Commit Graph

52 Commits

Author SHA1 Message Date
Francisco Javier López 537eb0bb2d Avoid checking dns rebind protection in validation 2019-09-05 09:11:14 +00:00
George Koltsov 8abf920d1f Refactor SystemHookUrlValidator and specs
Simplify SystemHookUrlValidator to inherit from PublicUrlValidator
Refactor specs to move out shared examples to be used in both
system hooks and public url validators.
2019-08-02 15:39:18 +01:00
George Koltsov ac7661924e Update security/webhooks.md doc page & specs
Updating security/webhooks.md to match new behaviour
as well as drying up few specs to extract shared
examples
2019-08-02 15:39:18 +01:00
George Koltsov 5a19a43a13 Update translations in gitlab.pot 2019-08-02 15:39:18 +01:00
George Koltsov 7fe145b1b5 Add SystemHookUrlValidator spec 2019-08-02 15:39:18 +01:00
Reuben Pereira 5c7f2853dc Allow blank but not nil in validations
- The most common use case for qualified_domain_validator currently is
to allow blank ([]) but not allow nil. Modify the
qualified_domain_validator to support this use case.
2019-07-31 06:54:03 +00:00
Reuben Pereira 42ecbcad10 Add validator for qualified domain array
- Validate that the entries contain no unicode, html tags and are not
larger than 255 characters.
2019-07-23 19:47:17 +00:00
Heinrich Lee Yu 717824144f Fix color validation regex
Also prevents ReDoS vulnerability
2019-06-25 09:06:26 +08:00
Thong Kuah d119d3d1b2 Align UrlValidator to validate_url gem implementation.
Renamed UrlValidator to AddressableUrlValidator to avoid 'url:' naming collision with ActiveModel::Validations::UrlValidator in 'validates' statement.
Make use of the options attribute of the parent class ActiveModel::EachValidator.
Add more options: allow_nil, allow_blank, message.
Renamed 'protocols' option to 'schemes' to match the option naming from UrlValidator.
2019-04-11 06:29:07 +00:00
Imre Farkas 9bc5ed14fe Move Contribution Analytics related spec in spec/features/groups/group_page_with_external_authorization_service_spec to EE 2019-04-09 15:38:58 +00:00
Andreas Brandl 46b1b9c1d6 Revert "Merge branch 'if-57131-external_auth_to_ce' into 'master'"
This reverts merge request !26823
2019-04-05 13:02:56 +00:00
Imre Farkas d9d7237d2e Move Contribution Analytics related spec in spec/features/groups/group_page_with_external_authorization_service_spec to EE 2019-04-05 11:45:47 +00:00
Francisco Javier López 150f7c1e9c Fix Bitbucket import
In ebf16ada85
we introduced a SHA validator, to ensure that the data provided in
merge request diffs was legit. Nevertheless, the validator
assumed that the SHA should be 40 chars long.

When we import a project from BitBucket, the retrieved SHA is
shorter (12 chars long). Therefore, this validator prevented
creating a valid MergeRequestDiff for every MergeRequest (triggering
an exception).
2019-03-14 10:05:17 +00:00
Stan Hu 6908c5f70e Merge branch 'fix/email_validator' into 'master'
Align EmailValidator to validate_email gem implementation.

Closes #57352

See merge request gitlab-org/gitlab-ce!24971
2019-03-09 00:05:59 +00:00
Horatiu Eugen Vlad c8c0ea6c52 Align EmailValidator to validate_email gem implementation.
Renamed EmailValidator to DeviseEmailValidator to avoid 'email:' naming collision with ActiveModel::Validations::EmailValidator in 'validates' statement.
Make use of the options attribute of the parent class ActiveModel::EachValidator.
Add more options: regex.
2019-03-05 19:56:01 +00:00
Stan Hu ad2f711adf Add frozen_string_literal to new files 2019-03-04 23:19:19 -08:00
Francisco Javier López ebf16ada85 Arbitrary file read via MergeRequestDiff 2019-03-04 18:36:34 +00:00
Roger Rüttimann 3197cd9b6c remove newly supported regex feature from validation error test 2019-01-14 13:42:27 +01:00
Reuben Pereira f40b5860d7 Add table and model for error tracking settings 2019-01-07 17:55:21 +00:00
James Edwards-Jones 72c0059407 Allow URLs to be validated as ascii_only
Restricts unicode characters and IDNA deviations
which could be used in a phishing attack
2018-12-06 15:18:18 +00:00
Cindy Pallares c0e5d9afee Merge branch 'security-fj-crlf-injection' into 'master'
[master] Fix CRLF issue in UrlValidator

See merge request gitlab/gitlabhq!2627
2018-11-28 19:14:06 -05:00
Nick Thomas b73f3ce58f Allow UrlValidator to work with attr_encrypted 2018-09-17 19:34:40 +01:00
Dmitriy Zaporozhets 464b0de1ac Merge branch 'filter-web-hooks-by-branch' into 'master'
Filter web hooks by branch

See merge request gitlab-org/gitlab-ce!19513
2018-09-05 13:39:41 +00:00
Roger Rüttimann 93b9bfd93a Allow whitelisting for "external collaborator by default" setting 2018-08-30 12:53:06 +00:00
Duana Saskia ece6a1ea6e Filter project hooks by branch
Allow specifying a branch filter for a project hook and only trigger
a project hook if either the branch filter is blank or the branch matches.
Only supported for push_events for now.
2018-08-13 13:20:58 +02:00
Francisco Javier López 1418afc2d6 Avoid checking the user format in every url validation 2018-06-11 13:29:37 +00:00
Francisco Javier López 840f80d48b Add validation to webhook and service URLs to ensure they are not blocked because of SSRF 2018-06-01 11:43:53 +00:00
Francisco Javier López 8fe880dc06 Projects and groups badges API 2018-03-05 17:51:40 +00:00
Matija Čupić 9a5ba5c674 Add more information in variable_duplicates validator error message 2018-02-13 23:51:04 +01:00
Matija Čupić e5d9f4a374 Add specs for VariableDuplicates validator 2018-02-13 17:52:33 +01:00
Douwe Maan a03d29da1d Validate User username only on Namespace, and bubble up appropriately 2018-02-06 12:09:03 -06:00
Douwe Maan a10925e1c3 Reallow project paths ending in periods 2017-11-06 14:46:53 +01:00
Robert Speicher 72a7b30c9f Change all `:empty_project` to `:project` 2017-08-02 17:47:31 -04:00
Robert Speicher 9513bd18c4 Ensure all project factories use `:repository` trait or `:empty_project` 2017-08-01 14:51:52 -04:00
Bob Van Landuyt 79393a351d Rebuild the dynamic path before validating it
Otherwise we won't validate updates to the path. Allowing users to
change the path to something that's not allowed.
2017-06-21 16:09:35 +02:00
Bob Van Landuyt 33aed43e9d Avoid crash when trying to parse string with invalid UTF-8 sequence 2017-05-30 15:05:52 +00:00
Douwe Maan 43b1750892 Revert "Remove changes that are not absolutely necessary"
This reverts commit b0498c176f
2017-05-24 20:59:26 +00:00
Douwe Maan b0498c176f Remove changes that are not absolutely necessary 2017-05-23 20:38:35 -05:00
Douwe Maan 4345bb8c50 Fix ambiguous routing issues by teaching router about reserved words 2017-05-23 20:38:24 -05:00
Bob Van Landuyt e2b9420c11 Add a better error message when a certain path is missing 2017-05-02 11:48:54 +02:00
Bob Van Landuyt a035ebbe06 Update path validation & specs 2017-05-02 10:47:01 +02:00
Bob Van Landuyt c853dd6158 Reuse Gitlab::Regex.full_namespace_regex in the DynamicPathValidator 2017-05-02 09:13:41 +02:00
Bob Van Landuyt 08b1bc3489 Reject group-routes as names of child namespaces 2017-05-01 11:14:24 +02:00
Bob Van Landuyt 1e14c3c852 Reject paths following namespace for paths including 2 `*`
Reject the part following `/*namespace_id/:project_id` for paths
containing 2 wildcard parameters
2017-05-01 11:14:24 +02:00
Bob Van Landuyt ea8e86dac8 Use `%r{}` regexes to avoid having to escape `/` 2017-05-01 11:14:24 +02:00
Bob Van Landuyt e50f4bc066 The dynamic path validator can block out partial paths
So we can block `objects` only when it is contained in `info/lfs` or `gitlab-lfs`
2017-05-01 11:14:24 +02:00
Bob Van Landuyt c5059cb4f7 Make path validation case-insensitive 2017-05-01 11:14:24 +02:00
Bob Van Landuyt bccf8d86c5 Rename `NamespaceValidator` to `DynamicPathValidator`
This reflects better that it validates paths instead of a namespace model
2017-05-01 11:14:24 +02:00
Bob Van Landuyt f7511caa5f Split off validating full paths
The first part of a full path needs to be validated as a `top_level`
while the rest need to be validated as `wildcard`
2017-05-01 11:14:24 +02:00
Bob Van Landuyt e4f5b7ca21 Improve detection of reserved words from routes 2017-05-01 11:14:24 +02:00