Commits · dcd41063d3a01326a13ed1e0f53e748a62fc7d11 · nexedi / gitlab-ce

09 Dec, 2019 2 commits
- Update CHANGELOG.md for 12.5.4 · dcd41063
  GitLab Release Tools Bot authored Dec 09, 2019
```
[ci skip]
```
  dcd41063
- Merge branch 'security-37766-transfer-group-reindex-ce-12-5' into '12-5-stable' · 3fe0553e
  Alessio Caiazza authored Dec 09, 2019
```
Trigger Elasticsearch indexing when public group moved to private

See merge request gitlab/gitlabhq!3577
```
  3fe0553e
06 Dec, 2019 1 commit

Trigger Elasticsearch indexing when public group moved to private · 1a7c008f

Dylan Griffith authored Dec 06, 2019

This fixes https://gitlab.com/gitlab-org/gitlab/issues/37766 which is
caused by the fact that we leave the stale permissions data in the index
after a group is moved to another group.

1a7c008f

05 Dec, 2019 1 commit
- Add latest changes from gitlab-org/gitlab@12-5-stable-ee · 0330bd0a
  GitLab Bot authored Dec 05, 2019
  
  0330bd0a
03 Dec, 2019 4 commits
- Add latest changes from gitlab-org/gitlab@12-5-stable-ee · 952e4894
  GitLab Bot authored Dec 03, 2019
  
  952e4894
- Update VERSION to 12.5.3 · 225d2e5b
  GitLab Release Tools Bot authored Dec 03, 2019
  
  225d2e5b
- Update CHANGELOG.md for 12.5.3 · f033ece0
  GitLab Release Tools Bot authored Dec 03, 2019
```
[ci skip]
```
  f033ece0
- Add latest changes from gitlab-org/gitlab@12-5-stable-ee · 662bb2b6
  GitLab Bot authored Dec 03, 2019
  
  662bb2b6
27 Nov, 2019 6 commits
- Add latest changes from gitlab-org/gitlab@12-5-stable-ee · ed8af410
  GitLab Bot authored Nov 27, 2019
  
  ed8af410
- Merge remote-tracking branch 'dev/12-5-stable' into 12-5-stable · 5413c6cd
  GitLab Release Tools Bot authored Nov 27, 2019
  
  5413c6cd
- Update VERSION to 12.5.2 · 49482945
  GitLab Release Tools Bot authored Nov 27, 2019
  
  49482945
- Update CHANGELOG.md for 12.5.2 · c5a922b1
  GitLab Release Tools Bot authored Nov 27, 2019
```
[ci skip]
```
  c5a922b1
- Add latest changes from gitlab-org/gitlab@12-5-stable-ee · ec764103
  GitLab Bot authored Nov 27, 2019
  
  ec764103
- Merge remote-tracking branch 'dev/12-5-stable' into 12-5-stable · 52b9f101
  GitLab Release Tools Bot authored Nov 27, 2019
  
  52b9f101
26 Nov, 2019 16 commits
- Merge branch 'security-dos-issue-and-commit-comments-12-5' into '12-5-stable' · ef6512ad
  GitLab Release Tools Bot authored Nov 26, 2019
```
Fix invalid byte sequence

See merge request gitlab/gitlabhq!3547
```
  ef6512ad
- Update VERSION to 12.5.1 · 79a183ea
  GitLab Release Tools Bot authored Nov 26, 2019
  
  79a183ea
- Update CHANGELOG.md for 12.5.1 · 0994af92
  GitLab Release Tools Bot authored Nov 26, 2019
```
[ci skip]
```
  0994af92
- Merge branch 'security-29660-update-dependencies-12-5' into '12-5-stable' · 1bc5f5c4
  GitLab Release Tools Bot authored Nov 26, 2019
```
Update Workhorse and Gitaly to fix a security issue

See merge request gitlab/gitlabhq!3531
```
  1bc5f5c4
- Merge branch 'security-aws-secret-key-2937-ce-12-5' into '12-5-stable' · 6584ed51
  GitLab Release Tools Bot authored Nov 26, 2019
```
Hide AWS secret on Admin Integration page

See merge request gitlab/gitlabhq!3532
```
  6584ed51
- Hide AWS secret on Admin Integration page · 2649b160
  Justin Ho Tuan Duong authored Nov 26, 2019
  
  2649b160
- Merge branch 'security-ag-cycle-analytics-guest-permissions-12-5' into '12-5-stable' · ccb32647
  GitLab Release Tools Bot authored Nov 26, 2019
```
Prevent guests from seeing commits for cycle analytics

See merge request gitlab/gitlabhq!3534
```
  ccb32647
- Merge branch 'security-filter-related-branches-from-activity-feed-12.5' into '12-5-stable' · 83e8f432
  GitLab Release Tools Bot authored Nov 26, 2019
```
Related Branches Visible to Guests in Issue Activity

See merge request gitlab/gitlabhq!3538
```
  83e8f432
- Merge branch 'security-2943-encrypt-plaintext-tokens-12-5' into '12-5-stable' · 7d028ae6
  GitLab Release Tools Bot authored Nov 26, 2019
```
GitLab stores AWS, Slack, Askimet, reCaptcha tokens in plaintext

See merge request gitlab/gitlabhq!3543
```
  7d028ae6
- Merge branch 'security-dns-rebind-ssrf-in-slack-notifications-12-5-ce' into '12-5-stable' · 96d91c78
  GitLab Release Tools Bot authored Nov 26, 2019
```
Use Gitlab::HTTP for all chat notifications

See merge request gitlab/gitlabhq!3544
```
  96d91c78
- Merge branch 'security-33712-ce-12-5' into '12-5-stable' · 26540c91
  GitLab Release Tools Bot authored Nov 26, 2019
```
Fix private comment Elasticsearch leak

See merge request gitlab/gitlabhq!3546
```
  26540c91
- Merge branch 'security-fix-xss-in-label-namespace-12-5' into '12-5-stable' · 5f9de1e0
  GitLab Release Tools Bot authored Nov 26, 2019
```
Escape namespace in label references

See merge request gitlab/gitlabhq!3550
```
  5f9de1e0
- Merge branch 'security-28802-respect-fork-parent-visibility-12-5' into '12-5-stable' · 70911c7c
  GitLab Release Tools Bot authored Nov 26, 2019
```
Check permissions before showing a forked project's source

See merge request gitlab/gitlabhq!3555
```
  70911c7c
- Merge branch 'security-exclude_ids_attribute_cleaning-12-5-ce' into '12-5-stable' · 1c029e63
  GitLab Release Tools Bot authored Nov 26, 2019
```
Ensure attributes that end in `_ids` are cleaned

See merge request gitlab/gitlabhq!3558
```
  1c029e63
- Spec to ensure `_ids` are cleaned by ImportExport::AttributeCleaner · 518835f7
  Imre Farkas authored Nov 26, 2019
  
  518835f7
- Ensure attributes that end in `_ids` are cleaned · 70f684b5
  DJ Mountney authored Nov 25, 2019
```
This prevents an issue where you can steal other projects objects by
asking for ids that don't belong to you in import.
```
  70f684b5
25 Nov, 2019 3 commits

Check permissions before showing a forked project's source · 644d125b
Nick Thomas authored Nov 19, 2019

644d125b

Encrypt application settings with pre and post deployments · cc9a30c7

Arturo Herrero authored Nov 22, 2019

We had concerns about the cached values on Redis with the previous two
releases strategy:

First release (this commit):
  - Create new encrypted fields in the database.
  - Start populating new encrypted fields, read the encrypted fields or
    fallback to the plaintext fields.
  - Backfill the data removing the plaintext fields to the encrypted
    fields.
Second release:
  - Remove the virtual attribute (created in step 2).
  - Drop plaintext columns from the database (empty columns after
    step 3).

We end up with a better strategy only using migration scripts in one
release:
  - Pre-deployment migration: Add columns required for storing encrypted
    values.
  - Pre-deployment migration: Store the encrypted values in the new
    columns.
  - Post-deployment migration: Remove the old unencrypted columns

cc9a30c7

Escape namespace in label references · ad48a55c

Heinrich Lee Yu authored Oct 26, 2019

When referencing cross-namespace labels, we append the namespace name
to the rendered label.

This MR escapes the name to prevent XSS attacks.

ad48a55c

22 Nov, 2019 7 commits
- Add latest changes from gitlab-org/gitlab@12-5-stable-ee · 4c442bdd
  GitLab Bot authored Nov 22, 2019
  
  4c442bdd
- Fix invalid byte sequence · 5bdc90c2
  Patrick Derichs authored Nov 22, 2019
  
  5bdc90c2
- Add search_helpers changes from security-33712 · 2533dea9
  Dylan Griffith authored Nov 15, 2019
  
  2533dea9
- Fix group created from other test from polluting · b6ea76a0
  Mark Chao authored Nov 14, 2019
  
  b6ea76a0
- Test admin for search accessibility · 60942bef
  Mark Chao authored Nov 14, 2019
```
Disabled features are ignored as they are grey areas
```
  60942bef
- Internalize private project minimum access level · 443db286
  Mark Chao authored Nov 14, 2019
```
Some feature allows GUEST to access only if project is not private.
This method returns access level when targeting private projects.
```
  443db286
- Fix scope to handle private guest permission · 0de1bfea
  Mark Chao authored Oct 22, 2019
```
Guest are blocked to certain feature when project is private,
therefore the scope would filter additionally with REPORTER level.
```
  0de1bfea