1. 30 May, 2019 3 commits
  2. 28 May, 2019 12 commits
  3. 27 May, 2019 1 commit
    • Kerri Miller's avatar
      Reject slug+uri concat if slug is deemed unsafe · aef4b0a5
      Kerri Miller authored
      First reported:
      When the page slug is "javascript:" and we attempt to link to a relative
      path (using `.` or `..`) the code will concatenate the slug and the uri.
      This MR adds a guard to that concat step that will return `nil` if the
      incoming slug matches against any of the "unsafe" slug regexes;
      currently this is only for the slug "javascript:" but can be extended if
      needed. Manually tested against a non-exhaustive list from OWASP of
      common javascript XSS exploits that have to to with mangling the
      "javascript:" method, and all are caught by this change or by existing
      code that ingests the user-specified slug.
  4. 25 May, 2019 1 commit
  5. 24 May, 2019 1 commit
  6. 23 May, 2019 1 commit
  7. 22 May, 2019 1 commit
    • Douwe Maan's avatar
      Protect Gitlab::HTTP against DNS rebinding attack · 1de0a033
      Douwe Maan authored
      Gitlab::HTTP now resolves the hostname only once, verifies the IP is not
      blocked, and then uses the same IP to perform the actual request, while
      passing the original hostname in the `Host` header and SSL SNI field.
  8. 21 May, 2019 1 commit
  9. 20 May, 2019 1 commit
  10. 19 May, 2019 1 commit
  11. 06 May, 2019 2 commits
    • Mark Chao's avatar
      Validate MR branch names · cec5d2e8
      Mark Chao authored
      Prevents refspec as branch name, which would bypass branch protection
      when used in conjunction with rebase.
      HEAD seems to be a special case with lots of occurrence,
      so it is considered valid for now.
      Another special case is `refs/head/*`, which can be imported.
    • Patrick Derichs's avatar
      Fix url redaction for issue links · fdaf1b10
      Patrick Derichs authored
  12. 01 May, 2019 8 commits
  13. 30 Apr, 2019 7 commits