authorGitLab Bot <gitlab-bot@gitlab.com>2022-11-01 11:56:09 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-11-01 11:56:26 +0000
commit4bb4e2b08d99cbccda0e3a1f7ae102e5446e5713 (patch)
tree7b4f118ce300e163656334961c67add3e7cf28b8
parent78fdc7be5faab52379fcce7b0da4b1063c259312 (diff)
downloadgitlab-ce-4bb4e2b08d99cbccda0e3a1f7ae102e5446e5713.tar.gz
Add latest changes from gitlab-org/security/gitlab@15-4-stable-ee
-rw-r--r--app/models/note.rb4
-rw-r--r--config/routes/repository_deprecated.rb8
-rw-r--r--lib/api/award_emoji.rb2
-rw-r--r--spec/models/note_spec.rb16
-rw-r--r--spec/requests/api/award_emoji_spec.rb30
-rw-r--r--spec/routing/project_routing_spec.rb5
6 files changed, 62 insertions, 3 deletions
diff --git a/app/models/note.rb b/app/models/note.rb
index daac489757b..54453b184d5 100644
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -706,6 +706,10 @@ class Note < ApplicationRecord
super.sub!('task', 'checklist item')
end
+ def issuable_ability_name
+ confidential? ? :read_confidential_notes : :read_note
+ end
+
private
def system_note_viewable_by?(user)
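Review bot: `issuable_ability_name` is introduced as a public method with no comment, and its name is narrower than what it does: it maps `confidential?` to `:read_confidential_notes` / `:read_note` for any `Note`, without looking at the noteable at all, so if notes can also hang off non-issuable records (as the class name `Note` suggests) the name is misleading. Add a short contract comment above it, e.g. `# Ability a user must hold on this note (not on its noteable) to read it; confidential notes require :read_confidential_notes. Used by API::AwardEmoji#read_ability.` The method sits directly above `private`, so it is deliberately public; `system_note_viewable_by?` on the last line continues outside the hunk.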
diff --git a/config/routes/repository_deprecated.rb b/config/routes/repository_deprecated.rb
index e611b4f665b..32682000941 100644
--- a/config/routes/repository_deprecated.rb
+++ b/config/routes/repository_deprecated.rb
@@ -18,8 +18,12 @@ scope format: false do
constraints: { id: Gitlab::PathRegex.git_reference_regex }
get '/refs/:id/logs_tree/*path',
- to: redirect('%{namespace_id}/%{project_id}/-/refs/%{id}/logs_tree/%{path}'),
- constraints: { id: /.*/, path: /[^\0]*/ }
+ constraints: { id: /.*/, path: /[^\0]*/ },
+ to: redirect { |params, _request|
+ path = params[:path]
+ path.gsub!('@', '-/')
+ Addressable::URI.escape("#{params[:namespace_id]}/#{params[:project_id]}/-/refs/#{params[:id]}/logs_tree/#{path}")
+ }
scope constraints: { id: /[^\0]+/ } do
# Deprecated. Keep for compatibility.
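Review bot: The `@` → `-/` rewrite on the `path.gsub!` line also changes the destination for legitimate repository paths, since `@` is an ordinary filename character (e.g. `logo@2x.png` is now redirected to `logo-/2x.png`), and nothing in the hunk explains why that trade-off is acceptable. The substitution is also done with `gsub!`, mutating the string stored in `params`; `path = params[:path].gsub('@', '-/')` gives the same redirect without side effects on the params hash. The `:id` segment, whose constraint `/.*/` admits slashes, is interpolated into the same string without the rewrite, so if the same `@` trick works through the ref part it is not covered here, and the `..` dot-segments are passed through verbatim, so the safety of the resulting Location rests on how the redirect helper and the client normalise them, which this hunk does not show. Please add a why-comment such as `# Rewrite '@' so a crafted traversal path cannot turn the redirect target into another host (see project_routing_spec); legitimate '@' in filenames is sacrificed.` The enclosing `scope format: false do` block continues past the hunk.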
diff --git a/lib/api/award_emoji.rb b/lib/api/award_emoji.rb
index fd36b364d56..e419a025508 100644
--- a/lib/api/award_emoji.rb
+++ b/lib/api/award_emoji.rb
@@ -100,7 +100,7 @@ module API
def read_ability(awardable)
case awardable
when Note
- read_ability(awardable.noteable)
+ awardable.issuable_ability_name
when Snippet, ProjectSnippet
:read_snippet
else
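Review bot: The `Note` branch now returns note-level abilities (`:read_note` / `:read_confidential_notes`) where it previously returned the noteable's own read ability, so whatever calls `read_ability` must now pass the note itself as the `can?` subject rather than `awardable.noteable`; that call site is outside the hunk, so please confirm it was updated together with this line. A one-line comment would stop the next reader from "simplifying" this back to the noteable check: `# Check the note itself: confidential notes need :read_confidential_notes, not just read access to the noteable`. The `else` branch of `read_ability` continues below the hunk.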
diff --git a/spec/models/note_spec.rb b/spec/models/note_spec.rb
index 1fce1f97dcb..1ee071f35fa 100644
--- a/spec/models/note_spec.rb
+++ b/spec/models/note_spec.rb
@@ -1882,4 +1882,20 @@ RSpec.describe Note do
end
end
end
+
+ describe '#issuable_ability_name' do
+ subject { note.issuable_ability_name }
+
+ context 'when not confidential note' do
+ let(:note) { build(:note) }
+
+ it { is_expected.to eq :read_note }
+ end
+
+ context 'when confidential note' do
+ let(:note) { build(:note, :confidential) }
+
+ it { is_expected.to eq :read_confidential_notes }
+ end
+ end
end
diff --git a/spec/requests/api/award_emoji_spec.rb b/spec/requests/api/award_emoji_spec.rb
index 67ddaf2fda5..bb563f93bfe 100644
--- a/spec/requests/api/award_emoji_spec.rb
+++ b/spec/requests/api/award_emoji_spec.rb
@@ -191,6 +191,36 @@ RSpec.describe API::AwardEmoji do
expect(json_response['name']).to eq(rocket.name)
end
+ context 'when a confidential note' do
+ subject(:perform_request) { get api(request_path, current_user) }
+
+ let_it_be(:group) { create(:group) }
+ let_it_be(:project) { create(:project, :public, namespace: group) }
+ let_it_be(:issue) { create(:issue, project: project) }
+ let_it_be(:note) { create(:note, :confidential, project: project, noteable: issue, author: user) }
+
+ context 'with sufficient persmissions' do
+ let(:current_user) { user }
+
+ it 'returns an award emoji' do
+ perform_request
+
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(json_response['name']).to eq(rocket.name)
+ end
+ end
+
+ context 'with insufficient permissions' do
+ let(:current_user) { nil }
+
+ it 'returns 404' do
+ perform_request
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+ end
+ end
+
it_behaves_like 'unauthenticated request to public awardable'
it_behaves_like 'request with insufficient permissions', :get
end
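Review bot: The negative case under `'with insufficient permissions'` uses an anonymous user (`current_user = nil`) against a public project, which is the weakest reader the fix has to reject; the regression this commit guards against is an authenticated user who can read the issue but lacks `read_confidential_notes`, and no such case is present. Add a context with a signed-in non-member expecting 404 alongside the existing two. The description `'with sufficient persmissions'` is also misspelled and should read `'with sufficient permissions'`. `request_path`, `user` and `rocket` are defined outside the hunk.
```ruby
# … unchanged: 'with sufficient permissions' and 'with insufficient permissions' contexts …
context 'with an authenticated user who cannot read confidential notes' do
  let(:current_user) { create(:user) }

  it 'returns 404' do
    perform_request

    expect(response).to have_gitlab_http_status(:not_found)
  end
end
```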
diff --git a/spec/routing/project_routing_spec.rb b/spec/routing/project_routing_spec.rb
index 9317a661188..875a54de3d1 100644
--- a/spec/routing/project_routing_spec.rb
+++ b/spec/routing/project_routing_spec.rb
@@ -189,6 +189,7 @@ RSpec.describe 'project routing' do
end
it 'to #logs_tree' do
+ expect(get('/gitlab/gitlabhq/-/refs/stable/logs_tree/..%2F..%2F..%2F..%2F..%2F@example.com/tree/a')).to route_to('projects/refs#logs_tree', namespace_id: 'gitlab', project_id: 'gitlabhq', id: 'stable', path: '../../../../../@example.com/tree/a')
expect(get('/gitlab/gitlabhq/-/refs/stable/logs_tree')).to route_to('projects/refs#logs_tree', namespace_id: 'gitlab', project_id: 'gitlabhq', id: 'stable')
expect(get('/gitlab/gitlabhq/-/refs/feature%2345/logs_tree')).to route_to('projects/refs#logs_tree', namespace_id: 'gitlab', project_id: 'gitlabhq', id: 'feature#45')
expect(get('/gitlab/gitlabhq/-/refs/feature%2B45/logs_tree')).to route_to('projects/refs#logs_tree', namespace_id: 'gitlab', project_id: 'gitlabhq', id: 'feature+45')
@@ -214,6 +215,10 @@ RSpec.describe 'project routing' do
it_behaves_like 'redirecting a legacy path',
'/gitlab/gitlabhq/refs/stable/logs_tree/new%0A%0Aline.txt',
'/gitlab/gitlabhq/-/refs/stable/logs_tree/new%0A%0Aline.txt'
+
+ it_behaves_like 'redirecting a legacy path',
+ '/gitlab/gitlabhq/refs/feature%2345/logs_tree/../../../../../@example.com/tree/a',
+ '/gitlab/gitlabhq/-/refs/feature#45/logs_tree/../../../../../-/example.com/tree/a'
end
describe Projects::MergeRequestsController, 'routing' do
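Review bot: The new legacy-redirect case only places `@` in the `*path` segment; the `:id` segment is interpolated into the same redirect string and, under the `/.*/` constraint in `repository_deprecated.rb`, can itself contain slashes, so a companion case with `@` inside the ref (e.g. `'/gitlab/gitlabhq/refs/..%2F@example.com/logs_tree/a'`) would pin the intended behaviour for that part too. The expected target also keeps `../../../../../` verbatim, so the test is tied to one exact string rather than to the property being protected; if the shared example exposes the raw Location, an additional assertion that it neither starts with `//` nor contains `@` would state that property directly. `describe Projects::MergeRequestsController` on the last line opens a block that continues past the hunk.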