Add latest changes from gitlab-org/gitlab@master

app/models/application_setting_implementation.rb

@@ -361,18 +361,33 @@ module ApplicationSettingImplementation
   def separate_whitelists(string_array)
     string_array.reduce([[], []]) do |(ip_whitelist, domain_whitelist), string|
-      ip_obj = Gitlab::Utils.string_to_ip_object(string)
+      address, port = parse_addr_and_port(string)
+
+      ip_obj = Gitlab::Utils.string_to_ip_object(address)
       if ip_obj
-        ip_whitelist << ip_obj
+        ip_whitelist << Gitlab::UrlBlockers::IpWhitelistEntry.new(ip_obj, port: port)
       else
-        domain_whitelist << string
+        domain_whitelist << Gitlab::UrlBlockers::DomainWhitelistEntry.new(address, port: port)
       end
       [ip_whitelist, domain_whitelist]
     end
   end
+  def parse_addr_and_port(str)
+    case str
+    when /\A\[(?<address> .* )\]:(?<port> \d+ )\z/x      # string like "[::1]:80"
+      address, port = $~[:address], $~[:port]
+    when /\A(?<address> [^:]+ ):(?<port> \d+ )\z/x       # string like "127.0.0.1:80"
+      address, port = $~[:address], $~[:port]
+    else                                                 # string with no port number
+      address, port = str, nil
+    end
+
+    [address, port&.to_i]
+  end
+
   def array_to_string(arr)
     arr&.join("\n")
   end

app/uploaders/upload_type_check.rb

-# frozen_string_literal: true
-
-# Ensure that uploaded files are what they say they are for security and
-# handling purposes. The checks are not 100% reliable so we err on the side of
-# caution and allow by default, and deny when we're confident of a fail state.
-#
-# Include this concern, then call `check_upload_type` to check all
-# uploads. Attach a `mime_type` or `extensions` parameter to only check
-# specific upload types. Both parameters will be normalized to a MIME type and
-# checked against the inferred MIME type of the upload content and filename
-# extension.
-#
-# class YourUploader
-#   include UploadTypeCheck::Concern
-#   check_upload_type mime_types: ['image/png', /image\/jpe?g/]
-#
-#   # or...
-#
-#   check_upload_type extensions: ['png', 'jpg', 'jpeg']
-# end
-#
-# The mime_types parameter can accept `NilClass`, `String`, `Regexp`,
-# `Array[String, Regexp]`. This matches the CarrierWave `extension_whitelist`
-# and `content_type_whitelist` family of behavior.
-#
-# The extensions parameter can accept `NilClass`, `String`, `Array[String]`.
-module UploadTypeCheck
-  module Concern
-    extend ActiveSupport::Concern
-
-    class_methods do
-      def check_upload_type(mime_types: nil, extensions: nil)
-        define_method :check_upload_type_callback do |file|
-          magic_file = MagicFile.new(file.to_file)
-
-          # Map file extensions back to mime types.
-          if extensions
-            mime_types = Array(mime_types) +
-                         Array(extensions).map { |e| MimeMagic::EXTENSIONS[e] }
-          end
-
-          if mime_types.nil? || magic_file.matches_mime_types?(mime_types)
-            check_content_matches_extension!(magic_file)
-          end
-        end
-        before :cache, :check_upload_type_callback
-      end
-    end
-
-    def check_content_matches_extension!(magic_file)
-      return if magic_file.ambiguous_type?
-
-      if magic_file.magic_type != magic_file.ext_type
-        raise CarrierWave::IntegrityError, 'Content type does not match file extension'
-      end
-    end
-  end
-
-  # Convenience class to wrap MagicMime objects.
-  class MagicFile
-    attr_reader :file
-
-    def initialize(file)
-      @file = file
-    end
-
-    def magic_type
-      @magic_type ||= MimeMagic.by_magic(file)
-    end
-
-    def ext_type
-      @ext_type ||= MimeMagic.by_path(file.path)
-    end
-
-    def magic_type_type
-      magic_type&.type
-    end
-
-    def ext_type_type
-      ext_type&.type
-    end
-
-    def matches_mime_types?(mime_types)
-      Array(mime_types).any? do |mt|
-        magic_type_type =~ /\A#{mt}\z/ || ext_type_type =~ /\A#{mt}\z/
-      end
-    end
-
-    # - Both types unknown or text/plain.
-    # - Ambiguous magic type with text extension. Plain text file.
-    # - Text magic type with ambiguous extension. TeX file missing extension.
-    def ambiguous_type?
-      (ext_type.to_s.blank? && magic_type.to_s.blank?) ||
-      (magic_type.to_s.blank? && ext_type_type == 'text/plain') ||
-      (ext_type.to_s.blank? && magic_type_type == 'text/plain')
-    end
-  end
-end

changelogs/unreleased/199220-snippet-search.yml

 ---
-title: Include snippet description as part of snippet title search (when Elasticsearch is not enabled)
+title: Include snippet description as part of snippet title search (basic search).
 merge_request: 25961
 author:
 type: added

changelogs/unreleased/rc-whitelist_ports.yml

+---
+title: Add ability to whitelist ports
+merge_request: 27025
+author:
+type: added

doc/administration/operations/unicorn.md

@@ -65,7 +65,7 @@ maximum memory threshold (in bytes) for the Unicorn worker killer by
 setting the following values `/etc/gitlab/gitlab.rb`:
 - For GitLab **12.7** and newer:
-  
+
   ```ruby
   unicorn['worker_memory_limit_min'] = "1024 * 1 << 20"
   unicorn['worker_memory_limit_max'] = "1280 * 1 << 20"

doc/administration/packages/index.md

@@ -118,10 +118,10 @@ upload packages:
      #'path_style' => false                    # If true, use 'host/bucket_name/object' instead of 'bucket_name.host/object'.
    }
    ```
-  
+
    NOTE: **Note:**
    Some build tools, like Gradle, must make `HEAD` requests to Amazon S3 to pull a dependency’s metadata. The `gitlab_rails['packages_object_store_proxy_download']` property must be set to `true`. Without this setting, GitLab won't act as a proxy to the Amazon S3 service, and will instead return the signed URL. This will cause a `HTTP 403 Forbidden` response, since Amazon S3 expects a signed URL.
-  
+
 1. Save the file and [reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure)
    for the changes to take effect.

doc/administration/troubleshooting/gdb-stuck-ruby.txt

 # Here's the script I'll use to demonstrate - it just loops forever:
-$ cat test.rb 
+$ cat test.rb
 #!/usr/bin/env ruby
 loop do
@@ -75,7 +75,7 @@ Thread 1 (Thread 0xb74d76c0 (LWP 1343)):
     at eval.c:5778
 #5  rb_call0 (klass=3075304600, recv=3075299660, id=9393, oid=9393, argc=1, argv=0xbf85f490, body=0xb74c85a8, flags=2)
     at eval.c:5928
-#6  0x0805e35d in rb_call (klass=3075304600, recv=3075299660, mid=9393, argc=1, argv=0xbf85f490, scope=1, 
+#6  0x0805e35d in rb_call (klass=3075304600, recv=3075299660, mid=9393, argc=1, argv=0xbf85f490, scope=1,
     self=<optimized out>) at eval.c:6176
 #7  0x080651ec in rb_eval (self=3075299660, n=0xb74c4e1c) at eval.c:3521
 #8  0x0805c31c in rb_yield_0 (val=6, self=3075299660, klass=<optimized out>, flags=0, avalue=0) at eval.c:5095
@@ -139,4 +139,4 @@ A debugging session is active.
 Quit anyway? (y or n) y
 Detaching from program: /opt/vagrant_ruby/bin/ruby, process 1343
-$ 
+$

doc/administration/troubleshooting/kubernetes_cheat_sheet.md

@@ -77,11 +77,11 @@ and they will assist you with any issues you are having.
   ```shell
   kubectl get cronjobs
   ```
-  
+
   When one configures [cron-based backups](https://docs.gitlab.com/charts/backup-restore/backup.html#cron-based-backup),
   you will be able to see the new schedule here. Some details about the schedules can be found
   in [Running Automated Tasks with a CronJob](https://kubernetes.io/docs/tasks/job/automated-tasks-with-cron-jobs/#creating-a-cron-job)
-  
+
 ## GitLab-specific Kubernetes information
 - Minimal config that can be used to test a Kubernetes Helm chart can be found
@@ -167,7 +167,7 @@ and they will assist you with any issues you are having.
   ```shell
   kubectl exec -it <task-runner-pod-name> -- /srv/gitlab/bin/rails dbconsole -p
   ```
-  
+
 - How to get info about Helm installation status:
   ```shell