authorGitLab Bot <gitlab-bot@gitlab.com>2022-06-29 14:12:12 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-06-29 14:12:30 +0000
commite2e6f2f2e9a5a4e84d724864fc4d27a8f1605c64 (patch)
treefddcd765db7a031c5607e7b4a0d80f8c81a1820e
parent25344e300eb871a7ce61f734c5e8f47d3e2f3aae (diff)
Add latest changes from gitlab-org/security/gitlab@14-10-stable-ee
-rw-r--r--.rubocop_todo/layout/line_length.yml1
-rw-r--r--app/models/group_group_link.rb2
-rw-r--r--doc/user/group/index.md3
-rw-r--r--lib/gitlab/jira/dvcs.rb3
-rw-r--r--locale/gitlab.pot3
-rw-r--r--spec/requests/jira_routing_spec.rb54
6 files changed, 48 insertions, 18 deletions
diff --git a/.rubocop_todo/layout/line_length.yml b/.rubocop_todo/layout/line_length.yml
index 8a922a1f163..f49d99360a2 100644
--- a/.rubocop_todo/layout/line_length.yml
+++ b/.rubocop_todo/layout/line_length.yml
@@ -1979,7 +1979,6 @@ Layout/LineLength:
- 'ee/spec/features/groups/iterations/user_edits_iteration_spec.rb'
- 'ee/spec/features/groups/iterations/user_views_iteration_cadence_spec.rb'
- 'ee/spec/features/groups/iterations/user_views_iteration_spec.rb'
- - 'ee/spec/features/groups/members/manage_groups_spec.rb'
- 'ee/spec/features/groups/members/manage_members_spec.rb'
- 'ee/spec/features/groups/members/override_ldap_memberships_spec.rb'
- 'ee/spec/features/groups/saml_providers_spec.rb'
diff --git a/app/models/group_group_link.rb b/app/models/group_group_link.rb
index b0020f097b5..a70110c4076 100644
--- a/app/models/group_group_link.rb
+++ b/app/models/group_group_link.rb
@@ -41,3 +41,5 @@ class GroupGroupLink < ApplicationRecord
Gitlab::Access.human_access(self.group_access)
end
end
+
+GroupGroupLink.prepend_mod_with('GroupGroupLink')
diff --git a/doc/user/group/index.md b/doc/user/group/index.md
index 085cd054c14..4d22bb045d2 100644
--- a/doc/user/group/index.md
+++ b/doc/user/group/index.md
@@ -640,6 +640,7 @@ To restrict group access by IP address:
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/7297) in GitLab 12.2.
> - Support for specifying multiple email domains [added](https://gitlab.com/gitlab-org/gitlab/-/issues/33143) in GitLab 13.1.
> - Support for restricting access to projects in the group [added](https://gitlab.com/gitlab-org/gitlab/-/issues/14004) in GitLab 14.1.2.
+> - Support for restricting group memberships to groups with a subset of the allowed email domains [added](https://gitlab.com/gitlab-org/gitlab/-/issues/354791) in GitLab 15.0.1
You can prevent users with email addresses in specific domains from being added to a group and its projects.
@@ -662,6 +663,8 @@ The most popular public email domains cannot be restricted, such as:
- `hotmail.com`, `hotmail.co.uk`, `hotmail.fr`
- `msn.com`, `live.com`, `outlook.com`
+When you share a group, both the source and target namespaces must allow the domains of the members' email addresses.
+
## Group file templates **(PREMIUM)**
Use group file templates to share a set of templates for common file
diff --git a/lib/gitlab/jira/dvcs.rb b/lib/gitlab/jira/dvcs.rb
index ddf2cd76709..41a039674b3 100644
--- a/lib/gitlab/jira/dvcs.rb
+++ b/lib/gitlab/jira/dvcs.rb
@@ -38,7 +38,8 @@ module Gitlab
# @param [String] namespace
def self.restore_full_path(namespace:, project:)
if project.include?(ENCODED_SLASH)
- project.gsub(ENCODED_SLASH, SLASH)
+ # Replace multiple slashes with single ones to make sure the redirect stays on the same host
+ project.gsub(ENCODED_SLASH, SLASH).gsub(%r{\/{2,}}, '/')
else
"#{namespace}/#{project}"
end
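Review bot: The slash collapsing in `restore_full_path` is applied only on the branch that decodes `ENCODED_SLASH`; the `else` branch still returns `"#{namespace}/#{project}"` unnormalised, so the same-host guarantee described in the new comment depends on routing constraints that are not visible in this hunk. Normalising the final value in one place would cover both branches, e.g. `path = project.include?(ENCODED_SLASH) ? project.gsub(ENCODED_SLASH, SLASH) : "#{namespace}/#{project}"` followed by `path.squeeze('/')`. That form also replaces `%r{\/{2,}}`, where the `\/` escape is unnecessary inside `%r{}`. Because the comment says the returned string feeds a redirect, the redirect call site should presumably also reject any target that is not a single-slash, host-relative path, rather than relying on this helper alone. The method's closing `end` and the redirect caller are outside the hunk.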
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index edad17df272..5ecd033296b 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -20839,6 +20839,9 @@ msgstr ""
msgid "Invited"
msgstr ""
+msgid "Invited group allowed email domains must contain a subset of the allowed email domains of the root ancestor group. Go to the group's 'Settings &gt; General' page and check 'Restrict membership by email domain'."
+msgstr ""
+
msgid "Invocations"
msgstr ""
diff --git a/spec/requests/jira_routing_spec.rb b/spec/requests/jira_routing_spec.rb
index a627eea33a8..e0e170044de 100644
--- a/spec/requests/jira_routing_spec.rb
+++ b/spec/requests/jira_routing_spec.rb
@@ -25,27 +25,49 @@ RSpec.describe 'Jira referenced paths', type: :request do
expect(response).to redirect_to(redirect_path)
end
- context 'with encoded subgroup path' do
- where(:jira_path, :redirect_path) do
- '/group/group@sub_group@sub_group_project' | '/group/sub_group/sub_group_project'
- '/group@sub_group/group@sub_group@sub_group_project' | '/group/sub_group/sub_group_project'
- '/group/group@sub_group@sub_group_project/commit/1234567' | '/group/sub_group/sub_group_project/commit/1234567'
- '/group/group@sub_group@sub_group_project/tree/1234567' | '/group/sub_group/sub_group_project/-/tree/1234567'
+ shared_examples 'redirects to jira path' do
+ it 'redirects to canonical path with legacy prefix' do
+ redirects_to_canonical_path "/-/jira#{jira_path}", redirect_path
end
- with_them do
- context 'with legacy prefix' do
- it 'redirects to canonical path' do
- redirects_to_canonical_path "/-/jira#{jira_path}", redirect_path
- end
- end
-
- it 'redirects to canonical path' do
- redirects_to_canonical_path jira_path, redirect_path
- end
+ it 'redirects to canonical path' do
+ redirects_to_canonical_path jira_path, redirect_path
end
end
+ let(:jira_path) { '/group/group@sub_group@sub_group_project' }
+ let(:redirect_path) { '/group/sub_group/sub_group_project' }
+
+ it_behaves_like 'redirects to jira path'
+
+ context 'contains @ before the first /' do
+ let(:jira_path) { '/group@sub_group/group@sub_group@sub_group_project' }
+ let(:redirect_path) { '/group/sub_group/sub_group_project' }
+
+ it_behaves_like 'redirects to jira path'
+ end
+
+ context 'including commit path' do
+ let(:jira_path) { '/group/group@sub_group@sub_group_project/commit/1234567' }
+ let(:redirect_path) { '/group/sub_group/sub_group_project/commit/1234567' }
+
+ it_behaves_like 'redirects to jira path'
+ end
+
+ context 'including tree path' do
+ let(:jira_path) { '/group/group@sub_group@sub_group_project/tree/1234567' }
+ let(:redirect_path) { '/group/sub_group/sub_group_project/-/tree/1234567' }
+
+ it_behaves_like 'redirects to jira path'
+ end
+
+ context 'malicious path' do
+ let(:jira_path) { '/group/@@malicious.server' }
+ let(:redirect_path) { '/malicious.server' }
+
+ it_behaves_like 'redirects to jira path'
+ end
+
context 'regular paths with legacy prefix' do
where(:jira_path, :redirect_path) do
'/-/jira/group/group_project' | '/group/group_project'