- 14 Dec, 2016 5 commits
  - Alejandro Rodríguez authored
  - Rémy Coutable authored
    Signed-off-by: Rémy Coutable <remy@rymai.me>
  - Rémy Coutable authored
    Filter `authentication_token`, `incoming_email_token` and `runners_token` parameters
    Closes https://dev.gitlab.org/gitlab/gitlabhq/issues/2676
    See merge request !2045
    Signed-off-by: Rémy Coutable <remy@rymai.me>
  - Douwe Maan authored
    Fix missing Note access checks by moving Note#search to updated NoteFinder
    Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867
    See merge request !2035
    Signed-off-by: Rémy Coutable <remy@rymai.me>
  - Sean McGivern authored
    API: Memoize the current_user so that the sudo can work properly
    Closes #25482
    See merge request !8017
    Signed-off-by: Rémy Coutable <remy@rymai.me>
- 09 Dec, 2016 1 commit
  - Rémy Coutable authored
    [ci skip]
    Signed-off-by: Rémy Coutable <remy@rymai.me>
- 08 Dec, 2016 5 commits
  - Rémy Coutable authored
  - Rémy Coutable authored
    Signed-off-by: Rémy Coutable <remy@rymai.me>
  - Sean McGivern authored
    Make the `downtime_check` task happy
    See merge request !7845
    Signed-off-by: Rémy Coutable <remy@rymai.me>
  - Rémy Coutable authored
    Signed-off-by: Rémy Coutable <remy@rymai.me>
  - Douwe Maan authored
    Reenables the API /users to return `private-token` when sudo is either a parameter or passed as a header and the user is admin.
    Closes #24537
    See merge request !7615
    Signed-off-by: Rémy Coutable <remy@rymai.me>
- 07 Dec, 2016 1 commit
  - Douwe Maan authored
    Replace MR access checks with use of MergeRequestsFinder
    Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867

    ## Which fixes are in this MR?

    - ⚠ - Potentially untested
    - 💣 - No test coverage
    - 🚥 - Test coverage of some sort exists (a test failed when error raised)
    - 🚦 - Test coverage of return value (a test failed when nil used)
    - ✅ - Permissions check tested

    ### MR lookup from project

    - [x] 💣 app/finders/notes_finder.rb:17
    - [x] ⚠ app/views/layouts/nav/_project.html.haml:80 [`.count`]
    - [x] 💣 app/controllers/concerns/creates_commit.rb:84
    - [x] 🚥 app/controllers/projects/commits_controller.rb:24
    - [x] 🚥 app/controllers/projects/compare_controller.rb:56
    - [x] 🚦 app/controllers/projects/discussions_controller.rb:29
    - [x] ✅ app/controllers/projects/todos_controller.rb:27
    - [x] 🚦 app/models/commit.rb:268
    - [x] ✅ lib/gitlab/search_results.rb:71

    ### Previous discussions

    - [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_267_266 Memoize `merged_merge_request(current_user)`
    - [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_248_247 Expected side effect for `merged_merge_request!`, consider `skip_authorization: true`.
    - [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#d1c10892daedb4d4dd3d4b12b6d071091eea83df_269_269 Scary use of unchecked `merged_merge_request?`

    See merge request !2033
- 02 Dec, 2016 1 commit
  - Alejandro Rodríguez authored
- 28 Nov, 2016 1 commit
  - Alejandro Rodríguez authored
- 25 Nov, 2016 4 commits
  - Robert Speicher authored
    Update grape-entity to 0.6.0
    See merge request !7491
    Signed-off-by: Rémy Coutable <remy@rymai.me>
  - Rémy Coutable authored
    The `repository_access_level` attribute doesn't exist in the 8-12-stable branch so repository access cannot be restricted using this feature. Fortunately we use `can?(user, :download_code, ref_project)` in lib/banzai/reference_parser/commit_parser.rb and lib/banzai/reference_parser/commit_range_parser.rb and this permission already exists in 8-12-stable (it only depends on the project `visibility_access`).
    Signed-off-by: Rémy Coutable <remy@rymai.me>
  - Douwe Maan authored
    Honour issue and merge request visibility in their respective finders
    This MR fixes a security issue with the IssuesFinder and MergeRequestFinder where they would return items the user did not have permission to see. This was most visible on the issue and merge requests page for a group containing projects that had set their issues or merge requests to "private".
    Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/22481
    See merge request !2000
  - Douwe Maan authored
    disable markdown in comments when referencing disabled features
    fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23548
    This MR prevents the following references when tool is disabled:
    - issues
    - snippets
    - commits - when repo is disabled
    - commit range - when repo is disabled
    - milestones
    This MR does not prevent references to repository files, since they are just markdown links and don't leak information.
    See merge request !2011
    Signed-off-by: Rémy Coutable <remy@rymai.me>
- 24 Nov, 2016 10 commits
  - Alejandro Rodríguez authored
    This reverts commit 5614d724.
  - Alejandro Rodríguez authored
    This reverts commit 311b59d9.
  - Alejandro Rodríguez authored
  - Douwe Maan authored
    Honour issue and merge request visibility in their respective finders
    This MR fixes a security issue with the IssuesFinder and MergeRequestFinder where they would return items the user did not have permission to see. This was most visible on the issue and merge requests page for a group containing projects that had set their issues or merge requests to "private".
    Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/22481
    See merge request !2000
  - Douwe Maan authored
    disable markdown in comments when referencing disabled features
    fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23548
    This MR prevents the following references when tool is disabled:
    - issues
    - snippets
    - commits - when repo is disabled
    - commit range - when repo is disabled
    - milestones
    This MR does not prevent references to repository files, since they are just markdown links and don't leak information.
    See merge request !2011
    Signed-off-by: Rémy Coutable <remy@rymai.me>
  - Rémy Coutable authored
    Signed-off-by: Rémy Coutable <remy@rymai.me>
  - Rémy Coutable authored
    Signed-off-by: Rémy Coutable <remy@rymai.me>
  - Douwe Maan authored
    Replace issue access checks with use of IssuableFinder
    Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867

    - ⚠ - Potentially untested
    - 💣 - No test coverage
    - 🚥 - Test coverage of some sort exists (a test failed when error raised)
    - 🚦 - Test coverage of return value (a test failed when nil used)
    - ✅ - Permissions check tested

    Using `visible_to_user` likely makes these security issues too. See [Code smells](#code-smells).

    - [x] 🚦 app/finders/notes_finder.rb:15 [`visible_to_user`]
    - [x] 🚥 app/views/layouts/nav/_project.html.haml:73 [`visible_to_user`] [`.count`]
    - [x] ✅ app/services/merge_requests/build_service.rb:84 [`issue.try(:confidential?)`]
    - [x] ✅ lib/api/issues.rb:112 [`visible_to_user`] - CHANGELOG: Prevented API returning issues set to 'Only team members' to everyone
    - [x] ✅ lib/api/helpers.rb:126 [`can?(current_user, :read_issue, issue)`] Maybe here too?
    - [x] ✅ lib/gitlab/search_results.rb:53 [`visible_to_user`]
    - [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b2ff264eddf9819d7693c14ae213d941494fe2b3_128_126
    - [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#7b6375270d22f880bdcb085e47b519b426a5c6c7_87_87

    See merge request !2031
    Signed-off-by: Rémy Coutable <remy@rymai.me>
  - Douwe Maan authored
    Fix missing access checks on issue lookup using IssuableFinder
    Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867

    - ⚠ - Potentially untested
    - 💣 - No test coverage
    - 🚥 - Test coverage of some sort exists (a test failed when error raised)
    - 🚦 - Test coverage of return value (a test failed when nil used)
    - ✅ - Permissions check tested

    - [x] ✅ app/controllers/projects/branches_controller.rb:39 - `before_action :authorize_push_code!` helps limit/prevent exploitation. Always checks for reporter access so fine with confidential issues, issues only visible to team, etc.
    - [x] 🚥 app/models/cycle_analytics/summary.rb:9 [`.count`]
    - [x] ✅ app/controllers/projects/todos_controller.rb:19
    - [x] Potential double render in app/controllers/projects/todos_controller.rb - https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#cedccb227af9bfdf88802767cb58d43c2b977439_24_24

    See merge request !2030
    Signed-off-by: Rémy Coutable <remy@rymai.me>
  - Douwe Maan authored
    Fix information disclosure in `Projects::BlobController#update`
    It was possible to discover private project names by modifying the `from_merge_request` parameter in `Projects::BlobController#update`. This fixes that.

    - [ ] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG.md) entry added
    - Tests
      - [x] Added for this feature/bug
      - [ ] All builds are passing
    - [x] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html)
    - [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
    - [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

    https://gitlab.com/gitlab-org/gitlab-ce/issues/22869
    See merge request !2023
    Signed-off-by: Rémy Coutable <remy@rymai.me>
- 09 Nov, 2016 2 commits
  - Rémy Coutable authored
    [ci skip]
    Signed-off-by: Rémy Coutable <remy@rymai.me>
  - Stan Hu authored
- 08 Nov, 2016 1 commit
  - Douwe Maan authored
    Fix for HackerOne XSS vulnerability in markdown
    This is an updated blacklist patch to fix https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2007. No text is removed. Dangerous schemes/protocols and invalid URIs are left intact but not linked.
    Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23153
    See merge request !2015
    Signed-off-by: Rémy Coutable <remy@rymai.me>
- 03 Nov, 2016 1 commit
  - Rémy Coutable authored
    [ci skip]
    Signed-off-by: Rémy Coutable <remy@rymai.me>
- 02 Nov, 2016 1 commit
  - Robert Speicher authored
- 01 Nov, 2016 3 commits
  - James Lopez authored
  - James Lopez authored
  - Douwe Maan authored
    Use Hash rocket syntax to fix cycle analytics under Ruby 2.1
    Refers to #23510
    See merge request !6977
- 17 Oct, 2016 4 commits
  - Rémy Coutable authored
  - Rémy Coutable authored
    Fix Safari displaying NaN for selected due date

    ## What does this MR do?

    1. Stops using `Date.parse` to parse selected due dates.
    2. Refactors DueDateSelectors to be more maintainable and readable

    ## Are there points in the code the reviewer needs to double check?

    **To review the actual fix, look here:** https://gitlab.com/gitlab-org/gitlab-ce/commit/4ad43ac3a12902d7ea01dc09f8a361b01c21a0ee. It would be difficult to pick out from the overall diff.

    ## Why was this MR needed?

    In Safari, the due date selector was displaying 'NaN' when a date is selected, which was being returned by `Date.parse`. Because `Date.parse` is implemented differently across browsers it's generally recommended to favor implicit Date parsing with the `Date` constructor. For more background on this, [see MDN on Date.parse](https://developer.mozilla.org/en/docs/Web/JavaScript/Reference/Global_Objects/Date/parse).

    Also, the code for DueDateSelector was pretty messy, and its logic was very tightly coupled, so I refactored it. None of the basic logic changed, I just broke it up into smaller pieces and made it more OO.

    Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/22984
    See merge request !6797
    Signed-off-by: Rémy Coutable <remy@rymai.me>
  - Stan Hu authored
    Fix broken rspec in compare text
    !6910 changed the filter text from "Filter by branch/tag" to "Filter by Git revision"
    See merge request !6926
  - Dmitriy Zaporozhets authored
    Fix 500 error when creating milestone from group page
    Part of https://gitlab.com/gitlab-org/gitlab-ce/issues/23378
    See merge request !6920