1. 06 Jun, 2019 1 commit
  2. 04 Jun, 2019 3 commits
  3. 03 Jun, 2019 11 commits
  4. 30 May, 2019 7 commits
  5. 28 May, 2019 12 commits
  6. 27 May, 2019 1 commit
    • Kerri Miller's avatar
      Reject slug+uri concat if slug is deemed unsafe · aef4b0a5
      Kerri Miller authored
      First reported:
        https://gitlab.com/gitlab-org/gitlab-ce/issues/60143
      
      When the page slug is "javascript:" and we attempt to link to a relative
      path (using `.` or `..`) the code will concatenate the slug and the uri.
      This MR adds a guard to that concat step that will return `nil` if the
      incoming slug matches against any of the "unsafe" slug regexes;
      currently this is only for the slug "javascript:" but can be extended if
      needed. Manually tested against a non-exhaustive list from OWASP of
      common javascript XSS exploits that have to to with mangling the
      "javascript:" method, and all are caught by this change or by existing
      code that ingests the user-specified slug.
      aef4b0a5
  7. 25 May, 2019 1 commit
  8. 24 May, 2019 1 commit
  9. 23 May, 2019 1 commit
  10. 22 May, 2019 1 commit
    • Douwe Maan's avatar
      Protect Gitlab::HTTP against DNS rebinding attack · 1de0a033
      Douwe Maan authored
      Gitlab::HTTP now resolves the hostname only once, verifies the IP is not
      blocked, and then uses the same IP to perform the actual request, while
      passing the original hostname in the `Host` header and SSL SNI field.
      1de0a033
  11. 21 May, 2019 1 commit