Commit graph

10 commits

Author SHA1 Message Date
Yorick Peterse
040e6e72bf Merge branch 'ce-security-jej/group-saml-link-origin-verification' into 'master'
Ensure request to link GroupSAML acount was GitLab initiated

See merge request gitlab/gitlabhq!2976
2019-03-04 18:36:26 +00:00
James Edwards-Jones
6548e01f18 Avoid CSRF check on SAML failure endpoint
SAML and OAuth failures should cause a message to be presented, as well
as logging that an attempt was made. These were incorrectly prevented by
the CSRF check on POST endpoints such as SAML.

In addition we were using a NullSession forgery protection, which made
testing more difficult and could have allowed account linking to take
place if a CSRF was ever needed but not present.
2019-02-04 10:10:51 +00:00
James Edwards-Jones
104c8b890d Backport EE GroupSAML origin verification changes 2019-01-23 19:42:16 +00:00
Jasper Maes
4361c92b6a Update gitlab-styles to 2.5.1 2019-01-11 23:59:35 +01:00
Scott Escue
6540a9468a
Preserve URL fragment across sign-in and sign-up redirects
If window.location contains a URL fragment, append the fragment to all sign-in forms, the sign-up form, and all button based providers.
2019-01-10 00:00:38 -06:00
Yorick Peterse
9606dbbb03
Whitelist existing destroy_all offenses
This whitelists all existing places where we use "destroy_all".
2018-08-16 17:29:37 +02:00
Roger Rüttimann
2efe27ba18 Honor saml assurance level to allow 2FA bypassing 2018-06-25 15:32:03 +00:00
Tiago Botelho
161a05b963 Writes specs 2018-03-22 16:05:15 +00:00
James Lopez
140cb0c092 Merge branch 'fix/auth0-unsafe-login-10-6' into 'security-10-6'
[10.6] Fix GitLab Auth0 integration signs in the wrong user

See merge request gitlab/gitlabhq!2354
2018-03-21 14:43:47 +00:00
Robert Speicher
4493ec0880 Merge branch 'jej/fix-disabled-oauth-access-10-3' into 'security-10-3'
[10.3] Prevent login with disabled OAuth providers

See merge request gitlab/gitlabhq!2296

(cherry picked from commit 4936650427ffc88e6ee927aedbb2c724d24b094c)

a0f9d222 Prevents login with disabled OAuth providers
2018-01-16 17:05:01 -08:00