- 02 Aug, 2016 9 commits
-
-
Kirill Smelkov authored
Teach GitLab not only to merge changes from a merge-request, but also to apply patches posted to merge-request in a way like `git am` would do - without merge commit and directly on top of current branch. Which way to go is selected by user in web UI, and apply patches is the first option. There are 3 cases: - only 1 commit is present in MR -> the only available option is to apply that single commit as one patch without a merge ( There is no need for merge commit in this case at all: information about user who applied the patch goes to "Committer" field in resultant commit. Avoiding 1 merge per 1 patch results in cleaner history ) It is also possible to review patch description directly in web UI, before doing the actual application, and correct / amend it as needed. - several commits are present in MR: * it is possible to apply the patches directly on top of current branch. Again information about who applied what goes to "Committer" field. * it is possible to merge MR changes with making a merge commit. This variant is useful, when patches from a MR do several logical steps to reach one goal, and MR description contain cover letter for whole patch series. in this case original commits stay untouched and resulting merge will contain MR author as author, user who accepted MR as committer, and cover letter as merge commit message. NOTE we avoid useless "Merge branch X into Y" in merge message, and just put MR title into merge subject and MR description into merge description. This way it is more logical with more important information in merge subject and thus e.g. more handy to oversee what a merge brings, just by it subject, e.g. via looking at updates via gitk --first-parent ... or via web. NOTE for pre-generated references to merge-request we now use full MR URL, instead of !<MR-n>. Full URLs work everywhere, not only on original site where MR was created, or even only in original repo and not its fork on the same site.
-
Kirill Smelkov authored
TODO detect whether request comes from China and only then show ICP (?).
-
Kirill Smelkov authored
We show in small font size the same info that is shown on sign_in page: "GitLab Nexedi Edition", "About GitLab" and "About Nexedi" This is good to have and hereby-introduced about-footer area will be also used in the next patch for ICP too. XXX placement of .about-footer to be near bottom is done not very correctly.
-
Kirill Smelkov authored
Like Omnibus, SlapOS version does not have init script - nothing to check here.
-
Kirill Smelkov authored
This is handy for monitoring tools, which could e.g. periodically call check tasks and instead of parsing output, rely on exit code. The way we detect if something failed is via hooking into String#red, and if anything was ever printed in red - that's an error.
-
Kirill Smelkov authored
-
Kirill Smelkov authored
The default was switched to HTTP in the previous patch, but let's completely remove SSH option - we support only HTTP for git fetch/push.
-
Kirill Smelkov authored
Both fetch and push are possible over https, which is selected by http if gitlab was configured to use https in external url. This way to reduce security vectors and possible ways to interact with gitlab we use https only without ssh at all.
-
Kirill Smelkov authored
= GitLab Community Edition + Nexedi patches
-
- 15 Jun, 2016 1 commit
-
-
Tomasz Maczukin authored
-
- 14 Jun, 2016 4 commits
-
-
Robert Speicher authored
Only show notes through JSON on confidential issues that the user has access to Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/18535 See merge request !1970
-
Tomasz Maczukin authored
-
Robert Speicher authored
Forbid scripting for wiki files Wiki files (not pages - files in the repo) are just sent to the browser with whatever content-type the mime_types gem assigns to them based on their extension. As this is from the same domain as the GitLab application, this is an XSS vulnerability. Set a CSP forbidding all sources for scripting, CSS, XHR, etc. on these files. Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/17298. See merge request !1969
-
Douwe Maan authored
Remove 'unscoped' from project builds selection This is a fix for this security bug: https://gitlab.com/gitlab-org/gitlab-ce/issues/18188 /cc @kamil @grzegorz @stanhu See merge request !1968
-
- 27 Apr, 2016 1 commit
-
-
Robert Speicher authored
-
- 26 Apr, 2016 5 commits
-
-
Robert Speicher authored
[ci skip]
-
Robert Speicher authored
Prevent privilege escalation via notes API Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15577 See merge request !1964
-
Rémy Coutable authored
Prevent users from deleting Webhooks via API they do not own Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15576 See merge request !1959 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Robert Speicher authored
Prevent XSS via custom issue tracker URL Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/15437 See merge request !1955 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Robert Speicher authored
Prevent information disclosure via milestone API Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15579 See merge request !1961
-
- 25 Apr, 2016 6 commits
-
-
Robert Speicher authored
Prevent information disclosure via new merge request page Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15591. See merge request !1963
-
Robert Speicher authored
Prevent privilege escalation via "impersonate" feature Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15548 See merge request !1956
-
Robert Speicher authored
Prevent information disclosure via snippet API Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15580 See merge request !1958
-
Grzegorz Bizon authored
Fix vulnerability that leaks private labels and milestones ## Summary This fixes vulnerability that leaks information about private labels and milestones because of insecure direct object reference in issueable create service. This affects merge requests and issues. See https://gitlab.com/gitlab-org/gitlab-ce/issues/15439 ## Fix This MR introduces additional check that rejects labels and milestone that does not belong to the same project issue/merg request does. ## Further work `IssuableBaseService` may benefit from encapsulating filters in separate class/module, which then may improve coherency in this class. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15439 See merge request !1954
-
Jacob Schatz authored
Fixes XSS injection REF: https://gitlab.com/gitlab-org/gitlab-ce/issues/15434 **Without the fix** ![xss1](/uploads/0a7b0b15fb87066965a7c73f1dbaa815/xss1.gif) **With the fix** ![xss2](/uploads/473cfa0aa80656f24c58aebf1fd97fff/xss2.gif) See merge request !1952
-
Robert Speicher authored
Fixes window.opener bug Adds `noreferrer` value to rel attribute for external links REF: https://gitlab.com/gitlab-org/gitlab-ce/issues/15331 See merge request !1953
-
- 20 Apr, 2016 1 commit
-
-
Rémy Coutable authored
-
- 19 Apr, 2016 4 commits
-
-
Robert Speicher authored
-
Douwe Maan authored
Remove persistent XSS vulnerability in `commit_person_link` helper Because we were incorrectly supplying the tooltip title as `data-original-title` (which Bootstrap's Tooltip JS automatically applies based on the `title` attribute; we should never be setting it directly), the value was being passed through as-is. Instead, we should be supplying the normal `title` attribute and letting Rails escape the value, which also negates the need for us to call `sanitize` on it. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15126 See merge request !1948 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Rémy Coutable authored
[ci skip] Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Douwe Maan authored
Check permissions when sharing project with group ## Summary Unprivileged user was able to share project with group he didn't have access to, and therefore gain partial access to that group, which opened possibilities for further actions like listing private projects in that group. See https://gitlab.com/gitlab-org/gitlab-ce/issues/15330 ## Fix This change introduces additional check for group read access. ## Further work We can think about preventing such problems in the future (this is quite common problem) by moving permissions checks to another layer of abstraction (TBD). Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15330 See merge request !1949 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
- 15 Apr, 2016 5 commits
-
-
Rémy Coutable authored
[ci skip] Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Rémy Coutable authored
-
Rémy Coutable authored
Fix revoking of authorized OAuth applications Users were not able to revoke access to authorized OAuth applications. Clicking the "Revoke" button would result in a 404 page, and the application would still be authorized. Added a spec and also found that the `gon` variables were not being set for this view. Closes #14370 See merge request !3690 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Yorick Peterse authored
Expire the exists cache before deletion to ensure project dir actually exists See merge request !3413 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Rémy Coutable authored
Fix #14753: Check if head is born before trying to detect main language This MR makes sure that head exists before trying to detect the main language. This prevents errors on repo's without a master branch. Closes #14753 See merge request !3654
-
- 07 Apr, 2016 4 commits
-
-
Robert Speicher authored
-
Robert Speicher authored
Unblocks user when active_directory is disabled and it can be found We implemented a specific block state to handle user blocking that originates from LDAP filtering rules / directory state in !2242. That introduced a regression in LDAP authentication when Active Directory support was disabled. You could have a scenario where the user would not be temporarily found (like a filtering rule), that would mark the user as `ldap_blocked`, but will never unblock it automatically when that state changed. Fixes #14253, #13179, #13259, #13959 See merge request !3550
-
Yorick Peterse authored
Update language after doing all other operations See merge request !3533 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Rémy Coutable authored
Fix 2FA authentication spoofing ## Summary This is security fix for vulnerability described at https://gitlab.com/gitlab-org/gitlab-ce/issues/14900. Attacker was able to bypass password authentication of users that have 2FA enabled, and consequently sign is as a different user, without knowing his password, if he managed to guess 2FA One Time Password for that user. It was also possible to enumerate users and check if they have 2FA enabled, because GitLab responded with different error for each case. ## Fix This MR attempts to change default user search scope if `otp_user_id` session variable has been set. If it is present, it means that user has 2FA enabled, and has already been verified with login and password. In this case we should look for user with `otp_user_id` first, before picking it up by `login`. Both, 2FA authentication spoofing and 2FA discovery have been covered by specs. ## Further work Current 2FA code is a bit tricky, so it probably needs some refactoring. See merge request !1947 Signed-off-by: Rémy Coutable <remy@rymai.me>
-