Merge branch 'master' into feature/multi-level-container-registry-images

* master: (94 commits)
  Merge branch 'open-redirect-fix-continue-to' into 'security'
  Merge branch 'open-redirect-host-fix' into 'security'
  Merge branch 'path-disclosure-proj-import-export' into 'security'
  Merge branch '29364-private-projects-mr-fix'
  Merge branch '30125-markdown-security'
  Issue title realtime
  Update CHANGELOG.md for 8.16.9
  Update CHANGELOG.md for 8.17.5
  Update CHANGELOG.md for 9.0.4
  Add "search" optional param and docs for V4
  Use PDFLab to render PDFs in GitLab
  Separate Scala from Java in CI examples
  Fix broken link
  Reorganize CI examples, add more links
  Refactor CI index page
  Remove deprecated field from workhorse response
  Use gitlab-workhorse 1.4.3
  Document how ETag caching middleware handles query parameters
  Make group skip validation in the frontend
  Use NamespaceValidator::WILDCARD_ROUTES in ETag caching middleware
  ...

7 files changed, 34 insertions, 14 deletions

diff --git a/app/controllers/concerns/continue_params.rb b/app/controllers/concerns/continue_params.rb
index 0a995c45bdf..eb3a623acdd 100644
--- a/app/controllers/concerns/continue_params.rb
+++ b/app/controllers/concerns/continue_params.rb
@@ -7,6 +7,7 @@ module ContinueParams
 
     continue_params = continue_params.permit(:to, :notice, :notice_now)
     return unless continue_params[:to] && continue_params[:to].start_with?('/')
+    return if continue_params[:to].start_with?('//')
 
     continue_params
   end
diff --git a/app/controllers/concerns/issuable_collections.rb b/app/controllers/concerns/issuable_collections.rb
index 85ae4985e58..c8a501d7319 100644
--- a/app/controllers/concerns/issuable_collections.rb
+++ b/app/controllers/concerns/issuable_collections.rb
@@ -15,6 +15,9 @@ module IssuableCollections
     # a new order into the collection.
     # We cannot use reorder to not mess up the paginated collection.
     issuable_ids = issuable_collection.map(&:id)
+
+    return {} if issuable_ids.empty?
+
     issuable_note_count = Note.count_for_collection(issuable_ids, @collection_type)
     issuable_votes_count = AwardEmoji.votes_for_collection(issuable_ids, @collection_type)
     issuable_merge_requests_count =
diff --git a/app/controllers/dashboard/todos_controller.rb b/app/controllers/dashboard/todos_controller.rb
index 498690e8f11..4d7d45787fc 100644
--- a/app/controllers/dashboard/todos_controller.rb
+++ b/app/controllers/dashboard/todos_controller.rb
@@ -7,7 +7,7 @@ class Dashboard::TodosController < Dashboard::ApplicationController
     @sort = params[:sort]
     @todos = @todos.page(params[:page])
     if @todos.out_of_range? && @todos.total_pages != 0
-      redirect_to url_for(params.merge(page: @todos.total_pages))
+      redirect_to url_for(params.merge(page: @todos.total_pages, only_path: true))
     end
   end
 
diff --git a/app/controllers/groups/application_controller.rb b/app/controllers/groups/application_controller.rb
index c411c21bb80..8b69c18d689 100644
--- a/app/controllers/groups/application_controller.rb
+++ b/app/controllers/groups/application_controller.rb
@@ -10,6 +10,7 @@ class Groups::ApplicationController < ApplicationController
     unless @group
       id = params[:group_id] || params[:id]
       @group = Group.find_by_full_path(id)
+      @group_merge_requests = MergeRequestsFinder.new(current_user, group_id: @group.id).execute
 
       unless @group && can?(current_user, :read_group, @group)
         @group = nil
diff --git a/app/controllers/import/base_controller.rb b/app/controllers/import/base_controller.rb
index eeee027ef2d..9de0297ecfd 100644
--- a/app/controllers/import/base_controller.rb
+++ b/app/controllers/import/base_controller.rb
@@ -1,17 +1,27 @@
 class Import::BaseController < ApplicationController
   private
 
-  def find_or_create_namespace(name, owner)
-    return current_user.namespace if name == owner
+  def find_or_create_namespace(names, owner)
+    return current_user.namespace if names == owner
     return current_user.namespace unless current_user.can_create_group?
 
-    begin
-      name = params[:target_namespace].presence || name
-      namespace = Group.create!(name: name, path: name, owner: current_user)
-      namespace.add_owner(current_user)
-      namespace
-    rescue ActiveRecord::RecordNotUnique, ActiveRecord::RecordInvalid
-      Namespace.find_by_full_path(name)
+    names = params[:target_namespace].presence || names
+    full_path_namespace = Namespace.find_by_full_path(names)
+
+    return full_path_namespace if full_path_namespace
+
+    names.split('/').inject(nil) do |parent, name|
+      begin
+        namespace = Group.create!(name: name,
+                                  path: name,
+                                  owner: current_user,
+                                  parent: parent)
+        namespace.add_owner(current_user)
+
+        namespace
+      rescue ActiveRecord::RecordNotUnique, ActiveRecord::RecordInvalid
+        Namespace.where(parent: parent).find_by_path_or_name(name)
+      end
     end
   end
 end
diff --git a/app/controllers/projects/issues_controller.rb b/app/controllers/projects/issues_controller.rb
index d984e6d3918..a50e16fa4ff 100644
--- a/app/controllers/projects/issues_controller.rb
+++ b/app/controllers/projects/issues_controller.rb
@@ -11,10 +11,10 @@ class Projects::IssuesController < Projects::ApplicationController
   before_action :redirect_to_external_issue_tracker, only: [:index, :new]
   before_action :module_enabled
   before_action :issue, only: [:edit, :update, :show, :referenced_merge_requests,
-                               :related_branches, :can_create_branch]
+                               :related_branches, :can_create_branch, :rendered_title]
 
   # Allow read any issue
-  before_action :authorize_read_issue!, only: [:show]
+  before_action :authorize_read_issue!, only: [:show, :rendered_title]
 
   # Allow write(create) issue
   before_action :authorize_create_issue!, only: [:new, :create]
@@ -31,7 +31,7 @@ class Projects::IssuesController < Projects::ApplicationController
     @issuable_meta_data = issuable_meta_data(@issues, @collection_type)
 
     if @issues.out_of_range? && @issues.total_pages != 0
-      return redirect_to url_for(params.merge(page: @issues.total_pages))
+      return redirect_to url_for(params.merge(page: @issues.total_pages, only_path: true))
     end
 
     if params[:label_name].present?
@@ -200,6 +200,11 @@ class Projects::IssuesController < Projects::ApplicationController
     end
   end
 
+  def rendered_title
+    Gitlab::PollingInterval.set_header(response, interval: 3_000)
+    render json: { title: view_context.markdown_field(@issue, :title) }
+  end
+
   protected
 
   def issue
diff --git a/app/controllers/projects/merge_requests_controller.rb b/app/controllers/projects/merge_requests_controller.rb
index 37e3ac05916..a79d801991a 100755
--- a/app/controllers/projects/merge_requests_controller.rb
+++ b/app/controllers/projects/merge_requests_controller.rb
@@ -43,7 +43,7 @@ class Projects::MergeRequestsController < Projects::ApplicationController
     @issuable_meta_data = issuable_meta_data(@merge_requests, @collection_type)
 
     if @merge_requests.out_of_range? && @merge_requests.total_pages != 0
-      return redirect_to url_for(params.merge(page: @merge_requests.total_pages))
+      return redirect_to url_for(params.merge(page: @merge_requests.total_pages, only_path: true))
     end
 
     if params[:label_name].present?