Add latest changes from gitlab-org/gitlab@14-4-stable-eev14.4.0-rc42

3 files changed, 425 insertions, 0 deletions

diff --git a/.gitlab/ci/review-apps/dast.gitlab-ci.yml b/.gitlab/ci/review-apps/dast.gitlab-ci.yml
new file mode 100644
index 00000000000..512c850b7da
--- /dev/null
+++ b/.gitlab/ci/review-apps/dast.gitlab-ci.yml
@@ -0,0 +1,191 @@
+.dast_conf:
+  tags:
+    - prm
+  # For scheduling dast job
+  extends:
+    - .reports:rules:schedule-dast
+  image:
+    name: "registry.gitlab.com/gitlab-org/security-products/dast:$DAST_VERSION"
+  resource_group: dast_scan
+  variables:
+    DAST_USERNAME_FIELD: "user[login]"
+    DAST_PASSWORD_FIELD: "user[password]"
+    DAST_SUBMIT_FIELD: "commit"
+    DAST_FULL_SCAN_ENABLED: "true"
+    DAST_VERSION: 2
+    GIT_STRATEGY: none
+    # -Xmx is used to set the JVM memory to 6GB to prevent DAST OutOfMemoryError.
+    DAST_ZAP_CLI_OPTIONS: "-Xmx6144m"
+  before_script:
+    - 'export DAST_WEBSITE="${DAST_WEBSITE:-$(cat environment_url.txt)}"'
+    - 'export DAST_AUTH_URL="${DAST_WEBSITE}/users/sign_in"'
+    - 'export DAST_PASSWORD="${REVIEW_APPS_ROOT_PASSWORD}"'
+    # Help pages are excluded from scan as they are static pages.
+    # profile/two_factor_auth is excluded from scan to prevent 2FA from being turned on from user profile, which will reduce coverage.
+    - 'DAST_EXCLUDE_URLS="${DAST_WEBSITE}/help/.*,${DAST_WEBSITE}/-/profile/two_factor_auth,${DAST_WEBSITE}/users/sign_out"'
+    # Exclude the automatically generated monitoring project from being tested due to https://gitlab.com/gitlab-org/gitlab/-/issues/260362
+    - 'export DAST_EXCLUDE_URLS="${DAST_EXCLUDE_URLS},${DAST_WEBSITE}/gitlab-instance-.*"'
+  needs: ["review-deploy"]
+  stage: dast
+  # Default job timeout set to 90m and dast rules needs 2h to so that it won't timeout.
+  timeout: 2h
+  # Add retry because of intermittent connection problems. See https://gitlab.com/gitlab-org/gitlab/-/issues/244313
+  retry: 1
+  artifacts:
+    paths:
+      - gl-dast-report.json  # GitLab-specific
+    reports:
+      dast: gl-dast-report.json
+    expire_in: 1 week  # GitLab-specific
+  allow_failure: true
+
+# DAST scan with a subset of Release scan rules.
+# ZAP rule details can be found at https://www.zaproxy.org/docs/alerts/
+
+# 10019, 10021	Missing security headers
+# 10023, 10024, 10025, 10037 Information Disclosure
+# 10040	Secure Pages Include Mixed Content
+# 10055	CSP
+# 10056	X-Debug-Token Information Leak
+# Duration: 14 minutes 20 seconds
+
+dast:secureHeaders-csp-infoLeak:
+  extends:
+    - .dast_conf
+  variables:
+    DAST_USERNAME: "user1"
+    DAST_ONLY_INCLUDE_RULES: "10019,10021,10023,10024,10025,10037,10040,10055,10056"
+  script:
+    - /analyze
+
+# 90023	XML External Entity Attack
+# Duration: 41 minutes 20 seconds
+# 90019	Server Side Code Injection
+# Duration: 34 minutes 31 seconds
+dast:XXE-SrvSideInj:
+  extends:
+    - .dast_conf
+  variables:
+    DAST_USERNAME: "user2"
+    DAST_ONLY_INCLUDE_RULES: "90023,90019"
+  script:
+    - /analyze
+
+# 0	Directory Browsing
+# 2	Private IP Disclosure
+# 3	Session ID in URL Rewrite
+# 7	Remote File Inclusion
+# Duration: 63 minutes 43 seconds
+# 90034 Cloud Metadata Potentially Exposed
+# Duration: 13 minutes 48 seconds
+# 90022	Application Error Disclosure
+# Duration: 12 minutes 7 seconds
+dast:infoLeak-fileInc-DirBrowsing:
+  extends:
+    - .dast_conf
+  variables:
+    DAST_USERNAME: "user3"
+    DAST_ONLY_INCLUDE_RULES: "0,2,3,7,90034,90022"
+  script:
+    - /analyze
+
+# 10010	Cookie No HttpOnly Flag
+# 10011	Cookie Without Secure Flag
+# 10017	Cross-Domain JavaScript Source File Inclusion
+# 10029	Cookie Poisoning
+# 90033	Loosely Scoped Cookie
+# 10054	Cookie Without SameSite Attribute
+# Duration: 13 minutes 23 seconds
+dast:insecureCookie:
+  extends:
+    - .dast_conf
+  variables:
+    DAST_USERNAME: "user4"
+    DAST_ONLY_INCLUDE_RULES: "10010,10011,10017,10029,90033,10054"
+  script:
+    - /analyze
+
+
+# 20012	Anti-CSRF Tokens Check
+# 10202	Absence of Anti-CSRF Tokens
+# https://gitlab.com/gitlab-com/gl-security/appsec/appsec-team/-/issues/192
+
+# Commented because of lot of FP's
+# dast:csrfTokenCheck:
+#   extends:
+#     - .dast_conf
+#   variables:
+#     DAST_USERNAME: "user6"
+#     DAST_ONLY_INCLUDE_RULES: "20012,10202"
+#   script:
+#     - /analyze
+
+# 10098	Cross-Domain Misconfiguration
+# 10105	Weak Authentication Method
+# 40003	CRLF Injection
+# 40008	Parameter Tampering
+# Duration: 71 minutes 15 seconds
+dast:corsMisconfig-weakauth-crlfInj:
+  extends:
+    - .dast_conf
+  variables:
+    DAST_USERNAME: "user5"
+    DAST_ONLY_INCLUDE_RULES: "10098,10105,40003,40008"
+  script:
+    - /analyze
+
+# 20019 External Redirect
+# 20014	HTTP Parameter Pollution
+# Duration: 46 minutes 12 seconds
+dast:extRedirect-paramPollution:
+  extends:
+    - .dast_conf
+  variables:
+    DAST_USERNAME: "user6"
+    DAST_ONLY_INCLUDE_RULES: "20019,20014"
+  script:
+    - /analyze
+
+# 40022 SQL Injection - PostgreSQL
+# Duration: 53 minutes 59 seconds
+dast:sqlInjection:
+  extends:
+    - .dast_conf
+  variables:
+    DAST_USERNAME: "user7"
+    DAST_ONLY_INCLUDE_RULES: "40022"
+  script:
+    - /analyze
+
+# 40014	Cross Site Scripting (Persistent)
+# Duration: 21 minutes 50 seconds
+dast:xss-persistent:
+  extends:
+    - .dast_conf
+  variables:
+    DAST_USERNAME: "user8"
+    DAST_ONLY_INCLUDE_RULES: "40014"
+  script:
+    - /analyze
+
+# 40012 Cross Site Scripting (Reflected)
+# Duration: 73 minutes 15 seconds
+dast:xss-reflected:
+  extends:
+    - .dast_conf
+  variables:
+    DAST_USERNAME: "user9"
+    DAST_ONLY_INCLUDE_RULES: "40012"
+  script:
+    - /analyze
+
+# 40013	Session Fixation
+# Duration: 44 minutes 25 seconds
+dast:sessionFixation:
+  extends:
+    - .dast_conf
+  variables:
+    DAST_USERNAME: "user10"
+    DAST_ONLY_INCLUDE_RULES: "40013"
+  script:
+    - /analyze
diff --git a/.gitlab/ci/review-apps/main.gitlab-ci.yml b/.gitlab/ci/review-apps/main.gitlab-ci.yml
new file mode 100644
index 00000000000..6fe9e39cb82
--- /dev/null
+++ b/.gitlab/ci/review-apps/main.gitlab-ci.yml
@@ -0,0 +1,106 @@
+stages:
+  - prepare
+  - deploy
+  - qa
+  - post-qa
+  - dast
+
+include:
+  - local: .gitlab/ci/global.gitlab-ci.yml
+  - local: .gitlab/ci/rules.gitlab-ci.yml
+  - local: .gitlab/ci/review-apps/qa.gitlab-ci.yml
+  - local: .gitlab/ci/review-apps/dast.gitlab-ci.yml
+
+.base-before_script: &base-before_script
+  - source ./scripts/utils.sh
+  - source ./scripts/review_apps/review-apps.sh
+  - install_api_client_dependencies_with_apk
+
+review-build-cng:
+  extends:
+    - .default-retry
+    - .review:rules:review-build-cng
+  image: ${GITLAB_DEPENDENCY_PROXY}ruby:2.7-alpine3.13
+  stage: prepare
+  variables:
+    CNG_PROJECT_ACCESS_TOKEN: "${CNG_MIRROR_PROJECT_ACCESS_TOKEN}"  # "Multi-pipeline (from 'gitlab-org/gitlab' 'review-build-cng' job)" at https://gitlab.com/gitlab-org/build/CNG-mirror/-/settings/access_tokens
+    CNG_PROJECT_PATH: "gitlab-org/build/CNG-mirror"
+  before_script:
+    - source ./scripts/utils.sh
+    - install_gitlab_gem
+  script:
+    - ./scripts/trigger-build cng
+
+.review-workflow-base:
+  extends:
+    - .default-retry
+  image: registry.gitlab.com/gitlab-org/gitlab-build-images:gitlab-helm3.5-kubectl1.17
+  variables:
+    HOST_SUFFIX: "${CI_ENVIRONMENT_SLUG}"
+    DOMAIN: "-${CI_ENVIRONMENT_SLUG}.${REVIEW_APPS_DOMAIN}"
+    GITLAB_HELM_CHART_REF: "v5.2.1"
+  environment:
+    name: review/${CI_COMMIT_REF_SLUG}${FREQUENCY}
+    url: https://gitlab-${CI_ENVIRONMENT_SLUG}.${REVIEW_APPS_DOMAIN}
+    on_stop: review-stop
+    auto_stop_in: 48 hours
+
+review-deploy:
+  extends:
+    - .review-workflow-base
+    - .review:rules:review-deploy
+  stage: deploy
+  needs: ["review-build-cng"]
+  resource_group: "review/${CI_COMMIT_REF_NAME}"
+  before_script:
+    - export GITLAB_SHELL_VERSION=$(<GITLAB_SHELL_VERSION)
+    - export GITALY_VERSION=$(<GITALY_SERVER_VERSION)
+    - export GITLAB_WORKHORSE_VERSION=$(<GITLAB_WORKHORSE_VERSION)
+    - echo "${CI_ENVIRONMENT_URL}" > environment_url.txt
+    - *base-before_script
+  script:
+    - check_kube_domain
+    - download_chart
+    - date
+    - deploy || (display_deployment_debug && exit 1)
+    - verify_deploy || exit 1
+    - disable_sign_ups || (delete_release && exit 1)
+  after_script:
+    # Run seed-dast-test-data.sh only when DAST_RUN is set to true. This is to pupulate review app with data for DAST scan.
+    # Set DAST_RUN to true when jobs are manually scheduled.
+    - if [ "$DAST_RUN" == "true" ]; then source scripts/review_apps/seed-dast-test-data.sh; TRACE=1 trigger_proj_user_creation; fi
+  artifacts:
+    paths:
+      - environment_url.txt
+      - curl_output.txt
+    expire_in: 7 days
+    when: always
+
+.review-stop-base:
+  extends: .review-workflow-base
+  environment:
+    action: stop
+  dependencies: []
+  variables:
+    # We're cloning the repo instead of downloading the script for now
+    # because some repos are private and CI_JOB_TOKEN cannot access files.
+    # See https://gitlab.com/gitlab-org/gitlab/issues/191273
+    GIT_DEPTH: 1
+  before_script:
+    - *base-before_script
+
+review-delete-deployment:
+  extends:
+    - .review-stop-base
+    - .review:rules:review-delete-deployment
+  stage: prepare
+  script:
+    - delete_release
+
+review-stop:
+  extends:
+    - .review-stop-base
+    - .review:rules:review-stop
+  stage: post-qa
+  script:
+    - delete_k8s_release_namespace
diff --git a/.gitlab/ci/review-apps/qa.gitlab-ci.yml b/.gitlab/ci/review-apps/qa.gitlab-ci.yml
new file mode 100644
index 00000000000..6b9d4feb3c8
--- /dev/null
+++ b/.gitlab/ci/review-apps/qa.gitlab-ci.yml
@@ -0,0 +1,128 @@
+.review-qa-base:
+  extends:
+    - .use-docker-in-docker
+  image:
+    name: ${QA_IMAGE}
+    entrypoint: [""]
+  stage: qa
+  needs: ["review-deploy"]
+  variables:
+    QA_DEBUG: "true"
+    QA_CAN_TEST_GIT_PROTOCOL_V2: "false"
+    QA_GENERATE_ALLURE_REPORT: "true"
+    GITLAB_USERNAME: "root"
+    GITLAB_PASSWORD: "${REVIEW_APPS_ROOT_PASSWORD}"
+    GITLAB_ADMIN_USERNAME: "root"
+    GITLAB_ADMIN_PASSWORD: "${REVIEW_APPS_ROOT_PASSWORD}"
+    GITHUB_ACCESS_TOKEN: "${REVIEW_APPS_QA_GITHUB_ACCESS_TOKEN}"
+    EE_LICENSE: "${REVIEW_APPS_EE_LICENSE}"
+    SIGNUP_DISABLED: "true"
+  before_script:
+    # Use $CI_MERGE_REQUEST_SOURCE_BRANCH_SHA so that GitLab image built in omnibus-gitlab-mirror and QA image are in sync.
+    - if [ -n "$CI_MERGE_REQUEST_SOURCE_BRANCH_SHA" ]; then
+        git checkout -f ${CI_MERGE_REQUEST_SOURCE_BRANCH_SHA};
+      fi
+    - export CI_ENVIRONMENT_URL="$(cat environment_url.txt)"
+    - echo "${CI_ENVIRONMENT_URL}"
+    - cd qa
+  artifacts:
+    paths:
+      - qa/tmp
+    expire_in: 7 days
+    when: always
+
+.allure-report-base:
+  image:
+    name: ${GITLAB_DEPENDENCY_PROXY}andrcuns/allure-report-publisher:0.3.6
+    entrypoint: [""]
+  stage: post-qa
+  variables:
+    GIT_STRATEGY: none
+    STORAGE_CREDENTIALS: $QA_ALLURE_REPORT_GCS_CREDENTIALS
+    GITLAB_AUTH_TOKEN: $GITLAB_QA_MR_ALLURE_REPORT_TOKEN
+    ALLURE_PROJECT_PATH: $CI_PROJECT_PATH
+    ALLURE_MERGE_REQUEST_IID: $CI_MERGE_REQUEST_IID
+  allow_failure: true
+  script:
+    - |
+      allure-report-publisher upload gcs \
+        --results-glob="qa/tmp/allure-results/*" \
+        --bucket="gitlab-qa-allure-reports" \
+        --prefix="$ALLURE_REPORT_PATH_PREFIX/$CI_COMMIT_REF_SLUG" \
+        --update-pr="comment" \
+        --copy-latest \
+        --ignore-missing-results \
+        --color
+
+review-qa-smoke:
+  extends:
+    - .review-qa-base
+    - .review:rules:review-qa-smoke
+  retry: 1  # This is confusing but this means "2 runs at max".
+  variables:
+    QA_RUN_TYPE: review-qa-smoke
+  script:
+    - bin/test Test::Instance::Smoke "${CI_ENVIRONMENT_URL}"
+
+review-qa-all:
+  extends:
+    - .review-qa-base
+    - .review:rules:review-qa-all
+  variables:
+    QA_RUN_TYPE: review-qa-all
+  parallel: 5
+  script:
+    - export KNAPSACK_REPORT_PATH=knapsack/master_report.json
+    - export KNAPSACK_TEST_FILE_PATTERN=qa/specs/features/**/*_spec.rb
+    - |
+      bin/test Test::Instance::All "${CI_ENVIRONMENT_URL}" \
+        -- \
+        --color --format documentation \
+        --format RspecJunitFormatter --out tmp/rspec.xml
+  artifacts:
+    reports:
+      junit: qa/tmp/rspec.xml
+
+review-performance:
+  extends:
+    - .default-retry
+    - .review:rules:review-performance
+  image:
+    name: sitespeedio/sitespeed.io
+    entrypoint: [""]
+  stage: qa
+  needs: ["review-deploy"]
+  before_script:
+    - export CI_ENVIRONMENT_URL="$(cat environment_url.txt)"
+    - echo "${CI_ENVIRONMENT_URL}"
+    - mkdir -p gitlab-exporter
+    - wget -O ./gitlab-exporter/index.js https://gitlab.com/gitlab-org/gl-performance/raw/master/index.js
+    - mkdir -p sitespeed-results
+  script:
+    - /start.sh --plugins.add ./gitlab-exporter --outputFolder sitespeed-results "${CI_ENVIRONMENT_URL}"
+  after_script:
+    - mv sitespeed-results/data/performance.json performance.json
+  artifacts:
+    paths:
+      - sitespeed-results/
+    reports:
+      performance: performance.json
+    expire_in: 31d
+
+allure-report-qa-smoke:
+  extends:
+    - .allure-report-base
+    - .review:rules:review-qa-smoke-report
+  needs: ["review-qa-smoke"]
+  variables:
+    ALLURE_REPORT_PATH_PREFIX: gitlab-review-smoke
+    ALLURE_JOB_NAME: review-qa-smoke
+
+allure-report-qa-all:
+  extends:
+    - .allure-report-base
+    - .review:rules:review-qa-all-report
+  needs: ["review-qa-all"]
+  variables:
+    ALLURE_REPORT_PATH_PREFIX: gitlab-review-all
+    ALLURE_JOB_NAME: review-qa-all