Add latest changes from gitlab-org/security/gitlab@15-2-stable-ee

4 files changed, 33 insertions, 1 deletions

diff --git a/app/controllers/autocomplete_controller.rb b/app/controllers/autocomplete_controller.rb
index 32d1ddf920e..6d1ffc1f2e8 100644
--- a/app/controllers/autocomplete_controller.rb
+++ b/app/controllers/autocomplete_controller.rb
@@ -5,6 +5,7 @@ class AutocompleteController < ApplicationController
 
   skip_before_action :authenticate_user!, only: [:users, :award_emojis, :merge_request_target_branches]
   before_action :check_search_rate_limit!, only: [:users, :projects]
+  before_action :authorize_admin_project, only: :deploy_keys_with_owners
 
   feature_category :users, [:users, :user]
   feature_category :projects, [:projects]
@@ -69,6 +70,10 @@ class AutocompleteController < ApplicationController
 
   private
 
+  def authorize_admin_project
+    render_403 unless Ability.allowed?(current_user, :admin_project, project)
+  end
+
   def project
     @project ||= Autocomplete::ProjectFinder
       .new(current_user, params)
diff --git a/app/finders/issuable_finder.rb b/app/finders/issuable_finder.rb
index 8ecf0c158e0..47b2a460e6f 100644
--- a/app/finders/issuable_finder.rb
+++ b/app/finders/issuable_finder.rb
@@ -483,10 +483,14 @@ class IssuableFinder
   end
 
   def by_crm_contact(items)
+    return items unless can_filter_by_crm_contact?
+
     Issuables::CrmContactFilter.new(params: original_params).filter(items)
   end
 
   def by_crm_organization(items)
+    return items unless can_filter_by_crm_organization?
+
     Issuables::CrmOrganizationFilter.new(params: original_params).filter(items)
   end
 
@@ -499,4 +503,20 @@ class IssuableFinder
   def feature_flag_scope
     params.group || params.project
   end
+
+  def can_filter_by_crm_contact?
+    current_user&.can?(:read_crm_contact, root_group)
+  end
+
+  def can_filter_by_crm_organization?
+    current_user&.can?(:read_crm_organization, root_group)
+  end
+
+  def root_group
+    strong_memoize(:root_group) do
+      base_group = params.group || params.project&.group
+
+      base_group&.root_ancestor
+    end
+  end
 end
diff --git a/app/models/hooks/web_hook_log.rb b/app/models/hooks/web_hook_log.rb
index 2f03b3591cf..24e5f193a32 100644
--- a/app/models/hooks/web_hook_log.rb
+++ b/app/models/hooks/web_hook_log.rb
@@ -22,6 +22,7 @@ class WebHookLog < ApplicationRecord
   validates :web_hook, presence: true
 
   before_save :obfuscate_basic_auth
+  before_save :redact_author_email
 
   def self.recent
     where('created_at >= ?', 2.days.ago.beginning_of_day)
@@ -52,4 +53,10 @@ class WebHookLog < ApplicationRecord
   def obfuscate_basic_auth
     self.url = safe_url
   end
+
+  def redact_author_email
+    return unless self.request_data.dig('commit', 'author', 'email').present?
+
+    self.request_data['commit']['author']['email'] = _('[REDACTED]')
+  end
 end
diff --git a/app/serializers/build_details_entity.rb b/app/serializers/build_details_entity.rb
index 5f72259f34a..dc7b5e95361 100644
--- a/app/serializers/build_details_entity.rb
+++ b/app/serializers/build_details_entity.rb
@@ -151,7 +151,7 @@ class BuildDetailsEntity < Ci::JobEntity
     # We do not return the invalid_dependencies for all scenarios see https://gitlab.com/gitlab-org/gitlab/-/issues/287772#note_914406387
     punctuation = invalid_dependencies.empty? ? '.' : ': '
     _("This job could not start because it could not retrieve the needed artifacts%{punctuation}%{invalid_dependencies}") %
-      { invalid_dependencies: invalid_dependencies, punctuation: punctuation }
+      { invalid_dependencies: html_escape(invalid_dependencies), punctuation: punctuation }
   end
 
   def help_message(docs_url)