Merge remote-tracking branch 'upstream/master' into ce-to-ee-2018-05-14

# Conflicts: # app/assets/javascripts/vue_merge_request_widget/dependencies.js [ci skip]

Merge remote-tracking branch 'upstream/master' into ce-to-ee-2018-05-14
# Conflicts: # app/assets/javascripts/vue_merge_request_widget/dependencies.js [ci skip]
53092cbe · GitLab Bot · b27877db · 6a77a6a1 · 53092cbe · 53092cbe
Commit 53092cbe authored May 14, 2018 by GitLab Bot
9 changed files
--- a/.gitlab/merge_request_templates/Database Changes.md
+++ b/.gitlab/merge_request_templates/Database Changes.md
@@ -37,9 +37,9 @@ When removing columns, tables, indexes or other structures:
 - [ ] [Documentation created/updated](https://docs.gitlab.com/ee/development/doc_styleguide.html)
 - [ ] API support added
 - [ ] Tests added for this feature/bug
- Review
-  - [ ] Has been reviewed by Backend
-  - [ ] Has been reviewed by Database
+- Conform by the [code review guidelines](https://docs.gitlab.com/ee/development/code_review.html)
+  - [ ] Has been reviewed by a Backend maintainer
+  - [ ] Has been reviewed by a Database specialist
 - [ ] Conform by the [merge request performance guides](https://docs.gitlab.com/ee/development/merge_request_performance_guidelines.html)
 - [ ] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ee/blob/master/CONTRIBUTING.md#style-guides)
 - [ ] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

--- a/Gemfile
+++ b/Gemfile
@@ -170,7 +170,7 @@ gem 'state_machines-activerecord', '~> 0.5.1'
 gem 'acts-as-taggable-on', '~> 5.0'

 # Background jobs
-gem 'sidekiq', '~> 5.0'
+gem 'sidekiq', '~> 5.1'
 gem 'sidekiq-cron', '~> 0.6.0'
 gem 'redis-namespace', '~> 1.5.2'
 gem 'sidekiq-limit_fetch', '~> 3.4', require: false

--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -875,11 +875,11 @@ GEM
      rack
    shoulda-matchers (3.1.2)
      activesupport (>= 4.0.0)
-    sidekiq (5.0.5)
+    sidekiq (5.1.3)
      concurrent-ruby (~> 1.0)
      connection_pool (~> 2.2, >= 2.2.0)
      rack-protection (>= 1.5.0)
-      redis (>= 3.3.4, < 5)
+      redis (>= 3.3.5, < 5)
    sidekiq-cron (0.6.0)
      rufus-scheduler (>= 3.3.0)
      sidekiq (>= 4.2.1)
@@ -1214,7 +1214,7 @@ DEPENDENCIES
  settingslogic (~> 2.0.9)
  sham_rack (~> 1.3.6)
  shoulda-matchers (~> 3.1.2)
-  sidekiq (~> 5.0)
+  sidekiq (~> 5.1)
  sidekiq-cron (~> 0.6.0)
  sidekiq-limit_fetch (~> 3.4)
  simple_po_parser (~> 1.1.2)

--- a/app/assets/javascripts/vue_merge_request_widget/dependencies.js
+++ b/app/assets/javascripts/vue_merge_request_widget/dependencies.js
@@ -38,9 +38,15 @@ export { default as CheckingState } from './components/states/mr_widget_checking
 export { default as MRWidgetStore } from 'ee/vue_merge_request_widget/stores/mr_widget_store';
 export { default as MRWidgetService } from 'ee/vue_merge_request_widget/services/mr_widget_service';
 export { default as eventHub } from './event_hub';
+<<<<<<< HEAD
 export { default as getStateKey } from 'ee/vue_merge_request_widget/stores/get_state_key';
 export { default as stateMaps } from 'ee/vue_merge_request_widget/stores/state_maps';
 export { default as SquashBeforeMerge } from 'ee/vue_merge_request_widget/components/states/mr_widget_squash_before_merge.vue';
+=======
+export { default as getStateKey } from './stores/get_state_key';
+export { default as stateMaps } from './stores/state_maps';
+export { default as SquashBeforeMerge } from './components/states/mr_widget_squash_before_merge.vue';
+>>>>>>> upstream/master
 export { default as notify } from '../lib/utils/notify';
 export { default as SourceBranchRemovalStatus } from './components/source_branch_removal_status.vue';


--- a/app/controllers/concerns/send_file_upload.rb
+++ b/app/controllers/concerns/send_file_upload.rb
@@ -2,6 +2,10 @@ module SendFileUpload
  def send_upload(file_upload, send_params: {}, redirect_params: {}, attachment: nil, disposition: 'attachment')
    if attachment
      redirect_params[:query] = { "response-content-disposition" => "#{disposition};filename=#{attachment.inspect}" }
+      # By default, Rails will send uploads with an extension of .js with a
+      # content-type of text/javascript, which will trigger Rails'
+      # cross-origin JavaScript protection.
+      send_params[:content_type] = 'text/plain' if File.extname(attachment) == '.js'
      send_params.merge!(filename: attachment, disposition: disposition)
    end


--- a/app/models/ci/pipeline.rb
+++ b/app/models/ci/pipeline.rb
@@ -49,12 +49,16 @@ module Ci
    delegate :id, to: :project, prefix: true
    delegate :full_path, to: :project, prefix: true

-    validates :source, exclusion: { in: %w(unknown), unless: :importing? }, on: :create
    validates :sha, presence: { unless: :importing? }
    validates :ref, presence: { unless: :importing? }
    validates :status, presence: { unless: :importing? }
    validate :valid_commit_sha, unless: :importing?

+    # Replace validator below with
+    # `validates :source, presence: { unless: :importing? }, on: :create`
+    # when removing Gitlab.rails5? code.
+    validate :valid_source, unless: :importing?, on: :create
+
    after_create :keep_around_commits, unless: :importing?

    enum source: {
@@ -619,5 +623,11 @@ module Ci
      project.repository.keep_around(self.sha)
      project.repository.keep_around(self.before_sha)
    end
+
+    def valid_source
+      if source.nil? || source == "unknown"
+        errors.add(:source, "invalid source")
+      end
+    end
  end
 end
--- a/changelogs/unreleased/sh-fix-cross-site-origin-uploads-js.yml
+++ b/changelogs/unreleased/sh-fix-cross-site-origin-uploads-js.yml
+---
+title: Fix cross-origin errors when attempting to download JavaScript attachments
+merge_request:
+author:
+type: fixed
--- a/config/initializers/deprecations.rb
+++ b/config/initializers/deprecations.rb
-deprecator = ActiveSupport::Deprecation.new('11.0', 'GitLab')
-
 if Gitlab.dev_env_or_com?
+  deprecator = ActiveSupport::Deprecation.new('11.0', 'GitLab')
+
+  deprecator.behavior = -> (message, callstack) {
+    Rails.logger.warn("#{message}: #{callstack[1..20].join}")
+  }
+
  ActiveSupport::Deprecation.deprecate_methods(Gitlab::GitalyClient::StorageSettings, :legacy_disk_path, deprecator: deprecator)
 end
--- a/spec/controllers/concerns/send_file_upload_spec.rb
+++ b/spec/controllers/concerns/send_file_upload_spec.rb
@@ -51,6 +51,21 @@ describe SendFileUpload do
      end
    end

+    context 'with attachment' do
+      subject { controller.send_upload(uploader, attachment: 'test.js') }
+
+      it 'sends a file with content-type of text/plain' do
+        expected_params = {
+          content_type: 'text/plain',
+          filename: 'test.js',
+          disposition: 'attachment'
+        }
+        expect(controller).to receive(:send_file).with(uploader.path, expected_params)
+
+        subject
+      end
+    end
+
    context 'when remote file is used' do
      before do
        stub_uploads_object_storage(uploader: uploader_class)