authorGitLab Bot <gitlab-bot@gitlab.com>2022-11-11 19:05:37 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-11-11 19:05:37 +0000
commitc2f9f40e8892d316a27702eb5dbcabbe756efd0c (patch)
tree9010111802c50ebcad804e7b2e3f472ca87214ca
parent5dc5e2c78f8ee966db96ffe31887a90bce650437 (diff)
downloadgitlab-ce-c2f9f40e8892d316a27702eb5dbcabbe756efd0c.tar.gz
Add latest changes from gitlab-org/gitlab@15-5-stable-ee
-rw-r--r--app/assets/javascripts/blob/openapi/index.js2
-rw-r--r--config/application.rb3
-rw-r--r--jest.config.integration.js1
-rw-r--r--spec/features/projects/blobs/blob_show_spec.rb2
-rw-r--r--spec/frontend/blob/openapi/index_spec.js2
-rw-r--r--spec/initializers/rails_yaml_safe_load_spec.rb43
6 files changed, 49 insertions, 4 deletions
diff --git a/app/assets/javascripts/blob/openapi/index.js b/app/assets/javascripts/blob/openapi/index.js
index 943001b7ec4..24a54358de5 100644
--- a/app/assets/javascripts/blob/openapi/index.js
+++ b/app/assets/javascripts/blob/openapi/index.js
@@ -5,7 +5,7 @@ const createSandbox = () => {
const iframeEl = document.createElement('iframe');
setAttributes(iframeEl, {
src: '/-/sandbox/swagger',
- sandbox: 'allow-scripts',
+ sandbox: 'allow-scripts allow-popups',
frameBorder: 0,
width: '100%',
// The height will be adjusted dynamically.
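Review bot: The widened `sandbox` value in `createSandbox` carries no comment saying why `allow-popups` is needed or which tokens must stay out of the list. The frame renders repository-supplied OpenAPI content with scripts enabled, so its isolation depends on `allow-same-origin` and `allow-popups-to-escape-sandbox` remaining absent; without the latter, any window the frame opens inherits the sandbox. I would add above the attribute something like `// allow-popups: presumably so links in the rendered spec can open; never add allow-same-origin or allow-popups-to-escape-sandbox here.` The body of `createSandbox` continues outside the hunk.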
diff --git a/config/application.rb b/config/application.rb
index 368036ce064..d7e16117d53 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -564,7 +564,8 @@ module Gitlab
# Used in app/services/web_hooks/log_execution_service.rb: log_execution
ActiveSupport::TimeWithZone,
ActiveSupport::TimeZone,
- Gitlab::Color # https://gitlab.com/gitlab-org/gitlab/-/issues/368844
+ Gitlab::Color, # https://gitlab.com/gitlab-org/gitlab/-/issues/368844,
+ Hashie::Array # https://gitlab.com/gitlab-org/gitlab/-/issues/378089
]
# on_master_start yields immediately in unclustered environments and runs
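Review bot: The comment on the `Gitlab::Color` line now ends in a stray comma (`.../issues/368844,`), which becomes part of the URL when the link is copied; it should read `Gitlab::Color, # https://gitlab.com/gitlab-org/gitlab/-/issues/368844`. Separately, the new `Hashie::Array` entry only links an issue, while the entries above name the code path that needs them (`# Used in app/services/web_hooks/log_execution_service.rb: log_execution`). This looks like a process-wide allow-list for YAML deserialization, so each added class widens what every serialized column will accept. A short `# Used in ...` comment naming the column or service that stores `Hashie::Array` values would let a later reviewer tell when the entry can be dropped. The list itself starts outside the hunk.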
diff --git a/jest.config.integration.js b/jest.config.integration.js
index df25c2b247b..e2ce32218e0 100644
--- a/jest.config.integration.js
+++ b/jest.config.integration.js
@@ -25,4 +25,5 @@ module.exports = {
},
}),
timers: 'real',
+ testTimeout: process.env.CI ? 20000 : 7000,
};
diff --git a/spec/features/projects/blobs/blob_show_spec.rb b/spec/features/projects/blobs/blob_show_spec.rb
index d679d1eeeb9..e01382cf31f 100644
--- a/spec/features/projects/blobs/blob_show_spec.rb
+++ b/spec/features/projects/blobs/blob_show_spec.rb
@@ -1002,7 +1002,7 @@ RSpec.describe 'File blob', :js do
end
it 'renders sandboxed iframe' do
- expected = %(<iframe src="/-/sandbox/swagger" sandbox="allow-scripts" frameborder="0" width="100%" height="1000">)
+ expected = %(<iframe src="/-/sandbox/swagger" sandbox="allow-scripts allow-popups" frameborder="0" width="100%" height="1000">)
expect(page.html).to include(expected)
end
end
diff --git a/spec/frontend/blob/openapi/index_spec.js b/spec/frontend/blob/openapi/index_spec.js
index 5884b27d951..17e718df495 100644
--- a/spec/frontend/blob/openapi/index_spec.js
+++ b/spec/frontend/blob/openapi/index_spec.js
@@ -21,7 +21,7 @@ describe('OpenAPI blob viewer', () => {
it('initializes SwaggerUI with the correct configuration', () => {
expect(document.body.innerHTML).toContain(
- '<iframe src="/-/sandbox/swagger" sandbox="allow-scripts" frameborder="0" width="100%" height="1000"></iframe>',
+ '<iframe src="/-/sandbox/swagger" sandbox="allow-scripts allow-popups" frameborder="0" width="100%" height="1000"></iframe>',
);
});
});
diff --git a/spec/initializers/rails_yaml_safe_load_spec.rb b/spec/initializers/rails_yaml_safe_load_spec.rb
new file mode 100644
index 00000000000..8cf6a3676e0
--- /dev/null
+++ b/spec/initializers/rails_yaml_safe_load_spec.rb
@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'Rails YAML safe load' do
+ let(:unsafe_load) { false }
+
+ let(:klass) do
+ Class.new(ActiveRecord::Base) do
+ self.table_name = 'issues'
+
+ serialize :description
+ end
+ end
+
+ let(:instance) { klass.new(description: data) }
+
+ context 'with default permitted classes' do
+ let(:data) do
+ {
+ 'time' => Time.now,
+ 'date' => Date.today,
+ 'number' => 1,
+ 'hashie-array' => Hashie::Array.new([1, 2]),
+ 'array' => [5, 6]
+ }
+ end
+
+ it 'deserializes data' do
+ instance.save!
+
+ expect(klass.find(instance.id).description).to eq(data)
+ end
+
+ context 'with unpermitted classes' do
+ let(:data) { { 'test' => create(:user) } }
+
+ it 'throws an exception' do
+ expect { instance.save! }.to raise_error(Psych::DisallowedClass)
+ end
+ end
+ end
+end
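Review bot: `let(:unsafe_load) { false }` at the top of the spec is never referenced in this file, so it does not pin any setting. The examples pass or fail depending on whatever the application configuration is at run time. Either remove it or use it in a `before` block that stubs the setting it is meant to represent, so the spec really runs with safe loading enforced. The `'with unpermitted classes'` context is also nested inside `'with default permitted classes'` and only overrides `data`; making it a sibling context would read more clearly. The negative case asserts only that `instance.save!` raises `Psych::DisallowedClass`, so as far as this file shows, reading back an already-persisted row that contains a disallowed class is not covered.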