authorGitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>2020-01-13 16:43:42 +0000
committerGitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>2020-01-13 16:43:42 +0000
commit3f91efcd7f2183e15a9891ee4973e2e09156a840 (patch)
treecff72349809ebd949bf7fb07561da2ec03271ef3
parentec377c38b808660eaf7de13e8adec3d00a547bce (diff)
parent24cecbe12ac447b8c607fda1872b479d2ad3e336 (diff)
Merge remote-tracking branch 'dev/12-4-stable' into 12-4-stable12-4-stable
-rw-r--r--CHANGELOG-EE.md8
-rw-r--r--CHANGELOG.md7
-rw-r--r--VERSION2
-rw-r--r--danger/changelog/Dangerfile2
-rw-r--r--danger/metadata/Dangerfile2
-rw-r--r--lib/gitlab/danger/helper.rb6
-rw-r--r--lib/gitlab/import_export/attribute_cleaner.rb4
-rwxr-xr-xscripts/static-analysis53
-rw-r--r--spec/lib/gitlab/danger/helper_spec.rb22
-rw-r--r--spec/lib/gitlab/import_export/attribute_cleaner_spec.rb15
10 files changed, 103 insertions, 18 deletions
diff --git a/CHANGELOG-EE.md b/CHANGELOG-EE.md
index 48e1ff75407..a4137eae69b 100644
--- a/CHANGELOG-EE.md
+++ b/CHANGELOG-EE.md
@@ -1,5 +1,13 @@
Please view this file on the master branch, on stable branches it's out of date.
+## 12.4.7
+
+### Security (2 changes)
+
+- Don't publish drafts if user can't create notes.
+- Remove protected tag access when group is removed.
+
+
## 12.4.6
### Security (1 change)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e5e4ada10c9..98051d1fb9c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,13 @@
documentation](doc/development/changelog.md) for instructions on adding your own
entry.
+## 12.4.8
+
+### Security (1 change)
+
+- Fix private objects exposure when using Project Import functionality.
+
+
## 12.4.7
### Security (5 changes)
diff --git a/VERSION b/VERSION
index 0699dceb028..3197f2a8086 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-12.4.7
+12.4.8
diff --git a/danger/changelog/Dangerfile b/danger/changelog/Dangerfile
index f83dc556964..7cd722c1141 100644
--- a/danger/changelog/Dangerfile
+++ b/danger/changelog/Dangerfile
@@ -35,7 +35,7 @@ def check_changelog(path)
fail "`title` should be set, in #{gitlab.html_link(path)}! #{SEE_DOC}" if yaml["title"].nil?
fail "`type` should be set, in #{gitlab.html_link(path)}! #{SEE_DOC}" if yaml["type"].nil?
- if yaml["merge_request"].nil?
+ if yaml["merge_request"].nil? && !helper.security_mr?
message "Consider setting `merge_request` to #{gitlab.mr_json["iid"]} in #{gitlab.html_link(path)}. #{SEE_DOC}"
elsif yaml["merge_request"] != gitlab.mr_json["iid"] && !ce_port_changelog?(path)
fail "Merge request ID was not set to #{gitlab.mr_json["iid"]}! #{SEE_DOC}"
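Review bot: Adding `&& !helper.security_mr?` to the `if` makes the exemption fail in the wrong direction: for a security MR whose changelog entry has no `merge_request`, the first branch is now skipped and control reaches the `elsif`, where `nil != gitlab.mr_json["iid"]` is true, so the check hard-fails with "Merge request ID was not set" unless `ce_port_changelog?(path)` happens to return true. The intent appears to be to drop only the advisory message, so keep the original `if yaml["merge_request"].nil?` and move the exemption onto the message line as a modifier, `message "Consider setting ..." unless helper.security_mr?`. `check_changelog` starts before this hunk and continues after it, so the surrounding branches are not visible here.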
diff --git a/danger/metadata/Dangerfile b/danger/metadata/Dangerfile
index f2d68e64eb6..5edd134cbab 100644
--- a/danger/metadata/Dangerfile
+++ b/danger/metadata/Dangerfile
@@ -32,7 +32,7 @@ end
has_pick_into_stable_label = gitlab.mr_labels.find { |label| label.start_with?('Pick into') }
-if gitlab.branch_for_base != "master" && !has_pick_into_stable_label
+if gitlab.branch_for_base != "master" && !has_pick_into_stable_label && !helper.security_mr?
warn "Most of the time, merge requests should target `master`. Otherwise, please set the relevant `Pick into X.Y` label."
end
diff --git a/lib/gitlab/danger/helper.rb b/lib/gitlab/danger/helper.rb
index f22fc41a6d8..352303863c4 100644
--- a/lib/gitlab/danger/helper.rb
+++ b/lib/gitlab/danger/helper.rb
@@ -167,6 +167,12 @@ module Gitlab
labels - current_mr_labels
end
+ def security_mr?
+ return false unless gitlab_helper
+
+ gitlab_helper.mr_json['web_url'].include?('/gitlab-org/security/')
+ end
+
private
def has_database_scoped_labels?(current_mr_labels)
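Review bot: `security_mr?` calls `.include?` directly on `gitlab_helper.mr_json['web_url']`, so an MR payload without that key raises `NoMethodError` inside Danger instead of returning false; `gitlab_helper.mr_json['web_url'].to_s.include?('/gitlab-org/security/')` keeps the nil case on the false path the `return false unless gitlab_helper` guard already establishes. Because the two Dangerfiles in this commit use this predicate to relax checks, a false positive silently disables them, and a substring test on the whole URL matches that path fragment wherever it occurs (for example in a query string); if the helper exposes the MR path separately, an anchored match on it would be tighter. The method also has no doc comment; a one-liner such as `# True when the MR lives in the gitlab-org/security mirror, where some Danger checks are relaxed.` would tell the next reader why it exists.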
diff --git a/lib/gitlab/import_export/attribute_cleaner.rb b/lib/gitlab/import_export/attribute_cleaner.rb
index 50fec9f3eb9..00c4c41e6be 100644
--- a/lib/gitlab/import_export/attribute_cleaner.rb
+++ b/lib/gitlab/import_export/attribute_cleaner.rb
@@ -3,8 +3,8 @@
module Gitlab
module ImportExport
class AttributeCleaner
- ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + %w[group_id commit_id]
- PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/).freeze
+ ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + %w[group_id commit_id discussion_id custom_attributes]
+ PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_ids\Z/, /_html\Z/, /attributes/).freeze
def self.clean(*args)
new(*args).clean
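Review bot: The two new entries carry no explanation, and `/attributes/` is unanchored unlike its `\A…\Z` neighbours, so it rejects any key containing that word rather than a fixed suffix. The spec changes in this commit show that is deliberate (`some_attributes_metadata`, `attributes` and `variables_attributes` are dropped while `custom_attributes` is re-allowed through ALLOWED_REFERENCES), but a reader of this file alone cannot tell; a comment above PROHIBITED_REFERENCES such as `# Unanchored on purpose: any key containing "attributes" is dropped so imported nested-attribute hashes are never assigned; legitimate ones are named in ALLOWED_REFERENCES.` would preserve the reasoning. Whether the newly allowed `discussion_id` is exercised by a spec is not visible in this diff. The class continues outside the hunk.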
diff --git a/scripts/static-analysis b/scripts/static-analysis
index 602cd847a71..72b4c629f7a 100755
--- a/scripts/static-analysis
+++ b/scripts/static-analysis
@@ -26,17 +26,48 @@ def emit_errors(static_analysis)
end
end
-tasks = [
- %w[bin/rake lint:all],
- %w[bundle exec license_finder],
- %w[yarn run eslint],
- %w[yarn run stylelint],
- %w[yarn run prettier-all],
- %w[bundle exec rubocop --parallel],
- %w[scripts/lint-conflicts.sh],
- %w[scripts/lint-rugged]
-]
+ALLOWED_WARNINGS = [
+ # https://github.com/browserslist/browserslist/blob/d0ec62eb48c41c218478cd3ac28684df051cc865/node.js#L329
+ # warns if caniuse-lite package is older than 6 months. Ignore this
+ # warning message so that GitLab backports don't fail.
+ "Browserslist: caniuse-lite is outdated. Please run next command `yarn upgrade`"
+].freeze
+def warning_count(static_analysis)
+ static_analysis.warned_results
+ .reject { |result| ALLOWED_WARNINGS.include?(result.stderr.strip) }
+ .count
+end
+
+def jobs_to_run(node_index, node_total)
+ all_tasks = [
+ %w[bin/rake lint:all],
+ %w[bundle exec license_finder],
+ %w[yarn run eslint],
+ %w[yarn run stylelint],
+ %w[yarn run prettier-all],
+ %w[bundle exec rubocop --parallel],
+ %w[scripts/lint-conflicts.sh],
+ %w[scripts/lint-rugged]
+ ]
+
+ case node_total
+ when 1
+ all_tasks
+ when 2
+ rake_lint_all, *rest_jobs = all_tasks
+ case node_index
+ when 1
+ [rake_lint_all]
+ else
+ rest_jobs
+ end
+ else
+ raise "Parallelization > 2 (currently set to #{node_total}) isn't supported yet!"
+ end
+end
+
+tasks = jobs_to_run((ENV['CI_NODE_INDEX'] || 1).to_i, (ENV['CI_NODE_TOTAL'] || 1).to_i)
static_analysis = Gitlab::Popen::Runner.new
static_analysis.run(tasks) do |cmd, &run|
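Review bot: In `jobs_to_run`, the inner `case node_index` under `when 2` sends every index other than 1 to `rest_jobs`, so an unexpected index silently drops `bin/rake lint:all` from the run instead of failing; with `(ENV['CI_NODE_INDEX'] || 1).to_i` an empty-string variable yields 0 and takes exactly that path. Making the branch explicit, `when 2` then `rest_jobs`, followed by `else raise "Unexpected CI_NODE_INDEX #{node_index} for CI_NODE_TOTAL=#{node_total}"`, mirrors the `raise` already used for unsupported totals. `emit_errors` at the top of the hunk starts outside it.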
@@ -62,7 +93,7 @@ elsif static_analysis.all_success?
emit_warnings(static_analysis)
- exit 2
+ exit 2 if warning_count(static_analysis).nonzero?
else
puts 'Some static analyses failed:'
diff --git a/spec/lib/gitlab/danger/helper_spec.rb b/spec/lib/gitlab/danger/helper_spec.rb
index 1696d3566ad..3ffb6c29a96 100644
--- a/spec/lib/gitlab/danger/helper_spec.rb
+++ b/spec/lib/gitlab/danger/helper_spec.rb
@@ -312,4 +312,26 @@ describe Gitlab::Danger::Helper do
it { is_expected.to match_array(['database', 'database::review pending']) }
end
end
+
+ describe '#security_mr?' do
+ it 'returns false when `gitlab_helper` is unavailable' do
+ expect(helper).to receive(:gitlab_helper).and_return(nil)
+
+ expect(helper).not_to be_security_mr
+ end
+
+ it 'returns false when on a normal merge request' do
+ expect(fake_gitlab).to receive(:mr_json)
+ .and_return('web_url' => 'https://gitlab.com/gitlab-org/gitlab/merge_requests/1')
+
+ expect(helper).not_to be_security_mr
+ end
+
+ it 'returns true when on a security merge request' do
+ expect(fake_gitlab).to receive(:mr_json)
+ .and_return('web_url' => 'https://gitlab.com/gitlab-org/security/gitlab/merge_requests/1')
+
+ expect(helper).to be_security_mr
+ end
+ end
end
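Review bot: The new `#security_mr?` examples cover a missing `gitlab_helper` and both URL shapes, but not an `mr_json` that has no `'web_url'` key, which in the implementation added in this commit reaches `nil.include?` rather than returning false. An example along the lines of `expect(fake_gitlab).to receive(:mr_json).and_return({})` followed by `expect(helper).not_to be_security_mr` would pin the intended behaviour for that case.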
diff --git a/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb b/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
index 1b28e26a7e8..c6a7912d384 100644
--- a/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
+++ b/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
@@ -23,11 +23,21 @@ describe Gitlab::ImportExport::AttributeCleaner do
'legit_html' => '<p>legit html</p>',
'_html' => '<p>perfectly ordinary html</p>',
'cached_markdown_version' => 12345,
+ 'custom_attributes' => 'whatever',
+ 'some_attributes_metadata' => 'whatever',
'group_id' => 99,
'commit_id' => 99,
'issue_ids' => [1, 2, 3],
'merge_request_ids' => [1, 2, 3],
- 'note_ids' => [1, 2, 3]
+ 'note_ids' => [1, 2, 3],
+ 'attributes' => {
+ 'issue_ids' => [1, 2, 3],
+ 'merge_request_ids' => [1, 2, 3],
+ 'note_ids' => [1, 2, 3]
+ },
+ 'variables_attributes' => {
+ 'id' => 1
+ }
}
end
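Review bot: The fixture exercises the new `/attributes/` rule well (bare `attributes`, a `*_attributes` key and a key with the word in the middle), and `custom_attributes` is kept in the expected output in the following hunk, but nothing here covers `discussion_id`, which this commit also adds to ALLOWED_REFERENCES; unless it is asserted elsewhere in the spec, an entry `'discussion_id' => 99` in both hashes would complete the coverage of the constant change.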
@@ -38,7 +48,8 @@ describe Gitlab::ImportExport::AttributeCleaner do
'random_id_in_the_middle' => 99,
'notid' => 99,
'group_id' => 99,
- 'commit_id' => 99
+ 'commit_id' => 99,
+ 'custom_attributes' => 'whatever'
}
end