Add latest changes from gitlab-org/gitlab@master

12 files changed, 104 insertions, 38 deletions

diff --git a/lib/api/helpers/internal_helpers.rb b/lib/api/helpers/internal_helpers.rb
index 69b53ea6c2f..12b0a053e79 100644
--- a/lib/api/helpers/internal_helpers.rb
+++ b/lib/api/helpers/internal_helpers.rb
@@ -31,8 +31,7 @@ module API
       def access_checker_for(actor, protocol)
         access_checker_klass.new(actor.key_or_user, container, protocol,
           authentication_abilities: ssh_authentication_abilities,
-          namespace_path: namespace_path,
-          repository_path: project_path,
+          repository_path: repository_path,
           redirected_path: redirected_path)
       end
 
@@ -71,18 +70,22 @@ module API
         false
       end
 
-      def project_path
-        project&.path || project_path_match[:project_path]
-      end
-
-      def namespace_path
-        project&.namespace&.full_path || project_path_match[:namespace_path]
-      end
-
       private
 
-      def project_path_match
-        @project_path_match ||= params[:project].match(Gitlab::PathRegex.full_project_git_path_regex) || {}
+      def repository_path
+        if container
+          "#{container.full_path}.git"
+        elsif params[:project]
+          # When the project doesn't exist, we still need to pass on the path
+          # to support auto-creation in `GitAccessProject`.
+          #
+          # For consistency with the Git HTTP controllers, we normalize the path
+          # to remove a leading slash and ensure a trailing `.git`.
+          #
+          # NOTE: For GitLab Shell, `params[:project]` is the full repository path
+          # from the SSH command, with an optional trailing `.git`.
+          "#{params[:project].delete_prefix('/').delete_suffix('.git')}.git"
+        end
       end
 
       # rubocop:disable Gitlab/ModuleWithInstanceVariables
@@ -96,7 +99,7 @@ module API
       end
       # rubocop:enable Gitlab/ModuleWithInstanceVariables
 
-      # Project id to pass between components that don't share/don't have
+      # Repository id to pass between components that don't share/don't have
       # access to the same filesystem mounts
       def gl_repository
         repo_type.identifier_for_container(container)
@@ -106,8 +109,9 @@ module API
         repository.full_path
       end
 
-      # Return the repository depending on whether we want the wiki or the
-      # regular repository
+      # Return the repository for the detected type and container
+      #
+      # @returns [Repository]
       def repository
         @repository ||= repo_type.repository_for(container)
       end
diff --git a/lib/constraints/project_url_constrainer.rb b/lib/constraints/project_url_constrainer.rb
index 3e9cf2ab320..d41490d2ebd 100644
--- a/lib/constraints/project_url_constrainer.rb
+++ b/lib/constraints/project_url_constrainer.rb
@@ -4,7 +4,7 @@ module Constraints
   class ProjectUrlConstrainer
     def matches?(request, existence_check: true)
       namespace_path = request.params[:namespace_id]
-      project_path = request.params[:project_id] || request.params[:id] || request.params[:repository_id]
+      project_path = request.params[:project_id] || request.params[:id]
       full_path = [namespace_path, project_path].join('/')
 
       return false unless ProjectPathValidator.valid_path?(full_path)
diff --git a/lib/constraints/repository_redirect_url_constrainer.rb b/lib/constraints/repository_redirect_url_constrainer.rb
new file mode 100644
index 00000000000..44df670d8d3
--- /dev/null
+++ b/lib/constraints/repository_redirect_url_constrainer.rb
@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Constraints
+  class RepositoryRedirectUrlConstrainer
+    def matches?(request)
+      path = request.params[:repository_path].delete_suffix('.git')
+      query = request.query_string
+
+      git_request?(query) && container_path?(path)
+    end
+
+    # Allow /info/refs, /info/refs?service=git-upload-pack, and
+    # /info/refs?service=git-receive-pack, but nothing else.
+    def git_request?(query)
+      query.blank? ||
+        query == 'service=git-upload-pack' ||
+        query == 'service=git-receive-pack'
+    end
+
+    # Check if the path matches any known repository containers.
+    # These also cover wikis, since a `.wiki` suffix is valid in project/group paths too.
+    def container_path?(path)
+      NamespacePathValidator.valid_path?(path) ||
+        ProjectPathValidator.valid_path?(path) ||
+        path =~ Gitlab::PathRegex.full_snippets_repository_path_regex
+    end
+  end
+end
diff --git a/lib/gitlab/application_context.rb b/lib/gitlab/application_context.rb
index b4bbb309c36..84fe3d1c959 100644
--- a/lib/gitlab/application_context.rb
+++ b/lib/gitlab/application_context.rb
@@ -30,7 +30,7 @@ module Gitlab
       Labkit::Context.current.to_h.include?(Labkit::Context.log_key(attribute_name))
     end
 
-    def initialize(args)
+    def initialize(**args)
       unknown_attributes = args.keys - APPLICATION_ATTRIBUTES.map(&:name)
       raise ArgumentError, "#{unknown_attributes} are not known keys" if unknown_attributes.any?
 
diff --git a/lib/gitlab/ci/templates/Security/DAST-On-Demand-Scan.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/DAST-On-Demand-Scan.gitlab-ci.yml
new file mode 100644
index 00000000000..a0564a16c07
--- /dev/null
+++ b/lib/gitlab/ci/templates/Security/DAST-On-Demand-Scan.gitlab-ci.yml
@@ -0,0 +1,24 @@
+stages:
+  - build
+  - test
+  - deploy
+  - dast
+
+variables:
+  DAST_VERSION: 1
+  # Setting this variable will affect all Security templates
+  # (SAST, Dependency Scanning, ...)
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+
+dast:
+  stage: dast
+  image:
+    name: "$SECURE_ANALYZERS_PREFIX/dast:$DAST_VERSION"
+  variables:
+    GIT_STRATEGY: none
+  allow_failure: true
+  script:
+    - /analyze
+  artifacts:
+    reports:
+      dast: gl-dast-report.json
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
index 0576d1dd9db..5ed4322341e 100644
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -43,7 +43,7 @@ module Gitlab
     ALL_COMMANDS = DOWNLOAD_COMMANDS + PUSH_COMMANDS
 
     attr_reader :actor, :protocol, :authentication_abilities,
-                :namespace_path, :redirected_path, :auth_result_type,
+                :repository_path, :redirected_path, :auth_result_type,
                 :cmd, :changes
     attr_accessor :container
 
@@ -57,21 +57,16 @@ module Gitlab
       raise ArgumentError, "No error message defined for #{key}"
     end
 
-    def initialize(actor, container, protocol, authentication_abilities:, namespace_path: nil, repository_path: nil, redirected_path: nil, auth_result_type: nil)
+    def initialize(actor, container, protocol, authentication_abilities:, repository_path: nil, redirected_path: nil, auth_result_type: nil)
       @actor     = actor
       @container = container
       @protocol  = protocol
       @authentication_abilities = Array(authentication_abilities)
-      @namespace_path = namespace_path
       @repository_path = repository_path
       @redirected_path = redirected_path
       @auth_result_type = auth_result_type
     end
 
-    def repository_path
-      @repository_path ||= project&.path
-    end
-
     def check(cmd, changes)
       @changes = changes
       @cmd = cmd
diff --git a/lib/gitlab/git_access_project.rb b/lib/gitlab/git_access_project.rb
index cdefcc84f7d..7e9bab4a8e6 100644
--- a/lib/gitlab/git_access_project.rb
+++ b/lib/gitlab/git_access_project.rb
@@ -35,7 +35,19 @@ module Gitlab
     end
 
     def namespace
-      @namespace ||= Namespace.find_by_full_path(namespace_path)
+      strong_memoize(:namespace) { Namespace.find_by_full_path(namespace_path) }
+    end
+
+    def namespace_path
+      strong_memoize(:namespace_path) { repository_path_match[:namespace_path] }
+    end
+
+    def project_path
+      strong_memoize(:project_path) { repository_path_match[:project_path] }
+    end
+
+    def repository_path_match
+      strong_memoize(:repository_path_match) { repository_path.match(Gitlab::PathRegex.full_project_git_path_regex) || {} }
     end
 
     def ensure_project_on_push!
@@ -44,7 +56,7 @@ module Gitlab
       return unless user&.can?(:create_projects, namespace)
 
       project_params = {
-        path: repository_path,
+        path: project_path,
         namespace_id: namespace.id,
         visibility_level: Gitlab::VisibilityLevel::PRIVATE
       }
diff --git a/lib/gitlab/graphql/expose_permissions.rb b/lib/gitlab/graphql/expose_permissions.rb
index 365b7cca24f..ab9ed354673 100644
--- a/lib/gitlab/graphql/expose_permissions.rb
+++ b/lib/gitlab/graphql/expose_permissions.rb
@@ -9,7 +9,7 @@ module Gitlab
           field :user_permissions, permission_type,
                 description: description,
                 null: false,
-                resolve: -> (obj, _, _) { obj }
+                method: :itself
         end
       end
     end
diff --git a/lib/gitlab/legacy_github_import/project_creator.rb b/lib/gitlab/legacy_github_import/project_creator.rb
index b484b69c932..c54325bcdf5 100644
--- a/lib/gitlab/legacy_github_import/project_creator.rb
+++ b/lib/gitlab/legacy_github_import/project_creator.rb
@@ -5,7 +5,7 @@ module Gitlab
     class ProjectCreator
       attr_reader :repo, :name, :namespace, :current_user, :session_data, :type
 
-      def initialize(repo, name, namespace, current_user, session_data, type: 'github')
+      def initialize(repo, name, namespace, current_user, type: 'github', **session_data)
         @repo = repo
         @name = name
         @namespace = namespace
diff --git a/lib/gitlab/path_regex.rb b/lib/gitlab/path_regex.rb
index ad0a5c80604..2ff23980ebd 100644
--- a/lib/gitlab/path_regex.rb
+++ b/lib/gitlab/path_regex.rb
@@ -180,12 +180,16 @@ module Gitlab
       end
     end
 
-    def project_git_route_regex
-      @project_git_route_regex ||= /#{project_route_regex}\.git/.freeze
+    def repository_route_regex
+      @repository_route_regex ||= /#{full_namespace_route_regex}|#{personal_snippet_repository_path_regex}/.freeze
     end
 
-    def project_wiki_git_route_regex
-      @project_wiki_git_route_regex ||= /#{PATH_REGEX_STR}\.wiki/.freeze
+    def repository_git_route_regex
+      @repository_git_route_regex ||= /#{repository_route_regex}\.git/.freeze
+    end
+
+    def repository_wiki_git_route_regex
+      @repository_wiki_git_route_regex ||= /#{full_namespace_route_regex}\.wiki\.git/.freeze
     end
 
     def full_namespace_path_regex
@@ -250,10 +254,6 @@ module Gitlab
       %r{\A(#{personal_snippet_repository_path_regex}|#{project_snippet_repository_path_regex})\z}
     end
 
-    def personal_and_project_snippets_path_regex
-      %r{#{personal_snippet_path_regex}|#{project_snippet_path_regex}}
-    end
-
     def container_image_regex
       @container_image_regex ||= %r{([\w\.-]+\/){0,1}[\w\.-]+}.freeze
     end
diff --git a/lib/gitlab/repo_path.rb b/lib/gitlab/repo_path.rb
index 9ee6f67e455..79cf081b9dc 100644
--- a/lib/gitlab/repo_path.rb
+++ b/lib/gitlab/repo_path.rb
@@ -5,7 +5,7 @@ module Gitlab
     NotFoundError = Class.new(StandardError)
 
     def self.parse(path)
-      repo_path = path.sub(/\.git\z/, '').sub(%r{\A/}, '')
+      repo_path = path.delete_prefix('/').delete_suffix('.git')
       redirected_path = nil
 
       # Detect the repo type based on the path, the first one tried is the project
diff --git a/lib/tasks/gitlab/assets.rake b/lib/tasks/gitlab/assets.rake
index ab2d77eeaf0..54e74fd9c8b 100644
--- a/lib/tasks/gitlab/assets.rake
+++ b/lib/tasks/gitlab/assets.rake
@@ -81,7 +81,10 @@ namespace :gitlab do
 
       if head_assets_md5 != master_assets_md5 || !public_assets_webpack_dir_exists
         FileUtils.rm_r(Tasks::Gitlab::Assets::PUBLIC_ASSETS_WEBPACK_DIR) if public_assets_webpack_dir_exists
-        system('yarn webpack')
+
+        unless system('yarn webpack')
+          abort 'Error: Unable to compile webpack production bundle.'.color(:red)
+        end
       end
     end