Add latest changes from gitlab-org/gitlab@master

CHANGELOG-EE.md

 Please view this file on the master branch, on stable branches it's out of date.
+## 12.3.2
+
+### Security (2 changes)
+
+- Hide approvers if a rule has any hidden groups.
+- Prevent IDOR when adding groups to protected environments.
+
+
 ## 12.3.1
 - No changes.
@@ -187,6 +195,15 @@ Please view this file on the master branch, on stable branches it's out of date.
 - Fixes style-lint errors and warnings for EE builds.scss file.
+## 12.2.6
+
+### Security (3 changes)
+
+- Hide approvers if a rule has any hidden groups.
+- Fix Gitaly SearchBlobs flag RPC injection [Gitaly v1.59.3].
+- Prevent IDOR when adding groups to protected environments.
+
+
 ## 12.2.5
 ### Security (1 change)
@@ -439,6 +456,16 @@ Please view this file on the master branch, on stable branches it's out of date.
 - Fix alignment of activity dropdown in epic tabs; add counter to discussion tab.
+## 12.1.12
+
+### Security (4 changes)
+
+- Hide approvers if a rule has any hidden groups.
+- Fix Gitaly SearchBlobs flag RPC injection [Gitaly v1.53.4].
+- Prevent IDOR when adding groups to protected environments.
+- Upgrade mermaid to prevent XSS.
+
+
 ## 12.1.10
 - No changes.

CHANGELOG.md

@@ -4,16 +4,18 @@ entry.
 ## 12.3.2
-### Security (10 changes)
+### Security (12 changes)
 - Fix Gitaly SearchBlobs flag RPC injection.
 - Add a policy check for system notes that may not be visible due to cross references to private items.
 - Display only participants that user has permission to see on milestone page.
 - Do not disclose project milestones on group milestones page when project milestones access is disabled in project settings.
+- Check permissions before showing head pipeline blocking merge requests.
 - Fix new project path being disclosed through unsubscribe link of issue/merge requests.
 - Prevent bypassing email verification using Salesforce.
 - Do not show resource label events referencing not accessible labels.
 - Cancel all running CI jobs triggered by the user who is just blocked.
+- Fix Gitaly SearchBlobs flag RPC injection.
 - Only render fixed number of mermaid blocks.
 - Prevent GitLab accounts takeover if SAML is configured.
@@ -299,11 +301,12 @@ entry.
 ## 12.2.6
-### Security (10 changes)
+### Security (11 changes)
 - Add a policy check for system notes that may not be visible due to cross references to private items.
 - Display only participants that user has permission to see on milestone page.
 - Do not disclose project milestones on group milestones page when project milestones access is disabled in project settings.
+- Check permissions before showing head pipeline blocking merge requests.
 - Fix new project path being disclosed through unsubscribe link of issue/merge requests.
 - Prevent bypassing email verification using Salesforce.
 - Do not show resource label events referencing not accessible labels.
@@ -633,11 +636,12 @@ entry.
 ## 12.1.12
-### Security (11 changes)
+### Security (12 changes)
 - Add a policy check for system notes that may not be visible due to cross references to private items.
 - Display only participants that user has permission to see on milestone page.
 - Do not disclose project milestones on group milestones page when project milestones access is disabled in project settings.
+- Check permissions before showing head pipeline blocking merge requests.
 - Fix new project path being disclosed through unsubscribe link of issue/merge requests.
 - Prevent bypassing email verification using Salesforce.
 - Do not show resource label events referencing not accessible labels.

app/assets/javascripts/boards/components/issue_card_inner.vue

@@ -104,6 +104,13 @@ export default {
     helpLink() {
       return boardsStore.scopedLabels.helpLink;
     },
+    validIssueWeight() {
+      if (_.isNumber(this.issue.weight)) {
+        return this.issue.weight >= 0;
+      }
+
+      return false;
+    },
   },
   methods: {
     isIndexLessThanlimit(index) {
@@ -212,7 +219,7 @@ export default {
           <issue-due-date v-if="issue.dueDate" :date="issue.dueDate" />
           <issue-time-estimate v-if="issue.timeEstimate" :estimate="issue.timeEstimate" />
           <issue-card-weight
-            v-if="issue.weight"
+            v-if="validIssueWeight"
             :weight="issue.weight"
             @click="filterByWeight(issue.weight)"
           />

app/controllers/projects/commits_controller.rb

@@ -72,7 +72,7 @@ class Projects::CommitsController < Projects::ApplicationController
         @repository.commits(@ref, path: @path, limit: @limit, offset: @offset)
       end
-    @commits = @commits.with_pipeline_status
+    @commits = @commits.with_latest_pipeline(@ref)
     @commits = set_commits_for_rendering(@commits)
   end

app/controllers/projects/merge_requests_controller.rb

@@ -82,7 +82,7 @@ class Projects::MergeRequestsController < Projects::MergeRequests::ApplicationCo
     # Get commits from repository
     # or from cache if already merged
     @commits =
-      set_commits_for_rendering(@merge_request.commits.with_pipeline_status)
+      set_commits_for_rendering(@merge_request.commits.with_latest_pipeline)
     render json: { html: view_to_html_string('projects/merge_requests/_commits') }
   end

app/helpers/ci_status_helper.rb

@@ -64,7 +64,7 @@ module CiStatusHelper
   def ci_icon_for_status(status, size: 16)
     if detailed_status?(status)
-      return sprite_icon(status.icon)
+      return sprite_icon(status.icon, size: size)
     end
     icon_name =
@@ -96,23 +96,29 @@ module CiStatusHelper
     sprite_icon(icon_name, size: size)
   end
+  def ci_icon_class_for_status(status)
+    group = detailed_status?(status) ? status.group : status.dasherize
+
+    "ci-status-icon-#{group}"
+  end
+
   def pipeline_status_cache_key(pipeline_status)
     "pipeline-status/#{pipeline_status.sha}-#{pipeline_status.status}"
   end
-  def render_commit_status(commit, ref: nil, tooltip_placement: 'left')
+  def render_commit_status(commit, status, ref: nil, tooltip_placement: 'left')
     project = commit.project
     path = pipelines_project_commit_path(project, commit, ref: ref)
     render_status_with_link(
-      commit.status(ref),
+      status,
       path,
       tooltip_placement: tooltip_placement,
       icon_size: 24)
   end
   def render_status_with_link(status, path = nil, type: _('pipeline'), tooltip_placement: 'left', cssclass: '', container: 'body', icon_size: 16)
-    klass = "ci-status-link ci-status-icon-#{status.dasherize} d-inline-flex #{cssclass}"
+    klass = "ci-status-link #{ci_icon_class_for_status(status)} d-inline-flex #{cssclass}"
     title = "#{type.titleize}: #{ci_label_for_status(status)}"
     data = { toggle: 'tooltip', placement: tooltip_placement, container: container }
@@ -127,6 +133,7 @@ module CiStatusHelper
   def detailed_status?(status)
     status.respond_to?(:text) &&
+      status.respond_to?(:group) &&
       status.respond_to?(:label) &&
       status.respond_to?(:icon)
   end

app/models/ci/pipeline.rb

@@ -281,16 +281,16 @@ module Ci
       end
     end
-    # Returns a Hash containing the latest pipeline status for every given
+    # Returns a Hash containing the latest pipeline for every given
     # commit.
     #
-    # The keys of this Hash are the commit SHAs, the values the statuses.
+    # The keys of this Hash are the commit SHAs, the values the pipelines.
     #
-    # commits - The list of commit SHAs to get the status for.
+    # commits - The list of commit SHAs to get the pipelines for.
     # ref - The ref to scope the data to (e.g. "master"). If the ref is not
-    #       given we simply get the latest status for the commits, regardless
-    #       of what refs their pipelines belong to.
-    def self.latest_status_per_commit(commits, ref = nil)
+    #       given we simply get the latest pipelines for the commits, regardless
+    #       of what refs the pipelines belong to.
+    def self.latest_pipeline_per_commit(commits, ref = nil)
       p1 = arel_table
       p2 = arel_table.alias
@@ -304,15 +304,14 @@ module Ci
       cond = cond.and(p1[:ref].eq(p2[:ref])) if ref
       join = p1.join(p2, Arel::Nodes::OuterJoin).on(cond)
-      relation = select(:sha, :status)
-        .where(sha: commits)
+      relation = where(sha: commits)
         .where(p2[:id].eq(nil))
         .joins(join.join_sources)
       relation = relation.where(ref: ref) if ref
-      relation.each_with_object({}) do |row, hash|
-        hash[row[:sha]] = row[:status]
+      relation.each_with_object({}) do |pipeline, hash|
+        hash[pipeline.sha] = pipeline
       end
     end

app/models/commit.rb

@@ -119,10 +119,22 @@ class Commit
     @raw = raw_commit
     @project = project
-    @statuses = {}
     @gpg_commit = Gitlab::Gpg::Commit.new(self) if project
   end
+  delegate \
+    :pipelines,
+    :last_pipeline,
+    :latest_pipeline,
+    :latest_pipeline_for_project,
+    :set_latest_pipeline_for_ref,
+    :status,
+    to: :with_pipeline
+
+  def with_pipeline
+    @with_pipeline ||= CommitWithPipeline.new(self)
+  end
+
   def id
     raw.id
   end
@@ -301,30 +313,6 @@ class Commit
     )
   end
-  def pipelines
-    project.ci_pipelines.where(sha: sha)
-  end
-
-  def last_pipeline
-    strong_memoize(:last_pipeline) do
-      pipelines.last
-    end
-  end
-
-  def status(ref = nil)
-    return @statuses[ref] if @statuses.key?(ref)
-
-    @statuses[ref] = status_for_project(ref, project)
-  end
-
-  def status_for_project(ref, pipeline_project)
-    pipeline_project.ci_pipelines.latest_status_per_commit(id, ref)[id]
-  end
-
-  def set_status_for_ref(ref, status)
-    @statuses[ref] = status
-  end
-
   def signature
     return @signature if defined?(@signature)

app/models/commit_collection.rb

@@ -34,6 +34,20 @@ class CommitCollection
     end
   end
+  # Returns the collection with the latest pipeline for every commit pre-set.
+  #
+  # Setting the pipeline for each commit ahead of time removes the need for running
+  # a query for every commit we're displaying.
+  def with_latest_pipeline(ref = nil)
+    pipelines = project.ci_pipelines.latest_pipeline_per_commit(map(&:id), ref)
+
+    each do |commit|
+      commit.set_latest_pipeline_for_ref(ref, pipelines[commit.id])
+    end
+
+    self
+  end
+
   def unenriched
     commits.reject(&:gitaly_commit?)
   end
@@ -65,20 +79,6 @@ class CommitCollection
     self
   end
-  # Sets the pipeline status for every commit.
-  #
-  # Setting this status ahead of time removes the need for running a query for
-  # every commit we're displaying.
-  def with_pipeline_status
-    statuses = project.ci_pipelines.latest_status_per_commit(map(&:id), ref)
-
-    each do |commit|
-      commit.set_status_for_ref(ref, statuses[commit.id])
-    end
-
-    self
-  end
-
   def respond_to_missing?(message, inc_private = false)
     commits.respond_to?(message, inc_private)
   end

app/models/commit_with_pipeline.rb

+# frozen_string_literal: true
+
+class CommitWithPipeline < SimpleDelegator
+  include Presentable
+
+  def initialize(commit)
+    @latest_pipelines = {}
+    super(commit)
+  end
+
+  def pipelines
+    project.ci_pipelines.where(sha: sha)
+  end
+
+  def last_pipeline
+    strong_memoize(:last_pipeline) do
+      pipelines.last
+    end
+  end
+
+  def latest_pipeline(ref = nil)
+    @latest_pipelines.fetch(ref) do |ref|
+      @latest_pipelines[ref] = latest_pipeline_for_project(ref, project)
+    end
+  end
+
+  def latest_pipeline_for_project(ref, pipeline_project)
+    pipeline_project.ci_pipelines.latest_pipeline_per_commit(id, ref)[id]
+  end
+
+  def set_latest_pipeline_for_ref(ref, pipeline)
+    @latest_pipelines[ref] = pipeline
+  end
+
+  def status(ref = nil)
+    latest_pipeline(ref)&.status
+  end
+end

app/presenters/commit_presenter.rb

@@ -6,11 +6,15 @@ class CommitPresenter < Gitlab::View::Presenter::Delegated
   presents :commit
   def status_for(ref)
-    can?(current_user, :read_commit_status, commit.project) && commit.status(ref)
+    return unless can?(current_user, :read_commit_status, commit.project)
+
+    commit.latest_pipeline(ref)&.detailed_status(current_user)
   end
   def any_pipelines?
-    can?(current_user, :read_pipeline, commit.project) && commit.pipelines.any?
+    return false unless can?(current_user, :read_pipeline, commit.project)
+
+    commit.pipelines.any?
   end
   def web_url

app/serializers/commit_entity.rb

@@ -35,8 +35,8 @@ class CommitEntity < API::Entities::Commit
     pipeline_project = options[:pipeline_project] || commit.project
     next unless pipeline_ref && pipeline_project
-    status = commit.status_for_project(pipeline_ref, pipeline_project)
-    next unless status
+    pipeline = commit.latest_pipeline_for_project(pipeline_ref, pipeline_project)
+    next unless pipeline&.status
     pipelines_project_commit_path(pipeline_project, commit.id, ref: pipeline_ref)
   end

app/services/search/snippet_service.rb

@@ -9,9 +9,7 @@ module Search
     end
     def execute
-      snippets = SnippetsFinder.new(current_user).execute
-
-      Gitlab::SnippetSearchResults.new(snippets, params[:search])
+      Gitlab::SnippetSearchResults.new(current_user, params[:search])
     end
     def scope

app/views/projects/commits/_commit.html.haml

@@ -6,7 +6,8 @@
 - merge_request = local_assigns.fetch(:merge_request, nil)
 - project       = local_assigns.fetch(:project) { merge_request&.project }
 - ref           = local_assigns.fetch(:ref) { merge_request&.source_branch }
-- commit_status = commit.present(current_user: current_user).status_for(ref)
+- commit        = commit.present(current_user: current_user)
+- commit_status = commit.status_for(ref)
 - link = commit_path(project, commit, merge_request: merge_request)
@@ -48,7 +49,7 @@
         = render partial: 'projects/commit/ajax_signature', locals: { commit: commit }
       - if commit_status
-        = render_commit_status(commit, ref: ref)
+        = render_commit_status(commit, commit_status, ref: ref)
       .js-commit-pipeline-status{ data: { endpoint: pipelines_project_commit_path(project, commit.id, ref: ref) } }

app/views/shared/projects/_project.html.haml

@@ -63,7 +63,7 @@
           - if pipeline_status && can?(current_user, :read_cross_project) && project.pipeline_status.has_status? && can?(current_user, :read_build, project)
             - pipeline_path = pipelines_project_commit_path(project.pipeline_status.project, project.pipeline_status.sha, ref: project.pipeline_status.ref)
             %span.icon-wrapper.pipeline-status
-              = render 'ci/status/icon', status: project.commit.last_pipeline.detailed_status(current_user), tooltip_placement: 'top', path: pipeline_path
+              = render 'ci/status/icon', status: project.last_pipeline.detailed_status(current_user), tooltip_placement: 'top', path: pipeline_path
           - if project.archived
             %span.d-flex.icon-wrapper.badge.badge-warning archived

changelogs/unreleased/13321-show-issue-weight-when-zero.yml

+---
+title: Show issue weight when weight is 0
+merge_request: 17329
+author: briankabiro
+type: fixed

changelogs/unreleased/backfill-releases-updated-at.yml

+---
+title: Backfill releases table updated_at column and add not null constraints to created_at and updated_at
+merge_request: 17400
+author:
+type: fixed

changelogs/unreleased/eb-fix-ci-status-indicator-for-warnings.yml

+---
+title: Show correct CI indicator when build succeeded with warnings.
+merge_request: 17034
+author:
+type: fixed

changelogs/unreleased/fj-32643-limit-snippets-search-count.yml

+---
+title: Limit snippets search count
+merge_request: 17585
+author:
+type: performance

changelogs/unreleased/jramsay-clarify-git-lfs-push-rule-behavior.yml

+---
+title: Document Git LFS and max file size interaction
+merge_request: 17609
+author:
+type: other