Add latest changes from gitlab-org/gitlab@master

Author: GitLab Bot

.rubocop_todo/layout/line_length.yml

@@ -1804,7 +1804,6 @@ Layout/LineLength:
     - 'ee/spec/requests/api/related_epic_links_spec.rb'
     - 'ee/spec/requests/api/releases_spec.rb'
     - 'ee/spec/requests/api/resource_iteration_events_spec.rb'
-    - 'ee/spec/requests/api/search_spec.rb'
     - 'ee/spec/requests/api/settings_spec.rb'
     - 'ee/spec/requests/api/status_checks_spec.rb'
     - 'ee/spec/requests/api/users_spec.rb'

.rubocop_todo/performance/map_compact.yml

@@ -69,7 +69,6 @@ Performance/MapCompact:
     - 'ee/lib/gitlab/ci/reports/metrics/reports_comparer.rb'
     - 'ee/lib/gitlab/search/aggregation_parser.rb'
     - 'ee/spec/models/ee/member_spec.rb'
-    - 'ee/spec/requests/api/search_spec.rb'
     - 'haml_lint/linter/no_plain_nodes.rb'
     - 'lib/api/entities/feature.rb'
     - 'lib/api/helpers/common_helpers.rb'

.rubocop_todo/rails/pluck.yml

@@ -71,7 +71,6 @@ Rails/Pluck:
     - 'ee/spec/requests/api/protected_environments_spec.rb'
     - 'ee/spec/requests/api/protected_tags_spec.rb'
     - 'ee/spec/requests/api/releases_spec.rb'
-    - 'ee/spec/requests/api/search_spec.rb'
     - 'ee/spec/requests/api/status_checks_spec.rb'
     - 'ee/spec/requests/api/users_spec.rb'
     - 'ee/spec/requests/api/vulnerabilities_spec.rb'

.rubocop_todo/rspec/before_all_role_assignment.yml

@@ -470,7 +470,6 @@ RSpec/BeforeAllRoleAssignment:
     - 'ee/spec/requests/api/related_epic_links_spec.rb'
     - 'ee/spec/requests/api/repositories_spec.rb'
     - 'ee/spec/requests/api/saml_group_links_spec.rb'
-    - 'ee/spec/requests/api/search_spec.rb'
     - 'ee/spec/requests/api/todos_spec.rb'
     - 'ee/spec/requests/api/vulnerabilities_spec.rb'
     - 'ee/spec/requests/api/vulnerability_exports_spec.rb'

CHANGELOG.md

@@ -2,6 +2,23 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 17.4.2 (2024-10-09)
+
+### Fixed (1 change)
+
+- [Drop project_id not null constraint ci_deleted_objects](https://gitlab.com/gitlab-org/security/gitlab/-/commit/e02a0c065456a51ad57a93d56150271cc4dd442e)
+
+### Security (8 changes)
+
+- [Do not create a pipeline on MR refresh if source branch was deleted](https://gitlab.com/gitlab-org/security/gitlab/-/commit/66c4e57a3494686a9dc6058d2348074b465f5dd3) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4522))
+- [Escape OAuth application name on authorize page](https://gitlab.com/gitlab-org/security/gitlab/-/commit/293bb1f70c681b75672e0b41af84ab5ae47d1e1e) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4517))
+- [Prevent guest access to project templates](https://gitlab.com/gitlab-org/security/gitlab/-/commit/544398bdf7ea2b81100f8b95496f14d9b4698db8) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4477))
+- [Remove access to local requests via cube query service](https://gitlab.com/gitlab-org/security/gitlab/-/commit/86894edacdaf1cad4b0e85f71918109d48013ccb) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4492))
+- [External webhook token should be set](https://gitlab.com/gitlab-org/security/gitlab/-/commit/70fb8bebe2e8f1b85d625a8e496515c3f7e0e6d8) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4510))
+- [Skip content when listing conflict files with types](https://gitlab.com/gitlab-org/security/gitlab/-/commit/c19d8a96d103680ec874327c1631e179e17da06a) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4513))
+- [Hide version info from unauthorized users](https://gitlab.com/gitlab-org/security/gitlab/-/commit/0dd81e22f819f916c50cf531fa769000e9b5941b) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4500))
+- [Prevent deploy keys from pushing code to an archived project](https://gitlab.com/gitlab-org/security/gitlab/-/commit/ed7a5173cae50f610d2c0263197f7996653cfc10) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4486))
+
 ## 17.4.1 (2024-09-24)
 
 ### Fixed (2 changes)
@@ -872,6 +889,23 @@ entry.
 
 - [Update learn more link and docs formatting](https://gitlab.com/gitlab-org/gitlab/-/commit/6f536fdb20c2d2b96124afe693042c91483a32b2) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164889))
 
+## 17.3.5 (2024-10-09)
+
+### Fixed (1 change)
+
+- [Ensure levels is an array](https://gitlab.com/gitlab-org/security/gitlab/-/commit/74594891f31984feaaae6a069f057d6f48a489a6)
+
+### Security (8 changes)
+
+- [Do not create a pipeline on MR refresh if source branch was deleted](https://gitlab.com/gitlab-org/security/gitlab/-/commit/c36869b2e5cb0f88793bec7e20ded3e4d005f942) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4523))
+- [Escape OAuth application name on authorize page](https://gitlab.com/gitlab-org/security/gitlab/-/commit/b5a704563f746e5c61301d3a7db0eab68d434e24) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4518))
+- [Prevent guest access to project templates](https://gitlab.com/gitlab-org/security/gitlab/-/commit/92d177e2c5aaafb4f74bc2ceafe39b9a068e803d) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4449))
+- [Remove access to local requests via cube query service](https://gitlab.com/gitlab-org/security/gitlab/-/commit/7043d0116cbf2051907dfd88d56ed3f847ab95b2) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4493))
+- [External webhook token should be set](https://gitlab.com/gitlab-org/security/gitlab/-/commit/77c2a678acfc6fded56c6e10147701b6ef7aaeb5) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4511))
+- [Skip content when listing conflict files with types](https://gitlab.com/gitlab-org/security/gitlab/-/commit/2b559425cb195a78007db930cbbf8450b5254c89) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4514))
+- [Hide version info from unauthorized users](https://gitlab.com/gitlab-org/security/gitlab/-/commit/94e70d423789a50fc8e172b002bf1428593bbc51) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4501))
+- [Prevent deploy keys from pushing code to an archived project](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3cd52356b4b1194e7108af832d5da4087e4be05c) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4487))
+
 ## 17.3.4 (2024-09-24)
 
 ### Security (3 changes)
@@ -1662,6 +1696,23 @@ No changes.
 - [Dynamically gets the column type for assertion](https://gitlab.com/gitlab-org/gitlab/-/commit/1389a3daffd104925cce71776903cbf527723222) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/159099))
 - [Quarantine a flaky test](https://gitlab.com/gitlab-org/gitlab/-/commit/c94fca35b909440ec66ea35c97ab11aa847dde58) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/158180))
 
+## 17.2.9 (2024-10-09)
+
+### Fixed (1 change)
+
+- [Ensure levels is an array](https://gitlab.com/gitlab-org/security/gitlab/-/commit/d5450d020895b9fab3c7c6ad4191001308590899)
+
+### Security (8 changes)
+
+- [Do not create a pipeline on MR refresh if source branch was deleted](https://gitlab.com/gitlab-org/security/gitlab/-/commit/3dd89a71b436e8218a5d159a1dd75cb2de078129) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4524))
+- [Escape OAuth application name on authorize page](https://gitlab.com/gitlab-org/security/gitlab/-/commit/b5cf4d286ae83033912e342177a501ffc2ad6a53) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4519))
+- [Prevent guest access to project templates](https://gitlab.com/gitlab-org/security/gitlab/-/commit/9666414231dbfc03eb0711ec501b7d02665120df) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4450))
+- [Remove access to local requests via cube query service](https://gitlab.com/gitlab-org/security/gitlab/-/commit/1a46c8c1753f08ba55e8a0d2fbcbc710feecf898) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4494))
+- [External webhook token should be set](https://gitlab.com/gitlab-org/security/gitlab/-/commit/c795ea96a4dac381cf434aa7e3f379907ec6366d) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4512))
+- [Skip content when listing conflict files with types](https://gitlab.com/gitlab-org/security/gitlab/-/commit/c7f598b42b0c6cd68cdcdb8b79293e7e2b22b457) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4515))
+- [Hide version info from unauthorized users](https://gitlab.com/gitlab-org/security/gitlab/-/commit/0184d4e9c665c209e1c67eff2da9059e17304f1d) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4502))
+- [Prevent deploy keys from pushing code to an archived project](https://gitlab.com/gitlab-org/security/gitlab/-/commit/0a5dc2f0b302123a941a4676eedd52c3423ef73b) ([merge request](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4488))
+
 ## 17.2.8 (2024-09-24)
 
 ### Security (3 changes)

app/assets/javascripts/super_sidebar/components/help_center.vue

@@ -48,19 +48,7 @@ export default {
   },
   computed: {
     itemGroups() {
-      return {
-        versionCheck: {
-          items: [
-            {
-              text: this.$options.i18n.version,
-              href: helpPagePath('update/index'),
-              version: `${this.sidebarData.gitlab_version.major}.${this.sidebarData.gitlab_version.minor}`,
-              extraAttrs: {
-                ...this.trackingAttrs('version_help_dropdown'),
-              },
-            },
-          ],
-        },
+      const groups = {
         helpLinks: {
           items: [
             {
@@ -157,6 +145,23 @@ export default {
           ].filter(Boolean),
         },
       };
+
+      if (this.sidebarData.show_version_check) {
+        groups.versionCheck = {
+          items: [
+            {
+              text: this.$options.i18n.version,
+              href: helpPagePath('update/index'),
+              version: `${this.sidebarData.gitlab_version.major}.${this.sidebarData.gitlab_version.minor}`,
+              extraAttrs: {
+                ...this.trackingAttrs('version_help_dropdown'),
+              },
+            },
+          ],
+        };
+      }
+
+      return groups;
     },
     updateSeverity() {
       return this.sidebarData.gitlab_version_check?.severity;

app/helpers/diff_helper.rb

@@ -266,7 +266,12 @@ def conflicts_with_types
     return unless merge_request.cannot_be_merged? && merge_request.source_branch_exists? && merge_request.target_branch_exists?
 
     cached_conflicts_with_types do
-      conflicts_service = MergeRequests::Conflicts::ListService.new(merge_request, allow_tree_conflicts: true) # rubocop:disable CodeReuse/ServiceClass
+      # We set skip_content to true since we don't really need the content to list the conflicts and their types
+      conflicts_service = MergeRequests::Conflicts::ListService.new( # rubocop:disable CodeReuse/ServiceClass
+        merge_request,
+        allow_tree_conflicts: true,
+        skip_content: true
+      )
 
       {}.tap do |h|
         conflicts_service.conflicts.files.each do |file|

app/helpers/sidebars_helper.rb

@@ -43,24 +43,20 @@ def super_sidebar_context(user, group:, project:, panel:, panel_type:) # rubocop
   end
 
   def super_sidebar_logged_out_context(panel:, panel_type:) # rubocop:disable Metrics/AbcSize
-    {
+    super_sidebar_instance_version_data.merge(super_sidebar_whats_new_data).merge({
       is_logged_in: false,
       context_switcher_links: context_switcher_links,
       current_menu_items: panel.super_sidebar_menu_items,
       current_context_header: panel.super_sidebar_context_header,
       support_path: support_url,
       docs_path: help_docs_path,
       display_whats_new: display_whats_new?,
-      whats_new_most_recent_release_items_count: whats_new_most_recent_release_items_count,
-      whats_new_version_digest: whats_new_version_digest,
       show_version_check: show_version_check?,
-      gitlab_version: Gitlab.version_info,
-      gitlab_version_check: gitlab_version_check,
       search: search_data,
       panel_type: panel_type,
       shortcut_links: shortcut_links,
       terms: terms_link
-    }
+    })
   end
 
   def super_sidebar_logged_in_context(user, group:, project:, panel:, panel_type:) # rubocop:disable Metrics/AbcSize
@@ -126,6 +122,24 @@ def super_sidebar_logged_in_context(user, group:, project:, panel:, panel_type:)
     })
   end
 
+  def super_sidebar_instance_version_data
+    return {} unless show_version_check?
+
+    {
+      gitlab_version: Gitlab.version_info,
+      gitlab_version_check: gitlab_version_check
+    }
+  end
+
+  def super_sidebar_whats_new_data
+    return {} unless display_whats_new?
+
+    {
+      whats_new_most_recent_release_items_count: whats_new_most_recent_release_items_count,
+      whats_new_version_digest: whats_new_version_digest
+    }
+  end
+
   def work_items_modal_data(group)
     return unless group && group.id
 

app/services/auth/container_registry_authentication_service.rb

@@ -226,6 +226,11 @@ def ensure_container_repository!(path, actions)
       return if path.has_repository?
       return unless actions.include?('push')
 
+      find_or_create_repository_from_path(path)
+    end
+
+    # Overridden in EE
+    def find_or_create_repository_from_path(path)
       ContainerRepository.find_or_create_from_path!(path)
     end
 

app/services/issuable_base_service.rb

@@ -239,7 +239,7 @@ def set_issuable_author(issuable)
     elsif author_id
       issuable.author_id = author_id
     else
-      issuable.author = current_user
+      issuable.author ||= current_user
     end
   end
 

app/services/merge_requests/conflicts/list_service.rb

@@ -30,7 +30,8 @@ def conflicts
         @conflicts ||=
           Gitlab::Conflict::FileCollection.new(
             merge_request,
-            allow_tree_conflicts: params[:allow_tree_conflicts]
+            allow_tree_conflicts: params[:allow_tree_conflicts],
+            skip_content: params[:skip_content]
           )
       end
     end

app/services/merge_requests/refresh_service.rb

@@ -44,7 +44,7 @@ def refresh_merge_requests!
         mark_mr_as_draft_from_commits(mr)
         execute_mr_web_hooks(mr)
         # Run at the end of the loop to avoid any potential contention on the MR object
-        refresh_pipelines_on_merge_requests(mr)
+        refresh_pipelines_on_merge_requests(mr) unless @push.branch_removed?
         merge_request_activity_counter.track_mr_including_ci_config(user: mr.author, merge_request: mr)
       end
 

app/views/doorkeeper/authorizations/new.html.haml

@@ -1,7 +1,9 @@
 .gl-ml-auto.gl-mr-auto{ class: 'sm:gl-w-1/2' }
   .gl-items-center
     .gl-text-size-h1
-      = html_escape(_('%{client_name} is requesting access to your account on %{title}.')) % { title: brand_title.html_safe, client_name: "<strong>#{html_escape(@pre_auth.client.name)}</strong>".html_safe }
+      = safe_format(_('%{strong_start}%{client_name}%{strong_end} is requesting access to your account on %{title}.'),
+        { client_name: @pre_auth.client.name, title: brand_title },
+        tag_pair(tag.strong, :strong_start, :strong_end))
     .gl-flex.gl-items-center.gl-gap-2.gl-py-5
       = render Pajamas::AvatarComponent.new(current_user, size: 24, avatar_options: { data: { testid: 'user_avatar_content' }, title: current_user.username })
       .gl-pl-1
@@ -12,7 +14,9 @@
   - if current_user.admin?
     = render Pajamas::AlertComponent.new(variant: :warning, dismissible: false, alert_options: { class: 'gl-mb-5'}) do |c|
       - c.with_body do
-        = html_escape(_('You are an administrator, which means authorizing access to %{client_name} will allow it to interact with GitLab as an administrator as well.')) % { client_name: "<strong>#{html_escape(@pre_auth.client.name)}</strong>".html_safe }
+        = safe_format(_('You are an administrator, which means authorizing access to %{strong_start}%{client_name}%{strong_end} will allow it to interact with GitLab as an administrator as well.'),
+          { client_name: @pre_auth.client.name },
+          tag_pair(tag.strong, :strong_start, :strong_end))
   - if @pre_auth.scopes
     - @pre_auth.scopes.each do |scope|
       %strong= t scope, scope: [:doorkeeper, :scopes]
@@ -26,12 +30,17 @@
       - else
         %p.gl-text-orange-500
           = sprite_icon('warning-solid')
-          = html_escape(_('Make sure you trust %{client_name} before authorizing.')) % { client_name: "<strong>#{html_escape(@pre_auth.client.name)}</strong>".html_safe }
+          = safe_format(_('Make sure you trust %{strong_start}%{client_name}%{strong_end} before authorizing.'),
+            { client_name: @pre_auth.client.name },
+            tag_pair(tag.strong, :strong_start, :strong_end))
       %p
-        = html_escape(_('%{owner} %{created_date} ago.')) % { owner: auth_app_owner_text(@pre_auth.client.application.owner), created_date: time_ago_in_words(@pre_auth.client.application.created_at.to_date) }
+        = safe_format(_('%{owner} %{created_date} ago.'),
+          { owner: auth_app_owner_text(@pre_auth.client.application.owner),
+            created_date: time_ago_in_words(@pre_auth.client.application.created_at.to_date) })
         - domain = URI.parse(@pre_auth.redirect_uri).host.gsub(/^www\./, '')
         - if @pre_auth.redirect_uri.start_with?('http://', 'https://') && domain != 'localhost'
-          = html_escape(_('You will be redirected to %{domain} after authorizing.')) % { domain: "<strong>#{domain}</strong>".html_safe }
+          = safe_format(_('You will be redirected to %{strong_start}%{domain}%{strong_end} after authorizing.'),
+            { domain: domain }, tag_pair(tag.strong, :strong_start, :strong_end))
   %div
     = form_tag oauth_authorization_path, method: :post, class: 'gl-inline-block gl-pr-3' do
       = hidden_field_tag :client_id, @pre_auth.client.uid
@@ -44,8 +53,8 @@
       = hidden_field_tag :code_challenge_method, @pre_auth.code_challenge_method
       = render Pajamas::ButtonComponent.new(type: :submit,
         variant: :confirm,
-        button_options: {testid: 'authorization-button'}) do
-        = html_escape(_('Authorize %{client_name}')) % { client_name: @pre_auth.client.name.html_safe }
+        button_options: { data: { testid: 'authorization-button' }}) do
+        = safe_format(_('Authorize %{client_name}'), { client_name: @pre_auth.client.name })
     = form_tag oauth_authorization_path, method: :delete, class: 'gl-inline-block' do
       = hidden_field_tag :client_id, @pre_auth.client.uid
       = hidden_field_tag :redirect_uri, @pre_auth.redirect_uri