authorGitLab Bot <gitlab-bot@gitlab.com>2023-03-01 18:28:24 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2023-03-01 18:28:24 +0000
commit47414496d427785d86832bcaca617233f904a2e0 (patch)
tree55c0e9671c5f513654fabdfc6dea1982528a5f9e /lib
parent6b75388b67c35271bc18f2dbd41a72accd927808 (diff)
downloadgitlab-ce-47414496d427785d86832bcaca617233f904a2e0.tar.gz
Add latest changes from gitlab-org/security/gitlab@15-9-stable-ee
Diffstat (limited to 'lib')
-rw-r--r--lib/api/entities/tag.rb8
-rw-r--r--lib/api/tags.rb10
-rw-r--r--lib/banzai/filter/kroki_filter.rb6
3 files changed, 20 insertions, 4 deletions
diff --git a/lib/api/entities/tag.rb b/lib/api/entities/tag.rb
index 713bae64d5c..5047258dd97 100644
--- a/lib/api/entities/tag.rb
+++ b/lib/api/entities/tag.rb
@@ -3,6 +3,8 @@
module API
module Entities
class Tag < Grape::Entity
+ include RequestAwareEntity
+
expose :name, documentation: { type: 'string', example: 'v1.0.0' }
expose :message, documentation: { type: 'string', example: 'Release v1.0.0' }
expose :target, documentation: { type: 'string', example: '2695effb5807a22ff3d138d593fd856244e155e7' }
@@ -12,7 +14,7 @@ module API
end
# rubocop: disable CodeReuse/ActiveRecord
- expose :release, using: Entities::TagRelease do |repo_tag, options|
+ expose :release, using: Entities::TagRelease, if: ->(*) { can_read_release? } do |repo_tag, options|
options[:project].releases.find_by(tag: repo_tag.name)
end
# rubocop: enable CodeReuse/ActiveRecord
@@ -20,6 +22,10 @@ module API
expose :protected, documentation: { type: 'boolean', example: true } do |repo_tag, options|
::ProtectedTag.protected?(options[:project], repo_tag.name)
end
+
+ def can_read_release?
+ can?(options[:current_user], :read_release, options[:project])
+ end
end
end
end
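Review bot: The new `if:` guard and `can_read_release?` depend on every caller passing `current_user:` in the entity options, and nothing on the entity says so; a caller that still presents `Entities::Tag` without it evaluates `can?(nil, :read_release, options[:project])`, which presumably falls back to anonymous permissions rather than raising. Suggest a comment above the method, `# Requires options[:current_user] and options[:project]; a missing user is treated as anonymous, so release data is only shown where anonymous read_release is allowed`. `can_read_release?` is also added as a public method on the entity; placing it under `private` keeps it off the entity's surface, and the `if:` proc at line 36 should still reach it because grape-entity evaluates block conditions with instance_exec on the entity (worth confirming against the pinned gem version). The `expose :release` line that uses the guard is in the earlier hunk at lines 32-39.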
diff --git a/lib/api/tags.rb b/lib/api/tags.rb
index 4ddf22c726f..f918fb997bf 100644
--- a/lib/api/tags.rb
+++ b/lib/api/tags.rb
@@ -45,7 +45,13 @@ module API
paginated_tags = Gitlab::Pagination::GitalyKeysetPager.new(self, user_project).paginate(tags_finder)
- present_cached paginated_tags, with: Entities::Tag, project: user_project, cache_context: -> (_tag) { user_project.cache_key }
+ present_cached paginated_tags,
+ with: Entities::Tag,
+ project: user_project,
+ current_user: current_user,
+ cache_context: -> (_tag) do
+ [user_project.cache_key, can?(current_user, :read_release, user_project)].join(':')
+ end
rescue Gitlab::Git::InvalidPageToken => e
unprocessable_entity!(e.message)
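Review bot: The `can?(current_user, :read_release, user_project)` call inside the `cache_context` lambda runs once per tag in the page, although its result cannot differ between tags of the same project; hoisting it keeps the cache key the same and avoids the repeated policy lookup: `read_release = can?(current_user, :read_release, user_project)` before `present_cached`, then `cache_context: -> (_tag) { [user_project.cache_key, read_release].join(':') }`. Folding the permission into the cache key is what keeps a cached entity rendered for a user who may read releases from being served to one who may not, so a one-line comment on the lambda saying that (`# release visibility is part of the cached JSON, so it must be part of the key`) would stop a later cleanup from dropping it. The endpoint block this lives in starts before the hunk, as the bare `rescue` shows.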
@@ -68,7 +74,7 @@ module API
tag = user_project.repository.find_tag(params[:tag_name])
not_found!('Tag') unless tag
- present tag, with: Entities::Tag, project: user_project
+ present tag, with: Entities::Tag, project: user_project, current_user: current_user
end
desc 'Create a new repository tag' do
diff --git a/lib/banzai/filter/kroki_filter.rb b/lib/banzai/filter/kroki_filter.rb
index 26f42c6b194..2b9e2a22c11 100644
--- a/lib/banzai/filter/kroki_filter.rb
+++ b/lib/banzai/filter/kroki_filter.rb
@@ -9,6 +9,8 @@ module Banzai
# HTML that replaces all diagrams supported by Kroki with the corresponding img tags.
# If the source content is large then the hidden attribute is added to the img tag.
class KrokiFilter < HTML::Pipeline::Filter
+ include ActionView::Helpers::TagHelper
+
MAX_CHARACTER_LIMIT = 2000
def call
@@ -27,9 +29,11 @@ module Banzai
diagram_format = "svg"
doc.xpath(xpath).each do |node|
diagram_type = node.parent['lang'] || node['lang']
+ next unless diagram_selectors.include?(diagram_type)
+
diagram_src = node.content
image_src = create_image_src(diagram_type, diagram_format, diagram_src)
- img_tag = Nokogiri::HTML::DocumentFragment.parse(%(<img src="#{image_src}" />))
+ img_tag = Nokogiri::HTML::DocumentFragment.parse(content_tag(:img, nil, src: image_src))
img_tag = img_tag.children.first
next if img_tag.nil?
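Review bot: The new `next unless diagram_selectors.include?(diagram_type)` guard has no comment saying why it exists, and since `lang` is read from the rendered markup it is the check that keeps unknown attribute values from ever reaching `create_image_src`; suggest `# lang comes from author-controlled markup: only known Kroki diagram languages may become an image URL`. `diagram_selectors` is defined outside this hunk, so whether it is a fixed allow-list cannot be confirmed from here. Separately, `content_tag(:img, nil, src: image_src)` emits an explicit `</img>` closing tag; `tag(:img, src: image_src)` from the same `TagHelper` produces the void element the old string literal built, with the same attribute escaping. The enclosing `call` method begins in the earlier hunk (line 85) and continues past this one.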