Only show notes through JSON on confidential issues that the user has access to

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/18535

See merge request !1970

Forbid scripting for wiki files

Wiki files (not pages - files in the repo) are just sent to the browser
with whatever content-type the mime_types gem assigns to them based on
their extension. As this is from the same domain as the GitLab
application, this is an XSS vulnerability.

Set a CSP forbidding all sources for scripting, CSS, XHR, etc. on these
files.

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/17298.

See merge request !1969

Remove 'unscoped' from project builds selection

This is a fix for this security bug: https://gitlab.com/gitlab-org/gitlab-ce/issues/18188

/cc @kamil @grzegorz @stanhu

See merge request !1968

[ci skip]

Prevent privilege escalation via notes API

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15577

See merge request !1964

Prevent users from deleting Webhooks via API they do not own

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15576

See merge request !1959
Signed-off-by: Rémy Coutable <remy@rymai.me>

Prevent XSS via custom issue tracker URL

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/15437

See merge request !1955
Signed-off-by: Rémy Coutable <remy@rymai.me>

Prevent information disclosure via milestone API

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15579

See merge request !1961

Prevent information disclosure via new merge request page

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15591.

See merge request !1963

Prevent privilege escalation via "impersonate" feature

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15548

See merge request !1956

Prevent information disclosure via snippet API

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15580

See merge request !1958

Fix vulnerability that leaks private labels and milestones

## Summary

This fixes vulnerability that leaks information about private labels and milestones because of  insecure direct object reference in issueable create service.
This affects merge requests and issues.

See https://gitlab.com/gitlab-org/gitlab-ce/issues/15439

## Fix

This MR introduces additional check that rejects labels and milestone that does not belong to the same project issue/merg request does.

## Further work

`IssuableBaseService` may benefit from encapsulating filters in separate class/module, which then may improve coherency in this class.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15439

See merge request !1954

Fixes XSS injection

REF: https://gitlab.com/gitlab-org/gitlab-ce/issues/15434

**Without the fix**

![xss1](/uploads/0a7b0b15fb87066965a7c73f1dbaa815/xss1.gif)


**With the fix**

![xss2](/uploads/473cfa0aa80656f24c58aebf1fd97fff/xss2.gif)


See merge request !1952

Fixes window.opener bug

Adds `noreferrer` value to rel attribute for external links

REF: https://gitlab.com/gitlab-org/gitlab-ce/issues/15331

See merge request !1953

Remove persistent XSS vulnerability in `commit_person_link` helper

Because we were incorrectly supplying the tooltip title as
`data-original-title` (which Bootstrap's Tooltip JS automatically
applies based on the `title` attribute; we should never be setting it
directly), the value was being passed through as-is.

Instead, we should be supplying the normal `title` attribute and letting
Rails escape the value, which also negates the need for us to call
`sanitize` on it.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15126

See merge request !1948
Signed-off-by: Rémy Coutable <remy@rymai.me>

[ci skip]
Signed-off-by: Rémy Coutable <remy@rymai.me>

Check permissions when sharing project with group

## Summary

Unprivileged user was able to share project with group he didn't have access to, and therefore gain partial access to that group, which opened possibilities for further actions like listing private projects in that group.

See https://gitlab.com/gitlab-org/gitlab-ce/issues/15330

## Fix

This change introduces additional check for group read access.

## Further work

We can think about preventing such problems in the future (this is quite common problem) by moving permissions checks to another layer of abstraction (TBD).

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15330

See merge request !1949
Signed-off-by: Rémy Coutable <remy@rymai.me>

[ci skip]
Signed-off-by: Rémy Coutable <remy@rymai.me>

Fix revoking of authorized OAuth applications

Users were not able to revoke access to authorized OAuth applications. Clicking the "Revoke" button would result in a 404 page, and the application would still be authorized.

Added a spec and also found that the `gon` variables were not being set for this view.

Closes #14370

See merge request !3690
Signed-off-by: Rémy Coutable <remy@rymai.me>

Expire the exists cache before deletion to ensure project dir actually exists

See merge request !3413
Signed-off-by: Rémy Coutable <remy@rymai.me>

Fix #14753: Check if head is born before trying to detect main language

This MR makes sure that head exists before trying to detect the main language.
This prevents errors on repo's without a master branch.

Closes #14753

See merge request !3654

Unblocks user when active_directory is disabled and it can be found

We implemented a specific block state to handle user blocking that originates from LDAP filtering rules / directory state in !2242.

That introduced a regression in LDAP authentication when Active Directory support was disabled. You could have a scenario where the user would not be temporarily found (like a filtering rule), that would mark the user as `ldap_blocked`, but will never unblock it automatically when that state changed.

Fixes #14253, #13179, #13259, #13959

See merge request !3550

Update language after doing all other operations

See merge request !3533
Signed-off-by: Rémy Coutable <remy@rymai.me>

Fix 2FA authentication spoofing

## Summary

This is security fix for vulnerability described at
https://gitlab.com/gitlab-org/gitlab-ce/issues/14900.

Attacker was able to bypass password authentication of users that have 2FA enabled, and consequently sign is as a different user, without knowing his password, if he managed to guess 2FA One Time Password for that user.

It was also possible to enumerate users and check if they have 2FA enabled, because GitLab responded with different error for each case.

## Fix

This MR attempts to change default user search scope if `otp_user_id` session variable has been set. If it is present, it means that user has 2FA enabled, and has already been verified with login and password. In this case we should look for user with `otp_user_id` first, before picking it up by `login`.

Both, 2FA authentication spoofing and 2FA discovery have been covered by specs.

## Further work

Current 2FA code is a bit tricky, so it probably needs some refactoring.

See merge request !1947
Signed-off-by: Rémy Coutable <remy@rymai.me>

Return status code 303 after a branch DELETE operation to avoid project deletion

Closes #14994

See merge request !3583
Signed-off-by: Rémy Coutable <remy@rymai.me>

Only update main language if it is not already set

Related to gitlab-org/gitlab-ce#14937 (but does not fully fix) This is a temporary fix so performance isn't affected so much.

cc @yorickpeterse @ayufan how does this look?

See merge request !3556
Signed-off-by: Rémy Coutable <remy@rymai.me>

Check permissions when importing project members

Closes #14899

See merge request !3535
Signed-off-by: Rémy Coutable <remy@rymai.me>

Fix Importing repos from GHE doesn't work

See merge request !3529
Signed-off-by: Rémy Coutable <remy@rymai.me>

Don't fetch any tags from a forked repo

Closes #13957

See merge request !3504
Signed-off-by: Rémy Coutable <remy@rymai.me>

[ci skip]
Signed-off-by: Rémy Coutable <remy@rymai.me>

Update gitlab-shell version and doc to 2.6.12



See merge request !280