1. 06 Jun, 2019 7 commits
  2. 30 May, 2019 2 commits
  3. 27 May, 2019 1 commit
    • Kerri Miller's avatar
      Reject slug+uri concat if slug is deemed unsafe · f383ad62
      Kerri Miller authored
      First reported:
        https://gitlab.com/gitlab-org/gitlab-ce/issues/60143
      
      When the page slug is "javascript:" and we attempt to link to a relative
      path (using `.` or `..`) the code will concatenate the slug and the uri.
      This MR adds a guard to that concat step that will return `nil` if the
      incoming slug matches against any of the "unsafe" slug regexes;
      currently this is only for the slug "javascript:" but can be extended if
      needed. Manually tested against a non-exhaustive list from OWASP of
      common javascript XSS exploits that have to to with mangling the
      "javascript:" method, and all are caught by this change or by existing
      code that ingests the user-specified slug.
      f383ad62
  4. 22 May, 2019 1 commit
    • Douwe Maan's avatar
      Protect Gitlab::HTTP against DNS rebinding attack · e2051df6
      Douwe Maan authored
      Gitlab::HTTP now resolves the hostname only once, verifies the IP is not
      blocked, and then uses the same IP to perform the actual request, while
      passing the original hostname in the `Host` header and SSL SNI field.
      e2051df6
  5. 21 May, 2019 1 commit
  6. 06 May, 2019 1 commit
    • Mark Chao's avatar
      Validate MR branch names · d27353be
      Mark Chao authored
      Prevents refspec as branch name, which would bypass branch protection
      when used in conjunction with rebase.
      
      HEAD seems to be a special case with lots of occurrence,
      so it is considered valid for now.
      
      Another special case is `refs/head/*`, which can be imported.
      d27353be
  7. 03 May, 2019 1 commit
  8. 01 May, 2019 2 commits
  9. 30 Apr, 2019 3 commits
  10. 26 Apr, 2019 1 commit
  11. 25 Apr, 2019 1 commit
  12. 24 Apr, 2019 1 commit
  13. 23 Apr, 2019 1 commit
  14. 11 Apr, 2019 5 commits
  15. 02 Apr, 2019 4 commits
  16. 28 Mar, 2019 1 commit
  17. 26 Mar, 2019 1 commit
  18. 25 Mar, 2019 4 commits
  19. 20 Mar, 2019 2 commits