[merge-train skip]

[ci skip]

[ci skip]

[ci skip]

Prevent Denial of Service Attack on gitlab-shell

See merge request gitlab-org/security/gitlab!1200

Prevent SSRF requests for Prometheus when secured by Google IAP

See merge request gitlab-org/security/gitlab!1235

Change authorization policy for /lint

See merge request gitlab-org/security/gitlab!1213

Security check user access on API mr read actions

See merge request gitlab-org/security/gitlab!1219

Prevent exposure of confidential issue titles in file browser

See merge request gitlab-org/security/gitlab!1221

Cancel alive jobs on project deletion [RUN ALL RSPEC] [RUN AS-IF-FOSS]

See merge request gitlab-org/security/gitlab!1247

Allison Browne authored 4 years ago and GitLab Release Tools Bot committed 4 years ago

To avoid using runner resources on deleted projects we
cancel all cancelable jobs as the first step in deletion

Geo-GL-ID should be passed in JWT token so it's protected properly

See merge request gitlab-org/security/gitlab!1218

Limit number of invitations for Free tier groups and projects

See merge request gitlab-org/security/gitlab!1098

Strip the `token_credential_uri` key from user-provided JSON.

Fixes some datetime dependent spec tests

See merge request gitlab-org/gitlab!53382

[merge-train skip]

[ci skip]

[ci skip]

[ci skip]

Sanitize target branch

See merge request gitlab-org/security/gitlab!1201

Add routes for unmatched url for not-get requests

See merge request gitlab-org/security/gitlab!1125

mksionek authored 4 years ago and GitLab Release Tools Bot committed 4 years ago

Add changelog entry

Fix typo in routes

Fix git http spec

Fix uploads routing spec

Add matchers only to project facing paths

Add more specs for new routes

Add different shared examples

Fix rubocop offence

Add failure message to new matcher

Add cr remarks

Add cr remarks

Fix DNS rebinding protection for Outbound Requests

See merge request gitlab-org/security/gitlab!1193

Filter sensitive variables from GraphQL logs

See merge request gitlab-org/security/gitlab!1187

Sanitize XSS in Epic milestone due date

See merge request gitlab-org/security/gitlab!1161

Remove Kubernetes IP address from errors returned in Threat Monitoring

See merge request gitlab-org/security/gitlab!1159

Avoid exposing release links when the user cannot read git-tag/repository

See merge request gitlab-org/security/gitlab!1169

Contributes to https://gitlab.com/gitlab-org/gitlab/-/issues/227040

* Remove general cache for `fetch_logs`
* Add cache for `repository.tree` call
* Add cache for `repository.list_last_commits_for_tree` call
* Add additional tests

There are a number of places where we were not checking for user access
rights (or assuming that authors automatically have them) so we were
potentially in situations where a user could create a merge request,
have their access rights revoked, and they would still be able to access
information or take actions related to their MR. This is potentially a
security issue, so we need to block this potential leak.

it will protect the parameter from tampering

* For /projects/ci/id/lint, change policy to create_pipelinen
* For /ci/lint - enforces user authenication if registration is disabled
* Adds a changelog

Sanitized the target branch to prevent XSS

This fixes DNS rebinding protection bypass when allowing an IP address
in Outbound Requests setting.

Free plan on .com will limit invites to 20 per day.

This uses the same config we setup for config.filter_parameters

[merge-train skip]