Merge remote-tracking branch 'upstream/master' into ce-to-ee-2018-06-22

# Conflicts:
#	doc/topics/autodevops/index.md

[ci skip]

app/controllers/application_controller.rb

@@ -27,7 +27,7 @@ class ApplicationController < ActionController::Base
 
   after_action :set_page_title_header, if: -> { request.format == :json }
 
-  protect_from_forgery with: :exception
+  protect_from_forgery with: :exception, prepend: true
 
   helper_method :can?
   helper_method :import_sources_enabled?, :github_import_enabled?, :gitea_import_enabled?, :github_import_configured?, :gitlab_import_enabled?, :gitlab_import_configured?, :bitbucket_import_enabled?, :bitbucket_import_configured?, :google_code_import_enabled?, :fogbugz_import_enabled?, :git_import_enabled?, :gitlab_project_import_enabled?

app/controllers/health_controller.rb

 class HealthController < ActionController::Base
-  protect_from_forgery with: :exception, except: :storage_check
+  protect_from_forgery with: :exception, except: :storage_check, prepend: true
   include RequiresWhitelistedMonitoringClient
 
   CHECKS = [

app/controllers/metrics_controller.rb

 class MetricsController < ActionController::Base
   include RequiresWhitelistedMonitoringClient
 
-  protect_from_forgery with: :exception
+  protect_from_forgery with: :exception, prepend: true
 
   def index
     response = if Gitlab::Metrics.prometheus_metrics_enabled?

app/controllers/omniauth_callbacks_controller.rb

@@ -3,7 +3,7 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
   include Devise::Controllers::Rememberable
   prepend EE::OmniauthCallbacksController
 
-  protect_from_forgery except: [:kerberos, :saml, :cas3]
+  protect_from_forgery except: [:kerberos, :saml, :cas3], prepend: true
 
   def handle_omniauth
     omniauth_flow(Gitlab::Auth::OAuth)

changelogs/unreleased/blackst0ne-fix-protect-from-forgery-in-application-controller.yml

+---
+title: "[Rails5] Force the callback run first"
+merge_request: 20055
+author: "@blackst0ne"
+type: fixed

doc/topics/autodevops/index.md

@@ -323,7 +323,11 @@ report is created, it's uploaded as an artifact which you can later download and
 check out.
 
 Any security warnings are also
+<<<<<<< HEAD
 [shown in the merge request widget](../../user/project/merge_requests/dependency_scanning.md).
+=======
+[shown in the merge request widget](https://docs.gitlab.com/ee//user/project/merge_requests/dependency_scanning.html).
+>>>>>>> upstream/master
 
 ### Auto License Management **[ULTIMATE]**
 
@@ -336,7 +340,11 @@ report is created, it's uploaded as an artifact which you can later download and
 check out.
 
 Any licenses are also
+<<<<<<< HEAD
 [shown in the merge request widget](../../user/project/merge_requests/license_management.md).
+=======
+[shown in the merge request widget](https://docs.gitlab.com/ee//user/project/merge_requests/license_management.html).
+>>>>>>> upstream/master
 
 ### Auto Container Scanning
 

lib/gitlab/request_forgery_protection.rb

@@ -5,7 +5,7 @@
 module Gitlab
   module RequestForgeryProtection
     class Controller < ActionController::Base
-      protect_from_forgery with: :exception
+      protect_from_forgery with: :exception, prepend: true
 
       rescue_from ActionController::InvalidAuthenticityToken do |e|
         logger.warn "This CSRF token verification failure is handled internally by `GitLab::RequestForgeryProtection`"