Commits · 26540c9180f5e4f9317dae1bf8bc1b6be2f7f490 · nexedi / gitlab-ce

26 Nov, 2019 6 commits
- Merge branch 'security-33712-ce-12-5' into '12-5-stable' · 26540c91
  GitLab Release Tools Bot authored Nov 26, 2019
```
Fix private comment Elasticsearch leak

See merge request gitlab/gitlabhq!3546
```
  26540c91
- Merge branch 'security-fix-xss-in-label-namespace-12-5' into '12-5-stable' · 5f9de1e0
  GitLab Release Tools Bot authored Nov 26, 2019
```
Escape namespace in label references

See merge request gitlab/gitlabhq!3550
```
  5f9de1e0
- Merge branch 'security-28802-respect-fork-parent-visibility-12-5' into '12-5-stable' · 70911c7c
  GitLab Release Tools Bot authored Nov 26, 2019
```
Check permissions before showing a forked project's source

See merge request gitlab/gitlabhq!3555
```
  70911c7c
- Merge branch 'security-exclude_ids_attribute_cleaning-12-5-ce' into '12-5-stable' · 1c029e63
  GitLab Release Tools Bot authored Nov 26, 2019
```
Ensure attributes that end in `_ids` are cleaned

See merge request gitlab/gitlabhq!3558
```
  1c029e63
- Spec to ensure `_ids` are cleaned by ImportExport::AttributeCleaner · 518835f7
  Imre Farkas authored Nov 26, 2019
  
  518835f7
- Ensure attributes that end in `_ids` are cleaned · 70f684b5
  DJ Mountney authored Nov 25, 2019
```
This prevents an issue where you can steal other projects objects by
asking for ids that don't belong to you in import.
```
  70f684b5
25 Nov, 2019 2 commits
- Check permissions before showing a forked project's source · 644d125b
  Nick Thomas authored Nov 19, 2019
  
  644d125b
- Escape namespace in label references · ad48a55c
  Heinrich Lee Yu authored Oct 26, 2019
```
When referencing cross-namespace labels, we append the namespace name
to the rendered label.

This MR escapes the name to prevent XSS attacks.
```
  ad48a55c
22 Nov, 2019 10 commits
- Add latest changes from gitlab-org/gitlab@12-5-stable-ee · 4c442bdd
  GitLab Bot authored Nov 22, 2019
  
  4c442bdd
- Add search_helpers changes from security-33712 · 2533dea9
  Dylan Griffith authored Nov 15, 2019
  
  2533dea9
- Fix group created from other test from polluting · b6ea76a0
  Mark Chao authored Nov 14, 2019
  
  b6ea76a0
- Test admin for search accessibility · 60942bef
  Mark Chao authored Nov 14, 2019
```
Disabled features are ignored as they are grey areas
```
  60942bef
- Internalize private project minimum access level · 443db286
  Mark Chao authored Nov 14, 2019
```
Some feature allows GUEST to access only if project is not private.
This method returns access level when targeting private projects.
```
  443db286
- Fix scope to handle private guest permission · 0de1bfea
  Mark Chao authored Oct 22, 2019
```
Guest are blocked to certain feature when project is private,
therefore the scope would filter additionally with REPORTER level.
```
  0de1bfea
- ES: update permission spec table · d5bfeee5
  Mark Chao authored Nov 08, 2019
```
Remove impossible cases due to private project's features can only be
private or disabled.

Fix spec due to sidekiq indexing not triggered.

Update guest use cases: some features has additional constraint that
"Guest users are able to perform action on public/internal projects,
but not private ones."
```
  d5bfeee5
- Update VERSION to 12.5.0 · 1f0ab897
  GitLab Release Tools Bot authored Nov 22, 2019
  
  1f0ab897
- Update CHANGELOG.md for 12.5.0 · 2d143daf
  GitLab Release Tools Bot authored Nov 22, 2019
```
[ci skip]
```
  2d143daf
- Add latest changes from gitlab-org/gitlab@12-5-stable-ee · c6e6f89a
  GitLab Bot authored Nov 22, 2019
  
  c6e6f89a
20 Nov, 2019 4 commits
- Add latest changes from gitlab-org/gitlab@12-5-stable-ee · 89b09399
  GitLab Bot authored Nov 20, 2019
  
  89b09399
- Add latest changes from gitlab-org/gitlab@12-5-stable-ee · bbf697a0
  GitLab Bot authored Nov 20, 2019
  
  bbf697a0
- Add latest changes from gitlab-org/gitlab@12-5-stable-ee · 23e599fb
  GitLab Bot authored Nov 20, 2019
  
  23e599fb
- Add latest changes from gitlab-org/gitlab@12-5-stable-ee · e2d670d5
  GitLab Bot authored Nov 20, 2019
  
  e2d670d5
19 Nov, 2019 3 commits
- Add latest changes from gitlab-org/gitlab@12-5-stable-ee · 43e9756c
  GitLab Bot authored Nov 19, 2019
  
  43e9756c
- Update VERSION to 12.5.0-rc42 · 8664e124
  GitLab Release Tools Bot authored Nov 19, 2019
  
  8664e124
- Add latest changes from gitlab-org/gitlab@12-5-stable-ee · 5a8431fe
  GitLab Bot authored Nov 19, 2019
  
  5a8431fe
18 Nov, 2019 2 commits
- Update VERSION to 12.4.3 · 4d477238
  GitLab Release Tools Bot authored Nov 18, 2019
  
  4d477238
- Update CHANGELOG.md for 12.4.3 · b7ddcd16
  GitLab Release Tools Bot authored Nov 18, 2019
```
[ci skip]
```
  b7ddcd16
15 Nov, 2019 1 commit
- Add latest changes from gitlab-org/gitlab@12-4-stable-ee · b320251a
  GitLab Bot authored Nov 15, 2019
  
  b320251a
04 Nov, 2019 3 commits
- Update VERSION to 12.4.2 · 393a5bda
  GitLab Release Tools Bot authored Nov 04, 2019
  
  393a5bda
- Update CHANGELOG.md for 12.4.2 · 7fb895cb
  GitLab Release Tools Bot authored Nov 04, 2019
```
[ci skip]
```
  7fb895cb
- Add latest changes from gitlab-org/gitlab@12-4-stable-ee · 39b0e286
  GitLab Bot authored Nov 04, 2019
  
  39b0e286
30 Oct, 2019 1 commit
- Merge remote-tracking branch 'dev/12-4-stable' into 12-4-stable · 9fc4650d
  GitLab Release Tools Bot authored Oct 30, 2019
  
  9fc4650d
28 Oct, 2019 2 commits
- Update VERSION to 12.4.1 · 4281915c
  GitLab Release Tools Bot authored Oct 28, 2019
  
  4281915c
- Update CHANGELOG.md for 12.4.1 · 3830617e
  GitLab Release Tools Bot authored Oct 28, 2019
```
[ci skip]
```
  3830617e
25 Oct, 2019 4 commits
- Merge branch 'security-mask-sentry-token-12-4-ce' into '12-4-stable' · 8b69a396
  GitLab Release Tools Bot authored Oct 25, 2019
```
Mask Sentry auth token

See merge request gitlab/gitlabhq!3504
```
  8b69a396
- Merge branch 'security-remove-leaky-401-responses-12.4' into '12-4-stable' · 4f332498
  GitLab Release Tools Bot authored Oct 25, 2019
```
Private/internal repository enumeration via bruteforce on a vulnerable URL

See merge request gitlab/gitlabhq!3491
```
  4f332498
- Merge branch 'security-id-fix-disclosure-of-private-repo-names-12-4' into '12-4-stable' · 44612c0c
  GitLab Release Tools Bot authored Oct 25, 2019
```
Return 404 on LFS request if project doesn't exist

See merge request gitlab/gitlabhq!3506
```
  44612c0c
- Return 404 on LFS request if project doesn't exist · 48ab4c01
  Igor Drozdov authored Oct 25, 2019
  
  48ab4c01
24 Oct, 2019 2 commits
- Merge branch 'security-bvl-validate-force-remove-branch-on-mrs-12-4-ce' into '12-4-stable' · 1581fb4c
  GitLab Release Tools Bot authored Oct 24, 2019
```
Only assign merge params when allowed

See merge request gitlab/gitlabhq!3487
```
  1581fb4c
- Merge branch 'security-wiki-rdoc-content-12-4-ce' into '12-4-stable' · a2c31462
  GitLab Release Tools Bot authored Oct 24, 2019
```
Pass all wiki markup formats through our Banzai pipeline filters

See merge request gitlab/gitlabhq!3485
```
  a2c31462