delta/gitlab/gitlab-ce.git, branch complexity/descrease-abc-size-threshold

Decrease threshold for ABC Size metric in Rubocop

2016-04-11T08:27:13+00:00

To 60.

Merge branch 'master' of dev.gitlab.org:gitlab/gitlabhq

2016-04-07T12:10:28+00:00

* 'master' of dev.gitlab.org:gitlab/gitlabhq:
  Make sessions controller specs more explicit
  Fix 2FA authentication spoofing vulnerability
  Add specs for sessions controller  including 2FA

Merge branch 'fix/2fa-authentication-spoofing' into 'master'

2016-04-07T11:56:44+00:00


Fix 2FA authentication spoofing

## Summary

This is security fix for vulnerability described at 
https://gitlab.com/gitlab-org/gitlab-ce/issues/14900.

Attacker was able to bypass password authentication of users that have 2FA enabled, and consequently sign is as a different user, without knowing his password, if he managed to guess 2FA One Time Password for that user.

It was also possible to enumerate users and check if they have 2FA enabled, because GitLab responded with different error for each case.

## Fix

This MR attempts to change default user search scope if `otp_user_id` session variable has been set. If it is present, it means that user has 2FA enabled, and has already been verified with login and password. In this case we should look for user with `otp_user_id` first, before picking it up by `login`.

Both, 2FA authentication spoofing and 2FA discovery have been covered by specs.

## Further work

Current 2FA code is a bit tricky, so it probably needs some refactoring.



See merge request !1947

Make sessions controller specs more explicit

2016-04-07T11:16:48+00:00

Merge branch 'fix-project-404-cache-issue' into 'master'

2016-04-07T10:31:04+00:00


Expire caches after project creation to ensure a consistent state

See merge request !3586

Merge branch 'update_main_lang_if_unset' into 'master'

2016-04-07T09:41:51+00:00


Only update main language if it is not already set

Related to gitlab-org/gitlab-ce#14937 (but does not fully fix) This is a temporary fix so performance isn't affected so much. 

cc @yorickpeterse @ayufan how does this look?

See merge request !3556

Fix 2FA authentication spoofing vulnerability

2016-04-07T09:19:29+00:00

This commit attempts to change default user search scope if otp_user_id
session variable has been set. If it is present, it means that user has
2FA enabled, and has already been verified with login and password. In
this case we should look for user with otp_user_id first, before picking
it up by login.

Merge branch 'api-filter-milestone' into 'master'

2016-04-07T08:45:35+00:00


API: Ability to filter milestones by state

Ability to filter milestones by `active` and `closed` state.

* Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/14931

See merge request !3566

Merge branch 'feature/expose-builds-badge' into 'master'

2016-04-07T08:40:15+00:00


Expose badges

This MR exposes badge somewhere in visible place.

![expose_badges](/uploads/d2e290d3013d1ef2b1bdeebbbe2c5d8b/expose_badges.png)

Closes #13801

See merge request !3326

Merge branch 'fix_14638' into 'master'

2016-04-07T08:35:38+00:00


Fixes #14638.

The SQL query was ambiguous and in this case we want to filter projects.

See merge request !3462