author | Zeger-Jan van de Weg <zegerjan@gitlab.com> | 2016-03-15 19:13:26 +0100 |
---|---|---|
committer | Zeger-Jan van de Weg <zegerjan@gitlab.com> | 2016-03-15 19:16:16 +0100 |
commit | 59064aeeef8562a87d4d03efa9b11012a007e261 (patch) | |
tree | 1ecb34e1355a4eb714615b2a9c2727155e8f3ec9 /lib | |
parent | aaf4434b0e24da916d4392aa9cd001cdb8e0c7dc (diff) | |
parent | bc590ce63bd2f1af5545b648e6d028a557e7c792 (diff) | |
download | gitlab-ce-59064aeeef8562a87d4d03efa9b11012a007e261.tar.gz |
Merge branch 'master' into 4009-external-users4009-external-users
Diffstat (limited to 'lib')
-rw-r--r-- | lib/api/entities.rb | 7 | ||||
-rw-r--r-- | lib/banzai/filter/sanitization_filter.rb | 9 | ||||
-rw-r--r-- | lib/ci/gitlab_ci_yaml_processor.rb | 27 | ||||
-rw-r--r-- | lib/tasks/scss-lint.rake | 10 |
4 files changed, 43 insertions, 10 deletions
diff --git a/lib/api/entities.rb b/lib/api/entities.rb
index 4b3ad1443bb..71197205f34 100644
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -409,13 +409,6 @@ module API
 expose :id, :status, :stage, :name, :ref, :tag, :coverage
 expose :created_at, :started_at, :finished_at
 expose :user, with: User
- # TODO: download_url in Ci:Build model is an GitLab Web Interface URL, not API URL. We should think on some API
- # for downloading of artifacts (see: https://gitlab.com/gitlab-org/gitlab-ce/issues/4255)
- expose :download_url do |repo_obj, options|
- if options[:user_can_download_artifacts]
- repo_obj.artifacts_download_url
- end
- end
 expose :artifacts_file, using: BuildArtifactFile, if: -> (build, opts) { build.artifacts? }
 expose :commit, with: RepoCommit do |repo_obj, _options|
 if repo_obj.respond_to?(:commit)
diff --git a/lib/banzai/filter/sanitization_filter.rb b/lib/banzai/filter/sanitization_filter.rb
index abd79b329ae..e8011519608 100644
--- a/lib/banzai/filter/sanitization_filter.rb
+++ b/lib/banzai/filter/sanitization_filter.rb
@@ -7,7 +7,7 @@ module Banzai
 #
 # Extends HTML::Pipeline::SanitizationFilter with a custom whitelist.
 class SanitizationFilter < HTML::Pipeline::SanitizationFilter
- UNSAFE_PROTOCOLS = %w(javascript :javascript data vbscript).freeze
+ UNSAFE_PROTOCOLS = %w(data javascript vbscript).freeze

 def whitelist
 whitelist = super
@@ -64,7 +64,12 @@ module Banzai
 return unless node.name == 'a'
 return unless node.has_attribute?('href')

- if node['href'].start_with?(*UNSAFE_PROTOCOLS)
+ begin
+ uri = Addressable::URI.parse(node['href'])
+ uri.scheme.strip! if uri.scheme
+
+ node.remove_attribute('href') if UNSAFE_PROTOCOLS.include?(uri.scheme)
+ rescue Addressable::URI::InvalidURIError
 node.remove_attribute('href')
 end
 end
diff --git a/lib/ci/gitlab_ci_yaml_processor.rb b/lib/ci/gitlab_ci_yaml_processor.rb
index 28e074cd289..c89e1b51019 100644
--- a/lib/ci/gitlab_ci_yaml_processor.rb
+++ b/lib/ci/gitlab_ci_yaml_processor.rb
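Review bot: In lib/banzai/filter/sanitization_filter.rb (hunk at -64,7 +64,12), `UNSAFE_PROTOCOLS.include?(uri.scheme)` is an exact, case-sensitive match against lower-case entries, and nothing visible in the hunk lower-cases the parsed scheme, so an href whose scheme is written in mixed case would presumably keep its attribute here. Normalising before the lookup closes that gap: `scheme = uri.scheme.to_s.strip.downcase` followed by `node.remove_attribute('href') if UNSAFE_PROTOCOLS.include?(scheme)`; this also stops relying on `strip!` mutating the string the URI object hands back. A spec with mixed-case and whitespace-padded schemes would pin the behaviour. The enclosing method starts and ends outside the hunk, so whether another layer already enforces a protocol allow-list cannot be seen from here.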
@@ -5,7 +5,9 @@ module Ci
 DEFAULT_STAGES = %w(build test deploy)
 DEFAULT_STAGE = 'test'
 ALLOWED_YAML_KEYS = [:before_script, :image, :services, :types, :stages, :variables, :cache]
- ALLOWED_JOB_KEYS = [:tags, :script, :only, :except, :type, :image, :services, :allow_failure, :type, :stage, :when, :artifacts, :cache]
+ ALLOWED_JOB_KEYS = [:tags, :script, :only, :except, :type, :image, :services,
+ :allow_failure, :type, :stage, :when, :artifacts, :cache,
+ :dependencies]

 attr_reader :before_script, :image, :services, :variables, :path, :cache

@@ -60,6 +62,7 @@ module Ci
 @jobs = {}

 @config.each do |key, job|
+ next if key.to_s.start_with?('.')
 stage = job[:stage] || job[:type] || DEFAULT_STAGE
 @jobs[key] = { stage: stage }.merge(job)
 end
@@ -81,6 +84,7 @@ module Ci
 services: job[:services] || @services,
 artifacts: job[:artifacts],
 cache: job[:cache] || @cache,
+ dependencies: job[:dependencies],
 }.compact
 }
 end
@@ -143,6 +147,7 @@ module Ci
 validate_job_stage!(name, job) if job[:stage]
 validate_job_cache!(name, job) if job[:cache]
 validate_job_artifacts!(name, job) if job[:artifacts]
+ validate_job_dependencies!(name, job) if job[:dependencies]
 end

 private
@@ -216,6 +221,10 @@ module Ci
 end

 def validate_job_artifacts!(name, job)
+ if job[:artifacts][:name] && !validate_string(job[:artifacts][:name])
+ raise ValidationError, "#{name} job: artifacts:name parameter should be a string"
+ end
+
 if job[:artifacts][:untracked] && !validate_boolean(job[:artifacts][:untracked])
 raise ValidationError, "#{name} job: artifacts:untracked parameter should be an boolean"
 end
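Review bot: In lib/ci/gitlab_ci_yaml_processor.rb (hunk at -60,6 +62,7), the new guard `next if key.to_s.start_with?('.')` drops dot-prefixed entries from `@jobs` without a comment saying why. Because those entries never enter `@jobs`, a `dependencies:` value naming one of them would be reported as undefined by the lookup added later in this commit, and they presumably never reach per-job validation (the validation loop is outside this hunk). I would add a comment above the guard, for example `# Entries whose key starts with '.' are skipped and never registered in @jobs`, and confirm that leaving them unvalidated is intended. The enclosing method starts outside the hunk.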
@@ -225,6 +234,22 @@ module Ci
 end
 end

+ def validate_job_dependencies!(name, job)
+ if !validate_array_of_strings(job[:dependencies])
+ raise ValidationError, "#{name} job: dependencies parameter should be an array of strings"
+ end
+
+ stage_index = stages.index(job[:stage])
+
+ job[:dependencies].each do |dependency|
+ raise ValidationError, "#{name} job: undefined dependency: #{dependency}" unless @jobs[dependency]
+
+ unless stages.index(@jobs[dependency][:stage]) < stage_index
+ raise ValidationError, "#{name} job: dependency #{dependency} is not defined in prior stages"
+ end
+ end
+ end
+
 def validate_array_of_strings(values)
 values.is_a?(Array) && values.all? { |value| validate_string(value) }
 end
diff --git a/lib/tasks/scss-lint.rake b/lib/tasks/scss-lint.rake
new file mode 100644
index 00000000000..250fd8699e4
--- /dev/null
+++ b/lib/tasks/scss-lint.rake
@@ -0,0 +1,10 @@
+unless Rails.env.production?
+ require 'scss_lint/rake_task'
+
+ SCSSLint::RakeTask.new do |t|
+ t.config = '.scss-lint.yml'
+ # See https://github.com/brigade/scss-lint/issues/726
+ # Hack, otherwise linter won't respect scss_files option in config file.
+ t.files = []
+ end
+end
|
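Review bot: In `validate_job_dependencies!` (lib/ci/gitlab_ci_yaml_processor.rb, hunk at -225,6 +234,22), the comparison `stages.index(@jobs[dependency][:stage]) < stage_index` assumes both lookups return an Integer, but `Array#index` returns nil for a stage that is not in `stages`. Whether the dependency's own stage has already been validated when this runs is not visible in the hunk; if it has not, a malformed .gitlab-ci.yml ends in NoMethodError rather than ValidationError. Guarding the comparison keeps the failure inside the validator: `dep_index = stages.index(@jobs[dependency][:stage])` and `unless dep_index && stage_index && dep_index < stage_index`. It is also worth confirming that `@jobs` is keyed by the same type as the dependency names (String versus Symbol), since a mismatch would report every dependency as undefined.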