Douwe Maan authored 6 years ago and Mark Fletcher committed 6 years ago

Server Side Request Forgery in Services and Web Hooks

See merge request gitlab/gitlabhq!2337

Closes #43887.

Index creation does not have an effect if the index is present already.
Index removal does not have an affect if the index is not present.

This helps to avoid patterns like this in migrations:
```
if index_exists?(...)
  remove_concurrent_index(...)
end
```

This should simplify refactoring and allow testing

Split repository search result on \n instead of $ to prevent the items of the array to start with a newline. Remove the strip from parsing the search result to keep result endlines.

These can be a `BatchLoader` which is proxying a nil, while not being concrete
nils themselves.

and fixes the project description not being imported

Closes #43355

This is most a backport of
https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/4987/diffs but includes
other columns that use column_exists? in a way that may cause unnecessary
schema loads.

Carried over from https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/8857

Previously, we kept them all in the cache. We don't need the highlight results
for older diffs - if someone does view that (which is rare), we can do the
highlighting on the fly.

When importing from a GitLab archive, an admin can carry over the
assignations. Other users can not.

When a regular user is importing an issue with multiple assignees, the
assignee is replaced with the current user, meaning we would try to
insert current user as an assignee multiple times.

By filtering the array before storing it, the import becomes more
robust.

Prior to this change, this method was called add_namespace, which broke
the CRUD convention and made it harder to grep for what I was looking
for. Given the change was a find and replace kind of fix, this was
changed without opening an issue and on another feature branch.

If more dynamic calls are made to add_namespace, these could've been
missed which might lead to incorrect bahaviour. However, going through
the commit log it seems thats not the case.

Previously, we only handled non-ASCII file contents, but the name itself can be
non-ASCII.

We still have >100K unmigrated MergeRequestDiffs
which don't have commits_count set yet (see
https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/17567#note_61904891)

This migration re-schedules the original background migration.
To assure that records are not processed twice, records with
commits_count set are skipped.

Related to #41698 and !17567

Adds detailed_status to pipeline hook data
Adds detailed_description option for Services
Integration edit page renders 404 if a service is disabled

The query becomes a lot simpler if we can check the branch name as
well instead of having to load all branch names.

When an MR is created using `allow_maintainer_to_push`, we enable some
abilities while the MR is open.

This should allow every user with developer abilities on the target
project, to push to the source project.

When a project is not private, and the source branch not protected the
user can now select the option to allow maintainers to push to this
branch