authorGitLab Bot <gitlab-bot@gitlab.com>2022-06-29 14:30:51 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-06-29 14:30:51 +0000
commite74db6bfa85dbeb243dafcdbf03c0e5aff3f6069 (patch)
treeb10184090863fcb73ebcc444cc6123cdfd7f9520 /app
parent5370ec1c3d27d646be672039e78161d22b1e2a80 (diff)
downloadgitlab-ce-e74db6bfa85dbeb243dafcdbf03c0e5aff3f6069.tar.gz
Add latest changes from gitlab-org/security/gitlab@15-1-stable-ee
Diffstat (limited to 'app')
-rw-r--r--app/assets/javascripts/projects/settings/access_dropdown.js2
-rw-r--r--app/models/clusters/applications/runner.rb2
-rw-r--r--app/policies/project_policy.rb26
-rw-r--r--app/services/auth/container_registry_authentication_service.rb6
4 files changed, 29 insertions, 7 deletions
diff --git a/app/assets/javascripts/projects/settings/access_dropdown.js b/app/assets/javascripts/projects/settings/access_dropdown.js
index 7fb7a416dca..79dfa166b1a 100644
--- a/app/assets/javascripts/projects/settings/access_dropdown.js
+++ b/app/assets/javascripts/projects/settings/access_dropdown.js
@@ -537,7 +537,7 @@ export default class AccessDropdown {
return `
<li>
<a href="#" class="${isActiveClass}">
- <strong>${key.title}</strong>
+ <strong>${escape(key.title)}</strong>
<p>
${sprintf(
__('Owned by %{image_tag}'),
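Review bot: The new `escape(key.title)` on the `<strong>` line is the only escaped interpolation in this template literal; `${isActiveClass}` two lines above and the `sprintf(__('Owned by %{image_tag}'), …)` call that starts at the hunk's last line are interpolated into the same markup and are not visible in full here, so whether they need the same treatment cannot be confirmed from the hunk. A short why-comment would keep the next editor from dropping the call as redundant, e.g. `// key.title is presumably user-controlled; escape before interpolating into markup`. The `escape` helper must be imported at the top of the file, which is outside this hunk. The enclosing method of `AccessDropdown` begins and ends outside the hunk.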
diff --git a/app/models/clusters/applications/runner.rb b/app/models/clusters/applications/runner.rb
index bed0eab5a58..1ac4cbac1da 100644
--- a/app/models/clusters/applications/runner.rb
+++ b/app/models/clusters/applications/runner.rb
@@ -3,7 +3,7 @@
module Clusters
module Applications
class Runner < ApplicationRecord
- VERSION = '0.41.0'
+ VERSION = '0.42.1'
self.table_name = 'clusters_applications_runners'
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 6ddd83544bc..2594310c498 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -59,7 +59,13 @@ class ProjectPolicy < BasePolicy
desc "Container registry is disabled"
condition(:container_registry_disabled, scope: :subject) do
- !access_allowed_to?(:container_registry)
+ if user.is_a?(DeployToken)
+ (!user.read_registry? && !user.write_registry?) ||
+ user.revoked? ||
+ !project.container_registry_enabled?
+ else
+ !access_allowed_to?(:container_registry)
+ end
end
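Review bot: The new `DeployToken` branch of `container_registry_disabled` treats a token as usable unless `user.revoked?`, but it does not consider token expiry; the grant conditions added in the second hunk (`read_container_image_deploy_token`, `create_container_image_deploy_token`) go through `user.has_access_to?(project)`, which I believe also checks the token's active state, so the two predicates can disagree for an expired-but-unrevoked token. If `DeployToken#active?` is available (it exists in GitLab and covers both revocation and `expires_at`, as far as I recall), the disabled check should read `!user.active? ||` in place of `user.revoked? ||` so both paths apply the same notion of a live token. The three-way boolean in the `if` branch would also read better extracted into a private predicate such as `deploy_token_registry_disabled?`, which would let the `desc` remain the only documentation needed. The same consistency point applies to the rules in the third hunk, which enable the abilities purely on those conditions.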
desc "Container registry is enabled for everyone with access to the project"
@@ -88,6 +94,16 @@ class ProjectPolicy < BasePolicy
user.is_a?(DeployKey) && user.can_push_to?(project)
end
+ desc "Deploy token with read_container_image scope"
+ condition(:read_container_image_deploy_token) do
+ user.is_a?(DeployToken) && user.has_access_to?(project) && user.read_registry?
+ end
+
+ desc "Deploy token with create_container_image scope"
+ condition(:create_container_image_deploy_token) do
+ user.is_a?(DeployToken) && user.has_access_to?(project) && user.write_registry?
+ end
+
desc "Deploy token with read_package_registry scope"
condition(:read_package_registry_deploy_token) do
user.is_a?(DeployToken) && user.has_access_to?(project) && user.read_package_registry
@@ -697,6 +713,14 @@ class ProjectPolicy < BasePolicy
enable :push_code
end
+ rule { read_container_image_deploy_token }.policy do
+ enable :read_container_image
+ end
+
+ rule { create_container_image_deploy_token }.policy do
+ enable :create_container_image
+ end
+
rule { read_package_registry_deploy_token }.policy do
enable :read_package
enable :read_project
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index 6d6d8641d9d..e806bef46fe 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -215,15 +215,13 @@ module Auth
def deploy_token_can_pull?(requested_project)
has_authentication_ability?(:read_container_image) &&
deploy_token.present? &&
- deploy_token.has_access_to?(requested_project) &&
- deploy_token.read_registry?
+ can?(deploy_token, :read_container_image, requested_project)
end
def deploy_token_can_push?(requested_project)
has_authentication_ability?(:create_container_image) &&
deploy_token.present? &&
- deploy_token.has_access_to?(requested_project) &&
- deploy_token.write_registry?
+ can?(deploy_token, :create_container_image, requested_project)
end
##
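Review bot: After this change `deploy_token_can_pull?` and `deploy_token_can_push?` are identical apart from the ability symbol, which each method now passes twice (to `has_authentication_ability?` and to `can?`); folding them into one private helper keeps the two symbols from drifting apart and makes the policy delegation the single place a reviewer has to read. Note that routing through `can?` also subjects the deploy token to the policy's other prevention rules (for example the container-registry-disabled condition), which the removed inline `has_access_to?`/`read_registry?` checks did not; a one-line comment on the helper recording that this is intentional would help, e.g. `# Scope, revocation and project access are all enforced by ProjectPolicy.` The enclosing module continues outside the hunk.
```ruby
def deploy_token_can_pull?(requested_project)
  deploy_token_can?(:read_container_image, requested_project)
end

def deploy_token_can_push?(requested_project)
  deploy_token_can?(:create_container_image, requested_project)
end

# Scope, revocation and project access are all enforced by ProjectPolicy.
def deploy_token_can?(ability, requested_project)
  has_authentication_ability?(ability) &&
    deploy_token.present? &&
    can?(deploy_token, ability, requested_project)
end
```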