Signed-off-by: Rémy Coutable <remy@rymai.me>

Closes #1185

Ensure external users are not able to clone disabled repositories.

EE MR for gitlab/gitlabhq!2017

See merge request !506

Signed-off-by: Rémy Coutable <remy@rymai.me>

Restore unauthenticated access to public container registries

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/24284



See merge request !2025

Signed-off-by: Rémy Coutable <remy@rymai.me>

Respect project visibility settings in the contributions calendar

This MR fixes a number of bugs relating to access controls and date selection of events for the contributions calendar

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/23403



See merge request !2019

Signed-off-by: Rémy Coutable <remy@rymai.me>

Ensure external users are not able to clone disabled repositories.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/23788



See merge request !2017

Signed-off-by: Rémy Coutable <remy@rymai.me>

Fix for HackerOne XSS vulnerability in markdown

This is an updated blacklist patch to fix https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2007. No text is removed. Dangerous schemes/protocols and invalid URIs are left intact but not linked.

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23153



See merge request !2015

Signed-off-by: Rémy Coutable <remy@rymai.me>

disable markdown in comments when referencing disabled features

fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23548



This MR prevents the following references when tool is disabled:

- issues
- snippets
- commits - when repo is disabled
- commit range - when repo is disabled
- milestones

This MR does not prevent references to repository files, since they are just markdown links and don't leak
information.

See merge request !2011

Signed-off-by: Rémy Coutable <remy@rymai.me>

Honour issue and merge request visibility in their respective finders

This MR fixes a security issue with the IssuesFinder and MergeRequestFinder where they would return items the user did not have permission to see. This was most visible on the issue and merge requests page for a group containing projects that had set their issues or merge requests to "private".

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/22481

See merge request !2000

It was previously possible for invalid credential errors to go unnoticed
in this task. Users would believe everything was configured correctly and
then sign in would fail with 'invalid credentials'. This adds a specific
bind check, plus catches errors connecting to the server. Also, specs :)

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

reactivates all tests and writes more tests for it

email token be reset

Signed-off-by: Rémy Coutable <remy@rymai.me>

Fixing rubocop violations

Relocated git_blame spec and fixed styling issue

Rewritten spinach git_blame tests to rspec feature tests

Fixing rubocop violations

Relocated git_blame spec and fixed styling issue

Rewritten spinach git_blame tests to rspec feature tests

Fixing rubocop violations

Rewritten spinach git_blame tests to rspec feature tests

Fixing rubocop violations

Rewritten spinach git_blame tests to rspec feature tests

Fixing rubocop violations

Relocated git_blame spec and fixed styling issue

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

[e44da1c] Add Label API expected keys to tests

[ac929c8] Update Label API documentation

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

This moves the code used for processing commits from GitPushService to
its own Sidekiq worker: ProcessCommitWorker.

Using a Sidekiq worker allows us to process multiple commits in
parallel. This in turn will lead to issues being closed faster and cross
references being created faster. Furthermore by isolating this code into
a separate class it's easier to test and maintain the code.

The new worker also ensures it can efficiently check which issues can be
closed, without having to run numerous SQL queries for every issue.

This class can be used to reduce a list of issues down to a subset based
on user permissions. This class operates in such a way that it can
reduce issues using as few queries as possible, if any at all.

These specs use raw Redis objects which can not use the memory based
caching mechanism used for tests. As such we have to explicitly flush
the data from Redis before/after each spec to ensure no data lingers on.

This method returns the project's ID, making ExternalIssue slightly more
compatible with Issue (which also defines the "project_id" method).

This method can be used to retrieve a list of projects for a user that
said user has reporter access to. This list is then be reduced down to
a specific set of projects. This allows you to reduce a list of projects
to a list of projects you have reporter access to in an efficient
manner.

Previously, we were calling `git update-ref <ref> <sha>` about 30 times per
test using `create(:project)` or similar.