path: root/spec
Commit message  [Author, Age, Files, Lines]
...
  * Improve code  [Felipe Artur, 2016-04-05, 1 file, -1/+1]
  * Fix problem when creating milestones in groups without projects  [Felipe Artur, 2016-04-05, 1 file, -0/+6]
* Merge branch 'regex-for-colons' into 'master'  [Douwe Maan, 2016-04-07, 1 file, -0/+115]
    Add optional colon.

    See merge request !3591
  * Remove dumb debug statement and add many tests.  [Jacob Schatz, 2016-04-07, 1 file, -0/+115]
* Merge branch 'master' of dev.gitlab.org:gitlab/gitlabhq  [Grzegorz Bizon, 2016-04-07, 1 file, -0/+101]
    * 'master' of dev.gitlab.org:gitlab/gitlabhq:
      Make sessions controller specs more explicit
      Fix 2FA authentication spoofing vulnerability
      Add specs for sessions controller including 2FA
  * Merge branch 'fix/2fa-authentication-spoofing' into 'master'  [Rémy Coutable, 2016-04-07, 1 file, -0/+101]
      Fix 2FA authentication spoofing

      ## Summary

      This is a security fix for the vulnerability described at https://gitlab.com/gitlab-org/gitlab-ce/issues/14900.

      An attacker was able to bypass password authentication of users that have 2FA enabled, and consequently sign in as a different user, without knowing his password, if he managed to guess the 2FA One Time Password for that user.

      It was also possible to enumerate users and check if they have 2FA enabled, because GitLab responded with a different error for each case.

      ## Fix

      This MR attempts to change the default user search scope if the `otp_user_id` session variable has been set. If it is present, it means that the user has 2FA enabled, and has already been verified with login and password. In this case we should look for the user with `otp_user_id` first, before picking it up by `login`.

      Both 2FA authentication spoofing and 2FA discovery have been covered by specs.

      ## Further work

      Current 2FA code is a bit tricky, so it probably needs some refactoring.

      See merge request !1947
    * Make sessions controller specs more explicit  [Grzegorz Bizon, 2016-04-07, 1 file, -4/+5]
    * Fix 2FA authentication spoofing vulnerability  [Grzegorz Bizon, 2016-04-07, 1 file, -35/+42]
        This commit attempts to change the default user search scope if the otp_user_id session variable has been set. If it is present, it means that the user has 2FA enabled, and has already been verified with login and password. In this case we should look for the user with otp_user_id first, before picking it up by login.
    * Add specs for sessions controller including 2FA  [Grzegorz Bizon, 2016-04-06, 1 file, -0/+93]
        This also contains specs for a bug described in #14900
* Merge branch 'fix-project-404-cache-issue' into 'master'  [Yorick Peterse, 2016-04-07, 1 file, -0/+13]
    Expire caches after project creation to ensure a consistent state

    See merge request !3586
  * Expire caches after project creation to ensure a consistent state  [Stan Hu, 2016-04-07, 1 file, -0/+13]
      Closes #14961
* Merge branch 'update_main_lang_if_unset' into 'master'  [Rémy Coutable, 2016-04-07, 1 file, -5/+21]
    Only update main language if it is not already set

    Related to gitlab-org/gitlab-ce#14937 (but does not fully fix)

    This is a temporary fix so performance isn't affected so much.

    cc @yorickpeterse @ayufan how does this look?

    See merge request !3556
  * Only update main language if it is not already set (branch: update_main_lang_if_unset)  [Drew Blessing, 2016-04-06, 1 file, -5/+21]
* Merge branch 'api-filter-milestone' into 'master'  [Rémy Coutable, 2016-04-07, 1 file, -0/+19]
    API: Ability to filter milestones by state

    Ability to filter milestones by `active` and `closed` state.

    * Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/14931

    See merge request !3566
  * Improve coding and doc style  [Robert Schilling, 2016-04-06, 1 file, -3/+5]
  * API: Ability to filter milestones by state  [Robert Schilling, 2016-04-06, 1 file, -0/+17]
* Merge branch 'feature/expose-builds-badge' into 'master'  [Rémy Coutable, 2016-04-07, 2 files, -1/+66]
    Expose badges

    This MR exposes the badge somewhere in a visible place.

    ![expose_badges](/uploads/d2e290d3013d1ef2b1bdeebbbe2c5d8b/expose_badges.png)

    Closes #13801

    See merge request !3326
  * Add feature specs for list of badges page  [Grzegorz Bizon, 2016-04-06, 1 file, -0/+34]
  * Extend build status badge, add html/markdown methods  [Grzegorz Bizon, 2016-04-06, 1 file, -1/+32]
* Merge branch 'fix_14638' into 'master'  [Rémy Coutable, 2016-04-07, 1 file, -0/+23]
    Fixes #14638.

    The SQL query was ambiguous and in this case we want to filter projects.

    See merge request !3462
  * Fixes #14638.  [PotHix, 2016-04-06, 1 file, -0/+23]
      The SQL query was ambiguous and in this case we want to filter projects.
* Return status code 303 after a branch DELETE operation to avoid project deletion  [Stan Hu, 2016-04-06, 1 file, -0/+14]
    Closes #14994
* Merge branch 'saml-external-groups' into 'master'  [Robert Speicher, 2016-04-07, 1 file, -99/+67]
    Allow SAML to identify external users and set them as such

    Related to #4009
    Fixes #14577

    This allows SAML to retrieve group information from the `SAML Response` and match that to a setting that will flag all matching users as external.

    See merge request !3530
  * Implemented suggested fixes  [Patricio Cano, 2016-04-06, 1 file, -25/+16]
  * Fix error that was causing only one group to be returned and corrected specs to use the proper attribute type  [Patricio Cano, 2016-04-06, 1 file, -1/+6]
  * Removed extra LDAP tests and added tests for the external groups feature  [Patricio Cano, 2016-04-05, 1 file, -22/+46]
  * Remove unnecessary LDAP tests from SAML tests  [Patricio Cano, 2016-04-04, 1 file, -59/+7]
* Merge branch 'patch/fix-markdown-preview-wikis' into 'master'  [Robert Speicher, 2016-04-07, 4 files, -11/+15]
    Wiki preview URL converting problem [via Markdown]

    The current implementation, when rendering the preview, thinks relative links are for project repository files. We are creating a new preview route that will define the correct context data to render for wikis instead.

    Fixes #2380, #1184

    See merge request !3461
  * little refactor and improvements on specs  [Gabriel Mazetto, 2016-04-06, 2 files, -7/+4]
  * Ensure correct filter order to validate with our markdown spec (branch: patch/fix-markdown-preview-wikis)  [Gabriel Mazetto, 2016-04-06, 1 file, -1/+1]
  * Fix a few edited references from WikiLinkFilter and specs  [Gabriel Mazetto, 2016-04-06, 2 files, -4/+6]
  * Fixed WikiPipeline and specs  [Gabriel Mazetto, 2016-04-06, 1 file, -3/+6]
  * Fixed Gollum pages link url expansion to render correctly in preview  [Gabriel Mazetto, 2016-03-30, 1 file, -3/+5]
* Merge branch 'patch/fix-ldap-unblock-user-logic' into 'master'  [Robert Speicher, 2016-04-06, 1 file, -1/+26]
    Unblocks user when active_directory is disabled and it can be found

    We implemented a specific block state to handle user blocking that originates from LDAP filtering rules / directory state in !2242. That introduced a regression in LDAP authentication when Active Directory support was disabled.

    You could have a scenario where the user would temporarily not be found (like a filtering rule), which would mark the user as `ldap_blocked`, but would never unblock it automatically when that state changed.

    Fixes #14253, #13179, #13259, #13959

    See merge request !3550
  * Unblocks user when active_directory is disabled and it can be found (branch: patch/fix-ldap-unblock-user-logic)  [Gabriel Mazetto, 2016-04-05, 1 file, -1/+26]
* Merge branch 'fix-markdown-rendering' into 'master'  [Douwe Maan, 2016-04-06, 1 file, -0/+8]
    Fix header link rendering when containing numbers

    This fixes the problem where Markdown such as:

        ### 31st

    Would get rendered as a link tag pointing to issue number 31 inside a header tag.

    See gitlab-org/gitlab-ce#14936 for more information.

    cc @rspeicher

    See merge request !3568
  * Fix header link rendering when containing numbers (branch: fix-markdown-rendering)  [Yorick Peterse, 2016-04-06, 1 file, -0/+8]
      This fixes the problem where Markdown such as:

          ### 31st

      Would get rendered as a link tag pointing to issue number 31 inside a header tag.

      See gitlab-org/gitlab-ce#14936 for more information.
* Revert "API: Ability to retrieve a single tag"  [Robert Schilling, 2016-04-06, 1 file, -17/+0]
    This reverts commit 7f287c9136d5d1cdda8df170c6e772ca82aad1e9.
* Merge branch 'fix_missing_filters_on_status_tab_change' into 'master'  [Jacob Schatz, 2016-04-06, 1 file, -0/+119]
    Fix missing filters on status tab when user switches to another state

    closes #14769

    ![fixi](/uploads/7733ec714b70b2157104af4b039953c3/fixi.gif)

    See merge request !3482
  * complete the tests (branch: fix_missing_filters_on_status_tab_change)  [Arinde Eniola, 2016-04-06, 1 file, -1/+75]
  * set up test for preventing this issue from reoccurring  [Arinde Eniola, 2016-04-06, 1 file, -0/+45]
* Merge branch 'metrics-measure-block' into 'master'  [Robert Speicher, 2016-04-06, 1 file, -3/+44]
    Support for measuring Ruby blocks using GitLab performance monitoring

    This adds support for measuring timings of arbitrary Ruby blocks.

    Fixes #14710

    See merge request !3515
  * Measure Ruby blocks using Gitlab::Metrics  [Yorick Peterse, 2016-04-06, 1 file, -0/+41]
      This allows measuring timings of arbitrary Ruby blocks, which allows for more fine-grained performance monitoring. Custom values and tags can also be attached to a block.
  * Corrected some spec headers for Gitlab::Metrics  [Yorick Peterse, 2016-04-06, 1 file, -3/+3]
* Ensure empty recipients are rejected in BuildsEmailService  [Rémy Coutable, 2016-04-06, 1 file, -2/+22]
    Signed-off-by: Rémy Coutable <remy@rymai.me>
* API: Ability to retrieve a single tag  [Robert Schilling, 2016-04-06, 1 file, -0/+17]
* Merge branch 'fix-project-path-rename' into 'master'  [Stan Hu, 2016-04-05, 1 file, -0/+22]
    Fix Error 500 after renaming a project path

    Renaming the path of a project would result in an Error 500 due to `@repository` being memoized with the old path. An Error 500 would result:

    ```
    Started GET "/testing2/test1" for 127.0.0.1 at 2016-04-04 12:42:30 +0000
    Processing by ProjectsController#show as HTML
      Parameters: {"namespace_id"=>"testing2", "id"=>"test1"}
    Completed 200 OK in 637ms (Views: 194.2ms | ActiveRecord: 111.8ms)
    Started GET "/testing2/test1/edit" for 127.0.0.1 at 2016-04-04 12:42:33 +0000
    Processing by ProjectsController#edit as HTML
      Parameters: {"namespace_id"=>"testing2", "id"=>"test1"}
    Completed 200 OK in 594ms (Views: 183.8ms | ActiveRecord: 87.4ms)
    Started PATCH "/testing2/test1" for 127.0.0.1 at 2016-04-04 12:42:41 +0000
    Processing by ProjectsController#update as HTML
      Parameters: {"utf8"=>"✓", "authenticity_token"=>"[FILTERED]", "project"=>{"name"=>"test123", "path"=>"test123"}, "namespace_id"=>"testing2", "id"=>"test1"}
    Completed 500 Internal Server Error in 1852ms (ActiveRecord: 124.0ms)

    ActionView::Template::Error (no repository for such path):
        2: %legend
        3: Builds:
        4:
        5: - unless @repository.gitlab_ci_yml
        6: .form-group
        7: .col-sm-offset-2.col-sm-10
        8: %p Builds need to be configured before you can begin using Continuous Integration.
      app/models/repository.rb:59:in `block in empty?'
      lib/repository_cache.rb:19:in `fetch'
      app/models/repository.rb:59:in `empty?'
      app/models/repository.rb:471:in `gitlab_ci_yml'
      app/views/projects/_builds_settings.html.haml:5:in `_app_views_projects__builds_settings_html_haml__782034335636359229_73397600'
      app/views/projects/edit.html.haml:87:in `block in _app_views_projects_edit_html_haml___2388082585934859365_47390860'
      app/views/projects/edit.html.haml:8:in `_app_views_projects_edit_html_haml___2388082585934859365_47390860'
      app/controllers/projects_controller.rb:54:in `block (2 levels) in update'
      app/controllers/projects_controller.rb:43:in `update'
      lib/gitlab/middleware/go.rb:16:in `call'
    ```

    Closes #14885

    See merge request !3528
  * Fix Error 500 after renaming a project path  [Stan Hu, 2016-04-05, 1 file, -0/+22]
      Closes #14885
* Merge branch 'rs-fix-gmail-actions' into 'master'  [Robert Speicher, 2016-04-05, 1 file, -0/+2]
    Premailer shouldn't remove script tags from our emails

    Closes #14943.

    See merge request !3552
  * Premailer shouldn't remove script tags from our emails  [Robert Speicher, 2016-04-05, 1 file, -0/+2]
      Closes #14943.