Add latest changes from gitlab-org/security/gitlab@15-9-stable-eev15.9.4

29 files changed, 505 insertions, 67 deletions

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 416c13b5db7..e680728a01e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,27 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 15.9.4 (2023-03-30)
+
+### Security (16 changes)
+
+- [Add checks to remove open redirects from Observability URL](gitlab-org/security/gitlab@98b1bd243f454bd28c262131be616ee2060c3a78) ([merge request](gitlab-org/security/gitlab!3104))
+- [Redirect to tree from project root on ref collision](gitlab-org/security/gitlab@0f0c0f21dffe300a56abf1e07a2fefb17160faeb) ([merge request](gitlab-org/security/gitlab!3133))
+- [Fixes soft email confirmation alert vulnerability](gitlab-org/security/gitlab@12498f791f9c5fe833f5202b06cc818d4dcf965b) ([merge request](gitlab-org/security/gitlab!3124))
+- [Restrict Prometheus API access on public projects](gitlab-org/security/gitlab@440a7989ff46ca333f86a38aefa47f74301e66fc) ([merge request](gitlab-org/security/gitlab!3163))
+- [Verify that users have access to the parent of the fork](gitlab-org/security/gitlab@9dd0dff69d3941e827c461c67b9af10da07d69f8) ([merge request](gitlab-org/security/gitlab!3084))
+- [Protect webhook secrets by resetting url_variables](gitlab-org/security/gitlab@cd20b44dd5b075827203330802e331b896448265) ([merge request](gitlab-org/security/gitlab!3140))
+- [Replace Unicode space chars with spaces](gitlab-org/security/gitlab@76975082c41870265e1285fa8f4e053eb6ff11ae) ([merge request](gitlab-org/security/gitlab!3136))
+- [Check access to parent when creating and updating epics](gitlab-org/security/gitlab@7fcc4a0d010d3a428e803f95ef47904c4c7178a8) ([merge request](gitlab-org/security/gitlab!3149))
+- [Improve Gitlab::UrlSanitizer regex to match more URIs](gitlab-org/security/gitlab@4e7313536e4cdb3ecef37100b5a73720eabfbc79) ([merge request](gitlab-org/security/gitlab!3108))
+- [Check access to target project before looking for branch](gitlab-org/security/gitlab@f55edf39e52af9eecb19caf8ed5d4cb8524ef64d) ([merge request](gitlab-org/security/gitlab!3040))
+- [Fix the potential leak of internal notes](gitlab-org/security/gitlab@be73600e8c43c22cda1ace5910eb2052b2741972) ([merge request](gitlab-org/security/gitlab!3120))
+- [Use UntrustedRegexp to limit scan of HTML comments](gitlab-org/security/gitlab@d5e65583debcae71787e171643275bc9b9d4393e) ([merge request](gitlab-org/security/gitlab!3142))
+- [Filter namespace environments by feature visibility](gitlab-org/security/gitlab@54045b508a9ba9ae18f5992b77970240774b28a7) ([merge request](gitlab-org/security/gitlab!3111))
+- [Check access to reorder issues in epic tree](gitlab-org/security/gitlab@bc033cd3a98c9a1468545811a8180604f7f8aee3) ([merge request](gitlab-org/security/gitlab!3101))
+- [Fix security report authorization](gitlab-org/security/gitlab@a01cf9d8383ffc4c0e29514f71d49bf345e1f7c2) ([merge request](gitlab-org/security/gitlab!3106))
+- [Prevent XSS attack in "Maximum page reached" page](gitlab-org/security/gitlab@3cefb16a5e369ee99f4c3ccbaa02cead6faf1a99) ([merge request](gitlab-org/security/gitlab!3130))
+
 ## 15.9.3 (2023-03-09)
 
 ### Fixed (4 changes)
diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION
index e99b2f49e96..29d84970580 100644
--- a/GITALY_SERVER_VERSION
+++ b/GITALY_SERVER_VERSION
@@ -1 +1 @@
-15.9.3
\ No newline at end of file
+15.9.4
\ No newline at end of file
diff --git a/GITLAB_PAGES_VERSION b/GITLAB_PAGES_VERSION
index e99b2f49e96..29d84970580 100644
--- a/GITLAB_PAGES_VERSION
+++ b/GITLAB_PAGES_VERSION
@@ -1 +1 @@
-15.9.3
\ No newline at end of file
+15.9.4
\ No newline at end of file
diff --git a/app/assets/javascripts/behaviors/markdown/render_observability.js b/app/assets/javascripts/behaviors/markdown/render_observability.js
index 704d85cf22e..d5d46c10efd 100644
--- a/app/assets/javascripts/behaviors/markdown/render_observability.js
+++ b/app/assets/javascripts/behaviors/markdown/render_observability.js
@@ -7,23 +7,36 @@ export function getFrameSrc(url) {
 }
 
 const mountVueComponent = (element) => {
-  const url = [element.dataset.frameUrl];
+  const { frameUrl, observabilityUrl } = element.dataset;
 
-  return new Vue({
-    el: element,
-    render(h) {
-      return h('iframe', {
-        style: {
-          height: '366px',
-          width: '768px',
-        },
-        attrs: {
-          src: getFrameSrc(url),
-          frameBorder: '0',
-        },
-      });
-    },
-  });
+  try {
+    if (
+      !observabilityUrl ||
+      !frameUrl ||
+      new URL(frameUrl)?.host !== new URL(observabilityUrl).host
+    )
+      return;
+
+    // eslint-disable-next-line no-new
+    new Vue({
+      el: element,
+      render(h) {
+        return h('iframe', {
+          style: {
+            height: '366px',
+            width: '768px',
+          },
+          attrs: {
+            src: getFrameSrc(frameUrl),
+            frameBorder: '0',
+          },
+        });
+      },
+    });
+  } catch (e) {
+    // eslint-disable-next-line no-console
+    console.error(e);
+  }
 };
 
 export default function renderObservability(elements) {
diff --git a/app/assets/javascripts/pages/projects/project.js b/app/assets/javascripts/pages/projects/project.js
index 5773737c41b..a4b3b83a855 100644
--- a/app/assets/javascripts/pages/projects/project.js
+++ b/app/assets/javascripts/pages/projects/project.js
@@ -110,9 +110,10 @@ export default class Project {
             const urlParams = { [fieldName]: ref };
             if (params.group === BRANCH_GROUP_NAME) {
               urlParams.ref_type = BRANCH_REF_TYPE;
-            } else {
+            } else if (params.group === TAG_GROUP_NAME) {
               urlParams.ref_type = TAG_REF_TYPE;
             }
+
             link.href = mergeUrlParams(urlParams, linkTarget);
           }
 
diff --git a/app/assets/javascripts/repository/index.js b/app/assets/javascripts/repository/index.js
index 494e270a66c..95e0c94527b 100644
--- a/app/assets/javascripts/repository/index.js
+++ b/app/assets/javascripts/repository/index.js
@@ -2,7 +2,7 @@ import { GlButton } from '@gitlab/ui';
 import Vue from 'vue';
 import Vuex from 'vuex';
 import { parseBoolean } from '~/lib/utils/common_utils';
-import { escapeFileUrl, visitUrl } from '~/lib/utils/url_utility';
+import { joinPaths, escapeFileUrl, visitUrl } from '~/lib/utils/url_utility';
 import { __ } from '~/locale';
 import initWebIdeLink from '~/pages/projects/shared/web_ide_link';
 import PerformancePlugin from '~/performance/vue_performance_plugin';
@@ -121,7 +121,7 @@ export default function setupVueRepositoryList() {
 
     if (!refSwitcherEl) return false;
 
-    const { projectId, projectRootPath } = refSwitcherEl.dataset;
+    const { projectId, projectRootPath, refType } = refSwitcherEl.dataset;
 
     return new Vue({
       el: refSwitcherEl,
@@ -129,7 +129,8 @@ export default function setupVueRepositoryList() {
         return createElement(RefSelector, {
           props: {
             projectId,
-            value: ref,
+            value: refType ? joinPaths('refs', refType, ref) : ref,
+            useSymbolicRefNames: true,
           },
           on: {
             input(selectedRef) {
diff --git a/app/assets/javascripts/repository/utils/ref_switcher_utils.js b/app/assets/javascripts/repository/utils/ref_switcher_utils.js
index c62f7f709c4..bcad4a2c822 100644
--- a/app/assets/javascripts/repository/utils/ref_switcher_utils.js
+++ b/app/assets/javascripts/repository/utils/ref_switcher_utils.js
@@ -16,22 +16,29 @@ const getNamespaceTargetRegex = (ref) => new RegExp(`(/-/(blob|tree))/${ref}/(.*
  * @param {string} selectedRef - The selected ref from the ref dropdown.
  */
 export function generateRefDestinationPath(projectRootPath, ref, selectedRef) {
-  const currentPath = window.location.pathname;
-  const encodedHash = '%23';
+  const url = new URL(window.location.href);
+  const currentPath = url.pathname;
+  let refType = null;
   let namespace = '/-/tree';
   let target;
+  let actualRef = selectedRef;
+
+  const matches = selectedRef.match(/^refs\/(heads|tags)\/(.+)/);
+  if (matches) {
+    [, refType, actualRef] = matches;
+  }
+  if (refType) {
+    url.searchParams.set('ref_type', refType);
+  } else {
+    url.searchParams.delete('ref_type');
+  }
+
   const NAMESPACE_TARGET_REGEX = getNamespaceTargetRegex(ref);
   const match = NAMESPACE_TARGET_REGEX.exec(currentPath);
   if (match) {
     [, namespace, , target] = match;
   }
+  url.pathname = joinPaths(projectRootPath, namespace, actualRef, target);
 
-  const destinationPath = joinPaths(
-    projectRootPath,
-    namespace,
-    encodeURI(selectedRef).replace(/#/g, encodedHash),
-    target,
-  );
-
-  return `${destinationPath}${window.location.hash}`;
+  return url.toString();
 }
diff --git a/app/controllers/concerns/confirm_email_warning.rb b/app/controllers/concerns/confirm_email_warning.rb
index ec5140bf223..2711c823275 100644
--- a/app/controllers/concerns/confirm_email_warning.rb
+++ b/app/controllers/concerns/confirm_email_warning.rb
@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 module ConfirmEmailWarning
+  include Gitlab::Utils::StrongMemoize
   extend ActiveSupport::Concern
 
   included do
@@ -17,11 +18,9 @@ module ConfirmEmailWarning
     return unless current_user
     return if current_user.confirmed?
 
-    email = current_user.unconfirmed_email || current_user.email
-
     flash.now[:warning] = format(
       confirm_warning_message,
-      email: email,
+      email: email_to_display,
       resend_link: view_context.link_to(_('Resend it'), user_confirmation_path(user: { email: email }), method: :post),
       update_link: view_context.link_to(_('Update it'), profile_path)
     ).html_safe
@@ -29,7 +28,16 @@ module ConfirmEmailWarning
 
   private
 
+  def email
+    current_user.unconfirmed_email || current_user.email
+  end
+  strong_memoize_attr :email
+
   def confirm_warning_message
     _("Please check your email (%{email}) to verify that you own this address and unlock the power of CI/CD. Didn't receive it? %{resend_link}. Wrong email address? %{update_link}.")
   end
+
+  def email_to_display
+    html_escape(email)
+  end
 end
diff --git a/app/controllers/projects/blob_controller.rb b/app/controllers/projects/blob_controller.rb
index 59cea00e26b..b71af82535a 100644
--- a/app/controllers/projects/blob_controller.rb
+++ b/app/controllers/projects/blob_controller.rb
@@ -31,6 +31,7 @@ class Projects::BlobController < Projects::ApplicationController
   before_action :authorize_edit_tree!, only: [:new, :create, :update, :destroy]
 
   before_action :commit, except: [:new, :create]
+  before_action :check_for_ambiguous_ref, only: [:show]
   before_action :blob, except: [:new, :create]
   before_action :require_branch_head, only: [:edit, :update]
   before_action :editor_variables, except: [:show, :preview, :diff]
@@ -145,6 +146,15 @@ class Projects::BlobController < Projects::ApplicationController
     end
   end
 
+  def check_for_ambiguous_ref
+    @ref_type = ref_type
+
+    if @ref_type == ExtractsRef::BRANCH_REF_TYPE && ambiguous_ref?(@project, @ref)
+      branch = @project.repository.find_branch(@ref)
+      redirect_to project_blob_path(@project, File.join(branch.target, @path))
+    end
+  end
+
   def commit
     @commit ||= @repository.commit(@ref)
 
diff --git a/app/controllers/projects/refs_controller.rb b/app/controllers/projects/refs_controller.rb
index 4c2bd2a9d42..f55fc2242a4 100644
--- a/app/controllers/projects/refs_controller.rb
+++ b/app/controllers/projects/refs_controller.rb
@@ -22,7 +22,7 @@ class Projects::RefsController < Projects::ApplicationController
           when "tree"
             project_tree_path(@project, @id)
           when "blob"
-            project_blob_path(@project, @id)
+            project_blob_path(@project, @id, ref_type: ref_type)
           when "graph"
             project_network_path(@project, @id, ref_type: ref_type)
           when "graphs"
diff --git a/app/controllers/projects/tree_controller.rb b/app/controllers/projects/tree_controller.rb
index 737a6290431..1f7912e15df 100644
--- a/app/controllers/projects/tree_controller.rb
+++ b/app/controllers/projects/tree_controller.rb
@@ -28,6 +28,15 @@ class Projects::TreeController < Projects::ApplicationController
   def show
     return render_404 unless @commit
 
+    @ref_type = ref_type
+    if @ref_type == BRANCH_REF_TYPE && ambiguous_ref?(@project, @ref)
+      branch = @project.repository.find_branch(@ref)
+      if branch
+        redirect_to project_tree_path(@project, branch.target)
+        return
+      end
+    end
+
     if tree.entries.empty?
       if @repository.blob_at(@commit.id, @path)
         redirect_to project_blob_path(@project, File.join(@ref, @path))
diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index 71ad747b6b1..d71b782c62b 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -171,11 +171,19 @@ class ProjectsController < Projects::ApplicationController
       flash.now[:alert] = _("Project '%{project_name}' queued for deletion.") % { project_name: @project.name }
     end
 
+    if ambiguous_ref?(@project, @ref)
+      branch = @project.repository.find_branch(@ref)
+
+      # The files view would render a ref other than the default branch
+      # This redirect can be removed once the view is fixed
+      redirect_to(project_tree_path(@project, branch.target), alert: _("The default branch of this project clashes with another ref"))
+      return
+    end
+
     respond_to do |format|
       format.html do
         @notification_setting = current_user.notification_settings_for(@project) if current_user
         @project = @project.present(current_user: current_user)
-
         render_landing_page
       end
 
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 875520d24be..3d22002e828 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -412,7 +412,6 @@ class ProjectPolicy < BasePolicy
   end
 
   rule { can?(:metrics_dashboard) }.policy do
-    enable :read_prometheus
     enable :read_deployment
   end
 
diff --git a/app/views/projects/tree/_tree_header.html.haml b/app/views/projects/tree/_tree_header.html.haml
index 6cd3c584f2a..d494d9cc36d 100644
--- a/app/views/projects/tree/_tree_header.html.haml
+++ b/app/views/projects/tree/_tree_header.html.haml
@@ -2,7 +2,7 @@
 
 .tree-ref-container.gl-display-flex.gl-flex-wrap.gl-gap-2.mb-2.mb-md-0
   .tree-ref-holder.gl-max-w-26
-    #js-tree-ref-switcher{ data: { project_id: @project.id, project_root_path: project_path(@project) } }
+    #js-tree-ref-switcher{ data: { project_id: @project.id, ref_type: @ref_type.to_s, project_root_path: project_path(@project) } }
 
   #js-repo-breadcrumb{ data: breadcrumb_data_attributes }
 
diff --git a/lib/banzai/filter/inline_observability_filter.rb b/lib/banzai/filter/inline_observability_filter.rb
index 334c04f2b59..50d4aac70cc 100644
--- a/lib/banzai/filter/inline_observability_filter.rb
+++ b/lib/banzai/filter/inline_observability_filter.rb
@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require 'uri'
+
 module Banzai
   module Filter
     class InlineObservabilityFilter < ::Banzai::Filter::InlineEmbedsFilter
@@ -15,7 +17,8 @@ module Banzai
         doc.document.create_element(
           'div',
           class: 'js-render-observability',
-          'data-frame-url': url
+          'data-frame-url': url,
+          'data-observability-url': Gitlab::Observability.observability_url
         )
       end
 
@@ -28,8 +31,15 @@ module Banzai
       # obtained from the target link
       def element_to_embed(node)
         url = node['href']
-
-        create_element(url)
+        uri = URI.parse(url)
+        observability_uri = URI.parse(Gitlab::Observability.observability_url)
+
+        if uri.scheme == observability_uri.scheme &&
+            uri.port == observability_uri.port &&
+            uri.host.casecmp?(observability_uri.host) &&
+            uri.path.downcase.exclude?("auth/start")
+          create_element(url)
+        end
       end
 
       private
diff --git a/lib/extracts_ref.rb b/lib/extracts_ref.rb
index dba1aad639c..49c9772f760 100644
--- a/lib/extracts_ref.rb
+++ b/lib/extracts_ref.rb
@@ -5,7 +5,8 @@
 # Can be extended for different types of repository object, e.g. Project or Snippet
 module ExtractsRef
   InvalidPathError = Class.new(StandardError)
-
+  BRANCH_REF_TYPE = 'heads'
+  TAG_REF_TYPE = 'tags'
   # Given a string containing both a Git tree-ish, such as a branch or tag, and
   # a filesystem path joined by forward slashes, attempts to separate the two.
   #
@@ -91,7 +92,7 @@ module ExtractsRef
   def ref_type
     return unless params[:ref_type].present?
 
-    params[:ref_type] == 'tags' ? 'tags' : 'heads'
+    params[:ref_type] == TAG_REF_TYPE ? TAG_REF_TYPE : BRANCH_REF_TYPE
   end
 
   private
@@ -154,4 +155,13 @@ module ExtractsRef
   def repository_container
     raise NotImplementedError
   end
+
+  def ambiguous_ref?(project, ref)
+    return true if project.repository.ambiguous_ref?(ref)
+
+    return false unless ref&.starts_with?('refs/')
+
+    unprefixed_ref = ref.sub(%r{^refs/(heads|tags)/}, '')
+    project.repository.commit(unprefixed_ref).present?
+  end
 end
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 88a17b7d697..695b567039e 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -42698,6 +42698,9 @@ msgstr ""
 msgid "The default branch for this project has been changed. Please update your bookmarks."
 msgstr ""
 
+msgid "The default branch of this project clashes with another ref"
+msgstr ""
+
 msgid "The dependency list details information about the components used within your project."
 msgstr ""
 
diff --git a/spec/controllers/concerns/confirm_email_warning_spec.rb b/spec/controllers/concerns/confirm_email_warning_spec.rb
index 334c156e1ae..b8a4b94aa66 100644
--- a/spec/controllers/concerns/confirm_email_warning_spec.rb
+++ b/spec/controllers/concerns/confirm_email_warning_spec.rb
@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-RSpec.describe ConfirmEmailWarning do
+RSpec.describe ConfirmEmailWarning, feature_category: :system_access do
   before do
     stub_feature_flags(soft_email_confirmation: true)
   end
@@ -82,6 +82,38 @@ RSpec.describe ConfirmEmailWarning do
             it { is_expected.to set_confirm_warning_for(user.email) }
           end
         end
+
+        context 'when user is being impersonated' do
+          let(:impersonator) { create(:admin) }
+
+          before do
+            allow(controller).to receive(:session).and_return({ impersonator_id: impersonator.id })
+
+            get :index
+          end
+
+          it { is_expected.to set_confirm_warning_for(user.email) }
+
+          context 'when impersonated user email has html in their email' do
+            let(:user) { create(:user, confirmed_at: nil, unconfirmed_email: "malicious@test.com<form><input/title='<script>alert(document.domain)</script>'>") }
+
+            it { is_expected.to set_confirm_warning_for("malicious@test.com&lt;form&gt;&lt;input/title=&#39;&lt;script&gt;alert(document.domain)&lt;/script&gt;&#39;&gt;") }
+          end
+        end
+
+        context 'when user is not being impersonated' do
+          before do
+            get :index
+          end
+
+          it { is_expected.to set_confirm_warning_for(user.email) }
+
+          context 'when user email has html in their email' do
+            let(:user) { create(:user, confirmed_at: nil, unconfirmed_email: "malicious@test.com<form><input/title='<script>alert(document.domain)</script>'>") }
+
+            it { is_expected.to set_confirm_warning_for("malicious@test.com&lt;form&gt;&lt;input/title=&#39;&lt;script&gt;alert(document.domain)&lt;/script&gt;&#39;&gt;") }
+          end
+        end
       end
     end
   end
diff --git a/spec/controllers/projects/blob_controller_spec.rb b/spec/controllers/projects/blob_controller_spec.rb
index 887a5ba598f..ec92d92e2a9 100644
--- a/spec/controllers/projects/blob_controller_spec.rb
+++ b/spec/controllers/projects/blob_controller_spec.rb
@@ -2,15 +2,16 @@
 
 require 'spec_helper'
 
-RSpec.describe Projects::BlobController do
+RSpec.describe Projects::BlobController, feature_category: :source_code_management do
   include ProjectForksHelper
 
   let(:project) { create(:project, :public, :repository, previous_default_branch: previous_default_branch) }
   let(:previous_default_branch) { nil }
 
   describe "GET show" do
-    def request
-      get(:show, params: { namespace_id: project.namespace, project_id: project, id: id })
+    let(:params) { { namespace_id: project.namespace, project_id: project, id: id } }
+    let(:request) do
+      get(:show, params: params)
     end
 
     render_views
@@ -18,10 +19,34 @@ RSpec.describe Projects::BlobController do
     context 'with file path' do
       before do
         expect(::Gitlab::GitalyClient).to receive(:allow_ref_name_caching).and_call_original
-
+        project.repository.add_tag(project.creator, 'ambiguous_ref', RepoHelpers.sample_commit.id)
+        project.repository.add_branch(project.creator, 'ambiguous_ref', RepoHelpers.another_sample_commit.id)
         request
       end
 
+      context 'when the ref is ambiguous' do
+        let(:ref) { 'ambiguous_ref' }
+        let(:path) { 'README.md' }
+        let(:id) { "#{ref}/#{path}" }
+        let(:params) { { namespace_id: project.namespace, project_id: project, id: id, ref_type: ref_type } }
+
+        context 'and explicitly requesting a branch' do
+          let(:ref_type) { 'heads' }
+
+          it 'redirects to blob#show with sha for the branch' do
+            expect(response).to redirect_to(project_blob_path(project, "#{RepoHelpers.another_sample_commit.id}/#{path}"))
+          end
+        end
+
+        context 'and explicitly requesting a tag' do
+          let(:ref_type) { 'tags' }
+
+          it 'responds with success' do
+            expect(response).to be_ok
+          end
+        end
+      end
+
       context "valid branch, valid file" do
         let(:id) { 'master/README.md' }
 
diff --git a/spec/controllers/projects/clusters_controller_spec.rb b/spec/controllers/projects/clusters_controller_spec.rb
index a4f7c92f5cd..c7d2b1fa3af 100644
--- a/spec/controllers/projects/clusters_controller_spec.rb
+++ b/spec/controllers/projects/clusters_controller_spec.rb
@@ -7,7 +7,7 @@ RSpec.describe Projects::ClustersController, feature_category: :kubernetes_manag
   include GoogleApi::CloudPlatformHelpers
   include KubernetesHelpers
 
-  let_it_be(:project) { create(:project) }
+  let_it_be_with_reload(:project) { create(:project) }
 
   let(:user) { create(:user) }
 
@@ -140,6 +140,27 @@ RSpec.describe Projects::ClustersController, feature_category: :kubernetes_manag
           expect(response).to redirect_to(new_user_session_path)
         end
       end
+
+      context 'with a public project' do
+        before do
+          project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+          project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::ENABLED)
+        end
+
+        context 'with guest user' do
+          let(:prometheus_body) { nil }
+
+          before do
+            project.add_guest(user)
+          end
+
+          it 'returns 404' do
+            get :prometheus_proxy, params: prometheus_proxy_params
+
+            expect(response).to have_gitlab_http_status(:not_found)
+          end
+        end
+      end
     end
   end
 
diff --git a/spec/controllers/projects/environments/prometheus_api_controller_spec.rb b/spec/controllers/projects/environments/prometheus_api_controller_spec.rb
index 68d50cf19f0..6b0c164e432 100644
--- a/spec/controllers/projects/environments/prometheus_api_controller_spec.rb
+++ b/spec/controllers/projects/environments/prometheus_api_controller_spec.rb
@@ -4,7 +4,7 @@ require 'spec_helper'
 
 RSpec.describe Projects::Environments::PrometheusApiController do
   let_it_be(:user) { create(:user) }
-  let_it_be(:project) { create(:project) }
+  let_it_be_with_reload(:project) { create(:project) }
   let_it_be(:proxyable) { create(:environment, project: project) }
 
   before do
@@ -70,6 +70,27 @@ RSpec.describe Projects::Environments::PrometheusApiController do
           expect(response).to redirect_to(new_user_session_path)
         end
       end
+
+      context 'with a public project' do
+        before do
+          project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+          project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::ENABLED)
+        end
+
+        context 'with guest user' do
+          let(:prometheus_body) { nil }
+
+          before do
+            project.add_guest(user)
+          end
+
+          it 'returns 404' do
+            get :prometheus_proxy, params: prometheus_proxy_params
+
+            expect(response).to have_gitlab_http_status(:not_found)
+          end
+        end
+      end
     end
   end
 end
diff --git a/spec/controllers/projects/refs_controller_spec.rb b/spec/controllers/projects/refs_controller_spec.rb
index a0d119baf16..7a511ab676e 100644
--- a/spec/controllers/projects/refs_controller_spec.rb
+++ b/spec/controllers/projects/refs_controller_spec.rb
@@ -26,7 +26,7 @@ RSpec.describe Projects::RefsController, feature_category: :source_code_manageme
       'tree'           | nil     | lazy { project_tree_path(project, id) }
       'tree'           | 'heads' | lazy { project_tree_path(project, id) }
       'blob'           | nil     | lazy { project_blob_path(project, id) }
-      'blob'           | 'heads' | lazy { project_blob_path(project, id) }
+      'blob'           | 'heads' | lazy { project_blob_path(project, id, ref_type: 'heads') }
       'graph'          | nil     | lazy { project_network_path(project, id) }
       'graph'          | 'heads' | lazy { project_network_path(project, id, ref_type: 'heads') }
       'graphs'         | nil     | lazy { project_graph_path(project, id) }
diff --git a/spec/controllers/projects/tree_controller_spec.rb b/spec/controllers/projects/tree_controller_spec.rb
index 9bc3065b6da..37149e1d3ca 100644
--- a/spec/controllers/projects/tree_controller_spec.rb
+++ b/spec/controllers/projects/tree_controller_spec.rb
@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-RSpec.describe Projects::TreeController do
+RSpec.describe Projects::TreeController, feature_category: :source_code_management do
   let(:project) { create(:project, :repository, previous_default_branch: previous_default_branch) }
   let(:previous_default_branch) { nil }
   let(:user) { create(:user) }
@@ -15,18 +15,41 @@ RSpec.describe Projects::TreeController do
   end
 
   describe "GET show" do
+    let(:params) do
+      {
+        namespace_id: project.namespace.to_param, project_id: project, id: id
+      }
+    end
+
     # Make sure any errors accessing the tree in our views bubble up to this spec
     render_views
 
     before do
       expect(::Gitlab::GitalyClient).to receive(:allow_ref_name_caching).and_call_original
+      project.repository.add_tag(project.creator, 'ambiguous_ref', RepoHelpers.sample_commit.id)
+      project.repository.add_branch(project.creator, 'ambiguous_ref', RepoHelpers.another_sample_commit.id)
+      get :show, params: params
+    end
 
-      get(:show,
-          params: {
-            namespace_id: project.namespace.to_param,
-            project_id: project,
-            id: id
-          })
+    context 'when the ref is ambiguous' do
+      let(:id) { 'ambiguous_ref' }
+      let(:params) { { namespace_id: project.namespace, project_id: project, id: id, ref_type: ref_type } }
+
+      context 'and explicitly requesting a branch' do
+        let(:ref_type) { 'heads' }
+
+        it 'redirects to blob#show with sha for the branch' do
+          expect(response).to redirect_to(project_tree_path(project, RepoHelpers.another_sample_commit.id))
+        end
+      end
+
+      context 'and explicitly requesting a tag' do
+        let(:ref_type) { 'tags' }
+
+        it 'responds with success' do
+          expect(response).to be_ok
+        end
+      end
     end
 
     context "valid branch, no path" do
diff --git a/spec/controllers/projects_controller_spec.rb b/spec/controllers/projects_controller_spec.rb
index 51f8a3b1197..c5ec6651ab3 100644
--- a/spec/controllers/projects_controller_spec.rb
+++ b/spec/controllers/projects_controller_spec.rb
@@ -163,6 +163,69 @@ RSpec.describe ProjectsController, feature_category: :projects do
             expect(assigns(:notification_setting).level).to eq("watch")
           end
         end
+
+        context 'when there is a tag with the same name as the default branch' do
+          let_it_be(:tagged_project) { create(:project, :public, :custom_repo, files: ['somefile']) }
+          let(:tree_with_default_branch) do
+            branch = tagged_project.repository.find_branch(tagged_project.default_branch)
+            project_tree_path(tagged_project, branch.target)
+          end
+
+          before do
+            tagged_project.repository.create_file(
+              tagged_project.creator,
+              'file_for_tag',
+              'content for file',
+              message: "Automatically created file",
+              branch_name: 'branch-to-tag'
+            )
+
+            tagged_project.repository.add_tag(
+              tagged_project.creator,
+              tagged_project.default_branch, # tag name
+              'branch-to-tag' # target
+            )
+          end
+
+          it 'redirects to tree view for the default branch' do
+            get :show, params: { namespace_id: tagged_project.namespace, id: tagged_project }
+            expect(response).to redirect_to(tree_with_default_branch)
+          end
+        end
+
+        context 'when the default branch name can resolve to another ref' do
+          let!(:project_with_default_branch) do
+            create(:project, :public, :custom_repo, files: ['somefile']).tap do |p|
+              p.repository.create_branch("refs/heads/refs/heads/#{other_ref}", 'master')
+              p.change_head("refs/heads/#{other_ref}")
+            end.reload
+          end
+
+          let(:other_ref) { 'branch-name' }
+
+          context 'but there is no other ref' do
+            it 'responds with ok' do
+              get :show, params: { namespace_id: project_with_default_branch.namespace, id: project_with_default_branch }
+              expect(response).to be_ok
+            end
+          end
+
+          context 'and that other ref exists' do
+            let(:tree_with_default_branch) do
+              branch = project_with_default_branch.repository.find_branch(project_with_default_branch.default_branch)
+              project_tree_path(project_with_default_branch, branch.target)
+            end
+
+            before do
+              project_with_default_branch.repository.create_branch(other_ref, 'master')
+            end
+
+            it 'redirects to tree view for the default branch' do
+              get :show, params: { namespace_id: project_with_default_branch.namespace, id: project_with_default_branch }
+              expect(response).to redirect_to(tree_with_default_branch)
+            end
+          end
+        end
       end
 
       describe "when project repository is disabled" do
diff --git a/spec/features/admin/users/user_spec.rb b/spec/features/admin/users/user_spec.rb
index 1552d4e6187..66129617220 100644
--- a/spec/features/admin/users/user_spec.rb
+++ b/spec/features/admin/users/user_spec.rb
@@ -271,6 +271,36 @@ RSpec.describe 'Admin::Users::User', feature_category: :user_management do
           icon = first('[data-testid="incognito-icon"]')
           expect(icon).not_to be nil
         end
+
+        context 'when viewing the confirm email warning', :js do
+          let_it_be(:another_user) { create(:user, :unconfirmed) }
+
+          let(:warning_alert) { page.find(:css, '[data-testid="alert-warning"]') }
+          let(:expected_styling) { { 'pointer-events' => 'none', 'cursor' => 'default' } }
+
+          context 'with an email that does not contain HTML' do
+            before do
+              subject
+            end
+
+            it 'displays the warning alert including the email' do
+              expect(warning_alert.text).to include("Please check your email (#{another_user.email}) to verify")
+            end
+          end
+
+          context 'with an email that contains HTML' do
+            let(:malicious_email) { "malicious@test.com<form><input/title='<script>alert(document.domain)</script>'>" }
+            let(:another_user) { create(:user, confirmed_at: nil, unconfirmed_email: malicious_email) }
+
+            before do
+              subject
+            end
+
+            it 'displays the impersonation alert, excludes email, and disables links' do
+              expect(warning_alert.text).to include("check your email (#{another_user.unconfirmed_email}) to verify")
+            end
+          end
+        end
       end
 
       context 'ending impersonation' do
diff --git a/spec/frontend/behaviors/markdown/render_observability_spec.js b/spec/frontend/behaviors/markdown/render_observability_spec.js
index c87d11742dc..03a0cb2fcc2 100644
--- a/spec/frontend/behaviors/markdown/render_observability_spec.js
+++ b/spec/frontend/behaviors/markdown/render_observability_spec.js
@@ -16,7 +16,7 @@ describe('Observability iframe renderer', () => {
   });
 
   it('renders an observability iframe', () => {
-    document.body.innerHTML = `<div class="js-render-observability" data-frame-url="https://observe.gitlab.com/"></div>`;
+    document.body.innerHTML = `<div class="js-render-observability" data-frame-url="https://observe.gitlab.com/"  data-observability-url="https://observe.gitlab.com/" ></div>`;
 
     expect(findObservabilityIframes()).toHaveLength(0);
 
@@ -26,7 +26,7 @@ describe('Observability iframe renderer', () => {
   });
 
   it('renders iframe with dark param when GL has dark theme', () => {
-    document.body.innerHTML = `<div class="js-render-observability" data-frame-url="https://observe.gitlab.com/"></div>`;
+    document.body.innerHTML = `<div class="js-render-observability" data-frame-url="https://observe.gitlab.com/" data-observability-url="https://observe.gitlab.com/"></div>`;
     jest.spyOn(ColorUtils, 'darkModeEnabled').mockImplementation(() => true);
 
     expect(findObservabilityIframes('dark')).toHaveLength(0);
@@ -35,4 +35,12 @@ describe('Observability iframe renderer', () => {
 
     expect(findObservabilityIframes('dark')).toHaveLength(1);
   });
+
+  it('does not render if url is different from observability url', () => {
+    document.body.innerHTML = `<div class="js-render-observability" data-frame-url="https://example.com/" data-observability-url="https://observe.gitlab.com/"></div>`;
+
+    renderEmbeddedObservability();
+
+    expect(findObservabilityIframes()).toHaveLength(0);
+  });
 });
diff --git a/spec/frontend/repository/utils/ref_switcher_utils_spec.js b/spec/frontend/repository/utils/ref_switcher_utils_spec.js
index 7f708f13eaa..220dbf17398 100644
--- a/spec/frontend/repository/utils/ref_switcher_utils_spec.js
+++ b/spec/frontend/repository/utils/ref_switcher_utils_spec.js
@@ -1,5 +1,6 @@
 import { generateRefDestinationPath } from '~/repository/utils/ref_switcher_utils';
 import setWindowLocation from 'helpers/set_window_location_helper';
+import { TEST_HOST } from 'spec/test_constants';
 import { refWithSpecialCharMock, encodedRefWithSpecialCharMock } from '../mock_data';
 
 const projectRootPath = 'root/Project1';
@@ -16,16 +17,38 @@ describe('generateRefDestinationPath', () => {
     ${`${projectRootPath}/-/blob/${currentRef}/dir1/test.js`}           | ${`${projectRootPath}/-/blob/${selectedRef}/dir1/test.js`}
     ${`${projectRootPath}/-/blob/${currentRef}/dir1/dir2/test.js`}      | ${`${projectRootPath}/-/blob/${selectedRef}/dir1/dir2/test.js`}
     ${`${projectRootPath}/-/blob/${currentRef}/dir1/dir2/test.js#L123`} | ${`${projectRootPath}/-/blob/${selectedRef}/dir1/dir2/test.js#L123`}
-  `('generates the correct destination path for  $currentPath', ({ currentPath, result }) => {
+  `('generates the correct destination path for $currentPath', ({ currentPath, result }) => {
     setWindowLocation(currentPath);
-    expect(generateRefDestinationPath(projectRootPath, currentRef, selectedRef)).toBe(result);
+    expect(generateRefDestinationPath(projectRootPath, currentRef, selectedRef)).toBe(
+      `${TEST_HOST}/${result}`,
+    );
+  });
+
+  describe('when using symbolic ref names', () => {
+    it.each`
+      currentPath                                                         | nextRef                                             | result
+      ${`${projectRootPath}/-/blob/${currentRef}/dir1/dir2/test.js#L123`} | ${'someHash'}                                       | ${`${projectRootPath}/-/blob/someHash/dir1/dir2/test.js#L123`}
+      ${`${projectRootPath}/-/blob/${currentRef}/dir1/dir2/test.js#L123`} | ${'refs/heads/prefixedByUseSymbolicRefNames'}       | ${`${projectRootPath}/-/blob/prefixedByUseSymbolicRefNames/dir1/dir2/test.js?ref_type=heads#L123`}
+      ${`${projectRootPath}/-/blob/${currentRef}/dir1/dir2/test.js#L123`} | ${'refs/tags/prefixedByUseSymbolicRefNames'}        | ${`${projectRootPath}/-/blob/prefixedByUseSymbolicRefNames/dir1/dir2/test.js?ref_type=tags#L123`}
+      ${`${projectRootPath}/-/tree/${currentRef}/dir1/dir2/test.js#L123`} | ${'refs/heads/prefixedByUseSymbolicRefNames'}       | ${`${projectRootPath}/-/tree/prefixedByUseSymbolicRefNames/dir1/dir2/test.js?ref_type=heads#L123`}
+      ${`${projectRootPath}/-/tree/${currentRef}/dir1/dir2/test.js#L123`} | ${'refs/tags/prefixedByUseSymbolicRefNames'}        | ${`${projectRootPath}/-/tree/prefixedByUseSymbolicRefNames/dir1/dir2/test.js?ref_type=tags#L123`}
+      ${`${projectRootPath}/-/tree/${currentRef}/dir1/dir2/test.js#L123`} | ${'refs/heads/refs/heads/branchNameContainsPrefix'} | ${`${projectRootPath}/-/tree/refs/heads/branchNameContainsPrefix/dir1/dir2/test.js?ref_type=heads#L123`}
+    `(
+      'generates the correct destination path for $currentPath with ref type when it can be extracted',
+      ({ currentPath, result, nextRef }) => {
+        setWindowLocation(currentPath);
+        expect(generateRefDestinationPath(projectRootPath, currentRef, nextRef)).toBe(
+          `${TEST_HOST}/${result}`,
+        );
+      },
+    );
   });
 
   it('encodes the selected ref', () => {
     const result = `${projectRootPath}/-/tree/${encodedRefWithSpecialCharMock}`;
 
     expect(generateRefDestinationPath(projectRootPath, currentRef, refWithSpecialCharMock)).toBe(
-      result,
+      `${TEST_HOST}/${result}`,
     );
   });
 });
diff --git a/spec/lib/banzai/filter/inline_observability_filter_spec.rb b/spec/lib/banzai/filter/inline_observability_filter_spec.rb
index fb1ba46e76c..69a9dc96c2c 100644
--- a/spec/lib/banzai/filter/inline_observability_filter_spec.rb
+++ b/spec/lib/banzai/filter/inline_observability_filter_spec.rb
@@ -34,6 +34,58 @@ RSpec.describe Banzai::Filter::InlineObservabilityFilter do
       end
     end
 
+    context 'when the document contains an embeddable observability link with redirect' do
+      let(:url) { 'https://observe.gitlab.com@example.com/12345' }
+
+      it 'leaves the original link unchanged' do
+        expect(doc.at_css('a').to_s).to eq(input)
+      end
+
+      it 'does not append an observability charts placeholder' do
+        node = doc.at_css('.js-render-observability')
+
+        expect(node).not_to be_present
+      end
+    end
+
+    context 'when the document contains an embeddable observability link with different port' do
+      let(:url) { 'https://observe.gitlab.com:3000/12345' }
+      let(:observe_url) { 'https://observe.gitlab.com:3001' }
+
+      before do
+        stub_env('OVERRIDE_OBSERVABILITY_URL', observe_url)
+      end
+
+      it 'leaves the original link unchanged' do
+        expect(doc.at_css('a').to_s).to eq(input)
+      end
+
+      it 'does not append an observability charts placeholder' do
+        node = doc.at_css('.js-render-observability')
+
+        expect(node).not_to be_present
+      end
+    end
+
+    context 'when the document contains an embeddable observability link with auth/start' do
+      let(:url) { 'https://observe.gitlab.com/auth/start' }
+      let(:observe_url) { 'https://observe.gitlab.com' }
+
+      before do
+        stub_env('OVERRIDE_OBSERVABILITY_URL', observe_url)
+      end
+
+      it 'leaves the original link unchanged' do
+        expect(doc.at_css('a').to_s).to eq(input)
+      end
+
+      it 'does not append an observability charts placeholder' do
+        node = doc.at_css('.js-render-observability')
+
+        expect(node).not_to be_present
+      end
+    end
+
     context 'when feature flag is disabled' do
       let(:url) { 'https://observe.gitlab.com/12345' }
 
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index c29446c1f38..0c359b80fb5 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -697,6 +697,39 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
     end
   end
 
+  describe 'read_prometheus', feature_category: :metrics do
+    using RSpec::Parameterized::TableSyntax
+
+    before do
+      project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::ENABLED)
+    end
+
+    let(:policy) { :read_prometheus }
+
+    where(:project_visibility, :role, :allowed) do
+      :public   | :anonymous | false
+      :public   | :guest     | false
+      :public   | :reporter  | true
+      :internal | :anonymous | false
+      :internal | :guest     | false
+      :internal | :reporter  | true
+      :private  | :anonymous | false
+      :private  | :guest     | false
+      :private  | :reporter  | true
+    end
+
+    with_them do
+      let(:current_user) { public_send(role) }
+      let(:project) { public_send("#{project_visibility}_project") }
+
+      if params[:allowed]
+        it { is_expected.to be_allowed(policy) }
+      else
+        it { is_expected.not_to be_allowed(policy) }
+      end
+    end
+  end
+
   describe 'update_max_artifacts_size' do
     context 'when no user' do
       let(:current_user) { anonymous }
@@ -972,7 +1005,7 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
           let(:current_user) { guest }
 
           it { is_expected.to be_allowed(:metrics_dashboard) }
-          it { is_expected.to be_allowed(:read_prometheus) }
+          it { is_expected.to be_disallowed(:read_prometheus) }
           it { is_expected.to be_allowed(:read_deployment) }
           it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) }
           it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) }
@@ -982,7 +1015,7 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
           let(:current_user) { anonymous }
 
           it { is_expected.to be_allowed(:metrics_dashboard) }
-          it { is_expected.to be_allowed(:read_prometheus) }
+          it { is_expected.to be_disallowed(:read_prometheus) }
           it { is_expected.to be_allowed(:read_deployment) }
           it { is_expected.to be_disallowed(:read_metrics_user_starred_dashboard) }
           it { is_expected.to be_disallowed(:create_metrics_user_starred_dashboard) }
@@ -1008,12 +1041,14 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
           let(:current_user) { guest }
 
           it { is_expected.to be_disallowed(:metrics_dashboard) }
+          it { is_expected.to be_disallowed(:read_prometheus) }
         end
 
         context 'with anonymous' do
           let(:current_user) { anonymous }
 
           it { is_expected.to be_disallowed(:metrics_dashboard) }
+          it { is_expected.to be_disallowed(:read_prometheus) }
         end
       end
 
@@ -1036,7 +1071,7 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
           let(:current_user) { guest }
 
           it { is_expected.to be_allowed(:metrics_dashboard) }
-          it { is_expected.to be_allowed(:read_prometheus) }
+          it { is_expected.to be_disallowed(:read_prometheus) }
           it { is_expected.to be_allowed(:read_deployment) }
           it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) }
           it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) }
@@ -1046,6 +1081,7 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
           let(:current_user) { anonymous }
 
           it { is_expected.to be_disallowed(:metrics_dashboard) }
+          it { is_expected.to be_disallowed(:read_prometheus) }
         end
       end
     end
@@ -1068,12 +1104,14 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
           let(:current_user) { guest }
 
           it { is_expected.to be_disallowed(:metrics_dashboard) }
+          it { is_expected.to be_disallowed(:read_prometheus) }
         end
 
         context 'with anonymous' do
           let(:current_user) { anonymous }
 
           it { is_expected.to be_disallowed(:metrics_dashboard) }
+          it { is_expected.to be_disallowed(:read_prometheus) }
         end
       end
 
@@ -1092,12 +1130,14 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
           let(:current_user) { guest }
 
           it { is_expected.to be_disallowed(:metrics_dashboard) }
+          it { is_expected.to be_disallowed(:read_prometheus) }
         end
 
         context 'with anonymous' do
           let(:current_user) { anonymous }
 
           it { is_expected.to be_disallowed(:metrics_dashboard) }
+          it { is_expected.to be_disallowed(:read_prometheus) }
         end
       end
     end