authorGitLab Bot <gitlab-bot@gitlab.com>2020-12-04 16:51:40 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2020-12-04 16:51:40 +0000
commitaefe6486cf0d193067112b90145083d73b96bfef (patch)
tree02dbf7d022069b183f34b63e99eb359d7e001ddb /app
parent66ebf02c05dc69a65731d61baf28ef3335db2bbf (diff)
downloadgitlab-ce-aefe6486cf0d193067112b90145083d73b96bfef.tar.gz
Add latest changes from gitlab-org/security/gitlab@13-6-stable-ee
Diffstat (limited to 'app')
-rw-r--r--app/assets/javascripts/behaviors/markdown/render_mermaid.js32
-rw-r--r--app/controllers/explore/projects_controller.rb4
-rw-r--r--app/controllers/search_controller.rb1
-rw-r--r--app/finders/projects_finder.rb4
-rw-r--r--app/graphql/types/user_type.rb6
-rw-r--r--app/presenters/user_presenter.rb14
-rw-r--r--app/views/explore/projects/_projects.html.haml6
7 files changed, 54 insertions, 13 deletions
diff --git a/app/assets/javascripts/behaviors/markdown/render_mermaid.js b/app/assets/javascripts/behaviors/markdown/render_mermaid.js
index 233c5f84340..602f156dbf0 100644
--- a/app/assets/javascripts/behaviors/markdown/render_mermaid.js
+++ b/app/assets/javascripts/behaviors/markdown/render_mermaid.js
@@ -18,7 +18,13 @@ import { __, sprintf } from '~/locale';
//
// This is an arbitrary number; Can be iterated upon when suitable.
-const MAX_CHAR_LIMIT = 5000;
+const MAX_CHAR_LIMIT = 2000;
+// Max # of mermaid blocks that can be rendered in a page.
+const MAX_MERMAID_BLOCK_LIMIT = 50;
+// Keep a map of mermaid blocks we've already rendered.
+const elsProcessingMap = new WeakMap();
+let renderedMermaidBlocks = 0;
+
let mermaidModule = {};
function importMermaidModule() {
@@ -110,13 +116,22 @@ function renderMermaids($els) {
let renderedChars = 0;
$els.each((i, el) => {
+ // Skipping all the elements which we've already queued in requestIdleCallback
+ if (elsProcessingMap.has(el)) {
+ return;
+ }
+
const { source } = fixElementSource(el);
/**
- * Restrict the rendering to a certain amount of character to
- * prevent mermaidjs from hanging up the entire thread and
- * causing a DoS.
+ * Restrict the rendering to a certain amount of character
+ * and mermaid blocks to prevent mermaidjs from hanging
+ * up the entire thread and causing a DoS.
*/
- if ((source && source.length > MAX_CHAR_LIMIT) || renderedChars > MAX_CHAR_LIMIT) {
+ if (
+ (source && source.length > MAX_CHAR_LIMIT) ||
+ renderedChars > MAX_CHAR_LIMIT ||
+ renderedMermaidBlocks >= MAX_MERMAID_BLOCK_LIMIT
+ ) {
const html = `
<div class="alert gl-alert gl-alert-warning alert-dismissible lazy-render-mermaid-container js-lazy-render-mermaid-container fade show" role="alert">
<div>
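Review bot: The two budgets in this condition have different lifetimes: `renderedChars` is reset by `let renderedChars = 0;` at the top of every `renderMermaids` call, while `renderedMermaidBlocks` is module-level and never reset in the visible lines. Content that arrives in several calls therefore gets a fresh 2000-character budget each time, and only the block count is really per page. If the character cap is meant to be per page as well, declare `renderedChars` next to `renderedMermaidBlocks`; otherwise document the difference in the comment above the condition. `renderedChars > MAX_CHAR_LIMIT` is also tested before the current block is added, so the running total can pass the limit by up to one block. The body of `renderMermaids` continues outside this hunk.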
@@ -146,8 +161,13 @@ function renderMermaids($els) {
}
renderedChars += source.length;
+ renderedMermaidBlocks += 1;
+
+ const requestId = window.requestIdleCallback(() => {
+ renderMermaidEl(el);
+ });
- renderMermaidEl(el);
+ elsProcessingMap.set(el, requestId);
});
})
.catch(err => {
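Review bot: `window.requestIdleCallback` is called unguarded here, and some browsers (Safari among them) do not ship it by default, so unless a polyfill is loaded elsewhere this line throws and no diagram renders. A fallback such as `const schedule = window.requestIdleCallback || (cb => setTimeout(cb, 0));` keeps the deferral without the hard dependency. No `timeout` option is passed either, so on a page that is never idle the render can be postponed indefinitely. The `requestId` stored in `elsProcessingMap` is only ever tested with `has` in the visible lines; if nothing calls `cancelIdleCallback`, a `WeakSet` would state the intent more plainly.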
diff --git a/app/controllers/explore/projects_controller.rb b/app/controllers/explore/projects_controller.rb
index 42795e418a4..7a485eebfe3 100644
--- a/app/controllers/explore/projects_controller.rb
+++ b/app/controllers/explore/projects_controller.rb
@@ -8,6 +8,8 @@ class Explore::ProjectsController < Explore::ApplicationController
include SortingHelper
include SortingPreference
+ MIN_SEARCH_LENGTH = 3
+
before_action :set_non_archived_param
before_action :set_sorting
@@ -72,7 +74,7 @@ class Explore::ProjectsController < Explore::ApplicationController
def load_projects
load_project_counts
- projects = ProjectsFinder.new(current_user: current_user, params: params).execute
+ projects = ProjectsFinder.new(current_user: current_user, params: params.merge(minimum_search_length: MIN_SEARCH_LENGTH)).execute
projects = preload_associations(projects)
projects = projects.page(params[:page]).without_count
diff --git a/app/controllers/search_controller.rb b/app/controllers/search_controller.rb
index 4b21edc98d5..c92b3457640 100644
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@@ -144,7 +144,6 @@ class SearchController < ApplicationController
payload[:metadata] ||= {}
payload[:metadata]['meta.search.group_id'] = params[:group_id]
payload[:metadata]['meta.search.project_id'] = params[:project_id]
- payload[:metadata]['meta.search.search'] = params[:search]
payload[:metadata]['meta.search.scope'] = params[:scope]
payload[:metadata]['meta.search.filters.confidential'] = params[:confidential]
payload[:metadata]['meta.search.filters.state'] = params[:state]
diff --git a/app/finders/projects_finder.rb b/app/finders/projects_finder.rb
index 14b84d0bfa6..05dc69ebff6 100644
--- a/app/finders/projects_finder.rb
+++ b/app/finders/projects_finder.rb
@@ -18,6 +18,7 @@
# personal: boolean
# search: string
# search_namespaces: boolean
+# minimum_search_length: int
# non_archived: boolean
# archived: 'only' or boolean
# min_access_level: integer
@@ -182,6 +183,9 @@ class ProjectsFinder < UnionFinder
def by_search(items)
params[:search] ||= params[:name]
+
+ return items.none if params[:search].present? && params[:minimum_search_length].present? && params[:search].length < params[:minimum_search_length].to_i
+
items.optionally_search(params[:search], include_namespace: params[:search_namespaces].present?)
end
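Review bot: The new guard in `by_search` measures the raw string, so a term padded with whitespace meets the minimum without being any more selective. Whether `optionally_search` trims the term is not visible in this hunk. If it does not, compare the trimmed length instead: `params[:search].strip.length < params[:minimum_search_length].to_i`. The guard is also one long line with three conditions; a small private predicate (for example `search_too_short?`) with a comment saying why short terms return `items.none` would be easier to review.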
diff --git a/app/graphql/types/user_type.rb b/app/graphql/types/user_type.rb
index 2bb2284f8b0..783a0d8425a 100644
--- a/app/graphql/types/user_type.rb
+++ b/app/graphql/types/user_type.rb
@@ -30,8 +30,7 @@ module Types
resolver: Resolvers::TodoResolver,
description: 'Todos of the user'
field :group_memberships, Types::GroupMemberType.connection_type, null: true,
- description: 'Group memberships of the user',
- method: :group_members
+ description: 'Group memberships of the user'
field :group_count, GraphQL::INT_TYPE, null: true,
resolver: Resolvers::Users::GroupCountResolver,
description: 'Group count for the user',
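Review bot: With `method: :group_members` removed here, and `method: :project_members` removed in the next hunk, these fields resolve by name, so their privacy now depends on the object answering `group_memberships` and `project_memberships` with the presenter's filtered versions. Nothing at the field definitions says so, and the wiring of this type to `UserPresenter` is not visible in the hunk. A short comment on each field would stop a later edit from restoring a direct association, for example `# Resolved through UserPresenter, which hides memberships of private profiles`.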
@@ -39,8 +38,7 @@ module Types
field :status, Types::UserStatusType, null: true,
description: 'User status'
field :project_memberships, Types::ProjectMemberType.connection_type, null: true,
- description: 'Project memberships of the user',
- method: :project_members
+ description: 'Project memberships of the user'
field :starred_projects, Types::ProjectType.connection_type, null: true,
description: 'Projects starred by the user',
resolver: Resolvers::UserStarredProjectsResolver
diff --git a/app/presenters/user_presenter.rb b/app/presenters/user_presenter.rb
index f201b36346f..0028e6d9ef0 100644
--- a/app/presenters/user_presenter.rb
+++ b/app/presenters/user_presenter.rb
@@ -2,4 +2,18 @@
class UserPresenter < Gitlab::View::Presenter::Delegated
presents :user
+
+ def group_memberships
+ should_be_private? ? GroupMember.none : user.group_members
+ end
+
+ def project_memberships
+ should_be_private? ? ProjectMember.none : user.project_members
+ end
+
+ private
+
+ def should_be_private?
+ !can?(current_user, :read_user_profile, user)
+ end
end
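Review bot: `group_memberships` and `project_memberships` return an empty relation when the viewer lacks `:read_user_profile`, but no comment says this is an access-control decision rather than a convenience default. Something like `# Returns no memberships unless current_user may read this user's profile.` above each method would make that clear. `should_be_private?` also relies on `current_user` being supplied when the presenter is built. That is not shown here, so it is worth confirming every construction site passes it and noting the requirement on the class. A name that states the check, such as `profile_hidden_from_viewer?`, would read more directly than `should_be_private?`.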
diff --git a/app/views/explore/projects/_projects.html.haml b/app/views/explore/projects/_projects.html.haml
index 4275f76c046..b2154f71082 100644
--- a/app/views/explore/projects/_projects.html.haml
+++ b/app/views/explore/projects/_projects.html.haml
@@ -1 +1,5 @@
-= render 'shared/projects/list', projects: projects, user: current_user, explore_page: true, pipeline_status: Feature.enabled?(:dashboard_pipeline_status, default_enabled: true)
+- if params[:name].present? && params[:name].size < Explore::ProjectsController::MIN_SEARCH_LENGTH
+ .nothing-here-block
+ %h5= _('Enter at least three characters to search')
+- else
+ = render 'shared/projects/list', projects: projects, user: current_user, explore_page: true, pipeline_status: Feature.enabled?(:dashboard_pipeline_status, default_enabled: true)
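Review bot: The template decides on `params[:name]` alone, while `ProjectsFinder#by_search` applies the minimum to `params[:search] ||= params[:name]`. A request that sends a short term as `search` gets an empty result from the finder but falls into the `else` branch, which renders the ordinary list without the hint. The message also hard-codes "three" next to `Explore::ProjectsController::MIN_SEARCH_LENGTH`, so the text and the constant can drift apart. Consider having the controller compute the too-short flag once from the same value the finder uses, and building the message from the constant.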