Merge remote-tracking branch 'security/master'

5a70276c · Mayra Cabrera · 562f3b1f · 10627a13 · 5a70276c · 5a70276c
Commit 5a70276c authored Feb 01, 2021 by Mayra Cabrera
62 changed files
--- a/CHANGELOG-EE.md
+++ b/CHANGELOG-EE.md
 Please view this file on the master branch, on stable branches it's out of date.
+## 13.8.2 (2021-02-01)
+### Security (2 changes)
+- Remove Kubernetes IP address from error messages returned in Threat Monitoring.
+- Sanitize XSS in Epic milestone due date.
 ## 13.8.1 (2021-01-26)
 ### Fixed (2 changes)
@@ -119,6 +127,14 @@ Please view this file on the master branch, on stable branches it's out of date.
 - Enable DevOps Adoption Report feature flag if any Segments already exist. !51602
+## 13.7.6 (2021-02-01)
+### Security (2 changes)
+- Remove Kubernetes IP address from error messages returned in Threat Monitoring.
+- Sanitize XSS in Epic milestone due date.
 ## 13.7.5 (2021-01-25)
 ### Fixed (1 change)
@@ -300,6 +316,14 @@ Please view this file on the master branch, on stable branches it's out of date.
 - Rename code coverage analytics sections. !49931
+## 13.6.6 (2021-02-01)
+### Security (2 changes)
+- Remove Kubernetes IP address from error messages returned in Threat Monitoring.
+- Sanitize XSS in Epic milestone due date.
 ## 13.6.5 (2021-01-13)
 - No changes.

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,17 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
+## 13.8.2 (2021-02-01)
+### Security (5 changes)
+- Filter sensitive GraphQL variables from logs.
+- Avoid exposing release links when the user cannot read git-tag/repository.
+- Sanitize target branch on MR page.
+- Fix DNS rebinding protection bypass when allowing an IP address in Outbound Requests setting.
+- Add routes for unmatched url for not-get requests.
 ## 13.8.1 (2021-01-26)
 ### Fixed (3 changes)
@@ -368,6 +379,17 @@ entry.
 - Add verbiage + link sast to show it's in core. !51935
+## 13.7.6 (2021-02-01)
+### Security (5 changes)
+- Filter sensitive GraphQL variables from logs.
+- Avoid exposing release links when the user cannot read git-tag/repository.
+- Sanitize target branch on MR page.
+- Fix DNS rebinding protection bypass when allowing an IP address in Outbound Requests setting.
+- Add routes for unmatched url for not-get requests.
 ## 13.7.5 (2021-01-25)
 ### Fixed (2 changes, 1 of them is from the community)
@@ -878,6 +900,17 @@ entry.
 - Update GitLab Workhorse to v8.57.0.
+## 13.6.6 (2021-02-01)
+### Security (5 changes)
+- Filter sensitive GraphQL variables from logs.
+- Avoid exposing release links when the user cannot read git-tag/repository.
+- Sanitize target branch on MR page.
+- Fix DNS rebinding protection bypass when allowing an IP address in Outbound Requests setting.
+- Add routes for unmatched url for not-get requests.
 ## 13.6.5 (2021-01-13)
 ### Security (1 change)

--- a/app/assets/javascripts/vue_merge_request_widget/components/mr_widget_pipeline_container.vue
+++ b/app/assets/javascripts/vue_merge_request_widget/components/mr_widget_pipeline_container.vue
 <script>
 import { isNumber } from 'lodash';
+import { sanitize } from '~/lib/dompurify';
 import glFeatureFlagsMixin from '~/vue_shared/mixins/gl_feature_flags_mixin';
 import ArtifactsApp from './artifacts_list_app.vue';
 import MrWidgetContainer from './mr_widget_container.vue';
@@ -40,7 +41,7 @@ export default {
      return this.isPostMerge ? this.mr.targetBranch : this.mr.sourceBranch;
    },
    branchLink() {
-      return this.isPostMerge ? this.mr.targetBranch : this.mr.sourceBranchLink;
+      return this.isPostMerge ? sanitize(this.mr.targetBranch) : this.mr.sourceBranchLink;
    },
    deployments() {
      return this.isPostMerge ? this.mr.postMergeDeployments : this.mr.deployments;

--- a/app/controllers/projects/releases_controller.rb
+++ b/app/controllers/projects/releases_controller.rb
@@ -5,6 +5,9 @@ class Projects::ReleasesController < Projects::ApplicationController
  before_action :require_non_empty_project, except: [:index]
  before_action :release, only: %i[edit show update downloads]
  before_action :authorize_read_release!
+  # We have to check `download_code` permission because detail URL path
+  # contains git-tag name.
+  before_action :authorize_download_code!, except: [:index]
  before_action do
    push_frontend_feature_flag(:graphql_release_data, project, default_enabled: true)
    push_frontend_feature_flag(:graphql_milestone_stats, project, default_enabled: true)

--- a/app/models/concerns/token_authenticatable_strategies/encrypted.rb
+++ b/app/models/concerns/token_authenticatable_strategies/encrypted.rb
@@ -85,10 +85,18 @@ module TokenAuthenticatableStrategies
    end
    def find_by_encrypted_token(token, unscoped)
-      encrypted_value = Gitlab::CryptoHelper.aes256_gcm_encrypt(token)
+      nonce = Feature.enabled?(:dynamic_nonce_creation) ? find_hashed_iv(token) : Gitlab::CryptoHelper::AES256_GCM_IV_STATIC
+      encrypted_value = Gitlab::CryptoHelper.aes256_gcm_encrypt(token, nonce: nonce)
      relation(unscoped).find_by(encrypted_field => encrypted_value)
    end
+    def find_hashed_iv(token)
+      token_record = TokenWithIv.find_by_plaintext_token(token)
+      token_record&.iv || Gitlab::CryptoHelper::AES256_GCM_IV_STATIC
+    end
    def insecure_strategy
      @insecure_strategy ||= TokenAuthenticatableStrategies::Insecure
        .new(klass, token_field, options)

--- a/app/models/token_with_iv.rb
+++ b/app/models/token_with_iv.rb
+# frozen_string_literal: true
+# rubocop: todo Gitlab/NamespacedClass
+class TokenWithIv < ApplicationRecord
+  validates :hashed_token, presence: true
+  validates :iv, presence: true
+  validates :hashed_plaintext_token, presence: true
+  def self.find_by_hashed_token(value)
+    find_by(hashed_token: ::Digest::SHA256.digest(value))
+  end
+  def self.find_by_plaintext_token(value)
+    find_by(hashed_plaintext_token: ::Digest::SHA256.digest(value))
+  end
+  def self.find_nonce_by_hashed_token(value)
+    return unless table_exists?
+    token_record = find_by_hashed_token(value)
+    token_record&.iv
+  end
+end
--- a/app/presenters/release_presenter.rb
+++ b/app/presenters/release_presenter.rb
@@ -20,6 +20,8 @@ class ReleasePresenter < Gitlab::View::Presenter::Delegated
  end
  def self_url
+    return unless can_download_code?
    project_release_url(project, release)
  end

--- a/changelogs/unreleased/fix-crypto-helper-issue.yml
+++ b/changelogs/unreleased/fix-crypto-helper-issue.yml
+---
+title: Add token_with_iv table
+merge_request:
+author:
+type: security
--- a/config/feature_flags/development/dynamic_nonce_creation.yml
+++ b/config/feature_flags/development/dynamic_nonce_creation.yml
+---
+name: dynamic_nonce_creation
+introduced_by_url:
+rollout_issue_url:
+milestone: '13.9'
+type: development
+group: group::manage
+default_enabled: false
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -277,6 +277,7 @@ Rails.application.routes.draw do
  draw :dashboard
  draw :user
  draw :project
+  draw :unmatched_project
  # Issue https://gitlab.com/gitlab-org/gitlab/-/issues/210024
  scope as: 'deprecated' do

--- a/config/routes/unmatched_project.rb
+++ b/config/routes/unmatched_project.rb
+# frozen_string_literal: true
+scope(path: '*namespace_id',
+  as: :namespace,
+  namespace_id: Gitlab::PathRegex.full_namespace_route_regex) do
+  scope(path: ':project_id',
+    constraints: { project_id: Gitlab::PathRegex.project_route_regex },
+    as: :project) do
+    post '*all', to: 'application#route_not_found'
+    put '*all', to: 'application#route_not_found'
+    patch '*all', to: 'application#route_not_found'
+    delete '*all', to: 'application#route_not_found'
+    post '/', to: 'application#route_not_found'
+    put '/', to: 'application#route_not_found'
+    patch '/', to: 'application#route_not_found'
+    delete '/', to: 'application#route_not_found'
+  end
+end
--- a/db/migrate/20201120144823_create_tokens_with_iv.rb
+++ b/db/migrate/20201120144823_create_tokens_with_iv.rb
+# frozen_string_literal: true
+class CreateTokensWithIv < ActiveRecord::Migration[6.0]
+  include Gitlab::Database::MigrationHelpers
+  DOWNTIME = false
+  def change
+    create_table :token_with_ivs do |t|
+      t.binary :hashed_token, null: false
+      t.binary :hashed_plaintext_token, null: false
+      t.binary :iv, null: false
+      t.index :hashed_token, name: 'index_token_with_ivs_on_hashed_token', unique: true, using: :btree
+      t.index :hashed_plaintext_token, name: 'index_token_with_ivs_on_hashed_plaintext_token', unique: true, using: :btree
+    end
+  end
+end
--- a/db/post_migrate/20190606175050_encrypt_feature_flags_clients_tokens.rb
+++ b/db/post_migrate/20190606175050_encrypt_feature_flags_clients_tokens.rb
@@ -10,7 +10,7 @@ class EncryptFeatureFlagsClientsTokens < ActiveRecord::Migration[5.1]
  def up
    say_with_time("Encrypting tokens from operations_feature_flags_clients") do
      FeatureFlagsClient.where('token_encrypted is NULL AND token IS NOT NULL').find_each do |feature_flags_client|
-        token_encrypted = Gitlab::CryptoHelper.aes256_gcm_encrypt(feature_flags_client.token)
+        token_encrypted = Gitlab::CryptoHelper.aes256_gcm_encrypt(feature_flags_client.token, nonce: Gitlab::CryptoHelper::AES256_GCM_IV_STATIC)
        feature_flags_client.update!(token_encrypted: token_encrypted)
      end
    end

--- a/db/post_migrate/20190711201818_encrypt_deploy_tokens_tokens.rb
+++ b/db/post_migrate/20190711201818_encrypt_deploy_tokens_tokens.rb
@@ -10,7 +10,7 @@ class EncryptDeployTokensTokens < ActiveRecord::Migration[5.1]
  def up
    say_with_time("Encrypting tokens from deploy_tokens") do
      DeploymentTokens.where('token_encrypted is NULL AND token IS NOT NULL').find_each(batch_size: 10000) do |deploy_token|
-        token_encrypted = Gitlab::CryptoHelper.aes256_gcm_encrypt(deploy_token.token)
+        token_encrypted = Gitlab::CryptoHelper.aes256_gcm_encrypt(deploy_token.token, nonce: Gitlab::CryptoHelper::AES256_GCM_IV_STATIC)
        deploy_token.update!(token_encrypted: token_encrypted)
      end
    end

--- a/db/schema_migrations/20201120144823
+++ b/db/schema_migrations/20201120144823
+dde424c434c78e22087123fa30eec75c07268a9079fea44339915747aae235e0
\ No newline at end of file
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -17439,6 +17439,22 @@ CREATE SEQUENCE todos_id_seq
 ALTER SEQUENCE todos_id_seq OWNED BY todos.id;
+CREATE TABLE token_with_ivs (
+    id bigint NOT NULL,
+    hashed_token bytea NOT NULL,
+    hashed_plaintext_token bytea NOT NULL,
+    iv bytea NOT NULL
+);
+CREATE SEQUENCE token_with_ivs_id_seq
+    START WITH 1
+    INCREMENT BY 1
+    NO MINVALUE
+    NO MAXVALUE
+    CACHE 1;
+ALTER SEQUENCE token_with_ivs_id_seq OWNED BY token_with_ivs.id;
 CREATE TABLE trending_projects (
    id integer NOT NULL,
    project_id integer NOT NULL
@@ -19161,6 +19177,8 @@ ALTER TABLE ONLY timelogs ALTER COLUMN id SET DEFAULT nextval('timelogs_id_seq':
 ALTER TABLE ONLY todos ALTER COLUMN id SET DEFAULT nextval('todos_id_seq'::regclass);
+ALTER TABLE ONLY token_with_ivs ALTER COLUMN id SET DEFAULT nextval('token_with_ivs_id_seq'::regclass);
 ALTER TABLE ONLY trending_projects ALTER COLUMN id SET DEFAULT nextval('trending_projects_id_seq'::regclass);
 ALTER TABLE ONLY u2f_registrations ALTER COLUMN id SET DEFAULT nextval('u2f_registrations_id_seq'::regclass);
@@ -20689,6 +20707,9 @@ ALTER TABLE ONLY timelogs
 ALTER TABLE ONLY todos
    ADD CONSTRAINT todos_pkey PRIMARY KEY (id);
+ALTER TABLE ONLY token_with_ivs
+    ADD CONSTRAINT token_with_ivs_pkey PRIMARY KEY (id);
 ALTER TABLE ONLY trending_projects
    ADD CONSTRAINT trending_projects_pkey PRIMARY KEY (id);
@@ -23225,6 +23246,10 @@ CREATE INDEX index_todos_on_user_id_and_id_done ON todos USING btree (user_id, i
 CREATE INDEX index_todos_on_user_id_and_id_pending ON todos USING btree (user_id, id) WHERE ((state)::text = 'pending'::text);
+CREATE UNIQUE INDEX index_token_with_ivs_on_hashed_plaintext_token ON token_with_ivs USING btree (hashed_plaintext_token);
+CREATE UNIQUE INDEX index_token_with_ivs_on_hashed_token ON token_with_ivs USING btree (hashed_token);
 CREATE UNIQUE INDEX index_trending_projects_on_project_id ON trending_projects USING btree (project_id);
 CREATE INDEX index_u2f_registrations_on_key_handle ON u2f_registrations USING btree (key_handle);

--- a/ee/app/assets/javascripts/epic/utils/epic_utils.js
+++ b/ee/app/assets/javascripts/epic/utils/epic_utils.js
@@ -6,6 +6,7 @@ import { __, s__, sprintf } from '~/locale';
 import createGqClient, { fetchPolicies } from '~/lib/graphql';
 import { parseBoolean } from '~/lib/utils/common_utils';
 import { dateInWords, parsePikadayDate } from '~/lib/utils/datetime_utility';
+import { sanitize } from '~/lib/dompurify';
 import { dateTypes } from '../constants';
@@ -54,8 +55,9 @@ const getDateFromMilestonesTooltip = ({
  dueDateSourcingMilestoneDates,
  dueDateTimeFromMilestones,
 }) => {
-  const dateSourcingMilestoneTitle =
+  const dateSourcingMilestoneTitle = sanitize(
-    dateType === dateTypes.start ? startDateSourcingMilestoneTitle : dueDateSourcingMilestoneTitle;
+    dateType === dateTypes.start ? startDateSourcingMilestoneTitle : dueDateSourcingMilestoneTitle,
+  );
  const sourcingMilestoneDates =
    dateType === dateTypes.start ? startDateSourcingMilestoneDates : dueDateSourcingMilestoneDates;

--- a/ee/app/services/network_policies/delete_resource_service.rb
+++ b/ee/app/services/network_policies/delete_resource_service.rb
@@ -23,7 +23,7 @@ module NetworkPolicies
      ServiceResponse.success
    rescue Kubeclient::HttpError => e
-      kubernetes_error_response(e)
+      kubernetes_error_response(e.message)
    end
  end
 end
--- a/ee/app/services/network_policies/deploy_resource_service.rb
+++ b/ee/app/services/network_policies/deploy_resource_service.rb
@@ -26,7 +26,7 @@ module NetworkPolicies
      load_policy_from_resource
      ServiceResponse.success(payload: policy)
    rescue Kubeclient::HttpError => e
-      kubernetes_error_response(e)
+      kubernetes_error_response(e.message)
    end
    private

--- a/ee/app/services/network_policies/find_resource_service.rb
+++ b/ee/app/services/network_policies/find_resource_service.rb
@@ -16,7 +16,7 @@ module NetworkPolicies
      ServiceResponse.success(payload: get_policy)
    rescue Kubeclient::HttpError => e
-      kubernetes_error_response(e)
+      kubernetes_error_response(e.message)
    end
    private

--- a/ee/spec/features/read_only_spec.rb
+++ b/ee/spec/features/read_only_spec.rb
@@ -23,7 +23,7 @@ RSpec.describe 'Geo read-only message', :geo do
  context 'when in maintenance mode' do
    before do
-      stub_application_setting(maintenance_mode: true)
+      stub_maintenance_mode_setting(true)
    end
    it_behaves_like 'Read-only instance', /This GitLab instance is undergoing maintenance and is operating in read\-only mode./

--- a/ee/spec/frontend/epic/utils/epic_utils_spec.js
+++ b/ee/spec/frontend/epic/utils/epic_utils_spec.js
@@ -57,4 +57,23 @@ describe('epicUtils', () => {
      expect(Cookies.get('collapsed_gutter')).toBe(`${collapsedGutterVal}`); // Cookie value will always be string
    });
  });
+  describe('getDateFromMilestonesTooltip', () => {
+    it('Sanitizes html in milestone title', () => {
+      const tooltipText = epicUtils.getDateFromMilestonesTooltip({
+        dateType: 'start',
+        startDateSourcingMilestoneTitle:
+          '<svg width="100"><use xlink:href="/h5bp/html5-boilerplate/-/raw/master/demo.svg#x" /></svg>',
+        startDateSourcingMilestoneDates: {
+          startDate: '2020-12-23',
+          dueDate: '2021-01-28',
+        },
+        startDateTimeFromMilestones: '2020-12-22T18:30:00.000Z',
+        dueDateTimeFromMilestones: '2021-01-27T18:30:00.000Z',
+      });
+      const sanitizedTitle = '<svg width="100"><use></use></svg>';
+      expect(tooltipText.startsWith(sanitizedTitle)).toBe(true);
+    });
+  });
 });
--- a/ee/spec/helpers/application_helper_spec.rb
+++ b/ee/spec/helpers/application_helper_spec.rb
@@ -22,7 +22,7 @@ RSpec.describe ApplicationHelper do
      context 'maintenance mode' do
        context 'enabled' do
          before do
-            stub_application_setting(maintenance_mode: true)
+            stub_maintenance_mode_setting(true)
          end
          it 'returns default message' do
@@ -48,7 +48,7 @@ RSpec.describe ApplicationHelper do
        context 'disabled' do
          it 'returns nil' do
-            stub_application_setting(maintenance_mode: false)
+            stub_maintenance_mode_setting(false)
            expect(helper.read_only_message).to be_nil
          end
@@ -60,7 +60,7 @@ RSpec.describe ApplicationHelper do
      context 'maintenance mode on' do
        it 'returns messages for both' do
          expect(Gitlab::Geo).to receive(:secondary?).twice { true }
-          stub_application_setting(maintenance_mode: true)
+          stub_maintenance_mode_setting(true)
          expect(helper.read_only_message).to match(/you must visit the primary site/)
          expect(helper.read_only_message).to match(/#{default_maintenance_mode_message}/)

--- a/ee/spec/lib/ee/gitlab/crypto_helper_spec.rb
+++ b/ee/spec/lib/ee/gitlab/crypto_helper_spec.rb
+# frozen_string_literal: true
+require 'spec_helper'
+RSpec.describe Gitlab::CryptoHelper do
+  include ::EE::GeoHelpers
+  describe '.read_only?' do
+    context 'with Geo enabled' do
+      before do
+        allow(Gitlab::Geo).to receive(:enabled?) { true }
+        allow(Gitlab::Geo).to receive(:current_node) { geo_node }
+      end
+      context 'is Geo secondary node' do
+        let(:geo_node) { create(:geo_node) }
+        it 'returns true' do
+          expect(described_class.read_only?).to be_truthy
+        end
+      end
+      context 'is Geo primary node' do
+        let(:geo_node) { create(:geo_node, :primary) }
+        it 'returns false when is Geo primary node' do
+          expect(described_class.read_only?).to be_falsey
+        end
+      end
+    end
+  end
+end
--- a/ee/spec/lib/ee/gitlab/database_spec.rb
+++ b/ee/spec/lib/ee/gitlab/database_spec.rb
@@ -37,7 +37,7 @@ RSpec.describe Gitlab::Database do
    context 'in maintenance mode' do
      before do
-        stub_application_setting(maintenance_mode: true)
+        stub_maintenance_mode_setting(true)
      end
      it 'returns true' do

--- a/ee/spec/lib/ee/gitlab/middleware/read_only_spec.rb
+++ b/ee/spec/lib/ee/gitlab/middleware/read_only_spec.rb
@@ -5,7 +5,7 @@ require 'spec_helper'
 RSpec.describe Gitlab::Middleware::ReadOnly do
  context 'when maintenance mode is on' do
    before do
-      stub_application_setting(maintenance_mode: true)
+      stub_maintenance_mode_setting(true)
    end
    it_behaves_like 'write access for a read-only GitLab (EE) instance in maintenance mode'
@@ -13,7 +13,7 @@ RSpec.describe Gitlab::Middleware::ReadOnly do
  context 'when maintenance mode is not on' do
    before do
-      stub_application_setting(maintenance_mode: false)
+      stub_maintenance_mode_setting(false)
    end
    it_behaves_like 'write access for a read-only GitLab (EE) instance'

--- a/ee/spec/lib/gitlab/git_access_spec.rb
+++ b/ee/spec/lib/gitlab/git_access_spec.rb
@@ -758,7 +758,7 @@ RSpec.describe Gitlab::GitAccess do
    context 'when maintenance mode is enabled' do
      before do
-        stub_application_setting(maintenance_mode: true)
+        stub_maintenance_mode_setting(true)
      end
      it 'blocks git push' do
@@ -770,7 +770,7 @@ RSpec.describe Gitlab::GitAccess do
    context 'when maintenance mode is disabled' do
      before do
-        stub_application_setting(maintenance_mode: false)
+        stub_maintenance_mode_setting(false)
      end
      it 'allows git push' do

--- a/ee/spec/migrations/nullify_feature_flag_plaintext_tokens_spec.rb
+++ b/ee/spec/migrations/nullify_feature_flag_plaintext_tokens_spec.rb
@@ -12,8 +12,8 @@ RSpec.describe NullifyFeatureFlagPlaintextTokens do
  let!(:project1) { projects.create!(namespace_id: namespace.id, name: 'Project 1') }
  let!(:project2) { projects.create!(namespace_id: namespace.id, name: 'Project 2') }
-  let(:secret1_encrypted) { Gitlab::CryptoHelper.aes256_gcm_encrypt('secret1') }
+  let(:secret1_encrypted) { Gitlab::CryptoHelper.aes256_gcm_encrypt('secret1', nonce: Gitlab::CryptoHelper::AES256_GCM_IV_STATIC) }
-  let(:secret2_encrypted) { Gitlab::CryptoHelper.aes256_gcm_encrypt('secret2') }
+  let(:secret2_encrypted) { Gitlab::CryptoHelper.aes256_gcm_encrypt('secret2', nonce: Gitlab::CryptoHelper::AES256_GCM_IV_STATIC) }
  before do
    feature_flags_clients.create!(token: 'secret1', token_encrypted: secret1_encrypted, project_id: project1.id)

--- a/ee/spec/requests/api/internal/base_spec.rb
+++ b/ee/spec/requests/api/internal/base_spec.rb
@@ -248,7 +248,7 @@ RSpec.describe API::Internal::Base do
      let_it_be(:project) { create(:project, :repository) }
      before do
-        stub_application_setting(maintenance_mode: true)
+        stub_maintenance_mode_setting(true)
        project.add_developer(user)
      end

--- a/ee/spec/routing/git_http_routing_spec.rb
+++ b/ee/spec/routing/git_http_routing_spec.rb
@@ -9,5 +9,11 @@ RSpec.describe 'EE git_http routing' do
      let(:container_path) { '/gitlab-org/gitlab-test' }
      let(:params) { { geo_node_id: 'node', repository_path: 'gitlab-org/gitlab-test.git' } }
    end
+    it_behaves_like 'git repository routes with fallback for git-upload-pack' do
+      let(:path) { '/-/push_from_secondary/node/gitlab-org/gitlab-test.git' }
+      let(:container_path) { '/gitlab-org/gitlab-test' }
+      let(:params) { { geo_node_id: 'node', repository_path: 'gitlab-org/gitlab-test.git' } }
+    end
  end
 end
--- a/ee/spec/services/ee/auth/container_registry_authentication_service_spec.rb
+++ b/ee/spec/services/ee/auth/container_registry_authentication_service_spec.rb
@@ -19,7 +19,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
    end
    before do
-      stub_application_setting(maintenance_mode: true)
+      stub_maintenance_mode_setting(true)
      project.add_developer(current_user)
    end

--- a/ee/spec/services/network_policies/delete_resource_service_spec.rb
+++ b/ee/spec/services/network_policies/delete_resource_service_spec.rb
@@ -49,8 +49,11 @@ RSpec.describe NetworkPolicies::DeleteResourceService do
    end
    context 'with Kubeclient::HttpError' do
+      let(:request_url) { 'https://kubernetes.local' }
+      let(:response) {  RestClient::Response.create('', {}, RestClient::Request.new(url: request_url, method: :get)) }
      before do
-        allow(kubeclient).to receive(:delete_network_policy).and_raise(Kubeclient::HttpError.new(500, 'system failure', nil))
+        allow(kubeclient).to receive(:delete_network_policy).and_raise(Kubeclient::HttpError.new(500, 'system failure', response))
      end
      it 'returns error response' do
@@ -58,6 +61,10 @@ RSpec.describe NetworkPolicies::DeleteResourceService do
        expect(subject.http_status).to eq(:bad_request)
        expect(subject.message).not_to be_nil
      end
+      it 'returns error message without request url' do
+        expect(subject.message).not_to include(request_url)
+      end
    end
    context 'with CiliumNetworkPolicy' do

--- a/ee/spec/services/network_policies/deploy_resource_service_spec.rb
+++ b/ee/spec/services/network_policies/deploy_resource_service_spec.rb
@@ -94,8 +94,11 @@ RSpec.describe NetworkPolicies::DeployResourceService do
    end
    context 'with Kubeclient::HttpError' do
+      let(:request_url) { 'https://kubernetes.local' }
+      let(:response) {  RestClient::Response.create('', {}, RestClient::Request.new(url: request_url, method: :get)) }
      before do
-        allow(kubeclient).to receive(:create_network_policy).and_raise(Kubeclient::HttpError.new(500, 'system failure', nil))
+        allow(kubeclient).to receive(:create_network_policy).and_raise(Kubeclient::HttpError.new(500, 'system failure', response))
      end
      it 'returns error response' do
@@ -103,6 +106,10 @@ RSpec.describe NetworkPolicies::DeployResourceService do
        expect(subject.http_status).to eq(:bad_request)
        expect(subject.message).not_to be_nil
      end
+      it 'returns error message without request url' do
+        expect(subject.message).not_to include(request_url)
+      end
    end
    context 'with cilium network policy' do

--- a/ee/spec/services/network_policies/find_resource_service_spec.rb
+++ b/ee/spec/services/network_policies/find_resource_service_spec.rb
@@ -62,8 +62,11 @@ RSpec.describe NetworkPolicies::FindResourceService do
    end
    context 'with Kubeclient::HttpError' do
+      let(:request_url) { 'https://kubernetes.local' }
+      let(:response) {  RestClient::Response.create('', {}, RestClient::Request.new(url: request_url, method: :get)) }
      before do
-        allow(kubeclient).to receive(:get_network_policy).and_raise(Kubeclient::HttpError.new(500, 'system failure', nil))
+        allow(kubeclient).to receive(:get_network_policy).and_raise(Kubeclient::HttpError.new(500, 'system failure', response))
      end
      it 'returns error response' do
@@ -71,6 +74,10 @@ RSpec.describe NetworkPolicies::FindResourceService do
        expect(subject.http_status).to eq(:bad_request)
        expect(subject.message).not_to be_nil
      end
+      it 'returns error message without request url' do
+        expect(subject.message).not_to include(request_url)
+      end
    end
  end
 end
--- a/ee/spec/support/shared_examples/lib/gitlab/middleware/maintenance_mode_gitlab_ee_instance_shared_examples.rb
+++ b/ee/spec/support/shared_examples/lib/gitlab/middleware/maintenance_mode_gitlab_ee_instance_shared_examples.rb
@@ -7,7 +7,7 @@ RSpec.shared_examples 'write access for a read-only GitLab (EE) instance in main
  include_context 'with a mocked GitLab instance'
  before do
-    stub_application_setting(maintenance_mode: true)
+    stub_maintenance_mode_setting(true)
  end
  context 'normal requests to a read-only GitLab instance' do

--- a/lib/gitlab.rb
+++ b/lib/gitlab.rb
@@ -118,6 +118,7 @@ module Gitlab
  def self.maintenance_mode?
    return false unless ::Feature.enabled?(:maintenance_mode)
+    return false unless ::Gitlab::CurrentSettings.current_application_settings?
    ::Gitlab::CurrentSettings.maintenance_mode
  end

--- a/lib/gitlab/crypto_helper.rb
+++ b/lib/gitlab/crypto_helper.rb
@@ -6,25 +6,44 @@ module Gitlab
    AES256_GCM_OPTIONS = {
      algorithm: 'aes-256-gcm',
-      key: Settings.attr_encrypted_db_key_base_32,
+      key: Settings.attr_encrypted_db_key_base_32
-      iv: Settings.attr_encrypted_db_key_base_12
    }.freeze
+    AES256_GCM_IV_STATIC = Settings.attr_encrypted_db_key_base_12
    def sha256(value)
      salt = Settings.attr_encrypted_db_key_base_truncated
      ::Digest::SHA256.base64digest("#{value}#{salt}")
    end
-    def aes256_gcm_encrypt(value)
+    def aes256_gcm_encrypt(value, nonce: nil)
-      encrypted_token = Encryptor.encrypt(AES256_GCM_OPTIONS.merge(value: value))
+      aes256_gcm_encrypt_using_static_nonce(value)
-      Base64.strict_encode64(encrypted_token)
    end
    def aes256_gcm_decrypt(value)
      return unless value
+      nonce = Feature.enabled?(:dynamic_nonce_creation) ? dynamic_nonce(value) : AES256_GCM_IV_STATIC
      encrypted_token = Base64.decode64(value)
-      Encryptor.decrypt(AES256_GCM_OPTIONS.merge(value: encrypted_token))
+      decrypted_token = Encryptor.decrypt(AES256_GCM_OPTIONS.merge(value: encrypted_token, iv: nonce))
+      decrypted_token
+    end
+    def dynamic_nonce(value)
+      TokenWithIv.find_nonce_by_hashed_token(value) || AES256_GCM_IV_STATIC
+    end
+    def aes256_gcm_encrypt_using_static_nonce(value)
+      create_encrypted_token(value, AES256_GCM_IV_STATIC)
+    end
+    def read_only?
+      Gitlab::Database.read_only?
+    end
+    def create_encrypted_token(value, iv)
+      encrypted_token = Encryptor.encrypt(AES256_GCM_OPTIONS.merge(value: value, iv: iv))
+      Base64.strict_encode64(encrypted_token)
    end
  end
 end
--- a/lib/gitlab/current_settings.rb
+++ b/lib/gitlab/current_settings.rb
@@ -7,6 +7,10 @@ module Gitlab
        Gitlab::SafeRequestStore.fetch(:current_application_settings) { ensure_application_settings! }
      end
+      def current_application_settings?
+        Gitlab::SafeRequestStore.exist?(:current_application_settings) || ::ApplicationSetting.current.present?
+      end
      def expire_current_application_settings
        ::ApplicationSetting.expire
        Gitlab::SafeRequestStore.delete(:current_application_settings)

--- a/lib/gitlab/graphql/query_analyzers/logger_analyzer.rb
+++ b/lib/gitlab/graphql/query_analyzers/logger_analyzer.rb
@@ -49,13 +49,21 @@ module Gitlab
        private
        def process_variables(variables)
-          if variables.respond_to?(:to_s)
+          filtered_variables = filter_sensitive_variables(variables)
-            variables.to_s
+          if filtered_variables.respond_to?(:to_s)
+            filtered_variables.to_s
          else
-            variables
+            filtered_variables
          end
        end
+        def filter_sensitive_variables(variables)
+          ActiveSupport::ParameterFilter
+            .new(::Rails.application.config.filter_parameters)
+            .filter(variables)
+        end
        def duration(time_started)
          Gitlab::Metrics::System.monotonic_time - time_started
        end

--- a/lib/gitlab/url_blocker.rb
+++ b/lib/gitlab/url_blocker.rb
@@ -49,10 +49,12 @@ module Gitlab
        return [uri, nil] unless address_info
        ip_address = ip_address(address_info)
-        return [uri, nil] if domain_allowed?(uri) || ip_allowed?(ip_address, port: get_port(uri))
+        return [uri, nil] if domain_allowed?(uri)
        protected_uri_with_hostname = enforce_uri_hostname(ip_address, uri, dns_rebind_protection)
+        return protected_uri_with_hostname if ip_allowed?(ip_address, port: get_port(uri))
        # Allow url from the GitLab instance itself but only for the configured hostname and ports
        return protected_uri_with_hostname if internal?(uri)

--- a/spec/controllers/admin/runners_controller_spec.rb
+++ b/spec/controllers/admin/runners_controller_spec.rb
@@ -27,7 +27,8 @@ RSpec.describe Admin::RunnersController do
      # There is still an N+1 query for `runner.builds.count`
      # We also need to add 1 because it takes 2 queries to preload tags
-      expect { get :index }.not_to exceed_query_limit(control_count + 6)
+      # also looking for token nonce requires database queries
+      expect { get :index }.not_to exceed_query_limit(control_count + 16)
      expect(response).to have_gitlab_http_status(:ok)
      expect(response.body).to have_content('tag1')

--- a/spec/controllers/projects/releases_controller_spec.rb
+++ b/spec/controllers/projects/releases_controller_spec.rb
@@ -9,6 +9,7 @@ RSpec.describe Projects::ReleasesController do
  let_it_be(:private_project) { create(:project, :repository, :private) }
  let_it_be(:developer)  { create(:user) }
  let_it_be(:reporter)   { create(:user) }
+  let_it_be(:guest)      { create(:user) }
  let_it_be(:user)       { developer }
  let!(:release_1)       { create(:release, project: project, released_at: Time.zone.parse('2018-10-18')) }
  let!(:release_2)       { create(:release, project: project, released_at: Time.zone.parse('2019-10-19')) }
@@ -16,6 +17,7 @@ RSpec.describe Projects::ReleasesController do
  before do
    project.add_developer(developer)
    project.add_reporter(reporter)
+    project.add_guest(guest)
  end
  shared_examples_for 'successful request' do
@@ -199,6 +201,13 @@ RSpec.describe Projects::ReleasesController do
      it_behaves_like 'not found'
    end
+    context 'when user is a guest' do
+      let(:project) { private_project }
+      let(:user) { guest }
+      it_behaves_like 'not found'
+    end
  end
  # `GET #downloads` is addressed in spec/requests/projects/releases_controller_spec.rb

--- a/spec/factories/token_with_ivs.rb
+++ b/spec/factories/token_with_ivs.rb
+# frozen_string_literal: true
+FactoryBot.define do
+  factory :token_with_iv do
+    hashed_token { ::Digest::SHA256.digest(SecureRandom.hex(50)) }
+    iv { ::Digest::SHA256.digest(SecureRandom.hex(50)) }
+    hashed_plaintext_token { ::Digest::SHA256.digest(SecureRandom.hex(50)) }
+  end
+end
--- a/spec/frontend/vue_mr_widget/components/mr_widget_pipeline_container_spec.js
+++ b/spec/frontend/vue_mr_widget/components/mr_widget_pipeline_container_spec.js
@@ -78,6 +78,18 @@ describe('MrWidgetPipelineContainer', () => {
      });
    });
+    it('sanitizes the targetBranch', () => {
+      factory({
+        isPostMerge: true,
+        mr: {
+          ...mockStore,
+          targetBranch: 'Foo<script>alert("XSS")</script>',
+        },
+      });
+      expect(wrapper.find(MrWidgetPipeline).props().sourceBranchLink).toBe('Foo');
+    });
    it('renders deployments', () => {
      const expectedProps = mockStore.postMergeDeployments.map((dep) =>
        expect.objectContaining({

--- a/spec/lib/gitlab/crypto_helper_spec.rb
+++ b/spec/lib/gitlab/crypto_helper_spec.rb
@@ -19,21 +19,85 @@ RSpec.describe Gitlab::CryptoHelper do
      expect(encrypted).to match %r{\A[A-Za-z0-9+/=]+\z}
      expect(encrypted).not_to include "\n"
    end
+    it 'does not save hashed token with iv value in database' do
+      expect { described_class.aes256_gcm_encrypt('some-value') }.not_to change { TokenWithIv.count }
+    end
+    it 'encrypts using static iv' do
+      expect(Encryptor).to receive(:encrypt).with(described_class::AES256_GCM_OPTIONS.merge(value: 'some-value', iv: described_class::AES256_GCM_IV_STATIC)).and_return('hashed_value')
+      described_class.aes256_gcm_encrypt('some-value')
+    end
  end
  describe '.aes256_gcm_decrypt' do
-    let(:encrypted) { described_class.aes256_gcm_encrypt('some-value') }
+    before do
+      stub_feature_flags(dynamic_nonce_creation: false)
+    end
+    context 'when token was encrypted using static nonce' do
+      let(:encrypted) { described_class.aes256_gcm_encrypt('some-value', nonce: described_class::AES256_GCM_IV_STATIC) }
+      it 'correctly decrypts encrypted string' do
+        decrypted = described_class.aes256_gcm_decrypt(encrypted)
+        expect(decrypted).to eq 'some-value'
+      end
+      it 'decrypts a value when it ends with a new line character' do
+        decrypted = described_class.aes256_gcm_decrypt(encrypted + "\n")
-    it 'correctly decrypts encrypted string' do
+        expect(decrypted).to eq 'some-value'
-      decrypted = described_class.aes256_gcm_decrypt(encrypted)
+      end
-      expect(decrypted).to eq 'some-value'
+      it 'does not save hashed token with iv value in database' do
+        expect { described_class.aes256_gcm_decrypt(encrypted) }.not_to change { TokenWithIv.count }
+      end
+      context 'with feature flag switched on' do
+        before do
+          stub_feature_flags(dynamic_nonce_creation: true)
+        end
+        it 'correctly decrypts encrypted string' do
+          decrypted = described_class.aes256_gcm_decrypt(encrypted)
+          expect(decrypted).to eq 'some-value'
+        end
+      end
    end
-    it 'decrypts a value when it ends with a new line character' do
+    context 'when token was encrypted using random nonce' do
-      decrypted = described_class.aes256_gcm_decrypt(encrypted + "\n")
+      let(:value) { 'random-value' }
+      # for compatibility with tokens encrypted using dynamic nonce
+      let!(:encrypted) do
+        iv = create_nonce
+        encrypted_token = described_class.create_encrypted_token(value, iv)
+        TokenWithIv.create!(hashed_token: Digest::SHA256.digest(encrypted_token), hashed_plaintext_token: Digest::SHA256.digest(encrypted_token), iv: iv)
+        encrypted_token
+      end
+      before do
+        stub_feature_flags(dynamic_nonce_creation: true)
+      end
-      expect(decrypted).to eq 'some-value'
+      it 'correctly decrypts encrypted string' do
+        decrypted = described_class.aes256_gcm_decrypt(encrypted)
+        expect(decrypted).to eq value
+      end
+      it 'does not save hashed token with iv value in database' do
+        expect { described_class.aes256_gcm_decrypt(encrypted) }.not_to change { TokenWithIv.count }
+      end
    end
  end
+  def create_nonce
+    cipher = OpenSSL::Cipher.new('aes-256-gcm')
+    cipher.encrypt # Required before '#random_iv' can be called
+    cipher.random_iv # Ensures that the IV is the correct length respective to the algorithm used.
+  end
 end
--- a/spec/lib/gitlab/current_settings_spec.rb
+++ b/spec/lib/gitlab/current_settings_spec.rb
@@ -194,4 +194,32 @@ RSpec.describe Gitlab::CurrentSettings do
      end
    end
  end
+  describe '#current_application_settings?', :use_clean_rails_memory_store_caching do
+    before do
+      allow(Gitlab::CurrentSettings).to receive(:current_application_settings?).and_call_original
+    end
+    it 'returns true when settings exist' do
+      create(:application_setting,
+        home_page_url: 'http://mydomain.com',
+        signup_enabled: false)
+      expect(described_class.current_application_settings?).to eq(true)
+    end
+    it 'returns false when settings do not exist' do
+      expect(described_class.current_application_settings?).to eq(false)
+    end
+    context 'with cache', :request_store do
+      include_context 'with settings in cache'
+      it 'returns an in-memory ApplicationSetting object' do
+        expect(ApplicationSetting).not_to receive(:current)
+        expect(described_class.current_application_settings?).to eq(true)
+      end
+    end
+  end
 end
--- a/spec/lib/gitlab/graphql/query_analyzers/logger_analyzer_spec.rb
+++ b/spec/lib/gitlab/graphql/query_analyzers/logger_analyzer_spec.rb
@@ -40,4 +40,22 @@ RSpec.describe Gitlab::Graphql::QueryAnalyzers::LoggerAnalyzer do
      end
    end
  end
+  describe '#initial_value' do
+    it 'filters out sensitive variables' do
+      doc = GraphQL.parse <<-GRAPHQL
+        mutation createNote($body: String!) {
+          createNote(input: {noteableId: "1", body: $body}) {
+            note {
+              id
+            }
+          }
+        }
+      GRAPHQL
+      query = GraphQL::Query.new(GitlabSchema, document: doc, context: {}, variables: { body: "some note" })
+      expect(subject.initial_value(query)[:variables]).to eq('{:body=>"[FILTERED]"}')
+    end
+  end
 end
--- a/spec/lib/gitlab/url_blocker_spec.rb
+++ b/spec/lib/gitlab/url_blocker_spec.rb
@@ -91,6 +91,21 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
      end
    end
+    context 'DNS rebinding protection with IP allowed' do
+      let(:import_url) { 'http://a.192.168.0.120.3times.127.0.0.1.1time.repeat.rebind.network:9121/scrape?target=unix:///var/opt/gitlab/redis/redis.socket&amp;check-keys=*' }
+      before do
+        stub_dns(import_url, ip_address: '192.168.0.120')
+        allow(Gitlab::UrlBlockers::UrlAllowlist).to receive(:ip_allowed?).and_return(true)
+      end
+      it_behaves_like 'validates URI and hostname' do
+        let(:expected_uri) { 'http://192.168.0.120:9121/scrape?target=unix:///var/opt/gitlab/redis/redis.socket&amp;check-keys=*' }
+        let(:expected_hostname) { 'a.192.168.0.120.3times.127.0.0.1.1time.repeat.rebind.network' }
+      end
+    end
    context 'disabled DNS rebinding protection' do
      subject { described_class.validate!(import_url, dns_rebind_protection: false) }

--- a/spec/lib/gitlab_spec.rb
+++ b/spec/lib/gitlab_spec.rb
@@ -332,13 +332,13 @@ RSpec.describe Gitlab do
  describe '.maintenance_mode?' do
    it 'returns true when maintenance mode is enabled' do
-      stub_application_setting(maintenance_mode: true)
+      stub_maintenance_mode_setting(true)
      expect(described_class.maintenance_mode?).to eq(true)
    end
    it 'returns false when maintenance mode is disabled' do
-      stub_application_setting(maintenance_mode: false)
+      stub_maintenance_mode_setting(false)
      expect(described_class.maintenance_mode?).to eq(false)
    end

--- a/spec/migrations/encrypt_feature_flags_clients_tokens_spec.rb
+++ b/spec/migrations/encrypt_feature_flags_clients_tokens_spec.rb
@@ -8,7 +8,7 @@ RSpec.describe EncryptFeatureFlagsClientsTokens do
  let(:feature_flags_clients) { table(:operations_feature_flags_clients) }
  let(:projects) { table(:projects) }
  let(:plaintext) { "secret-token" }
-  let(:ciphertext) { Gitlab::CryptoHelper.aes256_gcm_encrypt(plaintext) }
+  let(:ciphertext) { Gitlab::CryptoHelper.aes256_gcm_encrypt(plaintext, nonce: Gitlab::CryptoHelper::AES256_GCM_IV_STATIC) }
  describe '#up' do
    it 'keeps plaintext token the same and populates token_encrypted if not present' do

--- a/spec/models/active_session_spec.rb
+++ b/spec/models/active_session_spec.rb
@@ -358,7 +358,7 @@ RSpec.describe ActiveSession, :clean_gitlab_redis_shared_state do
      it 'calls .destroy_sessions' do
        expect(ActiveSession).to(
          receive(:destroy_sessions)
-            .with(anything, user, [active_session.public_id, rack_session.public_id, rack_session.private_id]))
+            .with(anything, user, [encrypted_active_session_id, rack_session.public_id, rack_session.private_id]))
        subject
      end

--- a/spec/models/concerns/token_authenticatable_spec.rb
+++ b/spec/models/concerns/token_authenticatable_spec.rb
@@ -54,7 +54,7 @@ RSpec.describe ApplicationSetting, 'TokenAuthenticatable' do
        it 'persists new token as an encrypted string' do
          expect(subject).to eq settings.reload.runners_registration_token
          expect(settings.read_attribute('runners_registration_token_encrypted'))
-            .to eq Gitlab::CryptoHelper.aes256_gcm_encrypt(subject)
+            .to eq Gitlab::CryptoHelper.aes256_gcm_encrypt(subject, nonce: Gitlab::CryptoHelper::AES256_GCM_IV_STATIC)
          expect(settings).to be_persisted
        end
@@ -243,7 +243,7 @@ RSpec.describe Ci::Build, 'TokenAuthenticatable' do
        it 'persists new token as an encrypted string' do
          build.ensure_token!
-          encrypted = Gitlab::CryptoHelper.aes256_gcm_encrypt(build.token)
+          encrypted = Gitlab::CryptoHelper.aes256_gcm_encrypt(build.token, nonce: Gitlab::CryptoHelper::AES256_GCM_IV_STATIC)
          expect(build.read_attribute('token_encrypted')).to eq encrypted
        end

--- a/spec/models/concerns/token_authenticatable_strategies/encrypted_spec.rb
+++ b/spec/models/concerns/token_authenticatable_strategies/encrypted_spec.rb
@@ -68,6 +68,10 @@ RSpec.describe TokenAuthenticatableStrategies::Encrypted do
    context 'when using optional strategy' do
      let(:options) { { encrypted: :optional } }
+      before do
+        stub_feature_flags(dynamic_nonce_creation: false)
+      end
      it 'returns decrypted token when an encrypted token is present' do
        allow(instance).to receive(:read_attribute)
          .with('some_field_encrypted')
@@ -124,7 +128,7 @@ RSpec.describe TokenAuthenticatableStrategies::Encrypted do
      it 'writes encrypted token and removes plaintext token and returns it' do
        expect(instance).to receive(:[]=)
-          .with('some_field_encrypted', encrypted)
+          .with('some_field_encrypted', any_args)
        expect(instance).to receive(:[]=)
          .with('some_field', nil)
@@ -137,7 +141,7 @@ RSpec.describe TokenAuthenticatableStrategies::Encrypted do
      it 'writes encrypted token and writes plaintext token' do
        expect(instance).to receive(:[]=)
-          .with('some_field_encrypted', encrypted)
+          .with('some_field_encrypted', any_args)
        expect(instance).to receive(:[]=)
          .with('some_field', 'my-value')

--- a/spec/models/token_with_iv_spec.rb
+++ b/spec/models/token_with_iv_spec.rb
+# frozen_string_literal: true
+require 'spec_helper'
+RSpec.describe TokenWithIv do
+  describe 'validations' do
+    it { is_expected.to validate_presence_of :hashed_token }
+    it { is_expected.to validate_presence_of :iv }
+    it { is_expected.to validate_presence_of :hashed_plaintext_token }
+  end
+  describe '.find_by_hashed_token' do
+    it 'only includes matching record' do
+      matching_record = create(:token_with_iv, hashed_token: ::Digest::SHA256.digest('hashed-token'))
+      create(:token_with_iv)
+      expect(described_class.find_by_hashed_token('hashed-token')).to eq(matching_record)
+    end
+  end
+  describe '.find_by_plaintext_token' do
+    it 'only includes matching record' do
+      matching_record = create(:token_with_iv, hashed_plaintext_token: ::Digest::SHA256.digest('hashed-token'))
+      create(:token_with_iv)
+      expect(described_class.find_by_plaintext_token('hashed-token')).to eq(matching_record)
+    end
+  end
+end
--- a/spec/presenters/release_presenter_spec.rb
+++ b/spec/presenters/release_presenter_spec.rb
@@ -62,6 +62,12 @@ RSpec.describe ReleasePresenter do
    it 'returns its own url' do
      is_expected.to eq(project_release_url(project, release))
    end
+    context 'when user is guest' do
+      let(:user) { guest }
+      it { is_expected.to be_nil }
+    end
  end
  describe '#opened_merge_requests_url' do

--- a/spec/requests/git_http_spec.rb
+++ b/spec/requests/git_http_spec.rb
@@ -159,13 +159,17 @@ RSpec.describe 'Git HTTP requests' do
    context "POST git-upload-pack" do
      it "fails to find a route" do
-        expect { clone_post(repository_path) }.to raise_error(ActionController::RoutingError)
+        clone_post(repository_path) do |response|
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
      end
    end
    context "POST git-receive-pack" do
      it "fails to find a route" do
-        expect { push_post(repository_path) }.to raise_error(ActionController::RoutingError)
+        push_post(repository_path) do |response|
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
      end
    end
  end

--- a/spec/routing/git_http_routing_spec.rb
+++ b/spec/routing/git_http_routing_spec.rb
@@ -7,6 +7,10 @@ RSpec.describe 'git_http routing' do
    it_behaves_like 'git repository routes' do
      let(:path) { '/gitlab-org/gitlab-test.git' }
    end
+    it_behaves_like 'git repository routes with fallback for git-upload-pack' do
+      let(:path) { '/gitlab-org/gitlab-test.git' }
+    end
  end
  describe 'wiki repositories' do
@@ -14,6 +18,7 @@ RSpec.describe 'git_http routing' do
      let(:path) { '/gitlab-org/gitlab-test.wiki.git' }
      it_behaves_like 'git repository routes'
+      it_behaves_like 'git repository routes with fallback for git-upload-pack'
      describe 'redirects', type: :request do
        let(:web_path) { '/gitlab-org/gitlab-test/-/wikis' }
@@ -37,12 +42,20 @@ RSpec.describe 'git_http routing' do
      it_behaves_like 'git repository routes' do
        let(:path) { '/gitlab-org.wiki.git' }
      end
+      it_behaves_like 'git repository routes with fallback for git-upload-pack' do
+        let(:path) { '/gitlab-org.wiki.git' }
+      end
    end
    context 'in child group' do
      it_behaves_like 'git repository routes' do
        let(:path) { '/gitlab-org/child.wiki.git' }
      end
+      it_behaves_like 'git repository routes with fallback for git-upload-pack' do
+        let(:path) { '/gitlab-org/child.wiki.git' }
+      end
    end
  end
@@ -51,12 +64,20 @@ RSpec.describe 'git_http routing' do
      it_behaves_like 'git repository routes' do
        let(:path) { '/snippets/123.git' }
      end
+      it_behaves_like 'git repository routes without fallback' do
+        let(:path) { '/snippets/123.git' }
+      end
    end
    context 'project snippet' do
      it_behaves_like 'git repository routes' do
        let(:path) { '/gitlab-org/gitlab-test/snippets/123.git' }
      end
+      it_behaves_like 'git repository routes with fallback' do
+        let(:path) { '/gitlab-org/gitlab-test/snippets/123.git' }
+      end
    end
  end
 end
--- a/spec/routing/project_routing_spec.rb
+++ b/spec/routing/project_routing_spec.rb
@@ -876,4 +876,73 @@ RSpec.describe 'project routing' do
      )
    end
  end
+  context 'with a non-existent project' do
+    it 'routes to 404 with get request' do
+      expect(get: "/gitlab/not_exist").to route_to(
+        'application#route_not_found',
+        unmatched_route: 'gitlab/not_exist'
+      )
+    end
+    it 'routes to 404 with delete request' do
+      expect(delete: "/gitlab/not_exist").to route_to(
+        'application#route_not_found',
+        namespace_id: 'gitlab',
+        project_id: 'not_exist'
+      )
+    end
+    it 'routes to 404 with post request' do
+      expect(post: "/gitlab/not_exist").to route_to(
+        'application#route_not_found',
+        namespace_id: 'gitlab',
+        project_id: 'not_exist'
+      )
+    end
+    it 'routes to 404 with put request' do
+      expect(put: "/gitlab/not_exist").to route_to(
+        'application#route_not_found',
+        namespace_id: 'gitlab',
+        project_id: 'not_exist'
+      )
+    end
+    context 'with route to some action' do
+      it 'routes to 404 with get request to' do
+        expect(get: "/gitlab/not_exist/some_action").to route_to(
+          'application#route_not_found',
+          unmatched_route: 'gitlab/not_exist/some_action'
+        )
+      end
+      it 'routes to 404 with delete request' do
+        expect(delete: "/gitlab/not_exist/some_action").to route_to(
+          'application#route_not_found',
+          namespace_id: 'gitlab',
+          project_id: 'not_exist',
+          all: 'some_action'
+        )
+      end
+      it 'routes to 404 with post request' do
+        expect(post: "/gitlab/not_exist/some_action").to route_to(
+          'application#route_not_found',
+          namespace_id: 'gitlab',
+          project_id: 'not_exist',
+          all: 'some_action'
+        )
+      end
+      it 'routes to 404 with put request' do
+        expect(put: "/gitlab/not_exist/some_action").to route_to(
+          'application#route_not_found',
+          namespace_id: 'gitlab',
+          project_id: 'not_exist',
+          all: 'some_action'
+        )
+      end
+    end
+  end
 end
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -284,6 +284,8 @@ RSpec.configure do |config|
        current_user_mode.send(:user)&.admin?
      end
    end
+    allow(Gitlab::CurrentSettings).to receive(:current_application_settings?).and_return(false)
  end
  config.around(:example, :quarantine) do |example|

--- a/spec/support/helpers/stub_configuration.rb
+++ b/spec/support/helpers/stub_configuration.rb
@@ -121,6 +121,12 @@ module StubConfiguration
    allow(::Gitlab.config.packages).to receive_messages(to_settings(messages))
  end
+  def stub_maintenance_mode_setting(value)
+    allow(Gitlab::CurrentSettings).to receive(:current_application_settings?).and_return(true)
+    stub_application_setting(maintenance_mode: value)
+  end
  private
  # Modifies stubbed messages to also stub possible predicate versions

--- a/spec/support/matchers/route_to_route_not_found_matcher.rb
+++ b/spec/support/matchers/route_to_route_not_found_matcher.rb
+# frozen_string_literal: true
+RSpec::Matchers.define :route_to_route_not_found do
+  match do |actual|
+    expect(actual).to route_to(controller: 'application', action: 'route_not_found')
+  rescue RSpec::Expectations::ExpectationNotMetError => e
+    # `route_to` matcher requires providing all params for exact match. As we use it in shared examples and we provide different paths,
+    # this matcher checks if provided route matches controller and action, without checking params.
+    expect(e.message).to include("-{\"controller\"=>\"application\", \"action\"=>\"route_not_found\"}\n+{\"controller\"=>\"application\", \"action\"=>\"route_not_found\",")
+  end
+  failure_message do |_|
+    "expected #{actual} to route to route_not_found"
+  end
+end
--- a/spec/support/shared_examples/routing/git_http_routing_shared_examples.rb
+++ b/spec/support/shared_examples/routing/git_http_routing_shared_examples.rb
@@ -16,10 +16,6 @@ RSpec.shared_examples 'git repository routes' do
      expect(get("#{container_path}/info/refs?service=git-upload-pack")).to redirect_to("#{container_path}.git/info/refs?service=git-upload-pack")
      expect(get("#{container_path}/info/refs?service=git-receive-pack")).to redirect_to("#{container_path}.git/info/refs?service=git-receive-pack")
    end
-    it 'does not redirect other requests' do
-      expect(post("#{container_path}/git-upload-pack")).not_to be_routable
-    end
  end
  it 'routes LFS endpoints' do
@@ -35,6 +31,56 @@ RSpec.shared_examples 'git repository routes' do
    expect(get("#{path}/gitlab-lfs/objects/#{oid}")).to route_to('repositories/lfs_storage#download', oid: oid, **params)
    expect(put("#{path}/gitlab-lfs/objects/#{oid}/456/authorize")).to route_to('repositories/lfs_storage#upload_authorize', oid: oid, size: '456', **params)
    expect(put("#{path}/gitlab-lfs/objects/#{oid}/456")).to route_to('repositories/lfs_storage#upload_finalize', oid: oid, size: '456', **params)
+  end
+end
+RSpec.shared_examples 'git repository routes without fallback' do
+  let(:container_path) { path.delete_suffix('.git') }
+  context 'requests without .git format' do
+    it 'does not redirect other requests' do
+      expect(post("#{container_path}/git-upload-pack")).not_to be_routable
+    end
+  end
+  it 'routes LFS endpoints for unmatched routes' do
+    oid = generate(:oid)
+    expect(put("#{path}/gitlab-lfs/objects/foo")).not_to be_routable
+    expect(put("#{path}/gitlab-lfs/objects/#{oid}/foo")).not_to be_routable
+    expect(put("#{path}/gitlab-lfs/objects/#{oid}/foo/authorize")).not_to be_routable
+  end
+end
+RSpec.shared_examples 'git repository routes with fallback' do
+  let(:container_path) { path.delete_suffix('.git') }
+  context 'requests without .git format' do
+    it 'does not redirect other requests' do
+      expect(post("#{container_path}/git-upload-pack")).to route_to_route_not_found
+    end
+  end
+  it 'routes LFS endpoints' do
+    oid = generate(:oid)
+    expect(put("#{path}/gitlab-lfs/objects/foo")).to route_to_route_not_found
+    expect(put("#{path}/gitlab-lfs/objects/#{oid}/foo")).to route_to_route_not_found
+    expect(put("#{path}/gitlab-lfs/objects/#{oid}/foo/authorize")).to route_to_route_not_found
+  end
+end
+RSpec.shared_examples 'git repository routes with fallback for git-upload-pack' do
+  let(:container_path) { path.delete_suffix('.git') }
+  context 'requests without .git format' do
+    it 'does not redirect other requests' do
+      expect(post("#{container_path}/git-upload-pack")).to route_to_route_not_found
+    end
+  end
+  it 'routes LFS endpoints for unmatched routes' do
+    oid = generate(:oid)
    expect(put("#{path}/gitlab-lfs/objects/foo")).not_to be_routable
    expect(put("#{path}/gitlab-lfs/objects/#{oid}/foo")).not_to be_routable