authorGitLab Bot <gitlab-bot@gitlab.com>2022-11-30 04:47:13 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-11-30 04:47:32 +0000
commit1f6654659564013b8aa4f3572158cb63d3a519c1 (patch)
tree0db2ae38308cb4ce7c7f33bfc670e228ea2be1e7 /app
parentd7437af3f31f388bf59b23a06c9bff5c8c5fd157 (diff)
Add latest changes from gitlab-org/security/gitlab@15-6-stable-ee
Diffstat (limited to 'app')
-rw-r--r--app/models/ci/build_runner_session.rb20
-rw-r--r--app/models/project.rb2
-rw-r--r--app/models/user.rb2
-rw-r--r--app/policies/packages/policies/group_policy.rb2
4 files changed, 15 insertions, 11 deletions
diff --git a/app/models/ci/build_runner_session.rb b/app/models/ci/build_runner_session.rb
index c6dbb5d0a43..0f37ce70964 100644
--- a/app/models/ci/build_runner_session.rb
+++ b/app/models/ci/build_runner_session.rb
@@ -13,14 +13,15 @@ module Ci
belongs_to :build, class_name: 'Ci::Build', inverse_of: :runner_session
validates :build, presence: true
- validates :url, addressable_url: { schemes: %w(https) }
+ validates :url, public_url: { schemes: %w(https) }
def terminal_specification
- wss_url = Gitlab::UrlHelpers.as_wss(self.url)
+ wss_url = Gitlab::UrlHelpers.as_wss(Addressable::URI.escape(self.url))
return {} unless wss_url.present?
- wss_url = "#{wss_url}/exec"
- channel_specification(wss_url, TERMINAL_SUBPROTOCOL)
+ parsed_wss_url = URI.parse(wss_url)
+ parsed_wss_url.path += '/exec'
+ channel_specification(parsed_wss_url, TERMINAL_SUBPROTOCOL)
end
def service_specification(service: nil, path: nil, port: nil, subprotocols: nil)
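Review bot: `URI.parse(wss_url)` in `terminal_specification` has no rescue, so a stored `url` that Addressable escapes but stdlib `URI` still rejects would raise `URI::InvalidURIError` instead of returning `{}` like the blank case just above it. The new `public_url` validator presumably runs only on save, so rows written under the old `addressable_url` validator may not have been re-checked. Consider a `rescue URI::InvalidURIError` that returns `{}`, and a comment on the path append such as `# append via URI#path so a query or fragment in the stored URL cannot absorb the suffix`. The same applies to the `URI.parse` call in `service_specification` in the next hunk.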
@@ -28,20 +29,21 @@ module Ci
port = port.presence || DEFAULT_PORT_NAME
service = service.presence || DEFAULT_SERVICE_NAME
- url = "#{self.url}/proxy/#{service}/#{port}/#{path}"
+ parsed_url = URI.parse(Addressable::URI.escape(self.url))
+ parsed_url.path += "/proxy/#{service}/#{port}/#{path}"
subprotocols = subprotocols.presence || ::Ci::BuildRunnerSession::TERMINAL_SUBPROTOCOL
- channel_specification(url, subprotocols)
+ channel_specification(parsed_url, subprotocols)
end
private
- def channel_specification(url, subprotocol)
- return {} if subprotocol.blank? || url.blank?
+ def channel_specification(parsed_url, subprotocol)
+ return {} if subprotocol.blank? || parsed_url.blank?
{
subprotocols: Array(subprotocol),
- url: url,
+ url: Addressable::URI.unescape(parsed_url.to_s),
headers: { Authorization: [authorization.presence] }.compact,
ca_pem: certificate.presence
}
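Review bot: `service`, `port` and `path` are interpolated into `parsed_url.path` in `service_specification` without per-segment validation, and `channel_specification` then runs `Addressable::URI.unescape` over the whole URL, including that appended suffix. If any of these values can come from a request, percent-encoded delimiters or dot segments in them would be decoded into the final `url:` value, and characters that stdlib `URI` rejects would raise `URI::InvalidComponentError` from `path=`. If legitimate callers never need such characters, consider rejecting them before building the path, e.g. `return {} if [service, port, path].any? { |s| s.to_s.match?(/[%?#]|\.\./) }`. Alternatively, unescape only the stored base URL rather than the appended suffix. The body of `channel_specification` continues past the end of this hunk.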
diff --git a/app/models/project.rb b/app/models/project.rb
index a07d4147228..0c4f76fb2b9 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -2152,8 +2152,8 @@ class Project < ApplicationRecord
end
def after_import
- repository.remove_prohibited_branches
repository.expire_content_cache
+ repository.remove_prohibited_branches
wiki.repository.expire_content_cache
DetectRepositoryLanguagesWorker.perform_async(id)
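Review bot: The new order in `after_import` is load-bearing but undocumented, so a later cleanup could swap the two calls back. Presumably `remove_prohibited_branches` must see a fresh branch list rather than one cached before the import finished. A comment above the pair would record that, e.g. `# expire caches first so prohibited-branch removal reads the imported refs, not stale cached ones`. A spec asserting the call order would also guard it. `after_import` starts and ends outside this hunk.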
diff --git a/app/models/user.rb b/app/models/user.rb
index 24f947183a2..b4b8a7ef7ad 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1556,7 +1556,7 @@ class User < ApplicationRecord
name: name,
username: username,
avatar_url: avatar_url(only_path: false),
- email: public_email.presence || _('[REDACTED]')
+ email: webhook_email
}
end
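Review bot: The hook payload's `email:` now depends entirely on `webhook_email`, whose definition is not part of this diff, so the redaction behaviour cannot be confirmed from here. The removed line fell back to `_('[REDACTED]')` when `public_email` was blank; the new method should keep a non-disclosing fallback and never return the private `email`. A short comment at this call site, e.g. `# webhook_email never exposes a non-public address`, would help. A spec covering a user with no public email would make that contract explicit. The enclosing method begins before this hunk.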
diff --git a/app/policies/packages/policies/group_policy.rb b/app/policies/packages/policies/group_policy.rb
index 32dbcb1b65b..d8c20c7a90a 100644
--- a/app/policies/packages/policies/group_policy.rb
+++ b/app/policies/packages/policies/group_policy.rb
@@ -25,3 +25,5 @@ module Packages
end
end
end
+
+Packages::Policies::GroupPolicy.prepend_mod_with('Packages::Policies::GroupPolicy')