- 29 Oct, 2019 15 commits
  - GitLab Release Tools Bot authored
    Hide private members in project member autocomplete
    See merge request gitlab/gitlabhq!3212
  - GitLab Release Tools Bot authored
    Nested GraphQL query with circular relationship can cause Denial of Service
    See merge request gitlab/gitlabhq!3360
  - GitLab Release Tools Bot authored
    Improper access control allows the attacker to comment in internal commit after they are no longer admin
    See merge request gitlab/gitlabhq!3372
  - Charlie Ablett authored
    Improper access control allows the attacker to comment in internal commit after they are no longer admin
  - GitLab Release Tools Bot authored
    Labels visible despite no access to issues & repositories
    See merge request gitlab/gitlabhq!3409
  - GitLab Release Tools Bot authored
    Project path reveals labels from Private project if the issue is moved to public project
    See merge request gitlab/gitlabhq!3419
  - GitLab Release Tools Bot authored
    Require Maintainer permission on group where project is transferred to
    See merge request gitlab/gitlabhq!3420
  - GitLab Release Tools Bot authored
    Sanitize search text to prevent XSS
    See merge request gitlab/gitlabhq!3453
  - GitLab Release Tools Bot authored
    Private/internal repository enumeration via bruteforce on a vulnerable URL
    See merge request gitlab/gitlabhq!3454
  - GitLab Release Tools Bot authored
    Only assign merge params when allowed
    See merge request gitlab/gitlabhq!3458
  - GitLab Release Tools Bot authored
    Pass all wiki markup formats through our Banzai pipeline filters
    See merge request gitlab/gitlabhq!3461
  - GitLab Release Tools Bot authored
    Mask sentry auth token
    See merge request gitlab/gitlabhq!3462
  - GitLab Release Tools Bot authored
    Use the '\A' and '\z' regex anchors in `InternalRedirect` to mitigate an Open Redirect issue. Closes #2934
    See merge request gitlab/gitlabhq!3466
  - GitLab Release Tools Bot authored
    Filter out search results based on permissions to avoid bugs leaking data
    See merge request gitlab/gitlabhq!3493
  - GitLab Release Tools Bot authored
    Return 404 on LFS request if project doesn't exist
    See merge request gitlab/gitlabhq!3505
- 28 Oct, 2019 1 commit
  - GitLab Release Tools Bot authored
    [ci skip]
- 25 Oct, 2019 1 commit
  - Igor Drozdov authored
- 24 Oct, 2019 9 commits
  - GitLab Bot authored
  - GitLab Bot authored
  - GitLab Bot authored
  - Bob Van Landuyt authored
    When a user updates a merge request coming from a fork, they should not be able to set `force_remove_source_branch` if they cannot push code to the source project. Otherwise developers of the target project could remove the source branch of the source project by setting this flag through the API.
  - Eugenia Grieff authored
  - GitLab Bot authored
  - GitLab Bot authored
  - GitLab Bot authored
  - GitLab Bot authored
- 23 Oct, 2019 14 commits
  - GitLab Bot authored
  - Eugenia Grieff authored
    - Include new types in SystemNoteMetadata
    - Add Label and Milestone reference_pattern to Mentionable::ReferenceRegexes to be checked for cross references
  - GitLab Bot authored
  - GitLab Bot authored
  - GitLab Bot authored
  - GitLab Bot authored
  - GitLab Bot authored
  - GitLab Bot authored
  - charlieablett authored
  - charlieablett authored
  - charlieablett authored
    - List all overly-recursive fields
    - Reduce recursion threshold to 2
    - Add test for not-recursive-enough query
    - Use reusable methods in tests
    - Add changelog
    - Set changeable acceptable recursion level
    - Add error check test helpers
  - Dylan Griffith authored
    This will be used later for search filtering.
  - Dylan Griffith authored
    This is to be more consistent, as there is already a :read_note policy in NotePolicy. To keep other behaviour the same, we've introduced a Note#noteable_ability_name that is used anywhere this was expected.
  - GitLab Bot authored