Add latest changes from gitlab-org/security/gitlab@15-9-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2023-03-29 23:54:01 +0000
committer: GitLab Bot <gitlab-bot@gitlab.com> 2023-03-29 23:54:01 +0000
commit: 22afa6177e5cdd2843502d425cb584135a35df60 (patch)
tree: 57a0d0b688f058b395f41445bdbc2372dc5da85e /lib
parent: 52dd3cdae10174cc35af6698b280acd1431cc4f8 (diff)
download: gitlab-ce-22afa6177e5cdd2843502d425cb584135a35df60.tar.gz
2 files changed, 25 insertions, 5 deletions
diff --git a/lib/banzai/filter/inline_observability_filter.rb b/lib/banzai/filter/inline_observability_filter.rb
index 334c04f2b59..50d4aac70cc 100644
--- a/lib/banzai/filter/inline_observability_filter.rb
+++ b/lib/banzai/filter/inline_observability_filter.rb
@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require 'uri'
+
 module Banzai
   module Filter
     class InlineObservabilityFilter < ::Banzai::Filter::InlineEmbedsFilter
@@ -15,7 +17,8 @@ module Banzai
         doc.document.create_element(
           'div',
           class: 'js-render-observability',
-          'data-frame-url': url
+          'data-frame-url': url,
+          'data-observability-url': Gitlab::Observability.observability_url
         )
       end
 
@@ -28,8 +31,15 @@ module Banzai
       # obtained from the target link
       def element_to_embed(node)
         url = node['href']
-
-        create_element(url)
+        uri = URI.parse(url)
+        observability_uri = URI.parse(Gitlab::Observability.observability_url)
+
+        if uri.scheme == observability_uri.scheme &&
+            uri.port == observability_uri.port &&
+            uri.host.casecmp?(observability_uri.host) &&
+            uri.path.downcase.exclude?("auth/start")
+          create_element(url)
+        end
       end
 
       private
diff --git a/lib/extracts_ref.rb b/lib/extracts_ref.rb
index dba1aad639c..49c9772f760 100644
--- a/lib/extracts_ref.rb
+++ b/lib/extracts_ref.rb
@@ -5,7 +5,8 @@
 # Can be extended for different types of repository object, e.g. Project or Snippet
 module ExtractsRef
   InvalidPathError = Class.new(StandardError)
-
+  BRANCH_REF_TYPE = 'heads'
+  TAG_REF_TYPE = 'tags'
   # Given a string containing both a Git tree-ish, such as a branch or tag, and
   # a filesystem path joined by forward slashes, attempts to separate the two.
   #
@@ -91,7 +92,7 @@ module ExtractsRef
   def ref_type
     return unless params[:ref_type].present?
 
-    params[:ref_type] == 'tags' ? 'tags' : 'heads'
+    params[:ref_type] == TAG_REF_TYPE ? TAG_REF_TYPE : BRANCH_REF_TYPE
   end
 
   private
@@ -154,4 +155,13 @@ module ExtractsRef
   def repository_container
     raise NotImplementedError
   end
+
+  def ambiguous_ref?(project, ref)
+    return true if project.repository.ambiguous_ref?(ref)
+
+    return false unless ref&.starts_with?('refs/')
+
+    unprefixed_ref = ref.sub(%r{^refs/(heads|tags)/}, '')
+    project.repository.commit(unprefixed_ref).present?
+  end
 end
author	GitLab Bot <gitlab-bot@gitlab.com>	2023-03-29 23:54:01 +0000
committer	GitLab Bot <gitlab-bot@gitlab.com>	2023-03-29 23:54:01 +0000
commit	22afa6177e5cdd2843502d425cb584135a35df60 (patch)
tree	57a0d0b688f058b395f41445bdbc2372dc5da85e /lib
parent	52dd3cdae10174cc35af6698b280acd1431cc4f8 (diff)
download	gitlab-ce-22afa6177e5cdd2843502d425cb584135a35df60.tar.gz