delta/gitlab/gitlab-ce.git/lib/banzai, branch docs-pages-force-https gitlab.com: gitlab-org/gitlab-ce.git Do not rewrite relative links for system notes 2019-06-20T16:15:59+00:00 Mario de la Ossa mariodelaossa@gmail.com 2019-06-19T01:28:18+00:00 35a39c1d3476f0398a2846772e075b9a003bd623 






Allow emoji in label and milestone references
2019-06-07T09:05:57+00:00

Sean McGivern
sean@gitlab.com

2019-06-06T16:49:08+00:00

1617aa27562c6c92c981cadf13f0fb999558e1cc

If we put the emoji filter before the reference filters, each emoji will
have a wrapper element that prevents the reference filter from detecting
the presence of the emoji.

As the emoji filter now runs after the reference filters, references
must contain a literal emoji, not the GitLab Flavored Markdown
versions (:100`, for example).

A weird side-effect is that if you have a label with the 100 emoji, and
a label named :100:, then trying to reference the latter will work (link
to the correct label), but will render with the 100 emoji. I'm
comfortable with that edge case, I think.





If we put the emoji filter before the reference filters, each emoji will
have a wrapper element that prevents the reference filter from detecting
the presence of the emoji.

As the emoji filter now runs after the reference filters, references
must contain a literal emoji, not the GitLab Flavored Markdown
versions (:100`, for example).

A weird side-effect is that if you have a label with the 100 emoji, and
a label named :100:, then trying to reference the latter will work (link
to the correct label), but will render with the 100 emoji. I'm
comfortable with that edge case, I think.







Use Redis for CacheMarkDownField on non AR models
2019-06-05T05:19:59+00:00

Patrick Bajao
ebajao@gitlab.com

2019-06-05T04:59:48+00:00

2eecfd8f9d111c6518930b818a16daea8263b37f

This allows using `CacheMarkdownField` for models that are not backed
by ActiveRecord.

When the including class inherits `ActiveRecord::Base` we include
`Gitlab::MarkdownCache::ActiveRecord::Extension`. This will cause the
markdown fields to be rendered and the generated HTML stored in a
`<field>_html` attribute on the record. We also store the version
used for generating the markdown.

All other classes that include this model will include the
`Gitlab::MarkdownCache::Redis::Extension`. This add the `<field>_html`
attributes to that model and will generate the html in them. The
generated HTML will be cached in redis under the key
`markdown_cache:<class>:<id>`. The class this included in must
therefore respond to `id`.





This allows using `CacheMarkdownField` for models that are not backed
by ActiveRecord.

When the including class inherits `ActiveRecord::Base` we include
`Gitlab::MarkdownCache::ActiveRecord::Extension`. This will cause the
markdown fields to be rendered and the generated HTML stored in a
`<field>_html` attribute on the record. We also store the version
used for generating the markdown.

All other classes that include this model will include the
`Gitlab::MarkdownCache::Redis::Extension`. This add the `<field>_html`
attributes to that model and will generate the html in them. The
generated HTML will be cached in redis under the key
`markdown_cache:<class>:<id>`. The class this included in must
therefore respond to `id`.







Merge branch 'security-60143-address-xss-issue-master' into 'master'
2019-06-03T17:01:25+00:00

Robert Speicher
rspeicher@gmail.com

2019-06-03T17:01:25+00:00

5906fb2e45f352b8fc02f0e98a6148d0c0b2db59

Reject slug+uri concat if slug is deemed unsafe

See merge request gitlab/gitlabhq!3108




Reject slug+uri concat if slug is deemed unsafe

See merge request gitlab/gitlabhq!3108






Merge branch 'security-fix-project-existence-disclosure-master' into 'master'
2019-06-03T12:33:57+00:00

GitLab Release Tools Bot
robert+release-tools@gitlab.com

2019-06-03T12:33:57+00:00

c45c64ce298fab6eca6c54142ab5844a4b2c5c63

Fix url redaction for issue links

See merge request gitlab/gitlabhq!3091




Fix url redaction for issue links

See merge request gitlab/gitlabhq!3091






Reject slug+uri concat if slug is deemed unsafe
2019-05-24T19:33:24+00:00

Kerri Miller
kerrizor@kerrizor.com

2019-05-20T20:24:22+00:00

a76fdcb7a30c6244ffb11a2e672e16d1e5b413b2

First reported:
  https://gitlab.com/gitlab-org/gitlab-ce/issues/60143

When the page slug is "javascript:" and we attempt to link to a relative
path (using `.` or `..`) the code will concatenate the slug and the uri.
This MR adds a guard to that concat step that will return `nil` if the
incoming slug matches against any of the "unsafe" slug regexes;
currently this is only for the slug "javascript:" but can be extended if
needed. Manually tested against a non-exhaustive list from OWASP of
common javascript XSS exploits that have to to with mangling the
"javascript:" method, and all are caught by this change or by existing
code that ingests the user-specified slug.





First reported:
  https://gitlab.com/gitlab-org/gitlab-ce/issues/60143

When the page slug is "javascript:" and we attempt to link to a relative
path (using `.` or `..`) the code will concatenate the slug and the uri.
This MR adds a guard to that concat step that will return `nil` if the
incoming slug matches against any of the "unsafe" slug regexes;
currently this is only for the slug "javascript:" but can be extended if
needed. Manually tested against a non-exhaustive list from OWASP of
common javascript XSS exploits that have to to with mangling the
"javascript:" method, and all are caught by this change or by existing
code that ingests the user-specified slug.







Fix milestone references with HTML entities in the name
2019-05-24T09:07:21+00:00

Sean McGivern
sean@gitlab.com

2019-05-23T14:28:55+00:00

17b97bf029a7085f6b726071a15f5d231510f1b6

When a milestone name contained an HTML entity that would be escaped (&,
<, >), then it wasn't possible to refer to this milestone by name, or
use it in a quick action.

This already worked for labels, but not for milestones. We take care to
re-escape un-matched milestones, too.





When a milestone name contained an HTML entity that would be escaped (&,
<, >), then it wasn't possible to refer to this milestone by name, or
use it in a quick action.

This already worked for labels, but not for milestones. We take care to
re-escape un-matched milestones, too.







Merge branch 'patch-49' into 'master'
2019-05-06T07:41:10+00:00

Sean McGivern
sean@gitlab.com

2019-05-06T07:41:10+00:00

ff64584cfaddb170cfa3a5c647ee4783cdb6058e

No leading/trailing spaces when generating heading ids (Fixes #57528)

Closes #57528

See merge request gitlab-org/gitlab-ce!27025




No leading/trailing spaces when generating heading ids (Fixes #57528)

Closes #57528

See merge request gitlab-org/gitlab-ce!27025






Run rubocop -a on CE files
2019-05-05T10:24:28+00:00

Stan Hu
stanhu@gmail.com

2019-05-05T10:19:14+00:00

f93b2e02a56a3b1f3041119e8302d43aeafc8284












Fix url redaction for issue links
2019-05-03T13:09:20+00:00

Patrick Derichs
pderichs@gitlab.com

2019-05-03T13:09:20+00:00

b0fbf001dab134b6638411f0be209bc0d1460519

Add changelog entry

Add missing href to all redactor specs and removed href assignment

Remove obsolete spec

If original_content is given, it should be used for link content





Add changelog entry

Add missing href to all redactor specs and removed href assignment

Remove obsolete spec

If original_content is given, it should be used for link content