```
Updates the gitlab-shell version to include a security patch.

Changelog: security
```
320457b1

Fix Protected Environment Accesses Cleanup · 99846cde

Shinya Maeda authored 3 years ago

Protected Environment Accesses were not automatically cleaned up
when a user was removed from the project membership.
Also, the leftover user/group entry in the access list
couldn't be removed manually.

This commit fixes these security related bugs.

Changelog: security
EE: true

99846cde

Jul 22, 2021
- Do not show email address in error message · 5c4adf41
  Dominic Couture authored 3 years ago
  
  Changelog: security EE: true
  5c4adf41
- Disallow non-members to set issue metadata on issue create · 0bb4499e
  Alexandru Croitor authored 3 years ago
  
  When creating an issue a guest member is allowed to set issue metadata, however in public projects authenticated non-members get guest access as well, so we would restrict permission to set issue metadata for non-members specifically. Changelog: security
  0bb4499e
- Prevent guests from linking issues with errors · 94462a56
  Sean Arnold authored 3 years ago
  
  Changelog: security
  94462a56
Jul 20, 2021
- Update VERSION files · 25085912
  GitLab Release Tools Bot authored 3 years ago
  
  [merge-train skip]
  View commits for tag v14.0.6-ee v14.0.6-ee
  
  25085912
- Update changelog for 14.0.6 · b9075df3
  GitLab Release Tools Bot authored 3 years ago
  
  [ci skip]
  b9075df3
- Update Gitaly version to 14.0.6 · a3003937
  GitLab Release Tools Bot authored 3 years ago
  
  [ci skip]
  a3003937
- Merge branch '14-0-stable-ee-patch-6' into '14-0-stable-ee' · efd03b24
  Amy Phillips authored 3 years ago
  
  Prepare 14.0.6-ee release See merge request gitlab-org/gitlab!66403
  efd03b24
- Block impersonation token use if it is not permitted · 31b8bc50
  mksionek authored 3 years ago
  
  Changelog: security
  31b8bc50
- Fix validation method regarding MIME type keys · 2cc6d89c
  alex pooley authored 3 years ago and GitLab Release Tools Bot committed 3 years ago
  
  See https://gitlab.com/gitlab-org/gitlab/-/merge_requests/65954 Changelog: fixed
  2cc6d89c

Admin message

Admin message