[ci skip]

Trigger Elasticsearch indexing when public group moved to private

See merge request gitlab/gitlabhq!3579

This fixes https://gitlab.com/gitlab-org/gitlab/issues/37766 which is
caused by the fact that we leave the stale permissions data in the index
after a group is moved to another group.

[ci skip]

[ci skip]

Fix invalid byte sequence

See merge request gitlab/gitlabhq!3549

Update Workhorse and Gitaly to fix a security issue

See merge request gitlab/gitlabhq!3501

Use Gitlab::HTTP for all chat notifications

See merge request gitlab/gitlabhq!3515

Fix private comment Elasticsearch leak

See merge request gitlab/gitlabhq!3523

Hide AWS secret on Admin Integration page

See merge request gitlab/gitlabhq!3527

Prevent guests from seeing commits for cycle analytics

See merge request gitlab/gitlabhq!3535

Related Branches Visible to Guests in Issue Activity

See merge request gitlab/gitlabhq!3540

GitLab stores AWS, Slack, Askimet, reCaptcha tokens in plaintext

See merge request gitlab/gitlabhq!3541

Escape namespace in label references

See merge request gitlab/gitlabhq!3552

Check permissions before showing a forked project's source

See merge request gitlab/gitlabhq!3557

Ensure attributes that end in `_ids` are cleaned

See merge request gitlab/gitlabhq!3560

DJ Mountney authored 5 years ago and Imre (Admin) committed 5 years ago

This prevents an issue where you can steal other projects objects by
asking for ids that don't belong to you in import.

We had concerns about the cached values on Redis with the previous two
releases strategy:

First release (this commit):
  - Create new encrypted fields in the database.
  - Start populating new encrypted fields, read the encrypted fields or
    fallback to the plaintext fields.
  - Backfill the data removing the plaintext fields to the encrypted
    fields.
Second release:
  - Remove the virtual attribute (created in step 2).
  - Drop plaintext columns from the database (empty columns after
    step 3).

We end up with a better strategy only using migration scripts in one
release:
  - Pre-deployment migration: Add columns required for storing encrypted
    values.
  - Pre-deployment migration: Store the encrypted values in the new
    columns.
  - Post-deployment migration: Remove the old unencrypted columns

When referencing cross-namespace labels, we append the namespace name
to the rendered label.

This MR escapes the name to prevent XSS attacks.

This is the plan to encrypt the plaintext tokens:

First release (this commit):
  1. Create new encrypted fields in the database.
  2. Start populating new encrypted fields, read the encrypted fields or
     fallback to the plaintext fields.
  3. Backfill the data removing the plaintext fields to the encrypted fields.

Second release:
  4. Remove the virtual attribute (created in step 2).
  5. Drop plaintext columns from the database (empty columns after step 3).

Notes related to branch creation should not be shown in an issue's
activity feed when the user doesn't have access to :download_code.

- if the user has access level lower than REPORTER,
don't include commit count in summary

Brandon Labuschagne authored 5 years ago and Aakriti Gupta committed 5 years ago

Default number of items is 3. If this is not the case,
then increase the column width of the summary items
to cater for 2 items plus the date filter.

Disabled features are ignored as they are grey areas

Some feature allows GUEST to access only if project is not private.
This method returns access level when targeting private projects.