authorGitLab Bot <gitlab-bot@gitlab.com>2022-11-30 04:50:46 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-11-30 04:50:46 +0000
commite6572d41b847c839ce49bc022a8cd1b99216798b (patch)
tree419eeffb09aafcd9d5a82e43c823b8cfbf88963e /spec
parent1f6654659564013b8aa4f3572158cb63d3a519c1 (diff)
downloadgitlab-ce-e6572d41b847c839ce49bc022a8cd1b99216798b.tar.gz
Add latest changes from gitlab-org/security/gitlab@15-6-stable-ee
Diffstat (limited to 'spec')
-rw-r--r--spec/features/tags/developer_views_tags_spec.rb2
-rw-r--r--spec/fixtures/packages/nuget/corrupted_package.nupkgbin0 -> 3513 bytes
-rw-r--r--spec/lib/gitlab/git/repository_spec.rb7
-rw-r--r--spec/lib/gitlab/gitaly_client/repository_service_spec.rb63
-rw-r--r--spec/models/hooks/web_hook_log_spec.rb18
-rw-r--r--spec/models/hooks/web_hook_spec.rb30
-rw-r--r--spec/models/integrations/jira_spec.rb13
-rw-r--r--spec/models/project_import_state_spec.rb2
-rw-r--r--spec/models/repository_spec.rb13
-rw-r--r--spec/requests/jira_connect/users_controller_spec.rb11
-rw-r--r--spec/services/markup/rendering_service_spec.rb5
-rw-r--r--spec/services/packages/nuget/metadata_extraction_service_spec.rb11
-rw-r--r--spec/services/projects/import_service_spec.rb163
-rw-r--r--spec/services/web_hooks/log_execution_service_spec.rb15
-rw-r--r--spec/support/shared_examples/features/user_views_tag_shared_examples.rb47
15 files changed, 358 insertions, 42 deletions
diff --git a/spec/features/tags/developer_views_tags_spec.rb b/spec/features/tags/developer_views_tags_spec.rb
index 57e1f7da04e..e2399dd9978 100644
--- a/spec/features/tags/developer_views_tags_spec.rb
+++ b/spec/features/tags/developer_views_tags_spec.rb
@@ -53,6 +53,8 @@ RSpec.describe 'Developer views tags' do
end
it 'views a specific tag page' do
+ create(:release, project: project, tag: 'v1.0.0', name: 'v1.0.0', description: nil)
+
click_on 'v1.0.0'
expect(page).to have_current_path(
diff --git a/spec/fixtures/packages/nuget/corrupted_package.nupkg b/spec/fixtures/packages/nuget/corrupted_package.nupkg
new file mode 100644
index 00000000000..54f05c62aea
--- /dev/null
+++ b/spec/fixtures/packages/nuget/corrupted_package.nupkg
Binary files differ
diff --git a/spec/lib/gitlab/git/repository_spec.rb b/spec/lib/gitlab/git/repository_spec.rb
index 5e27979cbf3..197662943a0 100644
--- a/spec/lib/gitlab/git/repository_spec.rb
+++ b/spec/lib/gitlab/git/repository_spec.rb
@@ -524,12 +524,13 @@ RSpec.describe Gitlab::Git::Repository do
prune: false,
check_tags_changed: false,
refmap: nil,
- http_authorization_header: ""
+ http_authorization_header: "",
+ resolved_address: '172.16.123.1'
}
expect(repository.gitaly_repository_client).to receive(:fetch_remote).with(url, expected_opts)
- repository.fetch_remote(url, ssh_auth: ssh_auth, forced: true, no_tags: true, prune: false, check_tags_changed: false)
+ repository.fetch_remote(url, ssh_auth: ssh_auth, forced: true, no_tags: true, prune: false, check_tags_changed: false, resolved_address: '172.16.123.1')
end
it_behaves_like 'wrapping gRPC errors', Gitlab::GitalyClient::RepositoryService, :fetch_remote do
@@ -2448,7 +2449,7 @@ RSpec.describe Gitlab::Git::Repository do
it 'delegates to Gitaly' do
expect_next_instance_of(Gitlab::GitalyClient::RepositoryService) do |svc|
- expect(svc).to receive(:import_repository).with(url, http_authorization_header: '', mirror: false).and_return(nil)
+ expect(svc).to receive(:import_repository).with(url, http_authorization_header: '', mirror: false, resolved_address: '').and_return(nil)
end
repository.import_repository(url)
diff --git a/spec/lib/gitlab/gitaly_client/repository_service_spec.rb b/spec/lib/gitlab/gitaly_client/repository_service_spec.rb
index 58ace05b0d3..5aef250afac 100644
--- a/spec/lib/gitlab/gitaly_client/repository_service_spec.rb
+++ b/spec/lib/gitlab/gitaly_client/repository_service_spec.rb
@@ -133,6 +133,40 @@ RSpec.describe Gitlab::GitalyClient::RepositoryService do
end
end
+ describe '#import_repository' do
+ let(:source) { 'https://example.com/git/repo.git' }
+
+ it 'sends a create_repository_from_url message' do
+ expected_request = gitaly_request_with_params(
+ url: source,
+ resolved_address: ''
+ )
+
+ expect_any_instance_of(Gitaly::RepositoryService::Stub)
+ .to receive(:create_repository_from_url)
+ .with(expected_request, kind_of(Hash))
+ .and_return(double(value: true))
+
+ client.import_repository(source)
+ end
+
+ context 'when http_host is provided' do
+ it 'sends a create_repository_from_url message with http_host provided in the request' do
+ expected_request = gitaly_request_with_params(
+ url: source,
+ resolved_address: '172.16.123.1'
+ )
+
+ expect_any_instance_of(Gitaly::RepositoryService::Stub)
+ .to receive(:create_repository_from_url)
+ .with(expected_request, kind_of(Hash))
+ .and_return(double(value: true))
+
+ client.import_repository(source, resolved_address: '172.16.123.1')
+ end
+ end
+ end
+
describe '#fetch_remote' do
let(:url) { 'https://example.com/git/repo.git' }
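Review bot: The added `context 'when http_host is provided'` and its example description talk about http_host, but the only argument exercised is `resolved_address: '172.16.123.1'`; nothing named http_host appears in the hunk. Rename them to `context 'when resolved_address is provided'` and `it 'sends a create_repository_from_url message with resolved_address in the request'` so the description matches the request field being checked. The same leftover wording is in spec/models/repository_spec.rb (`context 'with http_host provided'`).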
@@ -141,7 +175,8 @@ RSpec.describe Gitlab::GitalyClient::RepositoryService do
remote_params: Gitaly::Remote.new(
url: url,
http_authorization_header: "",
- mirror_refmaps: []
+ mirror_refmaps: [],
+ resolved_address: ''
),
ssh_key: '',
known_hosts: '',
@@ -159,6 +194,32 @@ RSpec.describe Gitlab::GitalyClient::RepositoryService do
client.fetch_remote(url, refmap: nil, ssh_auth: nil, forced: false, no_tags: false, timeout: 1, check_tags_changed: false)
end
+ context 'with resolved address' do
+ it 'sends a fetch_remote_request message' do
+ expected_request = gitaly_request_with_params(
+ remote_params: Gitaly::Remote.new(
+ url: url,
+ http_authorization_header: "",
+ mirror_refmaps: [],
+ resolved_address: '172.16.123.1'
+ ),
+ ssh_key: '',
+ known_hosts: '',
+ force: false,
+ no_tags: false,
+ no_prune: false,
+ check_tags_changed: false
+ )
+
+ expect_any_instance_of(Gitaly::RepositoryService::Stub)
+ .to receive(:fetch_remote)
+ .with(expected_request, kind_of(Hash))
+ .and_return(double(value: true))
+
+ client.fetch_remote(url, refmap: nil, ssh_auth: nil, forced: false, no_tags: false, timeout: 1, check_tags_changed: false, resolved_address: '172.16.123.1')
+ end
+ end
+
context 'SSH auth' do
where(:ssh_mirror_url, :ssh_key_auth, :ssh_private_key, :ssh_known_hosts, :expected_params) do
false | false | 'key' | 'known_hosts' | {}
diff --git a/spec/models/hooks/web_hook_log_spec.rb b/spec/models/hooks/web_hook_log_spec.rb
index fafca144cae..2f0bfbd4fed 100644
--- a/spec/models/hooks/web_hook_log_spec.rb
+++ b/spec/models/hooks/web_hook_log_spec.rb
@@ -188,4 +188,22 @@ RSpec.describe WebHookLog do
it { expect(web_hook_log.internal_error?).to be_truthy }
end
end
+
+ describe '#request_headers' do
+ let(:hook) { build(:project_hook, :token) }
+ let(:web_hook_log) { build(:web_hook_log, request_headers: request_headers) }
+ let(:expected_headers) { { 'X-Gitlab-Token' => _('[REDACTED]') } }
+
+ context 'with redacted headers token' do
+ let(:request_headers) { { 'X-Gitlab-Token' => _('[REDACTED]') } }
+
+ it { expect(web_hook_log.request_headers).to eq(expected_headers) }
+ end
+
+ context 'with exposed headers token' do
+ let(:request_headers) { { 'X-Gitlab-Token' => hook.token } }
+
+ it { expect(web_hook_log.request_headers).to eq(expected_headers) }
+ end
+ end
end
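Review bot: In the 'with exposed headers token' context, `hook` is built only to supply a token value; the log comes from `build(:web_hook_log, request_headers: request_headers)` and never receives that hook. The example therefore does not show whether the reader redacts by header name or by looking at the owning hook's token. If it is the latter, pass the hook through, e.g. `build(:web_hook_log, web_hook: hook, request_headers: request_headers)` (assuming the association is named `web_hook`); if it is the former, a literal token string would make that plain. A one-line comment saying which rule applies would help, since this reader is what keeps the secret out of the log view.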
diff --git a/spec/models/hooks/web_hook_spec.rb b/spec/models/hooks/web_hook_spec.rb
index db854670cc3..9b55db15f3b 100644
--- a/spec/models/hooks/web_hook_spec.rb
+++ b/spec/models/hooks/web_hook_spec.rb
@@ -195,6 +195,36 @@ RSpec.describe WebHook do
end
end
+ describe 'before_validation :reset_token' do
+ subject(:hook) { build_stubbed(:project_hook, :token, project: project) }
+
+ it 'resets token if url changed' do
+ hook.url = 'https://webhook.example.com/new-hook'
+
+ expect(hook).to be_valid
+ expect(hook.token).to be_nil
+ end
+
+ it 'does not reset token if new url is set together with the same token' do
+ hook.url = 'https://webhook.example.com/new-hook'
+ current_token = hook.token
+ hook.token = current_token
+
+ expect(hook).to be_valid
+ expect(hook.token).to eq(current_token)
+ expect(hook.url).to eq('https://webhook.example.com/new-hook')
+ end
+
+ it 'does not reset token if new url is set together with a new token' do
+ hook.url = 'https://webhook.example.com/new-hook'
+ hook.token = 'token'
+
+ expect(hook).to be_valid
+ expect(hook.token).to eq('token')
+ expect(hook.url).to eq('https://webhook.example.com/new-hook')
+ end
+ end
+
it "only consider these branch filter strategies are valid" do
expected_valid_types = %w[all_branches regex wildcard]
expect(described_class.branch_filter_strategies.keys).to contain_exactly(*expected_valid_types)
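Review bot: All three examples in 'before_validation :reset_token' change `hook.url`, so none pins the other direction: that validation leaves the token alone when the URL is untouched. A callback that ignored the URL and cleared the token whenever it was not reassigned would pass all three. A short case covers it: `it 'keeps the token when url is unchanged' do`, `expect(hook).to be_valid`, `expect(hook.token).to be_present`. The enclosing `RSpec.describe WebHook` block starts and ends outside this hunk.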
diff --git a/spec/models/integrations/jira_spec.rb b/spec/models/integrations/jira_spec.rb
index 819dad9d46d..af1112cf50d 100644
--- a/spec/models/integrations/jira_spec.rb
+++ b/spec/models/integrations/jira_spec.rb
@@ -230,9 +230,12 @@ RSpec.describe Integrations::Jira do
where(:url, :result) do
'https://abc.atlassian.net' | true
+ 'http://abc.atlassian.net' | false
'abc.atlassian.net' | false # This is how it behaves currently, but we may need to consider adding scheme if missing
'https://somethingelse.com' | false
- nil | false
+ 'javascript://test.atlassian.net/%250dalert(document.domain)' | false
+ 'https://example.com".atlassian.net' | false
+ nil | false
end
with_them do
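Review bot: The new rows cover a wrong scheme and a quote-broken host, but the table has no row where `atlassian.net` appears anywhere other than at the end of the host. Rows such as `'https://abc.atlassian.net.example.com' | false` and `'https://example.com/abc.atlassian.net' | false` (constructed values) would pin that the check is anchored to the parsed host rather than matching a substring of the URL. The `where` table sits in a describe block that starts outside this hunk, so the method under test is not visible here.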
@@ -289,7 +292,7 @@ RSpec.describe Integrations::Jira do
let(:server_info_results) { { 'deploymentType' => 'FutureCloud' } }
context 'and URL ends in .atlassian.net' do
- let(:api_url) { 'http://example-api.atlassian.net' }
+ let(:api_url) { 'https://example-api.atlassian.net' }
it 'deployment_type is set to cloud' do
expect(integration.jira_tracker_data).to be_deployment_cloud
@@ -297,7 +300,7 @@ RSpec.describe Integrations::Jira do
end
context 'and URL is something else' do
- let(:api_url) { 'http://my-jira-api.someserver.com' }
+ let(:api_url) { 'https://my-jira-api.someserver.com' }
it 'deployment_type is set to server' do
expect(integration.jira_tracker_data).to be_deployment_server
@@ -309,7 +312,7 @@ RSpec.describe Integrations::Jira do
let(:server_info_results) { {} }
context 'and URL ends in .atlassian.net' do
- let(:api_url) { 'http://example-api.atlassian.net' }
+ let(:api_url) { 'https://example-api.atlassian.net' }
it 'deployment_type is set to cloud' do
expect(Gitlab::AppLogger).to receive(:warn).with(message: "Jira API returned no ServerInfo, setting deployment_type from URL", server_info: server_info_results, url: api_url)
@@ -318,7 +321,7 @@ RSpec.describe Integrations::Jira do
end
context 'and URL is something else' do
- let(:api_url) { 'http://my-jira-api.someserver.com' }
+ let(:api_url) { 'https://my-jira-api.someserver.com' }
it 'deployment_type is set to server' do
expect(Gitlab::AppLogger).to receive(:warn).with(message: "Jira API returned no ServerInfo, setting deployment_type from URL", server_info: server_info_results, url: api_url)
diff --git a/spec/models/project_import_state_spec.rb b/spec/models/project_import_state_spec.rb
index db79185d759..ba1a29a8b27 100644
--- a/spec/models/project_import_state_spec.rb
+++ b/spec/models/project_import_state_spec.rb
@@ -22,7 +22,7 @@ RSpec.describe ProjectImportState, type: :model do
before do
allow_any_instance_of(Gitlab::GitalyClient::RepositoryService).to receive(:import_repository)
- .with(project.import_url, http_authorization_header: '', mirror: false).and_return(true)
+ .with(project.import_url, http_authorization_header: '', mirror: false, resolved_address: '').and_return(true)
# Works around https://github.com/rspec/rspec-mocks/issues/910
allow(Project).to receive(:find).with(project.id).and_return(project)
diff --git a/spec/models/repository_spec.rb b/spec/models/repository_spec.rb
index 93872bcd827..c17e180f282 100644
--- a/spec/models/repository_spec.rb
+++ b/spec/models/repository_spec.rb
@@ -1223,11 +1223,22 @@ RSpec.describe Repository do
it 'fetches the URL without creating a remote' do
expect(repository)
.to receive(:fetch_remote)
- .with(url, forced: false, prune: true, refmap: :all_refs, http_authorization_header: "")
+ .with(url, forced: false, prune: true, refmap: :all_refs, http_authorization_header: "", resolved_address: '')
.and_return(nil)
repository.fetch_as_mirror(url)
end
+
+ context 'with http_host provided' do
+ it 'fetches the URL with resolved_address value' do
+ expect(repository)
+ .to receive(:fetch_remote)
+ .with(url, forced: false, prune: true, refmap: :all_refs, http_authorization_header: "", resolved_address: '172.16.123.1')
+ .and_return(nil)
+
+ repository.fetch_as_mirror(url, resolved_address: '172.16.123.1')
+ end
+ end
end
describe '#fetch_ref' do
diff --git a/spec/requests/jira_connect/users_controller_spec.rb b/spec/requests/jira_connect/users_controller_spec.rb
index c648d28c1bc..6e927aaba91 100644
--- a/spec/requests/jira_connect/users_controller_spec.rb
+++ b/spec/requests/jira_connect/users_controller_spec.rb
@@ -31,5 +31,16 @@ RSpec.describe JiraConnect::UsersController do
expect(response.body).not_to include('Return to GitLab')
end
end
+
+ context 'with a script injected' do
+ let(:return_to) { 'javascript://test.atlassian.net/%250dalert(document.domain)' }
+
+ it 'does not include a return url' do
+ get '/-/jira_connect/users', params: { return_to: return_to }
+
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(response.body).not_to include('Return to GitLab')
+ end
+ end
end
end
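Review bot: The 'with a script injected' example proves the rejection only through the absence of the link label `'Return to GitLab'`, so it would keep passing if the label were reworded while the `return_to` value was still rendered. Assert on the value as well: `expect(response.body).not_to include('javascript:')`. The enclosing describe and the neighbouring contexts start outside this hunk.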
diff --git a/spec/services/markup/rendering_service_spec.rb b/spec/services/markup/rendering_service_spec.rb
index a5711a8cbc4..d54bc71f0a4 100644
--- a/spec/services/markup/rendering_service_spec.rb
+++ b/spec/services/markup/rendering_service_spec.rb
@@ -110,9 +110,12 @@ RSpec.describe Markup::RenderingService do
context 'when file is a regular text file' do
let(:file_name) { 'foo.txt' }
+ let(:text) { 'Noël <form>' }
it 'returns html (rendered by ActionView::TagHelper)' do
- is_expected.to eq('<pre class="plain-readme">Noël</pre>')
+ expect(ActionController::Base.helpers).to receive(:content_tag).and_call_original
+
+ is_expected.to eq('<pre class="plain-readme">Noël &lt;form&gt;</pre>')
end
end
diff --git a/spec/services/packages/nuget/metadata_extraction_service_spec.rb b/spec/services/packages/nuget/metadata_extraction_service_spec.rb
index fc21cfd502e..12bab30b4a7 100644
--- a/spec/services/packages/nuget/metadata_extraction_service_spec.rb
+++ b/spec/services/packages/nuget/metadata_extraction_service_spec.rb
@@ -114,5 +114,16 @@ RSpec.describe Packages::Nuget::MetadataExtractionService do
it { expect { subject }.to raise_error(::Packages::Nuget::MetadataExtractionService::ExtractionError, 'nuspec file too big') }
end
+
+ context 'with a corrupted nupkg file with a wrong entry size' do
+ let(:nupkg_fixture_path) { expand_fixture_path('packages/nuget/corrupted_package.nupkg') }
+ let(:expected_error) { "nuspec file has the wrong entry size: entry 'DummyProject.DummyPackage.nuspec' should be 255B, but is larger when inflated." }
+
+ before do
+ allow(Zip::File).to receive(:new).and_return(Zip::File.new(nupkg_fixture_path, false, false))
+ end
+
+ it { expect { subject }.to raise_error(::Packages::Nuget::MetadataExtractionService::ExtractionError, expected_error) }
+ end
end
end
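Review bot: The `before` block in 'with a corrupted nupkg file with a wrong entry size' needs a comment. `allow(Zip::File).to receive(:new).and_return(Zip::File.new(nupkg_fixture_path, false, false))` replaces every archive the service opens with the fixture, and the two positional `false` arguments are unexplained. Something like `# Return the corrupted fixture for any Zip::File.new call; positional args are create = false, buffer = false` would do, plus a sentence on why the fixture is injected through a stub rather than through the package file the other contexts use. The surrounding describe block starts outside this hunk.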
diff --git a/spec/services/projects/import_service_spec.rb b/spec/services/projects/import_service_spec.rb
index 6dc72948541..b3f8980a7bd 100644
--- a/spec/services/projects/import_service_spec.rb
+++ b/spec/services/projects/import_service_spec.rb
@@ -127,30 +127,67 @@ RSpec.describe Projects::ImportService do
project.import_type = 'bitbucket'
end
- it 'succeeds if repository import is successful' do
- expect(project.repository).to receive(:import_repository).and_return(true)
- expect_next_instance_of(Gitlab::BitbucketImport::Importer) do |importer|
- expect(importer).to receive(:execute).and_return(true)
+ context 'when importer supports refmap' do
+ before do
+ project.import_type = 'gitea'
end
- expect_next_instance_of(Projects::LfsPointers::LfsImportService) do |service|
- expect(service).to receive(:execute).and_return(status: :success)
+ it 'succeeds if repository fetch as mirror is successful' do
+ expect(project).to receive(:ensure_repository)
+ expect(project.repository).to receive(:fetch_as_mirror).with('https://bitbucket.org/vim/vim.git', refmap: Gitlab::LegacyGithubImport::Importer.refmap, resolved_address: '').and_return(true)
+ expect_next_instance_of(Gitlab::LegacyGithubImport::Importer) do |importer|
+ expect(importer).to receive(:execute).and_return(true)
+ end
+
+ expect_next_instance_of(Projects::LfsPointers::LfsImportService) do |service|
+ expect(service).to receive(:execute).and_return(status: :success)
+ end
+
+ result = subject.execute
+
+ expect(result[:status]).to eq :success
end
- result = subject.execute
+ it 'fails if repository fetch as mirror fails' do
+ expect(project).to receive(:ensure_repository)
+ expect(project.repository)
+ .to receive(:fetch_as_mirror)
+ .and_raise(Gitlab::Git::CommandError, 'Failed to import the repository /a/b/c')
- expect(result[:status]).to eq :success
+ result = subject.execute
+
+ expect(result[:status]).to eq :error
+ expect(result[:message]).to eq "Error importing repository #{project.safe_import_url} into #{project.full_path} - Failed to import the repository [FILTERED]"
+ end
end
- it 'fails if repository import fails' do
- expect(project.repository)
- .to receive(:import_repository)
- .and_raise(Gitlab::Git::CommandError, 'Failed to import the repository /a/b/c')
+ context 'when importer does not support refmap' do
+ it 'succeeds if repository import is successful' do
+ expect(project.repository).to receive(:import_repository).and_return(true)
+ expect_next_instance_of(Gitlab::BitbucketImport::Importer) do |importer|
+ expect(importer).to receive(:execute).and_return(true)
+ end
- result = subject.execute
+ expect_next_instance_of(Projects::LfsPointers::LfsImportService) do |service|
+ expect(service).to receive(:execute).and_return(status: :success)
+ end
- expect(result[:status]).to eq :error
- expect(result[:message]).to eq "Error importing repository #{project.safe_import_url} into #{project.full_path} - Failed to import the repository [FILTERED]"
+ result = subject.execute
+
+ expect(result[:status]).to eq :success
+ end
+
+ it 'fails if repository import fails' do
+ expect(project.repository)
+ .to receive(:import_repository)
+ .with('https://bitbucket.org/vim/vim.git', resolved_address: '')
+ .and_raise(Gitlab::Git::CommandError, 'Failed to import the repository /a/b/c')
+
+ result = subject.execute
+
+ expect(result[:status]).to eq :error
+ expect(result[:message]).to eq "Error importing repository #{project.safe_import_url} into #{project.full_path} - Failed to import the repository [FILTERED]"
+ end
end
context 'when lfs import fails' do
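Review bot: In 'fails if repository fetch as mirror fails' the `fetch_as_mirror` stub has no `.with(...)`, unlike the success example above it and unlike the `import_repository` failure example, which now pins `resolved_address: ''`. Adding `.with('https://bitbucket.org/vim/vim.git', refmap: Gitlab::LegacyGithubImport::Importer.refmap, resolved_address: '')` keeps the two failure paths symmetric and checks that the address argument is passed on the error path too. The 'when importer supports refmap' context also sets `import_type = 'gitea'` while the URL stays on bitbucket.org; a short comment that gitea is used only to reach the refmap branch would avoid confusion.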
@@ -287,6 +324,102 @@ RSpec.describe Projects::ImportService do
end
end
+ context 'when DNS rebind protection is disabled' do
+ before do
+ allow(Gitlab::CurrentSettings).to receive(:dns_rebinding_protection_enabled?).and_return(false)
+ project.import_url = "https://example.com/group/project"
+
+ allow(Gitlab::UrlBlocker).to receive(:validate!)
+ .with(project.import_url, ports: Project::VALID_IMPORT_PORTS, schemes: Project::VALID_IMPORT_PROTOCOLS, dns_rebind_protection: false)
+ .and_return([Addressable::URI.parse("https://example.com/group/project"), nil])
+ end
+
+ it 'imports repository with url without additional resolved address' do
+ expect(project.repository).to receive(:import_repository).with('https://example.com/group/project', resolved_address: '').and_return(true)
+
+ expect_next_instance_of(Projects::LfsPointers::LfsImportService) do |service|
+ expect(service).to receive(:execute).and_return(status: :success)
+ end
+
+ result = subject.execute
+
+ expect(result[:status]).to eq(:success)
+ end
+ end
+
+ context 'when DNS rebind protection is enabled' do
+ before do
+ allow(Gitlab::CurrentSettings).to receive(:http_proxy_env?).and_return(false)
+ allow(Gitlab::CurrentSettings).to receive(:dns_rebinding_protection_enabled?).and_return(true)
+ end
+
+ context 'when https url is provided' do
+ before do
+ project.import_url = "https://example.com/group/project"
+
+ allow(Gitlab::UrlBlocker).to receive(:validate!)
+ .with(project.import_url, ports: Project::VALID_IMPORT_PORTS, schemes: Project::VALID_IMPORT_PROTOCOLS, dns_rebind_protection: true)
+ .and_return([Addressable::URI.parse("https://172.16.123.1/group/project"), 'example.com'])
+ end
+
+ it 'imports repository with url and additional resolved address' do
+ expect(project.repository).to receive(:import_repository).with('https://example.com/group/project', resolved_address: '172.16.123.1').and_return(true)
+
+ expect_next_instance_of(Projects::LfsPointers::LfsImportService) do |service|
+ expect(service).to receive(:execute).and_return(status: :success)
+ end
+
+ result = subject.execute
+
+ expect(result[:status]).to eq(:success)
+ end
+ end
+
+ context 'when http url is provided' do
+ before do
+ project.import_url = "http://example.com/group/project"
+
+ allow(Gitlab::UrlBlocker).to receive(:validate!)
+ .with(project.import_url, ports: Project::VALID_IMPORT_PORTS, schemes: Project::VALID_IMPORT_PROTOCOLS, dns_rebind_protection: true)
+ .and_return([Addressable::URI.parse("http://172.16.123.1/group/project"), 'example.com'])
+ end
+
+ it 'imports repository with url and additional resolved address' do
+ expect(project.repository).to receive(:import_repository).with('http://example.com/group/project', resolved_address: '172.16.123.1').and_return(true)
+
+ expect_next_instance_of(Projects::LfsPointers::LfsImportService) do |service|
+ expect(service).to receive(:execute).and_return(status: :success)
+ end
+
+ result = subject.execute
+
+ expect(result[:status]).to eq(:success)
+ end
+ end
+
+ context 'when git address is provided' do
+ before do
+ project.import_url = "git://example.com/group/project.git"
+
+ allow(Gitlab::UrlBlocker).to receive(:validate!)
+ .with(project.import_url, ports: Project::VALID_IMPORT_PORTS, schemes: Project::VALID_IMPORT_PROTOCOLS, dns_rebind_protection: true)
+ .and_return([Addressable::URI.parse("git://172.16.123.1/group/project"), 'example.com'])
+ end
+
+ it 'imports repository with url and without resolved address' do
+ expect(project.repository).to receive(:import_repository).with('git://example.com/group/project.git', resolved_address: '').and_return(true)
+
+ expect_next_instance_of(Projects::LfsPointers::LfsImportService) do |service|
+ expect(service).to receive(:execute).and_return(status: :success)
+ end
+
+ result = subject.execute
+
+ expect(result[:status]).to eq(:success)
+ end
+ end
+ end
+
it_behaves_like 'measurable service' do
let(:base_log_data) do
{
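Review bot: The 'when git address is provided' example expects `resolved_address: ''` even though `validate!` is stubbed to return `git://172.16.123.1/group/project`. With DNS rebind protection enabled, a git:// import is therefore still fetched by hostname rather than by the address that was validated. If that is intentional (presumably the address can only be pinned for http and https), say so in the example, e.g. `# git:// cannot be pinned to the validated address, so the host is resolved again at fetch time`. Otherwise the expectation reads like an oversight. The enclosing describe block starts before this hunk.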
diff --git a/spec/services/web_hooks/log_execution_service_spec.rb b/spec/services/web_hooks/log_execution_service_spec.rb
index 1b8ff9f2a05..fd97d01fa9f 100644
--- a/spec/services/web_hooks/log_execution_service_spec.rb
+++ b/spec/services/web_hooks/log_execution_service_spec.rb
@@ -11,14 +11,15 @@ RSpec.describe WebHooks::LogExecutionService do
travel_to(Time.current) { example.run }
end
- let_it_be_with_reload(:project_hook) { create(:project_hook) }
+ let_it_be_with_reload(:project_hook) { create(:project_hook, :token) }
let(:response_category) { :ok }
+ let(:request_headers) { { 'Header' => 'header value' } }
let(:data) do
{
trigger: 'trigger_name',
url: 'https://example.com',
- request_headers: { 'Header' => 'header value' },
+ request_headers: request_headers,
request_data: { 'Request Data' => 'request data value' },
response_body: 'Response body',
response_status: '200',
@@ -163,5 +164,15 @@ RSpec.describe WebHooks::LogExecutionService do
service.execute
end
end
+
+ context 'with X-Gitlab-Token' do
+ let(:request_headers) { { 'X-Gitlab-Token' => project_hook.token } }
+
+ it 'redacts the token' do
+ service.execute
+
+ expect(WebHookLog.recent.first.request_headers).to include('X-Gitlab-Token' => '[REDACTED]')
+ end
+ end
end
end
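Review bot: `expect(WebHookLog.recent.first.request_headers)` reads the value back through the model's reader, so 'redacts the token' cannot tell a token redacted before it was written from one stored in clear and only masked on read. spec/models/hooks/web_hook_log_spec.rb in this commit expects the reader to return `[REDACTED]` for a built, unsaved record holding the real token, which suggests the reader masks on its own. To pin what is persisted, assert on the raw attribute as well, e.g. `expect(WebHookLog.recent.first.read_attribute(:request_headers)).to include('X-Gitlab-Token' => '[REDACTED]')`. Adjust that if the column is stored in another form.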
diff --git a/spec/support/shared_examples/features/user_views_tag_shared_examples.rb b/spec/support/shared_examples/features/user_views_tag_shared_examples.rb
index 989de1dbfbb..702964a2610 100644
--- a/spec/support/shared_examples/features/user_views_tag_shared_examples.rb
+++ b/spec/support/shared_examples/features/user_views_tag_shared_examples.rb
@@ -2,33 +2,54 @@
RSpec.shared_examples 'user views tag' do
context 'when user views with the tag' do
- let(:project) { create(:project, :repository) }
+ let(:project) { create(:project, :repository, :public) }
let(:user) { create(:user) }
let(:tag_name) { "stable" }
- let!(:release) { create(:release, project: project, tag: tag_name, name: "ReleaseName") }
+ let(:release_name) { 'ReleaseName' }
+ let(:release_notes) { 'Release notes' }
+ let!(:release) do
+ create(:release, project: project, tag: tag_name, name: release_name, description: release_notes)
+ end
before do
- project.add_developer(user)
project.repository.add_tag(user, tag_name, project.default_branch_or_main)
-
sign_in(user)
end
- shared_examples 'shows tag' do
- it do
- visit tag_page
+ context 'and user is authorized to read release' do
+ before do
+ project.add_developer(user)
+ end
+
+ shared_examples 'shows tag' do
+ it do
+ visit tag_page
+
+ expect(page).to have_content tag_name
+ expect(page).to have_link(release_name, href: project_release_path(project, release))
+ end
+ end
- expect(page).to have_content tag_name
- expect(page).to have_link("ReleaseName", href: project_release_path(project, release))
+ it_behaves_like 'shows tag'
+
+ context 'when tag name contains a slash' do
+ let(:tag_name) { "stable/v0.1" }
+
+ it_behaves_like 'shows tag'
end
end
- it_behaves_like 'shows tag'
+ context 'and user is not authorized to read release' do
+ before do
+ project.project_feature.update!(releases_access_level: Featurable::PRIVATE)
+ end
- context 'when tag name contains a slash' do
- let(:tag_name) { "stable/v0.1" }
+ it 'hides release link and notes', :aggregate_failures do
+ visit tag_page
- it_behaves_like 'shows tag'
+ expect(page).not_to have_link(release_name, href: project_release_path(project, release))
+ expect(page).not_to have_text(release_notes)
+ end
end
end
end
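Review bot: 'hides release link and notes' has only negative expectations, so it would also pass if `visit tag_page` landed on an error or sign-in page instead of the tag page. Add a positive anchor before them, as the authorized branch does: `expect(page).to have_content tag_name`. `tag_page` is supplied by whichever spec includes these shared examples and is not visible in this file.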