[merge-train skip]

[ci skip]

[ci skip]

[ci skip]

Escape HTML on scoped labels tooltip

See merge request gitlab-org/security/gitlab!1325

Fixes XSS with source branch in the merge request sidebar

See merge request gitlab-org/security/gitlab!1320

Merge branch 'security-360-prevent-any-users-from-deleting-metrics-issue-images-13-8' into '13-8-stable-ee'

Adjust issuable policy for metric images

See merge request gitlab-org/security/gitlab!1307

Only accept POST request to trigger system hooks

See merge request gitlab-org/security/gitlab!1313

Leave pool repository on fork unlinking

See merge request gitlab-org/security/gitlab!1297

Prevent infinite loop when checking if collaboration is allowed

See merge request gitlab-org/security/gitlab!1295

Kroki Arbitrary File Read/Write

See merge request gitlab-org/security/gitlab!1285

Cherry-pick mimemagic-related changes to 13-8-stable-ee

See merge request gitlab-org/gitlab!57616

Use ruby-magic-static for the time being

See merge request gitlab-org/gitlab!57487

Use upstream ruby-magic project

See merge request gitlab-org/gitlab!57463

Don't use Git in the mimemagic shim

See merge request gitlab-org/gitlab!57516

Update ruby-magic-static to v0.3.1

See merge request gitlab-org/gitlab!57458

Create a fake mimemagic gem in the vendors folder [RUN ALL RSPEC] [RUN AS-IF-FOSS]

See merge request gitlab-org/gitlab!57443

Replace mimemagic dependency and introduce a Gitlab::Utils::MimeType class

See merge request gitlab-org/gitlab!57387

Initial introduction of Gitlab::Utils::MimeType class

See merge request gitlab-org/gitlab!57421

Remove hipchat gem, and make HipChat service a no-op

See merge request gitlab-org/gitlab!57434

https://gitlab.com/gitlab-org/security/gitlab/-/issues/365

Adding changelog for system hooks trigger

Adding the changelog file security-trigger-system-hook-by-post.yml

Added spec for POST request to system hooks

Remove GET request endpoints for system hooks

- Prevent non members from having destructive permisions

When a visibility of a repository changes
we need to leave the pool in order to avoid
accessing objects via forks that are attached
to the same pool

Locked attributes should not be able to be
overridden using a {counter}.
Added specs for updated kroki gem as well.

[merge-train skip]

[ci skip]

[ci skip]

[ci skip]

Patch Kramdown syntax highlighter gem

See merge request gitlab-org/security/gitlab!1292

When there are merge requests in the same project that have their
source/target branches to each other and collaboration is allowed,
it can result to an infinite loop when a Reporter/Guest views a
project.

This fix adds a `skip_collaboration_check` to `Gitlab::UserAccess`
so when `Project#fetch_branch_allows_collaboration` calls
`MergeRequest#can_be_merged_by?` (which calls `Gitlab::UserAccess`
again), it will not check if collaboration is allowed.

This restricts Rouge formatters to the Rouge::Formatters namespace to
prevent arbitrary classes from being instantiated.

Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/324452

[merge-train skip]

[ci skip]

[ci skip]

[ci skip]

Workhorse: prevent escaped router path traversal

See merge request gitlab-org/security/gitlab!1266