author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-12-04 16:53:44 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-12-04 16:53:44 +0000 |
commit | 4e3a54f835daa49bf784d6e6ad91e90116a24dc8 (patch) | |
tree | 8e1f7be7a80da2de02b2da0ed88f81b2f6b6de8c /app | |
parent | aefe6486cf0d193067112b90145083d73b96bfef (diff) | |
download | gitlab-ce-4e3a54f835daa49bf784d6e6ad91e90116a24dc8.tar.gz |
Add latest changes from gitlab-org/security/gitlab@13-6-stable-ee
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/users_controller.rb | 2 | ||||
-rw-r--r-- | app/finders/starred_projects_finder.rb | 11 | ||||
-rw-r--r-- | app/services/todos/destroy/entity_leave_service.rb | 6 | ||||
-rw-r--r-- | app/validators/zoom_url_validator.rb | 7 | ||||
-rw-r--r-- | app/views/devise/confirmations/new.html.haml | 2 |
5 files changed, 23 insertions, 5 deletions
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 672f36dedc0..05573255066 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -19,7 +19,7 @@ class UsersController < ApplicationController
 prepend_before_action(only: [:show]) { authenticate_sessionless_user!(:rss) }
 before_action :user, except: [:exists, :suggests]
 before_action :authorize_read_user_profile!,
- only: [:calendar, :calendar_activities, :groups, :projects, :contributed_projects, :starred_projects, :snippets]
+ only: [:calendar, :calendar_activities, :groups, :projects, :contributed, :starred, :snippets]
 feature_category :users
diff --git a/app/finders/starred_projects_finder.rb b/app/finders/starred_projects_finder.rb
index fcb469d1d17..e209960c471 100644
--- a/app/finders/starred_projects_finder.rb
+++ b/app/finders/starred_projects_finder.rb
@@ -1,11 +1,22 @@
 # frozen_string_literal: true
 class StarredProjectsFinder < ProjectsFinder
+ include Gitlab::Allowable
+
 def initialize(user, params: {}, current_user: nil)
+ @user = user
+
 super(
 params: params,
 current_user: current_user,
 project_ids_relation: user.starred_projects.select(:id)
 )
 end
+
+ def execute
+ # Do not show starred projects if the user has a private profile.
+ return Project.none unless can?(current_user, :read_user_profile, @user)
+
+ super
+ end
 end
diff --git a/app/services/todos/destroy/entity_leave_service.rb b/app/services/todos/destroy/entity_leave_service.rb
index 97c56b84434..7cfedc2233a 100644
--- a/app/services/todos/destroy/entity_leave_service.rb
+++ b/app/services/todos/destroy/entity_leave_service.rb
@@ -22,7 +22,7 @@ module Todos
 # if at least reporter, all entities including confidential issues can be accessed
 return if user_has_reporter_access?
- remove_confidential_issue_todos
+ remove_confidential_resource_todos
 if entity.private?
 remove_project_todos
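Review bot: The corrected symbols in `only:` are the whole fix, yet nothing stops the same regression from recurring: Rails before 7.1 does not raise when an `only:` entry names no action, which is how `:contributed_projects` and `:starred_projects` left the `contributed` and `starred` actions running without `authorize_read_user_profile!`. A why-comment above the callback would make that hazard visible: `# Symbols here must match action names exactly; an unknown symbol is silently ignored and that action runs unauthorized.` A request spec that calls each listed action against a private profile and expects the profile data to be withheld is the durable guard. The UsersController class body continues outside the hunk.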
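Review bot: The new `execute` guard says what it does but not why it lives in the finder rather than only in the controller; since `app/controllers/users_controller.rb` is being repaired in the same commit, the finder check presumably exists so callers that never pass through that controller callback are covered too, and the comment should record that: `# Enforced in the finder as well as the controller so every caller respects private profiles.` `current_user` is not defined in this hunk and is presumably a reader inherited from ProjectsFinder — worth confirming it is the same value handed to `super` in `initialize`. The guard also relies on `@user` being assigned before `super`, which `initialize` does. The whole class is inside the hunk.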
@@ -40,7 +40,7 @@ module Todos
 end
 end
- def remove_confidential_issue_todos
+ def remove_confidential_resource_todos
 Todo
 .for_target(confidential_issues.select(:id))
 .for_type(Issue.name)
@@ -133,3 +133,5 @@ module Todos
 end
 end
 end
+
+Todos::Destroy::EntityLeaveService.prepend_if_ee('EE::Todos::Destroy::EntityLeaveService')
diff --git a/app/validators/zoom_url_validator.rb b/app/validators/zoom_url_validator.rb
index dc4ca6b9501..e0f8e4e34a2 100644
--- a/app/validators/zoom_url_validator.rb
+++ b/app/validators/zoom_url_validator.rb
@@ -5,8 +5,13 @@
 # Custom validator for zoom urls
 #
 class ZoomUrlValidator < ActiveModel::EachValidator
+ ALLOWED_SCHEMES = %w(https).freeze
+
 def validate_each(record, attribute, value)
- return if Gitlab::ZoomLinkExtractor.new(value).links.size == 1
+ links_count = Gitlab::ZoomLinkExtractor.new(value).links.size
+ valid = Gitlab::UrlSanitizer.valid?(value, allowed_schemes: ALLOWED_SCHEMES)
+
+ return if links_count == 1 && valid
 record.errors.add(:url, 'must contain one valid Zoom URL')
 end
diff --git a/app/views/devise/confirmations/new.html.haml b/app/views/devise/confirmations/new.html.haml
index 49112ed6cd5..770a29a629e 100644
--- a/app/views/devise/confirmations/new.html.haml
+++ b/app/views/devise/confirmations/new.html.haml
@@ -6,7 +6,7 @@
 = render "devise/shared/error_messages", resource: resource
 .form-group
 = f.label :email
- = f.email_field :email, class: "form-control", required: true, title: 'Please provide a valid email address.'
+ = f.email_field :email, class: "form-control", required: true, title: 'Please provide a valid email address.', value: nil
 .clearfix
 = f.submit "Resend", class: 'gl-button btn btn-success' |
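Review bot: `validate_each` evaluates both checks eagerly, so a value already rejected by the https allow-list still runs `Gitlab::ZoomLinkExtractor`, and the two locals add little over a short-circuited condition: `return if Gitlab::UrlSanitizer.valid?(value, allowed_schemes: ALLOWED_SCHEMES) && Gitlab::ZoomLinkExtractor.new(value).links.size == 1`. `ALLOWED_SCHEMES` is the substance of the fix and deserves a why-comment, e.g. `# Only https is accepted; one extracted Zoom link is not enough on its own, the whole value must also be a valid https URL.` The class's closing `end` lies outside the hunk.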
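Review bot: `value: nil` is the entire change on this line and nothing explains it, so a later tidy-up could treat it as a no-op and remove it, restoring whatever prefill it suppresses; a HAML comment on the line above would anchor it: `-# Keep value: nil so the field is never prefilled from the resource.` Why the prefill is unwanted is not shown here — presumably the resource's email should not be echoed back to whoever opens this form — so the comment should state the reason once confirmed. The surrounding form block starts and ends outside the hunk.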