- 12 Aug, 2019 2 commits
-
-
Authored by GitLab Release Tools Bot
-
Authored by GitLab Release Tools Bot
[ci skip]
-
- 10 Aug, 2019 2 commits
-
-
Authored by GitLab Release Tools Bot
-
Authored by GitLab Release Tools Bot
[ci skip]
-
- 09 Aug, 2019 3 commits
-
-
Authored by John Skarbek
Update Gitaly to v1.47.2 for security fix
See merge request gitlab/gitlabhq!3300
-
Authored by Paul Okstad
-
Authored by John Skarbek
Fix gitlab api token recovery
See merge request gitlab/gitlabhq!3292
-
- 02 Aug, 2019 1 commit
-
-
Authored by Vladimir Shushlin
-
- 01 Aug, 2019 2 commits
-
-
Authored by John Jarvis
Fix docs-lint job for 12-0-stable
See merge request gitlab-org/gitlab-ce!31356
-
Authored by Sean McGivern
-
- 25 Jul, 2019 11 commits
-
-
Authored by GitLab Release Tools Bot
-
Authored by GitLab Release Tools Bot
[ci skip]
-
Authored by GitLab Release Tools Bot
Don't display badges when builds are restricted
See merge request gitlab/gitlabhq!3185
-
Authored by GitLab Release Tools Bot
Do not allow localhost url redirection in GitHub Integration
See merge request gitlab/gitlabhq!3206
-
Authored by GitLab Release Tools Bot
Server Side Request Forgery mitigation bypass
See merge request gitlab/gitlabhq!3213
-
Authored by GitLab Release Tools Bot
MR pipeline permissions
See merge request gitlab/gitlabhq!3216
-
Authored by GitLab Release Tools Bot
Extract SanitizeNodeLink and apply to WikiLinkFilter
See merge request gitlab/gitlabhq!3222
-
Authored by GitLab Release Tools Bot
Drop feature to take ownership of a trigger token
See merge request gitlab/gitlabhq!3227
-
Authored by GitLab Release Tools Bot
Merge branch 'security-2873-restrict-slash-commands-to-users-who-can-log-in-12-0' into '12-0-stable'
Restrict slash commands to users who can log in
See merge request gitlab/gitlabhq!3238
-
Authored by GitLab Release Tools Bot
Filter params in MR build service
See merge request gitlab/gitlabhq!3254
-
Authored by GitLab Release Tools Bot
Do not show moved issue ids for user not authorized
See merge request gitlab/gitlabhq!3260
-
- 17 Jul, 2019 3 commits
-
-
Authored by Bob Van Landuyt
Reusing the existing `IssuableBaseService#filter_params` which uses the policies to determine what params a user can set, and which values it can be set to. This also removed the need for the separate call to `IssuableBaseService#ensure_milestone_available`.
The `Issues::BuildService` does not suffer from this because it limits the params that are assignable to the `title`, `description` and `milestone_id`.
-
Authored by Fabio Pitino
Removing API and frontend interactions that allowed users to take ownership of a trigger token. Removed mentions from the documentation.
-
Fix order-dependent spec failure in appearance_spec.rb
Closes #64083
See merge request gitlab-org/gitlab-ce!30323
-
- 15 Jul, 2019 1 commit
-
-
Authored by Felipe Artur
Do not show moved issue id for users that cannot read issue
-
- 12 Jul, 2019 1 commit
-
-
Authored by Hordur Freyr Yngvason
-
- 09 Jul, 2019 2 commits
-
-
Authored by manojmj
-
Authored by Kerri Miller
The SanitizationFilter was running before the WikiFilter. Since WikiFilter can modify links, we could see links that _should_ be stopped by SanitizationFilter being rendered on the page.
I (kerrizor) had previously addressed the bug in: https://gitlab.com/gitlab-org/gitlab-ee/commit/7bc971915bbeadb950bb0e1f13510bf3038229a4
However, an additional exploit was discovered after that was merged. Working through the issue, we couldn't simply shuffle the order of filters, due to some implicit assumptions about the order of filters, so instead we've extracted the logic that sanitizes a Nokogiri-generated Node object, and applied it to the WikiLinkFilter as well.
On moving filters around:
Once we start moving around filters, we get cascading failures; fix one, another one crops up. Many of the existing filters in the WikiPipeline chain seem to assume that other filters have already done their work, and thus operate on a "transform anything that's left" basis; WikiFilter, for instance, assumes any link it finds in the markdown should be prepended with the wiki_base_path... but if it does that, it also turns `href="@user"` into `href="/path/to/wiki/@user"`, which the UserReferenceFilter doesn't see as a user reference it needs to transform into a user profile link. This is true for all the reference filters in the WikiPipeline.
-
- 05 Jul, 2019 1 commit
-
-
Authored by drew cimino
MergeRequest#all_pipelines fetches Ci::Pipeline records from the source project, so we should specifically check that project for permissions. This was already happening for intra-project merge requests, but in the event that the target and source projects both have private builds, we should ensure that the project permissions are respected.
-
- 04 Jul, 2019 1 commit
-
-
Authored by Francisco Javier López
When we can't resolve the hostname or it is invalid, we shouldn't even perform the request. This fix also fixes the problem of the SSRF rebinding attack.
We can't stub feature flags outside example blocks. Nevertheless, there are some actions that call the UrlBlocker, that are performed outside example blocks, i.e. `set` instruction. That's why we have to use some signaling mechanism outside the scope of the specs.
-
- 01 Jul, 2019 3 commits
-
-
Authored by GitLab Release Tools Bot
[ci skip]
-
Authored by Marin Jankovski
Support object storage at FileMover class
See merge request gitlab/gitlabhq!3195
-
Authored by Oswaldo Ferreira
-
- 27 Jun, 2019 7 commits
-
-
Authored by GitLab Release Tools Bot
-
Authored by GitLab Release Tools Bot
[ci skip]
-
Authored by Fabio Pitino
Badges were leaked to unauthorized users even when Public Builds project setting is disabled. Added guard clause to the controller to check if user can read build.
-
Authored by GitLab Release Tools Bot
Ability to write a note in a private snippet
See merge request gitlab/gitlabhq!3142
-
Authored by GitLab Release Tools Bot
Prevent Billion Laughs attack
See merge request gitlab/gitlabhq!3146
-
Authored by GitLab Release Tools Bot
Fix MR head pipeline leak
See merge request gitlab/gitlabhq!3154
-
Authored by GitLab Release Tools Bot
Guests can know whether merge request template name exists or not
See merge request gitlab/gitlabhq!3161
-