This was shown in specs but surely this will be happening in application
code as well if this method is passes a frozen string.

We were also trying to force_encode a OmniAuth::AuthHash which had the
very confusing behaviour of returning nil when it was sent a method that
it did not define. Fix that by only force_encoding a String.

Reuben Pereira authored 5 years ago and Mayra Cabrera committed 5 years ago

Signed-off-by: Istvan szalai <istvan.szalai@savoirfairelinux.com>

EE adds this method to Gitlab::Utils, which is also required by our
SimpleCov helper. This prevents us from injecting EE modules into
Gitlab::Utils, because the necessary bits for this are not yet in place.

To work around this we just backport try_megabytes_to_bytes, as there's
no particular reason to keep this in EE only.

These are data columns that store runtime configuration
of build needed to execute it on runner and within pipeline.

The definition of this data is that once used, and when no longer
needed (due to retry capability) they can be freely removed.

They use `jsonb` on PostgreSQL, and `text` on MySQL (due to lacking
support for json datatype on old enough version).

Signed-off-by: Rémy Coutable <remy@rymai.me>

The API permits path traversal characters like '../' to be passed down
to the template finder. Detect these requests and cause them to fail
with a 500 response code.

In Ruby 2.4, `URI.join("http://test//", "a").to_s` will
remove the double slash, however it's not the case in
Ruby 2.5. Using chomp should work better for the intention,
as we're not trying to allow things like ../ or / paths
resolution.

This helper method append path to host, making sure
there's one single slash as path separator.

Fix https://gitlab.com/gitlab-org/gitlab-ee/issues/4474

Conflicts:
	db/schema.rb
	ee/app/controllers/ee/admin/application_settings_controller.rb
	ee/app/helpers/ee/application_settings_helper.rb
	ee/app/models/ee/application_setting.rb
	ee/app/models/license.rb
	ee/app/views/layouts/service_desk.html.haml
	ee/app/views/notify/approved_merge_request_email.html.haml
	ee/app/views/notify/service_desk_new_note_email.text.erb
	ee/app/views/notify/service_desk_thank_you_email.text.erb
	ee/app/views/notify/unapproved_merge_request_email.html.haml
	ee/lib/ee/api/entities.rb
	ee/spec/controllers/admin/application_settings_controller_spec.rb
	ee/spec/models/application_setting_spec.rb
	ee/spec/requests/api/settings_spec.rb
	lib/api/settings.rb
	spec/mailers/previews/notify_preview.rb

Merge branch '41293-fix-command-injection-vulnerability-on-system_hook_push-queue-through-web-hook' into 'security-10-3'

Don't allow line breaks on HTTP headers

See merge request gitlab/gitlabhq!2277

(cherry picked from commit 7fc0a6fc096768a5604d6dd24d7d952e53300c82)

073b8f9c Don't allow line breaks on HTTP headers

https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/5734#note_14056642

This reverts commit b33d4bc2.

This reverts commit 0b1084a4.

It pollutes the test output too much.