1. 12 Aug 2019, 2 commits
  2. 10 Aug 2019, 2 commits
  3. 09 Aug 2019, 3 commits
  4. 02 Aug 2019, 1 commit
  5. 01 Aug 2019, 2 commits
  6. 25 Jul 2019, 11 commits
  7. 17 Jul 2019, 3 commits
    • Filter params in MR build service · c32e873a
      Bob Van Landuyt committed
      Reusing the existing `IssuableBaseService#filter_params` which uses
      the policies to determine what params a user can set, and which values
      it can be set to.
      
      This also removed the need for the separate call to
      `IssuableBaseService#ensure_milestone_available`.
      
      The `Issues::BuildService` does not suffer from this because it limits
      the params that are assignable to the `title`, `description` and
      `milestone_id`.
    • Drop feature to take ownership of a trigger token · 65f7b74e
      Fabio Pitino committed
      Removing API and frontend interactions that allowed
      users to take ownership of a trigger token.
      
      Removed mentions from the documentation.
    • Merge branch 'sh-fix-appearance-spec-failure' into 'master' · 8bc768d8
      Douglas Barbosa Alexandre committed
      Fix order-dependent spec failure in appearance_spec.rb
      
      Closes #64083
      
      See merge request gitlab-org/gitlab-ce!30323
  8. 15 Jul 2019, 1 commit
  9. 12 Jul 2019, 1 commit
  10. 09 Jul 2019, 2 commits
    • 50e3b029
    • Extract SanitizeNodeLink and apply to WikiLinkFilter · 056d3eee
      Kerri Miller committed
      The SanitizationFilter was running before the WikiFilter. Since
      WikiFilter can modify links, we could see links that _should_ be stopped
      by SanitizationFilter being rendered on the page. I (kerrizor) had
      previously addressed the bug in: https://gitlab.com/gitlab-org/gitlab-ee/commit/7bc971915bbeadb950bb0e1f13510bf3038229a4
      However, an additional exploit was discovered after that was merged.
      Working through the issue, we couldn't simply shuffle the order of
      filters, due to some implicit assumptions about the order of filters, so
      instead we've extracted the logic that sanitizes a Nokogiri-generated
      Node object, and applied it to the WikiLinkFilter as well.
      
      On moving filters around:
      Once we start moving around filters, we get cascading failures; fix one,
      another one crops up. Many of the existing filters in the WikiPipeline
      chain seem to assume that other filters have already done their work,
      and thus operate on a "transform anything that's left" basis;
      WikiFilter, for instance, assumes any link it finds in the markdown
      should be prepended with the wiki_base_path, but if it does that, it
      also turns `href="@user"` into `href="/path/to/wiki/@user"`, which the
      UserReferenceFilter doesn't see as a user reference it needs to
      transform into a user profile link. This is true for all the reference
      filters in the WikiPipeline.
  11. 05 Jul 2019, 1 commit
    • Use MergeRequest#source_project as permissions reference for MergeRequest#all_pipelines · 51f506ca
      drew cimino committed
      MergeRequest#all_pipelines fetches Ci::Pipeline records from the source
      project, so we should specifically check that project for permissions.
      This was already happening for intra-project merge requests, but in the
      event that the target and source projects both have private builds, we
      should ensure that the project permissions are respected.
  12. 04 Jul 2019, 1 commit
    • Fix Server Side Request Forgery mitigation bypass · c5177d9a
      Francisco Javier López committed
      When we can't resolve the hostname or it is invalid, we shouldn't
      even perform the request. This fix also fixes the problem with the
      SSRF rebinding attack.
      
      We can't stub feature flags outside example blocks. Nevertheless,
      there are some actions that call the UrlBlocker, that are performed
      outside example blocks, i.e. the `set` instruction.
      
      That's why we have to use some signaling mechanism outside the scope
      of the specs.
  13. 01 Jul 2019, 3 commits
  14. 27 Jun 2019, 7 commits