Add latest changes from gitlab-org/gitlab@master

a98649b7 · GitLab Bot · a4484fd2 · a98649b7 · a98649b7 · a98649b7
Commit a98649b7 authored 5 years ago by GitLab Bot
--- a/.gitlab/ci/rails.gitlab-ci.yml
+++ b/.gitlab/ci/rails.gitlab-ci.yml
@@ -94,11 +94,11 @@ setup-test-env:
  
 rspec unit pg9:
  extends: .rspec-base-pg9
-  parallel: 20
+  parallel: 24
  
 rspec unit pg9-foss:
  extends: .rspec-base-pg9-foss
-  parallel: 20
+  parallel: 24
  
 rspec integration pg9:
  extends: .rspec-base-pg9

--- a/CHANGELOG-EE.md
+++ b/CHANGELOG-EE.md
 Please view this file on the master branch, on stable branches it's out of date.
  
+## 12.5.1
+
+### Security (6 changes)
+
+- Protect Jira integration endpoints from guest users.
+- Fix private comment Elasticsearch leak on project search scope.
+- Filter snippet search results by feature visibility.
+- Hide AWS secret on Admin Integration page.
+- Fail pull mirror when mirror user is blocked.
+- Prevent IDOR when adding users to protected environments.
+
+
 ## 12.5.0
  
 ### Security (5 changes)
@@ -224,6 +236,18 @@ Please view this file on the master branch, on stable branches it's out of date.
 - Docs for protected branch code owner approval API. !17132
  
  
+## 12.3.7
+
+### Security (6 changes)
+
+- Protect Jira integration endpoints from guest users.
+- Fix private comment Elasticsearch leak on project search scope.
+- Filter snippet search results by feature visibility.
+- Hide AWS secret on Admin Integration page.
+- Fail pull mirror when mirror user is blocked.
+- Prevent IDOR when adding users to protected environments.
+
+
 ## 12.3.4
  
 ### Fixed (2 changes)

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,16 +4,19 @@ entry.
  
 ## 12.5.1
  
-### Security (8 changes)
+### Security (11 changes)
  
- Check permissions before showing a forked project's source.
+- Do not create todos for approvers without access. !1442
+- Hide commit counts from guest users in Cycle Analytics.
 - Encrypt application setting tokens.
 - Update Workhorse and Gitaly to fix a security issue.
- Hide commit counts from guest users in Cycle Analytics.
+- Add maven file_name regex validation on incoming files.
+- Check permissions before showing a forked project's source.
 - Limit potential for DNS rebind SSRF in chat notifications.
 - Ensure are cleaned by ImportExport::AttributeCleaner.
 - Remove notes regarding Related Branches from Issue activity feeds for guest users.
 - Escape namespace in label references to prevent XSS.
+- Add authorization to using filter vulnerable in Dependency List.
  
  
 ## 12.5.0
@@ -367,21 +370,6 @@ entry.
 - Change selects from default browser style to custom style.
  
  
-## 12.4.4
-
-### Security (9 changes)
-
- Check permissions before showing a forked project's source.
- Encrypt application setting tokens.
- Update Workhorse and Gitaly to fix a security issue.
- Hide commit counts from guest users in Cycle Analytics.
- Limit potential for DNS rebind SSRF in chat notifications.
- Fix 500 error caused by invalid byte sequences in links.
- Ensure are cleaned by ImportExport::AttributeCleaner.
- Remove notes regarding Related Branches from Issue activity feeds for guest users.
- Escape namespace in label references to prevent XSS.
-
-
 ## 12.4.3
  
 ### Fixed (2 changes)
@@ -752,17 +740,20 @@ entry.
  
 ## 12.3.7
  
-### Security (9 changes)
+### Security (12 changes)
  
- Check permissions before showing a forked project's source.
+- Do not create todos for approvers without access. !1442
+- Limit potential for DNS rebind SSRF in chat notifications.
 - Encrypt application setting tokens.
 - Update Workhorse and Gitaly to fix a security issue.
+- Add maven file_name regex validation on incoming files.
 - Hide commit counts from guest users in Cycle Analytics.
- Limit potential for DNS rebind SSRF in chat notifications.
+- Check permissions before showing a forked project's source.
 - Fix 500 error caused by invalid byte sequences in links.
 - Ensure are cleaned by ImportExport::AttributeCleaner.
 - Remove notes regarding Related Branches from Issue activity feeds for guest users.
 - Escape namespace in label references to prevent XSS.
+- Add authorization to using filter vulnerable in Dependency List.
  
  
 ## 12.3.4

--- a/app/assets/javascripts/environments/components/environment_item.vue
+++ b/app/assets/javascripts/environments/components/environment_item.vue
 <script>
 /* eslint-disable @gitlab/vue-i18n/no-bare-strings */
 import { __, sprintf } from '~/locale';
-import Timeago from 'timeago.js';
+import { format } from 'timeago.js';
 import _ from 'underscore';
 import { GlTooltipDirective } from '@gitlab/ui';
 import UserAvatarLink from '~/vue_shared/components/user_avatar/user_avatar_link.vue';
@@ -23,7 +23,6 @@ import { convertObjectPropsToCamelCase } from '~/lib/utils/common_utils';
 *
 * Renders a table row for each environment.
 */
-const timeagoInstance = new Timeago();
  
 export default {
  components: {
@@ -123,7 +122,7 @@ export default {
     */
    deployedDate() {
      if (this.canShowDate) {
-        return timeagoInstance.format(this.model.last_deployment.deployed_at);
+        return format(this.model.last_deployment.deployed_at);
      }
      return '';
    },

--- a/app/assets/javascripts/lib/utils/datetime_utility.js
+++ b/app/assets/javascripts/lib/utils/datetime_utility.js
 import $ from 'jquery';
 import _ from 'underscore';
-import timeago from 'timeago.js';
+import * as timeago from 'timeago.js';
 import dateFormat from 'dateformat';
 import { languageCode, s__, __, n__ } from '../../locale';
  
@@ -92,90 +92,80 @@ export const formatDate = (datetime, format = 'mmm d, yyyy h:MMtt Z') => {
 */
 const timeagoLanguageCode = languageCode().replace(/-/g, '_');
  
-let timeagoInstance;
-
 /**
- * Sets a timeago Instance
+ * Registers timeago locales
 */
-export const getTimeago = () => {
-  if (!timeagoInstance) {
-    const memoizedLocaleRemaining = () => {
-      const cache = [];
-
-      const timeAgoLocaleRemaining = [
-        () => [s__('Timeago|just now'), s__('Timeago|right now')],
-        () => [s__('Timeago|just now'), s__('Timeago|%s seconds remaining')],
-        () => [s__('Timeago|1 minute ago'), s__('Timeago|1 minute remaining')],
-        () => [s__('Timeago|%s minutes ago'), s__('Timeago|%s minutes remaining')],
-        () => [s__('Timeago|1 hour ago'), s__('Timeago|1 hour remaining')],
-        () => [s__('Timeago|%s hours ago'), s__('Timeago|%s hours remaining')],
-        () => [s__('Timeago|1 day ago'), s__('Timeago|1 day remaining')],
-        () => [s__('Timeago|%s days ago'), s__('Timeago|%s days remaining')],
-        () => [s__('Timeago|1 week ago'), s__('Timeago|1 week remaining')],
-        () => [s__('Timeago|%s weeks ago'), s__('Timeago|%s weeks remaining')],
-        () => [s__('Timeago|1 month ago'), s__('Timeago|1 month remaining')],
-        () => [s__('Timeago|%s months ago'), s__('Timeago|%s months remaining')],
-        () => [s__('Timeago|1 year ago'), s__('Timeago|1 year remaining')],
-        () => [s__('Timeago|%s years ago'), s__('Timeago|%s years remaining')],
-      ];
-
-      return (number, index) => {
-        if (cache[index]) {
-          return cache[index];
-        }
-        cache[index] = timeAgoLocaleRemaining[index] && timeAgoLocaleRemaining[index]();
-        return cache[index];
-      };
-    };
-
-    const memoizedLocale = () => {
-      const cache = [];
-
-      const timeAgoLocale = [
-        () => [s__('Timeago|just now'), s__('Timeago|right now')],
-        () => [s__('Timeago|just now'), s__('Timeago|in %s seconds')],
-        () => [s__('Timeago|1 minute ago'), s__('Timeago|in 1 minute')],
-        () => [s__('Timeago|%s minutes ago'), s__('Timeago|in %s minutes')],
-        () => [s__('Timeago|1 hour ago'), s__('Timeago|in 1 hour')],
-        () => [s__('Timeago|%s hours ago'), s__('Timeago|in %s hours')],
-        () => [s__('Timeago|1 day ago'), s__('Timeago|in 1 day')],
-        () => [s__('Timeago|%s days ago'), s__('Timeago|in %s days')],
-        () => [s__('Timeago|1 week ago'), s__('Timeago|in 1 week')],
-        () => [s__('Timeago|%s weeks ago'), s__('Timeago|in %s weeks')],
-        () => [s__('Timeago|1 month ago'), s__('Timeago|in 1 month')],
-        () => [s__('Timeago|%s months ago'), s__('Timeago|in %s months')],
-        () => [s__('Timeago|1 year ago'), s__('Timeago|in 1 year')],
-        () => [s__('Timeago|%s years ago'), s__('Timeago|in %s years')],
-      ];
-
-      return (number, index) => {
-        if (cache[index]) {
-          return cache[index];
-        }
-        cache[index] = timeAgoLocale[index] && timeAgoLocale[index]();
-        return cache[index];
-      };
-    };
-
-    timeago.register(timeagoLanguageCode, memoizedLocale());
-    timeago.register(`${timeagoLanguageCode}-remaining`, memoizedLocaleRemaining());
-
-    timeagoInstance = timeago();
-  }
+const memoizedLocaleRemaining = () => {
+  const cache = [];
+
+  const timeAgoLocaleRemaining = [
+    () => [s__('Timeago|just now'), s__('Timeago|right now')],
+    () => [s__('Timeago|just now'), s__('Timeago|%s seconds remaining')],
+    () => [s__('Timeago|1 minute ago'), s__('Timeago|1 minute remaining')],
+    () => [s__('Timeago|%s minutes ago'), s__('Timeago|%s minutes remaining')],
+    () => [s__('Timeago|1 hour ago'), s__('Timeago|1 hour remaining')],
+    () => [s__('Timeago|%s hours ago'), s__('Timeago|%s hours remaining')],
+    () => [s__('Timeago|1 day ago'), s__('Timeago|1 day remaining')],
+    () => [s__('Timeago|%s days ago'), s__('Timeago|%s days remaining')],
+    () => [s__('Timeago|1 week ago'), s__('Timeago|1 week remaining')],
+    () => [s__('Timeago|%s weeks ago'), s__('Timeago|%s weeks remaining')],
+    () => [s__('Timeago|1 month ago'), s__('Timeago|1 month remaining')],
+    () => [s__('Timeago|%s months ago'), s__('Timeago|%s months remaining')],
+    () => [s__('Timeago|1 year ago'), s__('Timeago|1 year remaining')],
+    () => [s__('Timeago|%s years ago'), s__('Timeago|%s years remaining')],
+  ];
+
+  return (number, index) => {
+    if (cache[index]) {
+      return cache[index];
+    }
+    cache[index] = timeAgoLocaleRemaining[index] && timeAgoLocaleRemaining[index]();
+    return cache[index];
+  };
+};
  
-  return timeagoInstance;
+const memoizedLocale = () => {
+  const cache = [];
+
+  const timeAgoLocale = [
+    () => [s__('Timeago|just now'), s__('Timeago|right now')],
+    () => [s__('Timeago|just now'), s__('Timeago|in %s seconds')],
+    () => [s__('Timeago|1 minute ago'), s__('Timeago|in 1 minute')],
+    () => [s__('Timeago|%s minutes ago'), s__('Timeago|in %s minutes')],
+    () => [s__('Timeago|1 hour ago'), s__('Timeago|in 1 hour')],
+    () => [s__('Timeago|%s hours ago'), s__('Timeago|in %s hours')],
+    () => [s__('Timeago|1 day ago'), s__('Timeago|in 1 day')],
+    () => [s__('Timeago|%s days ago'), s__('Timeago|in %s days')],
+    () => [s__('Timeago|1 week ago'), s__('Timeago|in 1 week')],
+    () => [s__('Timeago|%s weeks ago'), s__('Timeago|in %s weeks')],
+    () => [s__('Timeago|1 month ago'), s__('Timeago|in 1 month')],
+    () => [s__('Timeago|%s months ago'), s__('Timeago|in %s months')],
+    () => [s__('Timeago|1 year ago'), s__('Timeago|in 1 year')],
+    () => [s__('Timeago|%s years ago'), s__('Timeago|in %s years')],
+  ];
+
+  return (number, index) => {
+    if (cache[index]) {
+      return cache[index];
+    }
+    cache[index] = timeAgoLocale[index] && timeAgoLocale[index]();
+    return cache[index];
+  };
 };
  
+timeago.register(timeagoLanguageCode, memoizedLocale());
+timeago.register(`${timeagoLanguageCode}-remaining`, memoizedLocaleRemaining());
+
+export const getTimeago = () => timeago;
+
 /**
 * For the given elements, sets a tooltip with a formatted date.
 * @param {JQuery} $timeagoEls
 * @param {Boolean} setTimeago
 */
 export const localTimeAgo = ($timeagoEls, setTimeago = true) => {
-  getTimeago();
-
  $timeagoEls.each((i, el) => {
-    $(el).text(timeagoInstance.format($(el).attr('datetime'), timeagoLanguageCode));
+    $(el).text(timeago.format($(el).attr('datetime'), timeagoLanguageCode));
  });
  
  if (!setTimeago) {
@@ -207,9 +197,7 @@ export const timeFor = (time, expiredLabel) => {
  if (new Date(time) < new Date()) {
    return expiredLabel || s__('Timeago|Past due');
  }
-  return getTimeago()
-    .format(time, `${timeagoLanguageCode}-remaining`)
-    .trim();
+  return timeago.format(time, `${timeagoLanguageCode}-remaining`).trim();
 };
  
 export const getDayDifference = (a, b) => {

--- a/app/assets/javascripts/vue_merge_request_widget/stores/mr_widget_store.js
+++ b/app/assets/javascripts/vue_merge_request_widget/stores/mr_widget_store.js
-import Timeago from 'timeago.js';
+import { format } from 'timeago.js';
 import _ from 'underscore';
 import getStateKey from 'ee_else_ce/vue_merge_request_widget/stores/get_state_key';
 import { stateKey } from './state_maps';
@@ -213,9 +213,7 @@ export default class MergeRequestStore {
      return '';
    }
  
-    const timeagoInstance = new Timeago();
-
-    return timeagoInstance.format(date);
+    return format(date);
  }
  
  static getPreferredAutoMergeStrategy(availableAutoMergeStrategies) {

--- a/app/graphql/resolvers/issues_resolver.rb
+++ b/app/graphql/resolvers/issues_resolver.rb
@@ -53,6 +53,7 @@ module Resolvers
      # https://gitlab.com/gitlab-org/gitlab-foss/issues/54520
      args[:project_id] = project.id
      args[:iids] ||= [args[:iid]].compact
+      args[:attempt_project_search_optimizations] = args[:search].present?
  
      IssuesFinder.new(context[:current_user], args).execute
    end

--- a/app/models/ci/build.rb
+++ b/app/models/ci/build.rb
@@ -764,7 +764,7 @@ module Ci
  
      # find all jobs that are needed
      if Feature.enabled?(:ci_dag_support, project, default_enabled: true) && needs.exists?
-        depended_jobs = depended_jobs.where(name: needs.select(:name))
+        depended_jobs = depended_jobs.where(name: needs.artifacts.select(:name))
      end
  
      # find all jobs that are dependent on
@@ -772,6 +772,8 @@ module Ci
        depended_jobs = depended_jobs.where(name: options[:dependencies])
      end
  
+      # if both needs and dependencies are used,
+      # the end result will be an intersection between them
      depended_jobs
    end
  

--- a/app/models/ci/build_need.rb
+++ b/app/models/ci/build_need.rb
@@ -10,5 +10,6 @@ module Ci
    validates :name, presence: true, length: { maximum: 128 }
  
    scope :scoped_build, -> { where('ci_builds.id=ci_build_needs.build_id') }
+    scope :artifacts, -> { where(artifacts: true) }
  end
 end
--- a/app/models/milestone_release.rb
+++ b/app/models/milestone_release.rb
@@ -6,9 +6,6 @@ class MilestoneRelease < ApplicationRecord
  
  validate :same_project_between_milestone_and_release
  
-  # Keep until 2019-11-29
-  self.ignored_columns += %i[id]
-
  private
  
  def same_project_between_milestone_and_release

--- a/changelogs/unreleased/34958-update-timeago-to-the-latest-release.yml
+++ b/changelogs/unreleased/34958-update-timeago-to-the-latest-release.yml
+---
+title: Update timeago to the latest release
+merge_request: 19407
+author:
+type: other
--- a/changelogs/unreleased/36905-create-a-rake-task-to-gather-license-info.yml
+++ b/changelogs/unreleased/36905-create-a-rake-task-to-gather-license-info.yml
+---
+title: Create a license info rake task
+merge_request: 20501
+author: Jason Colyer
+type: added
--- a/changelogs/unreleased/ci-merge-dependencies-and-artifacts-with-needs.yml
+++ b/changelogs/unreleased/ci-merge-dependencies-and-artifacts-with-needs.yml
+---
+title: Control passing artifacts from CI DAG needs
+merge_request: 19943
+author:
+type: added
--- a/changelogs/unreleased/feat-increase-start-in.yml
+++ b/changelogs/unreleased/feat-increase-start-in.yml
+---
+title: Increase upper limit of start_in attribute to 1 week
+merge_request: 20323
+author: Will Layton
+type: changed
--- a/changelogs/unreleased/fix-job-log-default-colors.yml
+++ b/changelogs/unreleased/fix-job-log-default-colors.yml
+---
+title: Fix change to default foreground and backgorund colors in job log
+merge_request: 20787
+author:
+type: fixed
--- a/changelogs/unreleased/issue_34226.yml
+++ b/changelogs/unreleased/issue_34226.yml
+---
+title: Improve issues search performance on GraphQL
+merge_request: 20784
+author:
+type: performance
--- a/changelogs/unreleased/security-394-path-traversal-package-bug.yml
+++ b/changelogs/unreleased/security-394-path-traversal-package-bug.yml
+---
+title: Add maven file_name regex validation on incoming files
+merge_request:
+author:
+type: security
--- a/db/migrate/20191112090226_add_artifacts_to_ci_build_need.rb
+++ b/db/migrate/20191112090226_add_artifacts_to_ci_build_need.rb
+# frozen_string_literal: true
+
+class AddArtifactsToCiBuildNeed < ActiveRecord::Migration[5.2]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  def up
+    add_column_with_default(:ci_build_needs, :artifacts,
+                            :boolean,
+                            default: true,
+                            allow_null: false)
+  end
+
+  def down
+    remove_column(:ci_build_needs, :artifacts)
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -601,6 +601,7 @@ ActiveRecord::Schema.define(version: 2019_11_24_150431) do
  create_table "ci_build_needs", id: :serial, force: :cascade do |t|
    t.integer "build_id", null: false
    t.text "name", null: false
+    t.boolean "artifacts", default: true, null: false
    t.index ["build_id", "name"], name: "index_ci_build_needs_on_build_id_and_name", unique: true
  end
  

--- a/doc/ci/yaml/README.md
+++ b/doc/ci/yaml/README.md
@@ -1245,11 +1245,12 @@ Delayed job are for executing scripts after a certain period.
 This is useful if you want to avoid jobs entering `pending` state immediately.
  
 You can set the period with `start_in` key. The value of `start_in` key is an elapsed time in seconds, unless a unit is
-provided. `start_in` key must be less than or equal to one hour. Examples of valid values include:
+provided. `start_in` key must be less than or equal to one week. Examples of valid values include:
  
 - `10 seconds`
 - `30 minutes`
- `1 hour`
+- `1 day`
+- `1 week`
  
 When there is a delayed job in a stage, the pipeline will not progress until the delayed job has finished.
 This means this keyword can also be used for inserting delays between different stages.
@@ -2232,6 +2233,49 @@ This example creates three paths of execution:
 - Related to the above, stages must be explicitly defined for all jobs
  that have the keyword `needs:` or are referred to by one.
  
+#### Artifact downloads with `needs`
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/14311) in GitLab v12.6.
+
+When using `needs`, artifact downloads are controlled with `artifacts: true` or `artifacts: false`.
+The `dependencies` keyword should not be used with `needs`, as this is deprecated since GitLab 12.6.
+
+In the example below, the `rspec` job will download the `build_job` artifacts, while the
+`rubocop` job will not:
+
+```yaml
+build_job:
+  stage: build
+  artifacts:
+    paths:
+      - binaries/
+
+rspec:
+  stage: test
+  needs:
+    - job: build_job
+      artifacts: true
+
+rubocop:
+  stage: test
+  needs:
+    - job: build_job
+      artifacts: false
+```
+
+Additionally, in the three syntax examples below, the `rspec` job will download the artifacts
+from all three `build_jobs`, as `artifacts` is true for `build_job_1`, and will
+**default** to true for both `build_job_2` and `build_job_3`.
+
+```yaml
+rspec:
+  needs:
+    - job: build_job_1
+      artifacts: true
+    - job: build_job_2
+    - build_job_3
+```
+
 ### `coverage`
  
 > [Introduced][ce-7447] in GitLab 8.17.