- Dec 10, 2024
-
-
GitLab Release Tools Bot authored
[ci skip]
-
GitLab Release Tools Bot authored
Add timeout around Parslet in template parser
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4654
Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Joe Woodward <jwoodward@gitlab.com>
Co-authored-by: Gavin Hinfey <ghinfey@gitlab.com>
Co-authored-by: Fred Reinink <freinink@gitlab.com>
-
Merge branch 'security-add-timeout-to-template-parser-17-5' into '17-5-stable-ee'
See merge request gitlab-org/security/gitlab!4654
Changelog: security
-
GitLab Release Tools Bot authored
Add authorization check to protectableBranches field
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4595
Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Gavin Hinfey <ghinfey@gitlab.com>
Co-authored-by: Fred Reinink <freinink@gitlab.com>
-
Merge branch 'security-authorize-protectable-branches-field-17-5' into '17-5-stable-ee'
See merge request gitlab-org/security/gitlab!4595
Changelog: security
-
GitLab Release Tools Bot authored
Check harbor name & digest for path traversal
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4628
Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Radamanthus Batnag <rbatnag@gitlab.com>
Approved-by: Greg Myers <gmyers@gitlab.com>
Co-authored-by: moaz-khalifa <mkhalifa@gitlab.com>
-
Merge branch 'security-check-harbor-name-and-digest-for-path-traversal-17-5' into '17-5-stable-ee'
See merge request gitlab-org/security/gitlab!4628
Changelog: security
-
GitLab Release Tools Bot authored
Ignore titles for GFM links in rich text editor
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4650
Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Enrique Alcántara <ealcantara@gitlab.com>
Co-authored-by: Himanshu Kapoor <hkapoor@gitlab.com>
-
Merge branch 'security-rte-link-titles-17-5' into '17-5-stable-ee'
See merge request gitlab-org/security/gitlab!4650
Changelog: security
-
GitLab Release Tools Bot authored
Restrict user and group creation when same pages unique domain exist
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4576
Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Eugie Limpin <elimpin@gitlab.com>
Co-authored-by: ngala <ngala@gitlab.com>
-
Merge branch 'security-unique-domain-takeover-fix-17-5' into '17-5-stable-ee'
See merge request gitlab-org/security/gitlab!4576
Changelog: security
-
GitLab Release Tools Bot authored
DoS by repeatedly sending unauthenticated requests for diff-files of a commit or merge request
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4638
Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Jan Provaznik <jprovaznik@gitlab.com>
Co-authored-by: Javiera Tapia <jtapia@gitlab.com>
-
Merge branch 'security-1216-dos-diff-files-commit-and-merge-requests-17-5' into '17-5-stable-ee'
See merge request gitlab-org/security/gitlab!4638
Changelog: security
-
GitLab Release Tools Bot authored
Add query to filter_parameters
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4626
Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Greg Myers <gmyers@gitlab.com>
Approved-by: David Fernandez <dfernandez@gitlab.com>
Co-authored-by: Radamanthus Batnag <rbatnag@gitlab.com>
-
Merge branch 'security-1222-rbatnag-sanitize-graphql-log-17-5' into '17-5-stable-ee'
See merge request gitlab-org/security/gitlab!4626
Changelog: security
-
GitLab Release Tools Bot authored
Added invalid redirect fragment check
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4605
Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Andrew Evans <aevans@gitlab.com>
Co-authored-by: smriti <sgarg@gitlab.com>
-
Merge branch 'security-1214/verify_redirect_fragment_oauth_login-17-5' into '17-5-stable-ee'
See merge request gitlab-org/security/gitlab!4605
Changelog: security
-
GitLab Release Tools Bot authored
Make confidential threads unresolvable via new issue
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4634
Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Heinrich Lee Yu <heinrich@gitlab.com>
Co-authored-by: David Kim <dkim@gitlab.com>
-
Merge branch 'security-fix-486300-17-5' into '17-5-stable-ee'
See merge request gitlab-org/security/gitlab!4634
Changelog: security
-
GitLab Release Tools Bot authored
Do not set session cookie for /v2 endpoints in the response
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4631
Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Mark Chao <mchao@gitlab.com>
Approved-by: Greg Myers <gmyers@gitlab.com>
Co-authored-by: Dzmitry Meshcharakou <12459192-dmeshcharakou@users.noreply.gitlab.com>
-
Merge branch 'security-494694-17-5' into '17-5-stable-ee'
See merge request gitlab-org/security/gitlab!4631
Changelog: security
-
GitLab Release Tools Bot authored
HTML injection in vulnerability details, leads to XSS on self hosted servers
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4553
Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Himanshu Kapoor <info@fleon.org>
Co-authored-by: Chen Charnolevsky <ccharnolevsky@gitlab.com>
-
Merge branch 'security-480718-xss-vulnerability-details-17-5' into '17-5-stable-ee'
See merge request gitlab-org/security/gitlab!4553
Changelog: security
-
Dat Tang authored
Quarantine Custom model features specs
See merge request !175190
Merged-by: Dat Tang <dattang@gitlab.com>
Approved-by: Mohamed Hamda <mhamda@gitlab.com>
Approved-by: Manoj M J <mmj@gitlab.com>
Co-authored-by: Manoj M J <mmj@gitlab.com>
-
-
- Dec 09, 2024
-
-
Dat Tang authored
Backport !170141 into 17.5
See merge request !171140
Merged-by: Dat Tang <dattang@gitlab.com>
Approved-by: Michael Kozono <mkozono@gitlab.com>
Approved-by: Nick Westbury <nwestbury@gitlab.com>
Co-authored-by: Ian Baum <ibaum@gitlab.com>
-
- Dec 06, 2024
-
-
John Skarbek authored
Merge branch '498768-graphql-subscriptions-ignore-unauthorized-error' into 'master'
See merge request !174581
Merged-by: John Skarbek <jskarbek@gitlab.com>
Approved-by: Heinrich Lee Yu <heinrich@gitlab.com>
Co-authored-by: Bob Van Landuyt <bob@gitlab.com>
-
- Dec 03, 2024
-
-
Bob Van Landuyt authored
Ignore unauthorized subscription errors in SLIs
See merge request !173506
Merged-by: Bob Van Landuyt <bob@gitlab.com>
Approved-by: Bob Van Landuyt <bob@gitlab.com>
Reviewed-by: Bob Van Landuyt <bob@gitlab.com>
Reviewed-by: Heinrich Lee Yu <heinrich@gitlab.com>
Co-authored-by: Heinrich Lee Yu <heinrich@gitlab.com>
-
- Nov 29, 2024
-
-
Dat Tang authored
Backport 'always-build-qa-image-for-release-environments' to 17.5
See merge request !174255
Merged-by: Dat Tang <dattang@gitlab.com>
Approved-by: Mayra Cabrera <mcabrera@gitlab.com>
-
Dat Tang authored
Always build QA image for release-environments
See merge request !174120
Merged-by: Dat Tang <dattang@gitlab.com>
Approved-by: Kev Kloss <kkloss@gitlab.com>
Approved-by: Jenny Kim <yjeankim@gitlab.com>
(cherry picked from commit bdcf9d11)
e594d653 Always build QA image for release-environments
Co-authored-by: Dat Tang <dattang@gitlab.com>
-
- Nov 27, 2024
-
-
Dat Tang authored
Fix 401 errors when installing the GitLab for Jira app
See merge request !173196
Merged-by: Dat Tang <dattang@gitlab.com>
Approved-by: James Nutt <jnutt@gitlab.com>
Approved-by: Nivetha Prabakaran <nprabakaran@gitlab.com>
Co-authored-by: Andy Schoenen <asoiron@gitlab.com>
-
- Nov 26, 2024
-
-
GitLab Release Tools Bot authored
-
GitLab Release Tools Bot authored
[merge-train skip]
-
GitLab Release Tools Bot authored
[ci skip]
-
GitLab Release Tools Bot authored
[ci skip]
-
- Nov 25, 2024
-
-
GitLab Release Tools Bot authored
Add size check for harbor registry
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4599
Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Dzmitry (Dima) Meshcharakou <12459192-dmeshcharakou@users.noreply.gitlab.com>
Co-authored-by: Adie Po <avpfestin@gitlab.com>
-
Merge branch 'security-add-size-check-on-harbor-registry-17-5' into '17-5-stable-ee'
See merge request gitlab-org/security/gitlab!4599
Changelog: security
-
GitLab Release Tools Bot authored
Adding JobArtifactReport class to pre-emptively validate job artifacts
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4568
Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Hordur Freyr Yngvason <hfyngvason@gitlab.com>
Co-authored-by: Max Fan <mfan@gitlab.com>
-
Merge branch 'security-443559-validate-test-reports-17-5' into '17-5-stable-ee'
See merge request gitlab-org/security/gitlab!4568
Changelog: security
-
GitLab Release Tools Bot authored
Fix: unsubscribe from actioncable channel when PAT is revoked
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4550
Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Alejandro Rodríguez <alejandro@gitlab.com>
Co-authored-by: Jeff Park <jpark@gitlab.com>
-