Diffstat (limited to 'lib')
-rw-r--r--lib/banzai/filter/label_reference_filter.rb2
-rw-r--r--lib/banzai/filter/reference_filter.rb1
-rw-r--r--lib/gitlab/base_doorkeeper_controller.rb2
-rw-r--r--lib/gitlab/checks/branch_check.rb12
-rw-r--r--lib/gitlab/ci/config/entry/product/parallel.rb2
-rw-r--r--lib/gitlab/ci/config/normalizer/factory.rb6
-rw-r--r--lib/gitlab/ci/features.rb4
-rw-r--r--lib/gitlab/import_export/decompressed_archive_size_validator.rb90
-rw-r--r--lib/gitlab/import_export/file_importer.rb9
-rw-r--r--lib/gitlab/kubernetes/kube_client.rb8
-rw-r--r--lib/gitlab/kubernetes/node.rb21
-rw-r--r--lib/gitlab/markdown_cache.rb2
12 files changed, 135 insertions, 24 deletions
diff --git a/lib/banzai/filter/label_reference_filter.rb b/lib/banzai/filter/label_reference_filter.rb
index b7801de6ed9..a4d3e352051 100644
--- a/lib/banzai/filter/label_reference_filter.rb
+++ b/lib/banzai/filter/label_reference_filter.rb
@@ -125,3 +125,5 @@ module Banzai
end
end
end
+
+Banzai::Filter::LabelReferenceFilter.prepend_if_ee('EE::Banzai::Filter::LabelReferenceFilter')
diff --git a/lib/banzai/filter/reference_filter.rb b/lib/banzai/filter/reference_filter.rb
index 9afcfee2fe8..1959336ea1b 100644
--- a/lib/banzai/filter/reference_filter.rb
+++ b/lib/banzai/filter/reference_filter.rb
@@ -53,7 +53,6 @@ module Banzai
attributes[:reference_type] ||= self.class.reference_type
attributes[:container] ||= 'body'
attributes[:placement] ||= 'top'
- attributes[:html] ||= 'true'
attributes.delete(:original) if context[:no_original_data]
attributes.map do |key, value|
%Q(data-#{key.to_s.dasherize}="#{escape_once(value)}")
diff --git a/lib/gitlab/base_doorkeeper_controller.rb b/lib/gitlab/base_doorkeeper_controller.rb
index b78993aba30..0f370850b5b 100644
--- a/lib/gitlab/base_doorkeeper_controller.rb
+++ b/lib/gitlab/base_doorkeeper_controller.rb
@@ -5,6 +5,8 @@
module Gitlab
class BaseDoorkeeperController < ActionController::Base
include Gitlab::Allowable
+ include EnforcesTwoFactorAuthentication
+
helper_method :can?
end
end
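Review bot: The new `include EnforcesTwoFactorAuthentication` has no comment, yet it changes behaviour for every controller that inherits from `BaseDoorkeeperController`. Judging by the concern's name, a line such as `# Apply the two-factor requirement to OAuth authorization flows as well` above the include would record the intent. The concern's callbacks are not visible in this hunk, so a request spec should confirm that any inheriting endpoint that runs without a browser session still behaves as intended.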
diff --git a/lib/gitlab/checks/branch_check.rb b/lib/gitlab/checks/branch_check.rb
index 7be0ef05a49..ad2a718ef67 100644
--- a/lib/gitlab/checks/branch_check.rb
+++ b/lib/gitlab/checks/branch_check.rb
@@ -12,7 +12,8 @@ module Gitlab
push_protected_branch: 'You are not allowed to push code to protected branches on this project.',
create_protected_branch: 'You are not allowed to create protected branches on this project.',
invalid_commit_create_protected_branch: 'You can only use an existing protected branch ref as the basis of a new protected branch.',
- non_web_create_protected_branch: 'You can only create protected branches using the web interface and API.'
+ non_web_create_protected_branch: 'You can only create protected branches using the web interface and API.',
+ prohibited_hex_branch_name: 'You cannot create a branch with a 40-character hexadecimal branch name.'
}.freeze
LOG_MESSAGES = {
@@ -32,11 +33,20 @@ module Gitlab
end
end
+ prohibited_branch_checks
protected_branch_checks
end
private
+ def prohibited_branch_checks
+ return unless Feature.enabled?(:prohibit_hexadecimal_branch_names, project, default_enabled: true)
+
+ if branch_name =~ /\A\h{40}\z/
+ raise GitAccess::ForbiddenError, ERROR_MESSAGES[:prohibited_hex_branch_name]
+ end
+ end
+
def protected_branch_checks
logger.log_timed(LOG_MESSAGES[:protected_branch_checks]) do
return unless ProtectedBranch.protected?(project, branch_name) # rubocop:disable Cop/AvoidReturnFromBlocks
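Review bot: The pattern in `prohibited_branch_checks` rejects only 40-character names, so a 64-character hexadecimal name, the length of a SHA-256 object id, still passes. If repositories using the SHA-256 object format are ever in scope, `/\A\h{40}(\h{24})?\z/` covers both lengths, and the error message would need the matching wording. Since no capture is used, `branch_name.match?(/\A\h{40}\z/)` is the better form than `=~`. The message says "create", but the calling method starts outside the hunk, so it is not clear whether the check runs only on branch creation or also on pushes to an existing branch with such a name.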
diff --git a/lib/gitlab/ci/config/entry/product/parallel.rb b/lib/gitlab/ci/config/entry/product/parallel.rb
index da7079a8328..cd9eabbbc66 100644
--- a/lib/gitlab/ci/config/entry/product/parallel.rb
+++ b/lib/gitlab/ci/config/entry/product/parallel.rb
@@ -10,7 +10,7 @@ module Gitlab
module Product
class Parallel < ::Gitlab::Config::Entry::Simplifiable
strategy :ParallelBuilds, if: -> (config) { config.is_a?(Numeric) }
- strategy :MatrixBuilds, if: -> (config) { ::Gitlab::Ci::Features.parallel_matrix_enabled? && config.is_a?(Hash) }
+ strategy :MatrixBuilds, if: -> (config) { config.is_a?(Hash) }
PARALLEL_LIMIT = 50
diff --git a/lib/gitlab/ci/config/normalizer/factory.rb b/lib/gitlab/ci/config/normalizer/factory.rb
index 972da4bbf9a..bf813f8e878 100644
--- a/lib/gitlab/ci/config/normalizer/factory.rb
+++ b/lib/gitlab/ci/config/normalizer/factory.rb
@@ -29,11 +29,7 @@ module Gitlab
end
def strategies
- if ::Gitlab::Ci::Features.parallel_matrix_enabled?
- [NumberStrategy, MatrixStrategy]
- else
- [NumberStrategy]
- end
+ [NumberStrategy, MatrixStrategy]
end
end
end
diff --git a/lib/gitlab/ci/features.rb b/lib/gitlab/ci/features.rb
index 67ff0beea82..0ce40d873db 100644
--- a/lib/gitlab/ci/features.rb
+++ b/lib/gitlab/ci/features.rb
@@ -62,10 +62,6 @@ module Gitlab
::Feature.enabled?(:destroy_only_unlocked_expired_artifacts, default_enabled: false)
end
- def self.parallel_matrix_enabled?
- ::Feature.enabled?(:ci_parallel_matrix_enabled)
- end
-
def self.bulk_insert_on_create?(project)
::Feature.enabled?(:ci_bulk_insert_on_create, project, default_enabled: true)
end
diff --git a/lib/gitlab/import_export/decompressed_archive_size_validator.rb b/lib/gitlab/import_export/decompressed_archive_size_validator.rb
new file mode 100644
index 00000000000..219821a7150
--- /dev/null
+++ b/lib/gitlab/import_export/decompressed_archive_size_validator.rb
@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+
+require 'zlib'
+
+module Gitlab
+ module ImportExport
+ class DecompressedArchiveSizeValidator
+ include Gitlab::Utils::StrongMemoize
+
+ DEFAULT_MAX_BYTES = 10.gigabytes.freeze
+ CHUNK_SIZE = 4096.freeze
+
+ attr_reader :error
+
+ def initialize(archive_path:, max_bytes: self.class.max_bytes)
+ @archive_path = archive_path
+ @max_bytes = max_bytes
+ @bytes_read = 0
+ @total_reads = 0
+ @denominator = 5
+ @error = nil
+ end
+
+ def valid?
+ strong_memoize(:valid) do
+ validate
+ end
+ end
+
+ def self.max_bytes
+ DEFAULT_MAX_BYTES
+ end
+
+ def archive_file
+ @archive_file ||= File.open(@archive_path)
+ end
+
+ private
+
+ def validate
+ until archive_file.eof?
+ compressed_chunk = archive_file.read(CHUNK_SIZE)
+
+ inflate_stream.inflate(compressed_chunk) do |chunk|
+ @bytes_read += chunk.size
+ @total_reads += 1
+ end
+
+ # Start garbage collection every 5 reads in order
+ # to prevent memory bloat during archive decompression
+ GC.start if gc_start?
+
+ if @bytes_read > @max_bytes
+ @error = error_message
+
+ return false
+ end
+ end
+
+ true
+ rescue => e
+ @error = error_message
+
+ Gitlab::ErrorTracking.track_exception(e)
+
+ Gitlab::Import::Logger.info(
+ message: @error,
+ error: e.message
+ )
+
+ false
+ ensure
+ inflate_stream.close
+ archive_file.close
+ end
+
+ def inflate_stream
+ @inflate_stream ||= Zlib::Inflate.new(Zlib::MAX_WBITS + 32)
+ end
+
+ def gc_start?
+ @total_reads % @denominator == 0
+ end
+
+ def error_message
+ _('Decompressed archive size validation failed.')
+ end
+ end
+ end
+end
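Review bot: `validate` stops measuring at the end of the first gzip member. Once `inflate_stream` reaches end-of-stream, `Zlib::Inflate#inflate` no longer decompresses later input (as far as I can tell it is passed through), so an archive with more than one gzip member is counted below the size a gzip-aware extractor would produce. The loop also returns `true` for a truncated stream, because `inflate_stream.finished?` is never checked. Separately, if `File.open` raises, the `ensure` clause calls `archive_file` again, which re-raises outside the `rescue`, so `valid?` throws instead of returning false. The sketch below fails closed in the first two cases and closes only a file that was actually opened; trailing data that arrives in the same chunk as the end marker would still need its own handling.

```ruby
def validate
  until archive_file.eof?
    compressed_chunk = archive_file.read(CHUNK_SIZE)

    # Input after the first member's end marker is not inflated by this
    # stream, so its size cannot be measured; reject instead of under-counting.
    if inflate_stream.finished?
      @error = error_message
      return false
    end

    # … unchanged: inflate block, GC.start, @max_bytes comparison …
  end

  # A stream that never reached its end marker is truncated or corrupt.
  unless inflate_stream.finished?
    @error = error_message
    return false
  end

  true
# … unchanged: rescue branch …
ensure
  inflate_stream.close
  @archive_file&.close
end
```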
diff --git a/lib/gitlab/import_export/file_importer.rb b/lib/gitlab/import_export/file_importer.rb
index 9d04d55770d..3cb1eb72ceb 100644
--- a/lib/gitlab/import_export/file_importer.rb
+++ b/lib/gitlab/import_export/file_importer.rb
@@ -28,6 +28,7 @@ module Gitlab
copy_archive
wait_for_archived_file do
+ validate_decompressed_archive_size if Feature.enabled?(:validate_import_decompressed_archive_size, default_enabled: true)
decompress_archive
end
rescue => e
@@ -82,6 +83,14 @@ module Gitlab
def extracted_files
Dir.glob("#{@shared.export_path}/**/*", File::FNM_DOTMATCH).reject { |f| IGNORED_FILENAMES.include?(File.basename(f)) }
end
+
+ def validate_decompressed_archive_size
+ raise ImporterError.new(size_validator.error) unless size_validator.valid?
+ end
+
+ def size_validator
+ @size_validator ||= DecompressedArchiveSizeValidator.new(archive_path: @archive_file)
+ end
end
end
end
diff --git a/lib/gitlab/kubernetes/kube_client.rb b/lib/gitlab/kubernetes/kube_client.rb
index 467bb1be62b..9e3cf58bb1e 100644
--- a/lib/gitlab/kubernetes/kube_client.rb
+++ b/lib/gitlab/kubernetes/kube_client.rb
@@ -116,15 +116,15 @@ module Gitlab
def self.graceful_request(cluster_id)
{ status: :connected, response: yield }
rescue *Gitlab::Kubernetes::Errors::CONNECTION
- { status: :unreachable }
+ { status: :unreachable, connection_error: :connection_error }
rescue *Gitlab::Kubernetes::Errors::AUTHENTICATION
- { status: :authentication_failure }
+ { status: :authentication_failure, connection_error: :authentication_error }
rescue Kubeclient::HttpError => e
- { status: kubeclient_error_status(e.message) }
+ { status: kubeclient_error_status(e.message), connection_error: :http_error }
rescue => e
Gitlab::ErrorTracking.track_exception(e, cluster_id: cluster_id)
- { status: :unknown_failure }
+ { status: :unknown_failure, connection_error: :unknown_error }
end
# KubeClient uses the same error class
diff --git a/lib/gitlab/kubernetes/node.rb b/lib/gitlab/kubernetes/node.rb
index bd765ef3852..d516bdde6f6 100644
--- a/lib/gitlab/kubernetes/node.rb
+++ b/lib/gitlab/kubernetes/node.rb
@@ -8,22 +8,29 @@ module Gitlab
end
def all
- nodes.map do |node|
- attributes = node(node)
- attributes.merge(node_metrics(node))
- end
+ {
+ nodes: metadata.presence,
+ node_connection_error: nodes_from_cluster[:connection_error],
+ metrics_connection_error: nodes_metrics_from_cluster[:connection_error]
+ }.compact
end
private
attr_reader :cluster
+ def metadata
+ nodes.map do |node|
+ base_data(node).merge(node_metrics(node))
+ end
+ end
+
def nodes_from_cluster
- graceful_request { cluster.kubeclient.get_nodes }
+ @nodes_from_cluster ||= graceful_request { cluster.kubeclient.get_nodes }
end
def nodes_metrics_from_cluster
- graceful_request { cluster.kubeclient.metrics_client.get_nodes }
+ @nodes_metrics_from_cluster ||= graceful_request { cluster.kubeclient.metrics_client.get_nodes }
end
def nodes
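Review bot: `all` now returns a Hash instead of an Array, and nothing in the hunk documents the new shape. Because of `.presence` followed by `.compact`, the `:nodes` key is absent rather than empty when no nodes come back. A YARD comment on `all` listing the three optional keys, and noting that `:nodes` can be missing, would stop callers from assuming `result[:nodes]` is always an Array. The `connection_error` values come from `graceful_request`, which is defined outside this hunk.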
@@ -44,7 +51,7 @@ module Gitlab
::Gitlab::Kubernetes::KubeClient.graceful_request(cluster.id, &block)
end
- def node(node)
+ def base_data(node)
{
'metadata' => {
'name' => node.metadata.name
diff --git a/lib/gitlab/markdown_cache.rb b/lib/gitlab/markdown_cache.rb
index 21797bf988d..ac3492dbe33 100644
--- a/lib/gitlab/markdown_cache.rb
+++ b/lib/gitlab/markdown_cache.rb
@@ -3,7 +3,7 @@
module Gitlab
module MarkdownCache
# Increment this number every time the renderer changes its output
- CACHE_COMMONMARK_VERSION = 23
+ CACHE_COMMONMARK_VERSION = 24
CACHE_COMMONMARK_VERSION_START = 10
BaseError = Class.new(StandardError)