Marin Jankovski authored 6 years ago and John Jarvis committed 6 years ago

This reverts merge request !17871

Patrick Bajao authored 6 years ago and Nick Thomas committed 6 years ago

When `force` is set to `true` and `start_branch` is set, the
branch will be ovewritten with the new commit based on the
`HEAD` of the `start_branch`.

This commit includes changes to update the `gitaly-proto` gem.

We've previously exposed ca_file and ssl_version but there are many
possible options that can be used inside tls_options. Instead of
exposing individual ones, simply expose the entire hash so it can
be passed in and we won't have to add things in the future.

1.4.1 contains a number of bug fixes and performance improvements:
https://github.com/Shopify/bootsnap/blob/master/CHANGELOG.md

Fixes issue with AWS V4 signatures not working with Ceph S3:
https://github.com/fog/fog-aws/issues/462

Adds the ground work for writing into
the merge ref refs/merge-requests/:iid/merge the
merge result between source and target branches of
a MR, without further side-effects such as
mailing, MR updates and target branch changes.

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

Webmock 3.5.0 brings Ruby 2.6 support.

Unicorn 5.3.1 fixes a GC issue that causes a crash, and Unicorn 5.4.1
quiets some warnings for Ruby 2.6. More details:

https://github.com/defunkt/unicorn/releases

This release fixes a bug in handling certain ed25519 keys. For more
details, see this GitHub issue:

https://github.com/bensie/sshkey/issues/34

Upgrade gitaly-proto to 1.10.0 to have this field.

This engine was replaced with CommonMarker in 11.4, it was deprecated
since then.

In commit 6fa5fd85 the `require: false`
was removed to ensure the Gem was loaded at run time. Unfortunately, the
`require` necessary for the rubyzip Gem is "zip" and not "rubyzip". As a
result, Bundler would not require the Gem. This meant that we would
still run into constant errors when referring to `Zip::File`.

pages:deploy step was failing with the following error:

```
unitialized constant SafeZip::Extract::Zip
```

Since license_finder already pulls in rubyzip, we can make it
a required gem. We also use the scope operator to make the reference to
Zip::File explicit.

RubyZip allows us to perform strong validation of
expanded paths where we do extract file.

We introduce the following additional checks
to extract routines:

1. None of path components can be symlinked,
2. We drop privileges support for directories,
3. Symlink source needs to point within the target directory,
   like `public/`,
4. The symlink source needs to exist ahead of time.

v2.1.0 was published wrongly by the package author.

In commit 6fa5fd85 the `require: false`
was removed to ensure the Gem was loaded at run time. Unfortunately, the
`require` necessary for the rubyzip Gem is "zip" and not "rubyzip". As a
result, Bundler would not require the Gem. This meant that we would
still run into constant errors when referring to `Zip::File`.

pages:deploy step was failing with the following error:

```
unitialized constant SafeZip::Extract::Zip
```

Since license_finder already pulls in rubyzip, we can make it
a required gem. We also use the scope operator to make the reference to
Zip::File explicit.

http_max_redirects was introduced in 4.2.2, so upgrade kubeclient.

The monkey-patch was global so we will have to check that all instances
of Kubeclient::Client are handled.

Spec all methods of KubeClient

This should provide better confidence that we are indeed disallowing
redirection in all cases

RubyZip allows us to perform strong validation of
expanded paths where we do extract file.

We introduce the following additional checks
to extract routines:

1. None of path components can be symlinked,
2. We drop privileges support for directories,
3. Symlink source needs to point within the target directory,
   like `public/`,
4. The symlink source needs to exist ahead of time.

This change will instantiate an OpenTracing tracer and configure it
as the global tracer when the GITLAB_TRACING environment variable is
configured. GITLAB_TRACING takes a "connection string"-like value,
encapsulating the driver (eg jaeger, etc) and options for the driver.

Since each service, whether it's written in Ruby or Golang, uses the
same connection-string, it should be very easy to configure all
services in a cluster, or even a single development machine to be
setup to use tracing.

Note that this change does not include instrumentation or propagation
changes as this is a way of breaking a previous larger change into
components. The instrumentation and propagation changes will follow
in separate changes.

and truncato to 0.7.11

This will allow developers to run `bundle install` on both directories
and avoid additional calls to RubyGems for local development. Also sets
up the possibility of improved caching as mentioned in
https://gitlab.com/gitlab-org/gitlab-ce/issues/55843.

This prevents us from shipping duplicate versions of this gem.

* omniauth-google-oauth2: Google will be deprecating its support for the
Google+ API, which currently omniauth-google-oauth2 uses to retrieve
user info. The bump in omniauth-google-oauth2 requires an upgrade to
ruby-jwt v2+ to support the verification of multiple issue providers
(https://github.com/zquestz/omniauth-google-oauth2/pull/345).

* jwt: This has the most number of changes that need to be
reviewed: https://github.com/jwt/ruby-jwt/blob/master/CHANGELOG.md

* oauth2: Needed to support ruby-jwt v2+:
https://github.com/oauth-xx/oauth2/blob/master/CHANGELOG.md

* omniauth-azure-oauth2 needs a version bump to support ruby-jwt v2+.

* omniauth: This version bump only involves backstage improvements:
https://github.com/omniauth/omniauth/releases

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/55668

Full list of changes:
https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md

should fix issue with:
undefined method `schema_migrations_table_name'
for ActiveRecord::Migrator:Class

https://gitlab.com/gitlab-org/gitlab-ee/-/jobs/135978879

Fix the CVE-2018-16476 vulnerability.

Fixes: ActionView::Template::Error (undefined method `add_class' for #<Nokogiri::XML::Element:0x0055dbff5252e8>