[merge-train skip]

[ci skip]

[ci skip]

Prevent GraphQL API access by deactivated users

See merge request gitlab-org/security/gitlab!1527

Bump rails gem version to 6.0.3.7

See merge request gitlab-org/security/gitlab!1516

Limit creation of issues based on issue type

See merge request gitlab-org/security/gitlab!1481

Copy feature visibility settings to a fork

See merge request gitlab-org/security/gitlab!1524

Update rdoc to 6.3.1

See merge request gitlab-org/security/gitlab!1535

Add new username validation

See merge request gitlab-org/security/gitlab!1497

Avoid disclosing project in web IDE

See merge request gitlab-org/security/gitlab!1513

Clipboard DOM-based XSS in Markdown [RUN AS-IF-FOSS]

See merge request gitlab-org/security/gitlab!1452

Add sanitizing for name field

See merge request gitlab-org/security/gitlab!1491

Fix XSS in release Edits

See merge request gitlab-org/security/gitlab!1485

Fix XSS on audit log for feature flag actions

See merge request gitlab-org/security/gitlab!1475

Update Nokogiri to 1.11.4

See merge request gitlab-org/security/gitlab!1480

Add omniauth_user check when verifying user cap

See merge request gitlab-org/security/gitlab!1503

Add total http read timeout

See merge request gitlab-org/security/gitlab!1393

Some users can push to Protected Branch with Deploy keys

See merge request gitlab-org/security/gitlab!1477

Fix merge request diff display issue with unsupported encoding

See merge request gitlab-org/security/gitlab!1425

Igor Drozdov authored 3 years ago and Thong Kuah committed 3 years ago

It contains multiple security fixes.

One of them prevents string polymorphic route arguments and
causes some additional changes to be made along with just bumping
gem version

Changelog: security

Created a fork because rdoc 6.3.1 is missing a file.

Changelog: security

This ensures that deactivated users (and other users who fail the
`api_access` check, such as blocked users, or users who haven't accepted
terms of service) get a forbidden response from the GraphQL API
endpoint.

Changelog: security

Changelog: security

When a public project with a private feature is forked,
it's expected that the fork will also have the feature private

For example, forking a public project with private repo might
accidently lead to a repository code exposure

Changelog: security

Checking user identities presence in that check.
Also added related rspecs.

Changelog: added
EE: true

In this commit we avoid disclosing project info
through the web IDE by checking if the user
can read the project.

Changelog: security

Changelog: security

Changelog: security

Ensure test case and requirement issues are only
creatable on EE with requisite permissions.

Changelog: security

Changelog: security

This commit fixes the vulnerability that
deploy key access check for protected branch wrongly
falls back to role-based permission check to authorize
the user to have Maintainer access.

Changelog: security

An adversary can craft a malicious link in the feature flag
description. This action creates an audit event which is then presented
to an administrator. Clicking on the link will grant admin role to the
adversary.

This change ensures that:

- HTML tags are removed before rendering the audit log actions
- HTML tags are removed in feature flag related audit event messages
- HTML tags are removed when saving `custom_message` in audit events

Changelog: security

[merge-train skip]

[ci skip]

Use tag helper for javascript tag in redirect

See merge request gitlab-org/security/gitlab!1458

This will automatically include the nonce for CSP

This commit adds sanitation to the innerHTML input
on the pasteGFM function which caused a XSS Vulnerability.

Changelog: security

Bump BinData version

See merge request gitlab-org/security/gitlab!1403