[merge-train skip]

[ci skip]

[ci skip]

Do not create a pipeline on MR refresh if source branch was deleted

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4522



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Igor Drozdov <idrozdov@gitlab.com>
Co-authored-by: Patrick Bajao <ebajao@gitlab.com>

Patrick Bajao authored 4 months ago and GitLab Release Tools Bot committed 4 months ago

Merge branch 'security-mr-delete-source-branch-no-pipeline-17-4' into '17-4-stable-ee'

See merge request gitlab-org/security/gitlab!4522

Changelog: security

Escape OAuth application name on authorize page

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4517



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Andrew Evans <aevans@gitlab.com>
Co-authored-by: Drew Blessing <drew@gitlab.com>

Drew Blessing authored 4 months ago and GitLab Release Tools Bot committed 4 months ago

Merge branch 'security-dblessing_oauth_authorization_html_escape-17-4' into '17-4-stable-ee'

See merge request gitlab-org/security/gitlab!4517

Changelog: security

Prevent guest access to project templates

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4477



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Ash McKenzie <amckenzie@gitlab.com>
Co-authored-by: Emma Park <epark@gitlab.com>

Emma Park authored 4 months ago and GitLab Release Tools Bot committed 4 months ago

Merge branch 'security-462108/disclose-project-templates-17-4' into '17-4-stable-ee'

See merge request gitlab-org/security/gitlab!4477

Changelog: security

Remove access to local requests via cube query service

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4492



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Halil Coban <hcoban@gitlab.com>
Co-authored-by: Max Woolf <max@woolf.io>

Max Woolf authored 4 months ago and GitLab Release Tools Bot committed 4 months ago

Merge branch 'security-product-analytics-ssrf-cube-localhost-17-4' into '17-4-stable-ee'

See merge request gitlab-org/security/gitlab!4492

Changelog: security

External webhook token should be set

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4510



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Dylan Griffith <dyl.griffith@gmail.com>
Co-authored-by: Ash McKenzie <amckenzie@gitlab.com>

Jerry Seto authored 4 months ago and GitLab Release Tools Bot committed 4 months ago

Merge branch 'security-revert-19072-alt-17-4' into '17-4-stable-ee'

See merge request gitlab-org/security/gitlab!4510

Changelog: security

Skip content when listing conflict files with types

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4513



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Jarka Košanová <jarka@gitlab.com>
Co-authored-by: Patrick Bajao <ebajao@gitlab.com>

Patrick Bajao authored 4 months ago and GitLab Release Tools Bot committed 4 months ago

Merge branch 'security-mr-conflicts-slow-17-4' into '17-4-stable-ee'

See merge request gitlab-org/security/gitlab!4513

Changelog: security

Hide version info from unauthorized users

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4500



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Gary Holtz <gholtz@gitlab.com>
Co-authored-by: Paul Gascou-Vaillancourt <paul.gascvail@gmail.com>

Paul Gascou-Vaillancourt authored 4 months ago and GitLab Release Tools Bot committed 4 months ago

Merge branch 'security-instance-version-publicly-disclosed-17-4' into '17-4-stable-ee'

See merge request gitlab-org/security/gitlab!4500

Changelog: security

Prevent deploy keys from pushing code to an archived project

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4486



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Ethan Urie <eurie@gitlab.com>
Co-authored-by: Tiger <twatson@gitlab.com>

Tiger Watson authored 4 months ago and GitLab Release Tools Bot committed 4 months ago

Merge branch 'security-prevent-deploy-key-pushing-to-archived-project-17-4' into '17-4-stable-ee'

See merge request gitlab-org/security/gitlab!4486

Changelog: security

[Backport] Go-get: fix 401 error for unauthenticated requests

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/167937



Merged-by: Vasilii Iakliushin <viakliushin@gitlab.com>
Approved-by: Gavin Hinfey <ghinfey@gitlab.com>
Reviewed-by: Duo Code Reviewer <duo-code-review-bot@gitlab.com>

Drop project_id not null constraint ci_deleted_objects

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/168156



Merged-by: Marius Bobin <mbobin@gitlab.com>
Approved-by: Marius Bobin <mbobin@gitlab.com>
Co-authored-by: Maxime Orefice <morefice@gitlab.com>

Restrict duo pro assignment email to duo pro for sm

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/168238



Merged-by: Rodrigo Tomonari <rtomonari@gitlab.com>
Approved-by: Rodrigo Tomonari <rtomonari@gitlab.com>
Co-authored-by: Doug Stull <dstull@gitlab.com>

Restrict duo pro assignment email to duo pro for sm

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166738



Merged-by: Rodrigo Tomonari <rtomonari@gitlab.com>
Approved-by: Jay Montal <jmontal@gitlab.com>
Approved-by: Rodrigo Tomonari <rtomonari@gitlab.com>
Reviewed-by: Jay Montal <jmontal@gitlab.com>
Co-authored-by: rliu-gl <rliu@gitlab.com>

(cherry picked from commit 2aac219d)

39f4cfbb Restrict duo pro assignment email to duo pro for sm

Co-authored-by: Rodrigo Tomonari <rtomonari@gitlab.com>

Backport 17.4 Fix label filter by name for search

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/168099



Merged-by: Siddharth Dungarwal <sdungarwal@gitlab.com>
Approved-by: Siddharth Dungarwal <sdungarwal@gitlab.com>
Co-authored-by: Terri Chu <tchu@gitlab.com>

This commit drops check_98f90d6c53 constraint to unblock the
accumulation of ci_job_artifacts that needs to be clean up from the
system.

Changelog: fixed

Fix label filter by name for search

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/167845



Merged-by: Dmitry Gruzd <dgruzd@gitlab.com>
Approved-by: Siddharth Dungarwal <sdungarwal@gitlab.com>
Approved-by: Dmitry Gruzd <dgruzd@gitlab.com>
Co-authored-by: Terri Chu <tchu@gitlab.com>

(cherry picked from commit add0da31)

bca1a362 Fix label filter by name for search

Co-authored-by: Dmitry Gruzd <dgruzd@gitlab.com>

Contributes to https://gitlab.com/gitlab-org/gitlab/-/issues/493732

**Problem**

Self-managed instances that restricted password authentication for Git
over HTTP(S) started to receive 401 error code for `go-get=1` requests
from go toolchain.

The reason is a missing return for the case when request doesn't have
basic credentials.

It was introduced in
https://gitlab.com/gitlab-org/gitlab/-/merge_requests/161162.

**Solution**

Restore check for missing basic credentials and add a test case.

Skip multi-version upgrade job for stable branch MRs

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166877



Merged-by: Mayra Cabrera <mcabrera@gitlab.com>
Approved-by: David Dieulivol <ddieulivol@gitlab.com>
Approved-by: Mayra Cabrera <mcabrera@gitlab.com>
Co-authored-by: Nailia Iskhakova <niskhakova@gitlab.com>

To resolve CI pipelines in backports

[merge-train skip]

[ci skip]

[ci skip]

Update expected vulnerability in enable_advanced_sast_spec.rb

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/167033



Merged-by: Mayra Cabrera <mcabrera@gitlab.com>
Approved-by: Mayra Cabrera <mcabrera@gitlab.com>
Co-authored-by: Will Meek <wmeek@gitlab.com>

Implement input sanitization for SummarizeComments

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4474



Merged-by: Mayra Cabrera <mcabrera@gitlab.com>
Approved-by: Ethan Urie <eurie@gitlab.com>
Approved-by: Mayra Cabrera <mcabrera@gitlab.com>
Reviewed-by: Dillon Wheeler <dwheeler@gitlab.com>
Co-authored-by: dillonwheeler <dwheeler@gitlab.com>

Dillon Wheeler authored 5 months ago and Mayra Cabrera committed 5 months ago

Merge branch 'security-duo-chat-issue-summary-prompt-injection-1-17-4-17-4' into '17-4-stable-ee'

See merge request gitlab-org/security/gitlab!4474

Changelog: security

Hide system notes with invalid references

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4482



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Bob Van Landuyt <bob@gitlab.com>
Co-authored-by: Heinrich Lee Yu <heinrich@gitlab.com>

Heinrich Lee Yu authored 5 months ago and GitLab Release Tools Bot committed 5 months ago

Merge branch 'security-hide-system-notes-with-invalid-references-17-4' into '17-4-stable-ee'

See merge request gitlab-org/security/gitlab!4482

Changelog: security

Reset dependency proxy maven credentials when registry url is changed

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4472



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Dzmitry (Dima) Meshcharakou <12459192-dmeshcharakou@users.noreply.gitlab.com>
Co-authored-by: Radamanthus Batnag <rbatnag@gitlab.com>

Rad Batnag authored 5 months ago and GitLab Release Tools Bot committed 5 months ago

Merge branch 'security-1180-fix-dependency-proxy-leak-17-4' into '17-4-stable-ee'

See merge request gitlab-org/security/gitlab!4472

Changelog: security