[ci skip]

Backport reliable fetcher to 12.1

See merge request gitlab/gitlabhq!3584

backport https://gitlab.com/gitlab-org/gitlab/commit/2be136b6cdf59f4664d9fbbe91e16498a47ba227
see https://gitlab.com/gitlab-org/gitlab/commit/3baeb0c7fd6829b8c083a43370163d16f7700263
see https://gitlab.com/gitlab-org/gitlab/merge_requests/21161

Sanitize search text to prevent XSS

See merge request gitlab/gitlabhq!3471

Handle Stored XSS for Grafana URL in settings

See merge request gitlab/gitlabhq!3483

- Extend Gitlab::UrlBlocker to allow relative urls (require_absolute
  setting).  The new `require_absolute` setting defaults to true,
  which is the existing behavior.

- Extend AddressableUrlValidator to accept `require_abosolute` and
  default to the existing behavior

- Add validation for ApplicationSetting#grafana_url to validate that
  the URL does not contain XSS but can be a valid relative or absolute
  url.

- In the case of existing stored URLs, validate the stored URL does
  not contain XSS. If the stored URL contains stored XSS or is an
  otherwise invalid URL, return the default database column value.

- Add tests for Gitlab::UrlBlocker to test require_absolute setting

- Add tests for AddressableUrlValidator

- Add tests for ApplicationSetting#grafana_url

[ci skip]

[ci skip]

Fix private feature Elasticsearch leak

See merge request gitlab/gitlabhq!3452

Add spec to test different combinations.
Accept string for required_minimum_access_level
Allow more flexible project membership query

Fix broken specs : Generate new GPG key in place of expired one

Closes #32956

See merge request gitlab-org/gitlab!17853

[ci skip]

Fix Gitaly SearchBlobs flag RPC injection [Gitaly v1.53.4]

See merge request gitlab/gitlabhq!3435

Check that SAML identity linking validates the origin of the request

See merge request gitlab/gitlabhq!3376

Gitlab XSS in markdown preview page

See merge request gitlab/gitlabhq!3400

Merge branch 'security-12717-fix-confidential-issue-assignee-visible-to-guests-12-1' into '12-1-stable'

Display only participants that user has permission to see

See merge request gitlab/gitlabhq!3403

Prevent Bypassing Email Verification using Salesforce

See merge request gitlab/gitlabhq!3407

Only render fixed number of mermaid blocks

See merge request gitlab/gitlabhq!3413

Hide disabled project milestones in project settings on group level

See merge request gitlab/gitlabhq!3416

Redirect user to root path after unsubscribing from private resource

See merge request gitlab/gitlabhq!3418

Add policy check if cross reference system notes are accessible

See merge request gitlab/gitlabhq!3428

Cancel all running CI jobs when user is blocked

See merge request gitlab/gitlabhq!3438

Filter not accessible label events

See merge request gitlab/gitlabhq!3442

Add argument to catch

See merge request gitlab-org/gitlab-ee!15911

Label events may use cross-project or cross-group references,
if the projects are not accessible by user, we don't show these
label events.

This prevents a MITM attack where attacker could
still access Git repository if any jobs were
running long enough.

If user unsubsrcribes from a resource that they no longer have
access to they should not be revealed the resource path, but be
redirected to app root instead.

https://gitlab.com/gitlab-org/gitlab-ce/issues/64938

[ci skip]