delta/gitlab/gitlab-ce.git/lib/banzai, branch docs/api-single-codebase

Merge branch 'master' of gitlab.com:gitlab-org/gitlab-ce

2019-07-03T09:55:56+00:00

Merge branch 'security-DOS_issue_comments_banzai' into 'master'

2019-07-02T06:22:45+00:00

Fix DOS when rendering issue/MR comments

See merge request gitlab/gitlabhq!3152

Fix attachments using the wrong URLs in e-mails

2019-06-29T05:08:46+00:00

Prior to https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/29889,
only the project context were set for the Markdown renderer. For a note
on an issuable, the group context was set to `nil` because
`note.noteable.try(:group)` attempted to get the issuable's group, which
doesn't exist.

To make group notifications work, now both the project and group context
are set. The context gets passed to `RelativeLinkFilter`, which
previously assumed that it wasn't possible to have both a group and a
project in the Markdown context. However, if a group were defined, it
would take precedence, and the URL rendered for uploads would be
`/group/-/uploads` instead of `/group/project/uploads/`. This led to
404s in e-mails.

However, now that we have both project and group in the context, we
render the Markdown giving priority to the project context if is set.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/63910

Do not rewrite relative links for system notes

2019-06-20T16:15:59+00:00

Fix DOS when rendering issue/MR comments

2019-06-14T01:38:21+00:00

Allow emoji in label and milestone references

2019-06-07T09:05:57+00:00

If we put the emoji filter before the reference filters, each emoji will
have a wrapper element that prevents the reference filter from detecting
the presence of the emoji.

As the emoji filter now runs after the reference filters, references
must contain a literal emoji, not the GitLab Flavored Markdown
versions (:100`, for example).

A weird side-effect is that if you have a label with the 100 emoji, and
a label named :100:, then trying to reference the latter will work (link
to the correct label), but will render with the 100 emoji. I'm
comfortable with that edge case, I think.

Use Redis for CacheMarkDownField on non AR models

2019-06-05T05:19:59+00:00

This allows using `CacheMarkdownField` for models that are not backed
by ActiveRecord.

When the including class inherits `ActiveRecord::Base` we include
`Gitlab::MarkdownCache::ActiveRecord::Extension`. This will cause the
markdown fields to be rendered and the generated HTML stored in a
`_html` attribute on the record. We also store the version
used for generating the markdown.

All other classes that include this model will include the
`Gitlab::MarkdownCache::Redis::Extension`. This add the `_html`
attributes to that model and will generate the html in them. The
generated HTML will be cached in redis under the key
`markdown_cache::`. The class this included in must
therefore respond to `id`.

Merge branch 'security-60143-address-xss-issue-master' into 'master'

2019-06-03T17:01:25+00:00

Reject slug+uri concat if slug is deemed unsafe

See merge request gitlab/gitlabhq!3108

Merge branch 'security-fix-project-existence-disclosure-master' into 'master'

2019-06-03T12:33:57+00:00

Fix url redaction for issue links

See merge request gitlab/gitlabhq!3091

Reject slug+uri concat if slug is deemed unsafe

2019-05-24T19:33:24+00:00

First reported:
  https://gitlab.com/gitlab-org/gitlab-ce/issues/60143

When the page slug is "javascript:" and we attempt to link to a relative
path (using `.` or `..`) the code will concatenate the slug and the uri.
This MR adds a guard to that concat step that will return `nil` if the
incoming slug matches against any of the "unsafe" slug regexes;
currently this is only for the slug "javascript:" but can be extended if
needed. Manually tested against a non-exhaustive list from OWASP of
common javascript XSS exploits that have to to with mangling the
"javascript:" method, and all are caught by this change or by existing
code that ingests the user-specified slug.