authorGitLab Bot <gitlab-bot@gitlab.com>2020-02-28 20:09:26 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2020-02-28 20:09:26 +0000
commit952784c9a19731aad0bdccba5bfc7d3bbce850e3 (patch)
tree678090f5f2b33ed26859ddb839ee5a5ca5ae3b2e /lib
parentc0b4e483c6ef80cf5c9c02abf74d2eb7954b3622 (diff)
downloadgitlab-ce-952784c9a19731aad0bdccba5bfc7d3bbce850e3.tar.gz
Add latest changes from gitlab-org/security/gitlab@12-7-stable-ee
Diffstat (limited to 'lib')
-rw-r--r--lib/api/triggers.rb10
-rw-r--r--lib/gitlab/dependency_linker/base_linker.rb7
-rw-r--r--lib/gitlab/project_authorizations.rb6
-rw-r--r--lib/gitlab/user_access.rb8
4 files changed, 28 insertions, 3 deletions
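--- a/lib/api/triggers.rb
+++ b/lib/api/triggers.rb
@@ -4,6 +4,8 @@ module API
 class Triggers < Grape::API
 include PaginationParams
+HTTP_GITLAB_EVENT_HEADER = "HTTP_#{WebHookService::GITLAB_EVENT_HEADER}".underscore.upcase
+
 params do
 requires :id, type: String, desc: 'The ID of a project'
 end
@@ -19,6 +21,8 @@ module API
 post ":id/(ref/:ref/)trigger/pipeline", requirements: { ref: /.+/ } do
 Gitlab::QueryLimiting.whitelist('https://gitlab.com/gitlab-org/gitlab-foss/issues/42283')
+forbidden! if gitlab_pipeline_hook_request?
+
 # validate variables
 params[:variables] = params[:variables].to_h
 unless params[:variables].all? { |key, value| key.is_a?(String) && value.is_a?(String) }
@@ -128,5 +132,11 @@ module API
 destroy_conditionally!(trigger)
 end
 end
+
+helpers do
+def gitlab_pipeline_hook_request?
+request.get_header(HTTP_GITLAB_EVENT_HEADER) == WebHookService.hook_to_event(:pipeline_hooks)
+end
+end
 end
 end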
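Review bot: The guard `forbidden! if gitlab_pipeline_hook_request?` and the helper that backs it document neither what a request carrying the pipeline-hook event header is nor why it must not start a pipeline; the reader has to infer that such a request was delivered by GitLab's own webhook machinery, so a project webhook aimed at its trigger URL would otherwise re-trigger itself without end. I would put above the guard: `# Requests carrying WebHookService::GITLAB_EVENT_HEADER for pipeline hooks were sent by a webhook; running a pipeline from them lets a project's pipeline webhook trigger itself indefinitely`. Since a client can simply omit the header, this is a loop breaker rather than an authorization check, and the comment should say so. A bare `forbidden!` also leaves the caller with an unexplained 403; if the helper takes a reason, `forbidden!('Pipeline hook requests cannot trigger pipelines')` would make the refusal self-describing. The `post` block and the `Triggers` class both extend beyond the hunks shown.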
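--- a/lib/gitlab/dependency_linker/base_linker.rb
+++ b/lib/gitlab/dependency_linker/base_linker.rb
@@ -7,6 +7,8 @@ module Gitlab
 GIT_INVALID_URL_REGEX = /^git\+#{URL_REGEX}/.freeze
 REPO_REGEX = %r{[^/'" ]+/[^/'" ]+}.freeze
+include ActionView::Helpers::SanitizeHelper
+
 class_attribute :file_type
 def self.support?(blob_name)
@@ -62,7 +64,10 @@ module Gitlab
 end
 def link_tag(name, url)
-%{<a href="#{ERB::Util.html_escape_once(url)}" rel="nofollow noreferrer noopener" target="_blank">#{ERB::Util.html_escape_once(name)}</a>}.html_safe
+sanitize(
+%{<a href="#{ERB::Util.html_escape_once(url)}" rel="nofollow noreferrer noopener" target="_blank">#{ERB::Util.html_escape_once(name)}</a>},
+attributes: %w[href rel target]
+)
 end
 # Links package names based on regex.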
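Review bot: `link_tag` now wraps the anchor in `sanitize`, but the hunk does not say why escaping alone was not enough: `ERB::Util.html_escape_once` stops `url` from breaking out of the attribute yet leaves its scheme untouched, and it is the sanitizer's protocol allowlist on `href` that removes a scheme such as `javascript:`. I would add above the call: `# html_escape_once only prevents attribute breakout; sanitize additionally drops hrefs whose scheme is not in the safe list`. Because `name` is escaped too, the anchor is the only element that can legitimately appear, so passing `tags: %w[a]` next to `attributes: %w[href rel target]` would pin the tag allowlist instead of inheriting the sanitizer's default one. `link_tag` is complete within the hunk; the surrounding class continues on both sides.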
diff --git a/lib/gitlab/project_authorizations.rb b/lib/gitlab/project_authorizations.rb
index d65e8759ec9..ff90a009b2e 100644
--- a/lib/gitlab/project_authorizations.rb
+++ b/lib/gitlab/project_authorizations.rb
@@ -62,6 +62,7 @@ module Gitlab
cte = Gitlab::SQL::RecursiveCTE.new(:namespaces_cte)
members = Member.arel_table
namespaces = Namespace.arel_table
+ group_group_links = GroupGroupLink.arel_table
# Namespaces the user is a member of.
cte << user.groups
@@ -69,7 +70,10 @@ module Gitlab
.except(:order)
# Namespaces shared with any of the group
- cte << Group.select([namespaces[:id], 'group_group_links.group_access AS access_level'])
+ cte << Group.select([namespaces[:id],
+ least(members[:access_level],
+ group_group_links[:group_access],
+ 'access_level')])
.joins(join_group_group_links)
.joins(join_members_on_group_group_links)
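Review bot: The `least(members[:access_level], group_group_links[:group_access], 'access_level')` expression is the access decision of this change — a user's level on a group shared with one of their groups is capped by their own membership level in the sharing group, not only by the level the share grants — yet the only nearby comment still reads `Namespaces shared with any of the group`, and `least` itself is defined outside the hunk. I would extend that comment to: `# Namespaces shared with any of the user's groups; access is the lower of the user's membership level in the sharing group and the share's group_access`. Whether `members[:access_level]` can be NULL here depends on `join_members_on_group_group_links`, which is not shown; PostgreSQL's LEAST ignores NULL arguments, so a missing membership row would silently fall back to the share's level, which is worth confirming against that join. The `Group.select` chain continues past the last line of the hunk.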
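--- a/lib/gitlab/user_access.rb
+++ b/lib/gitlab/user_access.rb
@@ -67,7 +67,13 @@ module Gitlab
 return false unless can_access_git?
 return false unless project
-return false if !user.can?(:push_code, project) && !project.branch_allows_collaboration?(user, ref)
+# Checking for an internal project to prevent an infinite loop:
+# https://gitlab.com/gitlab-org/gitlab/issues/36805
+if project.internal?
+return false unless user.can?(:push_code, project)
+else
+return false if !user.can?(:push_code, project) && !project.branch_allows_collaboration?(user, ref)
+end
 if protected?(ProtectedBranch, project, ref)
 protected_branch_accessible_to?(ref, action: :push)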
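Review bot: The new `if project.internal?` branch changes the access outcome for internal projects — a user without `push_code` is now refused even where `branch_allows_collaboration?` would have permitted the push — but the comment above the `if` only mentions the infinite loop, not this consequence, which is what the next person touching permissions needs to know. I would extend it: `# Internal projects skip branch_allows_collaboration? (see issue 36805), so for them a push requires push_code outright`. The two branches also evaluate `user.can?(:push_code, project)` separately; hoisting it into `can_push = user.can?(:push_code, project)` and writing `return false unless can_push` / `return false if !can_push && !project.branch_allows_collaboration?(user, ref)` makes the difference between the branches visibly just the collaboration clause. The enclosing method starts before the hunk and continues after it.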