Disabled features are ignored as they are grey areas

Some feature allows GUEST to access only if project is not private.
This method returns access level when targeting private projects.

Guest are blocked to certain feature when project is private,
therefore the scope would filter additionally with REPORTER level.

Remove impossible cases due to private project's features can only be
private or disabled.

Fix spec due to sidekiq indexing not triggered.

Update guest use cases: some features has additional constraint that
"Guest users are able to perform action on public/internal projects,
but not private ones."

[ci skip]

Improper access control allows the attacker to comment in internal commit after they are no longer admin

See merge request gitlab/gitlabhq!3498

Return 404 on LFS request if project doesn't exist

See merge request gitlab/gitlabhq!3507

Only assign merge params when allowed

See merge request gitlab/gitlabhq!3459

Merge branch 'security-2914-labels-visible-despite-no-access-to-issues-repositories-12-3' into '12-3-stable'

Labels visible despite no access to issues & repositories

See merge request gitlab/gitlabhq!3430

Project path reveals labels from Private project if the issue is moved to public project

See merge request gitlab/gitlabhq!3446

Merge branch 'security-ag-hide-private-members-in-project-member-autocomplete-12-3' into '12-3-stable'

Hide private members in project member autocomplete

See merge request gitlab/gitlabhq!3447

Private/internal repository enumeration via bruteforce on a vulnerable URL

See merge request gitlab/gitlabhq!3455

Mask sentry auth token

See merge request gitlab/gitlabhq!3463

Nested GraphQL query with circular relationship can cause Denial of Service

See merge request gitlab/gitlabhq!3467

Sanitize search text to prevent XSS

See merge request gitlab/gitlabhq!3468

Require Maintainer permission on group where project is transferred to

See merge request gitlab/gitlabhq!3472

Use the '\A' and '\z' regex anchors in `InternalRedirect` to mitigate an Open Redirect issue.

See merge request gitlab/gitlabhq!3475

Pass all wiki markup formats through our Banzai pipeline filters

See merge request gitlab/gitlabhq!3478

Handle Stored XSS for Grafana URL in settings

See merge request gitlab/gitlabhq!3482

- Extend Gitlab::UrlBlocker to allow relative urls (require_absolute
  setting).  The new `require_absolute` setting defaults to true,
  which is the existing behavior.

- Extend AddressableUrlValidator to accept `require_abosolute` and
  default to the existing behavior

- Add validation for ApplicationSetting#grafana_url to validate that
  the URL does not contain XSS but can be a valid relative or absolute
  url.

- In the case of existing stored URLs, validate the stored URL does
  not contain XSS. If the stored URL contains stored XSS or is an
  otherwise invalid URL, return the default database column value.

- Add tests for Gitlab::UrlBlocker to test require_absolute setting

- Add tests for AddressableUrlValidator

- Add tests for ApplicationSetting#grafana_url

Filter out search results based on permissions to avoid bugs leaking data

See merge request gitlab/gitlabhq!3495

When a user updates a merge request coming from a fork, they should
not be able to set `force_remove_source_branch` if they cannot push
code to the source project.

Otherwise developers of the target project could remove the source
branch of the source project by setting this flag through the API.

This will be used later for search filtering.

This is to be more consistent as there is already a :read_note policy in
NotePolicy. To keep other behaviour the same we've introduced a
Note#noteable_ability_name that is used anywhere this was expected.

Previously, when the wiki page format was anything other than `markdown`
or `asciidoc` the formatted content would be returned though a Gitaly
call. Gitaly in turn would delegate formatting to the gitlab-gollum-lib
gem, which in turn would delegate that to various gems (like RDoc for
`rdoc`) and then apply some very liberal sanitization.

It was too liberal!

This change brings our wiki content formatting in line with how we
format other markdown at GitLab, so we have a SSOT for sanitization.

https://gitlab.com/gitlab-org/gitlab/issues/30540

This makes it so we mask Sentry's auth token. This mask only occurs in
the UI.

Fixes https://dev.gitlab.org/gitlab/gitlabhq/issues/2934 and https://gitlab.com/gitlab-org/gitlab/issues/33569

This method, #route_not_found, is executed as the final fallback for
unrecognized routes (as the name might imply.) We want to avoid
`#authenticate_user!` when calling `#route_not_found`;
`#authenticate_user!` can, depending on the request format, return a 401
instead of redirecting to a login page. This opens a subtle security
exploit where anonymous users will receive a 401 response when
attempting to access a private repo, while a recognized user will
receive a 404, exposing the existence of the private, hidden repo.