Diffstat (limited to 'lib')
-rw-r--r--lib/api/entities.rb19
-rw-r--r--lib/backup/manager.rb6
-rw-r--r--lib/banzai/filter/video_link_filter.rb4
-rw-r--r--lib/gitlab/diff/position.rb14
-rw-r--r--lib/gitlab/file_markdown_link_builder.rb2
-rw-r--r--lib/gitlab/file_type_detection.rb43
-rw-r--r--lib/gitlab/usage_data.rb2
7 files changed, 63 insertions, 27 deletions
diff --git a/lib/api/entities.rb b/lib/api/entities.rb
index 89951498489..94fa174d4dc 100644
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -1276,7 +1276,7 @@ module API
class Release < Grape::Entity
expose :name
- expose :tag, as: :tag_name, if: lambda { |_, _| can_download_code? }
+ expose :tag, as: :tag_name, if: ->(_, _) { can_download_code? }
expose :description
expose :description_html do |entity|
MarkupHelper.markdown_field(entity, :description)
@@ -1284,16 +1284,17 @@ module API
expose :created_at
expose :released_at
expose :author, using: Entities::UserBasic, if: -> (release, _) { release.author.present? }
- expose :commit, using: Entities::Commit, if: lambda { |_, _| can_download_code? }
+ expose :commit, using: Entities::Commit, if: ->(_, _) { can_download_code? }
expose :upcoming_release?, as: :upcoming_release
expose :milestones, using: Entities::Milestone, if: -> (release, _) { release.milestones.present? }
-
+ expose :commit_path, if: ->(_, _) { can_download_code? }
+ expose :tag_path, if: ->(_, _) { can_download_code? }
expose :assets do
expose :assets_count, as: :count do |release, _|
assets_to_exclude = can_download_code? ? [] : [:sources]
release.assets_count(except: assets_to_exclude)
end
- expose :sources, using: Entities::Releases::Source, if: lambda { |_, _| can_download_code? }
+ expose :sources, using: Entities::Releases::Source, if: ->(_, _) { can_download_code? }
expose :links, using: Entities::Releases::Link do |release, options|
release.links.sorted
end
@@ -1304,6 +1305,16 @@ module API
def can_download_code?
Ability.allowed?(options[:current_user], :download_code, object.project)
end
+
+ def commit_path
+ return unless object.commit
+
+ Gitlab::Routing.url_helpers.project_commit_path(object.project, object.commit.id)
+ end
+
+ def tag_path
+ Gitlab::Routing.url_helpers.project_tag_path(object.project, object.tag)
+ end
end
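Review bot: `tag_path` builds its route from `object.tag` without the nil guard that `commit_path` has just above it, so a release with a blank tag would make `project_tag_path` raise during serialization instead of simply omitting the field. If a tag-less release cannot exist that is fine, but the asymmetry deserves either a guard, `return unless object.tag.present?`, or a one-line comment stating that `tag` is always present. Both helpers are exposed only under `can_download_code?` in the earlier hunk, which keeps the same authorization gate as the existing `tag`/`commit` fields. The `Release` entity class starts in an earlier hunk.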
class Tag < Grape::Entity
diff --git a/lib/backup/manager.rb b/lib/backup/manager.rb
index c0390959269..ce0c4c5d974 100644
--- a/lib/backup/manager.rb
+++ b/lib/backup/manager.rb
@@ -127,7 +127,7 @@ module Backup
end
tar_file = if ENV['BACKUP'].present?
- "#{ENV['BACKUP']}#{FILE_NAME_SUFFIX}"
+ File.basename(ENV['BACKUP']) + FILE_NAME_SUFFIX
else
backup_file_list.first
end
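Review bot: The move to `File.basename(ENV['BACKUP']) + FILE_NAME_SUFFIX` is a hardening step whose intent is recorded nowhere, so a later refactor may fold it back into a plain interpolation; a why-comment above the assignment would preserve it: `# BACKUP is caller-controlled: keep only the base name so it cannot name a file outside the backup directory.` Note that `File.basename` strips directory components only — a value of `..` still yields `".." + FILE_NAME_SUFFIX`, which is harmless here because the suffix is appended unconditionally. The enclosing method begins above the hunk.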
@@ -235,8 +235,8 @@ module Backup
end
def tar_file
- @tar_file ||= if ENV['BACKUP']
- ENV['BACKUP'] + "#{FILE_NAME_SUFFIX}"
+ @tar_file ||= if ENV['BACKUP'].present?
+ File.basename(ENV['BACKUP']) + FILE_NAME_SUFFIX
else
"#{backup_information[:backup_created_at].strftime('%s_%Y_%m_%d_')}#{backup_information[:gitlab_version]}#{FILE_NAME_SUFFIX}"
end
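Review bot: The sanitizing expression `File.basename(ENV['BACKUP']) + FILE_NAME_SUFFIX` is now duplicated verbatim here and in the previous hunk, so a future edit to one call site can silently reopen the traversal at the other. Extracting one private helper, `def backup_file_name; File.basename(ENV['BACKUP']) + FILE_NAME_SUFFIX; end`, and calling it from both `tar_file` and the earlier site keeps the defence in a single place. The `tar_file` method's closing `end` lies past the hunk.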
diff --git a/lib/banzai/filter/video_link_filter.rb b/lib/banzai/filter/video_link_filter.rb
index a278fcfdb47..58006cc6c13 100644
--- a/lib/banzai/filter/video_link_filter.rb
+++ b/lib/banzai/filter/video_link_filter.rb
@@ -19,13 +19,13 @@ module Banzai
def query
@query ||= begin
- src_query = UploaderHelper::VIDEO_EXT.map do |ext|
+ src_query = UploaderHelper::SAFE_VIDEO_EXT.map do |ext|
"'.#{ext}' = substring(@src, string-length(@src) - #{ext.size})"
end
if context[:asset_proxy_enabled].present?
src_query.concat(
- UploaderHelper::VIDEO_EXT.map do |ext|
+ UploaderHelper::SAFE_VIDEO_EXT.map do |ext|
"'.#{ext}' = substring(@data-canonical-src, string-length(@data-canonical-src) - #{ext.size})"
end
)
diff --git a/lib/gitlab/diff/position.rb b/lib/gitlab/diff/position.rb
index dfa80eb4a64..5fe06b9c5e6 100644
--- a/lib/gitlab/diff/position.rb
+++ b/lib/gitlab/diff/position.rb
@@ -118,8 +118,14 @@ module Gitlab
path: file_path
}
+ # Takes action when creating diff notes (multiple calls are
+ # submitted to this method).
Gitlab::SafeRequestStore.fetch(key) { find_diff_file(repository) }
end
+
+ # We need to unfold diff lines according to the position in order
+ # to correctly calculate the line code and trace position changes.
+ @diff_file&.tap { |file| file.unfold_diff_lines(self) }
end
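Review bot: `@diff_file&.tap { |file| file.unfold_diff_lines(self) }` now executes on every call to this method, whereas the removed code in the next hunk unfolded only when `find_diff_file` actually ran; if `unfold_diff_lines` is not idempotent or is expensive, the unfold should move back inside the memoised block. The added comment `Takes action when creating diff notes (multiple calls are submitted to this method)` does not say what action is taken — clearer would be `# Cached per request: creating a diff note calls this several times for the same position.` The enclosing `diff_file` method and the block closed by the `end` before the tap both begin above the hunk, so whether the tap sits inside or outside the memoisation cannot be confirmed from here.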
def diff_options
@@ -152,13 +158,7 @@ module Gitlab
return unless diff_refs.complete?
return unless comparison = diff_refs.compare_in(repository.project)
- file = comparison.diffs(diff_options).diff_files.first
-
- # We need to unfold diff lines according to the position in order
- # to correctly calculate the line code and trace position changes.
- file&.unfold_diff_lines(self)
-
- file
+ comparison.diffs(diff_options).diff_files.first
end
def get_formatter_class(type)
diff --git a/lib/gitlab/file_markdown_link_builder.rb b/lib/gitlab/file_markdown_link_builder.rb
index 180140e7da2..e9e5172e6f8 100644
--- a/lib/gitlab/file_markdown_link_builder.rb
+++ b/lib/gitlab/file_markdown_link_builder.rb
@@ -10,7 +10,7 @@ module Gitlab
return unless name = markdown_name
markdown = "[#{name.gsub(']', '\\]')}](#{secure_url})"
- markdown = "!#{markdown}" if image_or_video? || dangerous?
+ markdown = "!#{markdown}" if image_or_video? || dangerous_image_or_video?
markdown
end
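Review bot: The `!` embed is applied to `dangerous_image_or_video?` types (SVG) exactly as to safe ones, and nothing on the line says why that is acceptable, so someone hardening this later cannot tell whether it was deliberate. Suggested comment above the line: `# Dangerous types (e.g. SVG) are embedded too; presumably safe because Gitlab::FileTypeDetection documents they are served as attachments — confirm before relying on it.` The enclosing method starts above the hunk.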
diff --git a/lib/gitlab/file_type_detection.rb b/lib/gitlab/file_type_detection.rb
index 25ee07cf940..c2b9dfa562d 100644
--- a/lib/gitlab/file_type_detection.rb
+++ b/lib/gitlab/file_type_detection.rb
@@ -1,34 +1,59 @@
# frozen_string_literal: true
-# File helpers methods.
-# It needs the method filename to be defined.
+# The method `filename` must be defined in classes that use this module.
+#
+# This module is intended to be used as a helper and not a security gate
+# to validate that a file is safe, as it identifies files only by the
+# file extension and not its actual contents.
+#
+# An example useage of this module is in `FileMarkdownLinkBuilder` that
+# renders markdown depending on a file name.
+#
+# We use Workhorse to detect the real extension when we serve files with
+# the `SendsBlob` helper methods, and ask Workhorse to set the content
+# type when it serves the file:
+# https://gitlab.com/gitlab-org/gitlab-ce/blob/33e5955/app/helpers/workhorse_helper.rb#L48.
+#
+# Because Workhorse has access to the content when it is downloaded, if
+# the type/extension doesn't match the real type, we adjust the
+# `Content-Type` and `Content-Disposition` to the one we get from the detection.
module Gitlab
module FileTypeDetection
- IMAGE_EXT = %w[png jpg jpeg gif bmp tiff ico].freeze
+ SAFE_IMAGE_EXT = %w[png jpg jpeg gif bmp tiff ico].freeze
# We recommend using the .mp4 format over .mov. Videos in .mov format can
# still be used but you really need to make sure they are served with the
# proper MIME type video/mp4 and not video/quicktime or your videos won't play
# on IE >= 9.
# http://archive.sublimevideo.info/20150912/docs.sublimevideo.net/troubleshooting.html
- VIDEO_EXT = %w[mp4 m4v mov webm ogv].freeze
+ SAFE_VIDEO_EXT = %w[mp4 m4v mov webm ogv].freeze
+
# These extension types can contain dangerous code and should only be embedded inline with
# proper filtering. They should always be tagged as "Content-Disposition: attachment", not "inline".
- DANGEROUS_EXT = %w[svg].freeze
+ DANGEROUS_IMAGE_EXT = %w[svg].freeze
+ DANGEROUS_VIDEO_EXT = [].freeze # None, yet
def image?
- extension_match?(IMAGE_EXT)
+ extension_match?(SAFE_IMAGE_EXT)
end
def video?
- extension_match?(VIDEO_EXT)
+ extension_match?(SAFE_VIDEO_EXT)
end
def image_or_video?
image? || video?
end
- def dangerous?
- extension_match?(DANGEROUS_EXT)
+ def dangerous_image?
+ extension_match?(DANGEROUS_IMAGE_EXT)
+ end
+
+ def dangerous_video?
+ extension_match?(DANGEROUS_VIDEO_EXT)
+ end
+
+ def dangerous_image_or_video?
+ dangerous_image? || dangerous_video?
end
private
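Review bot: `useage` in the header comment's "An example useage of this module" line is a typo for `usage`, and the same header would be more useful if it named `extension_match?` as the only check performed, since that is what "identifies files only by the file extension" actually means. `extension_match?` is defined below the hunk, so whether it is case-insensitive cannot be seen here; if it is not, a file named `LOGO.SVG` would be neither `dangerous_image?` nor `image?`, which is worth confirming given the module is explicitly relied on by `FileMarkdownLinkBuilder`. `DANGEROUS_VIDEO_EXT = [].freeze` makes `dangerous_video?` unconditionally false, which is fine, but `# None, yet` could say what would qualify, e.g. `# None known; any container that can carry scripts belongs here.`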
diff --git a/lib/gitlab/usage_data.rb b/lib/gitlab/usage_data.rb
index ed2693aaedf..c5303dad558 100644
--- a/lib/gitlab/usage_data.rb
+++ b/lib/gitlab/usage_data.rb
@@ -17,7 +17,6 @@ module Gitlab
.merge(features_usage_data)
.merge(components_usage_data)
.merge(cycle_analytics_usage_data)
- .merge(usage_counters)
end
def to_json(force_refresh: false)
@@ -99,6 +98,7 @@ module Gitlab
web_hooks: count(WebHook)
}.merge(services_usage)
.merge(approximate_counts)
+ .merge(usage_counters)
}.tap do |data|
data[:counts][:user_preferences] = user_preferences_usage
end