[merge-train skip]

[ci skip]

[ci skip]

Merge QA fixes into '14-1-stable-ee' for 14.1.8 patch release.

See merge request gitlab-org/gitlab!74395

Fix 2FA e2e tests by setting user password

See merge request gitlab-org/gitlab!71528

(cherry picked from commit edd83af0)

04565a60 Set user password when enabling 2FA

Fix alpine permission and refactor test

See merge request gitlab-org/gitlab!66579

(cherry picked from commit 9490c0dc)

767d9169 Fix alpine permission and refactor test

Prepare 14.1.8-ee release

See merge request gitlab-org/gitlab!73980

Douglas Barbosa Alexandre authored 3 years ago and GitLab Release Tools Bot committed 3 years ago

See https://gitlab.com/gitlab-org/gitlab/-/merge_requests/73952

Changelog: fixed
EE: true

Mike Kozono authored 3 years ago and GitLab Release Tools Bot committed 3 years ago

Changelog: changed
EE: true

Mike Kozono authored 3 years ago and GitLab Release Tools Bot committed 3 years ago

For retries of failed syncs.

Changelog: changed
EE: true

Mike Kozono authored 3 years ago and GitLab Release Tools Bot committed 3 years ago

This applies to retry attempts of project and project-wiki Git repos
which failed to sync.

Changelog: changed
EE: true

Mike Kozono authored 3 years ago and GitLab Release Tools Bot committed 3 years ago

The redownload flow has risks, see
https://gitlab.com/gitlab-org/gitlab/-/issues/332151.
Therefore, don't use it until it is more clearly necessary.

This will make Geo use the normal flow for the first 10 retries, so
the redownload flow won't be used until about 2.5 hours of failed
retries.

Changelog: changed
EE: true

[merge-train skip]

[ci skip]

[ci skip]

Ensure disabled import source is always respected

See merge request gitlab-org/security/gitlab!1851

Return 404 if model id wasn't passed to UploadsController

See merge request gitlab-org/security/gitlab!1845

Scrub artifacts signed URL in SendEntry logs

See merge request gitlab-org/security/gitlab!1842

Prevent users from bypassing 2FA on certain pages

See merge request gitlab-org/security/gitlab!1829

Merge branch 'security-506-import-pending-members-from-public-projects-or-private-projects-if-you-have-guest-role-14-1' into '14-1-stable-ee'

Project members import authorization fix

See merge request gitlab-org/security/gitlab!1860

Escapes MR approval rule names correctly

See merge request gitlab-org/security/gitlab!1809

Merge branch 'security-security_dblessing_access_token_impersonation_leak-14-1' into '14-1-stable-ee'

Clear session access tokens when starting/stopping impersonation

See merge request gitlab-org/security/gitlab!1833

Prevent double-impersonation and impersonation breakout

See merge request gitlab-org/security/gitlab!1836

Check permitted groups for shared groups autocomplete

See merge request gitlab-org/security/gitlab!1806

Merge branch 'security-496-permission-check-issuable-template-API-fields-14-1' into '14-1-stable-ee'

Check permissions for Project API issuable default template fields

See merge request gitlab-org/security/gitlab!1787

Apply account locking to password reset page

See merge request gitlab-org/security/gitlab!1784

Enforce configured scopes for OAuth applications

See merge request gitlab-org/security/gitlab!1781

Use validated URL when sending request to Gitea Importer

See merge request gitlab-org/security/gitlab!1820

Do not export and import repository_size_limit

See merge request gitlab-org/security/gitlab!1768

Disable exporting pipeline triggers on project export

See merge request gitlab-org/security/gitlab!1790

Bypass Disabled Bitbucket Server import source Project Creation

See merge request gitlab-org/security/gitlab!1848

Fix stored XSS in GFM auto-complete

See merge request gitlab-org/security/gitlab!1748

Merge branch 'security-493-project-access-tokens-can-be-used-as-back-doors-14-1' into '14-1-stable-ee'

Project access tokens can be used as "back doors"

See merge request gitlab-org/security/gitlab!1812

Users with expired password can still access API and Git with token

See merge request gitlab-org/security/gitlab!1755

2FA bypass using git command

See merge request gitlab-org/security/gitlab!1796

Prevent showing not allowed subgroup epics

See merge request gitlab-org/security/gitlab!1766

Verify state before using errors from OAuth2 OmniAuth providers

See merge request gitlab-org/security/gitlab!1778