1. 08 Apr, 2020 1 commit
  2. 06 Apr, 2020 1 commit
  3. 04 Apr, 2020 2 commits
  4. 03 Apr, 2020 4 commits
  5. 02 Apr, 2020 3 commits
  6. 01 Apr, 2020 1 commit
  7. 31 Mar, 2020 3 commits
  8. 30 Mar, 2020 1 commit
    • Oswaldo Ferreira's avatar
      Bump Labkit version · 837c5ae7
      Oswaldo Ferreira authored
      This version bump refers to fac94cb42 in order to
      support Go Continuous Profiling with versioning.
      
      I.e. Workhorse will provide its build version to
      the profiler and it'll be presented at the Stackdriver
      Profiler UI.
      837c5ae7
  9. 27 Mar, 2020 1 commit
  10. 26 Mar, 2020 1 commit
  11. 25 Mar, 2020 1 commit
  12. 23 Mar, 2020 4 commits
    • Alessio Caiazza's avatar
      Merge branch 'security-193100-ignore-duplicate-multipart-params' into 'master' · 7168c2e3
      Alessio Caiazza authored
      Reject parameters that override upload fields
      
      See merge request gitlab-org/security/gitlab-workhorse!3
      7168c2e3
    • Alessio Caiazza's avatar
      Release v8.28.0 · 3fbf8ef2
      Alessio Caiazza authored
      3fbf8ef2
    • Markus Koller's avatar
      Reject parameters that override upload fields · 7c324521
      Markus Koller authored
      When Workhorse intercepts file uploads, we store the files and send the
      information about the temporary file in new multipart form values called
      `file.path`, `file.size` etc.
      
      Since we're also copying all other multipart form values from the
      original client request, it was possible to override the values we
      set in Workhorse, causing Rails to e.g. load the uploaded file from
      an injected `file.path` parameter.
      
      To avoid this, we check if client parameters have the same name as any
      of our own added fields and reject the request.
      7c324521
    • Markus Koller's avatar
      Always set internally used upload fields · 75a39b0b
      Markus Koller authored
      The `path` and `remote_*` fields are not always set in Workhorse
      depending on the storage type, but still picked up in Rails.
      
      To avoid injecting any client params with the same name, we just set
      these fields to empty strings.
      75a39b0b
  13. 20 Mar, 2020 4 commits
  14. 19 Mar, 2020 1 commit
  15. 17 Mar, 2020 3 commits
  16. 16 Mar, 2020 3 commits
  17. 10 Mar, 2020 2 commits
  18. 03 Mar, 2020 2 commits
  19. 02 Mar, 2020 1 commit
  20. 28 Feb, 2020 1 commit