From ef77d7f75069ca5f71261d80bc9caea59168cba2 Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Wed, 29 Mar 2023 23:48:15 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@15-9-stable-ee

---
 .../environments/environment_names_finder.rb       | 11 +---
 app/models/concerns/taskable.rb                    | 36 +++++++++-----
 app/models/project_feature.rb                      |  3 +-
 .../explore/projects/page_out_of_bounds.html.haml  |  2 +-
 lib/gitlab/regex.rb                                | 58 +++++++++++-----------
 lib/gitlab/untrusted_regexp.rb                     | 11 ++++
 .../environments/environment_names_finder_spec.rb  | 26 ++++++++--
 spec/lib/gitlab/regex_spec.rb                      | 10 ++--
 spec/lib/gitlab/untrusted_regexp_spec.rb           | 32 ++++++++++++
 spec/models/concerns/taskable_spec.rb              |  6 +--
 spec/policies/project_policy_spec.rb               |  4 +-
 .../projects/page_out_of_bounds.html.haml_spec.rb  | 26 ++++++++++
 12 files changed, 156 insertions(+), 69 deletions(-)
 create mode 100644 spec/views/explore/projects/page_out_of_bounds.html.haml_spec.rb

diff --git a/app/finders/environments/environment_names_finder.rb b/app/finders/environments/environment_names_finder.rb
index d4928f0fc84..ffb689f45e2 100644
--- a/app/finders/environments/environment_names_finder.rb
+++ b/app/finders/environments/environment_names_finder.rb
@@ -32,18 +32,9 @@ module Environments
     end
 
     def namespace_environments
-      # We assume reporter access is needed for the :read_environment permission
-      # here. This expection is also present in
-      # IssuableFinder::Params#min_access_level, which is used for filtering out
-      # merge requests that don't have the right permissions.
-      #
-      # We use this approach so we don't need to load every project into memory
-      # just to verify if we can see their environments. Doing so would not be
-      # efficient, and possibly mess up pagination if certain projects are not
-      # meant to be visible.
       projects = project_or_group
         .all_projects
-        .public_or_visible_to_user(current_user, Gitlab::Access::REPORTER)
+        .filter_by_feature_visibility(:environments, current_user)
 
       Environment.for_project(projects)
     end
diff --git a/app/models/concerns/taskable.rb b/app/models/concerns/taskable.rb
index f9eba4cc2fe..dee1c820f23 100644
--- a/app/models/concerns/taskable.rb
+++ b/app/models/concerns/taskable.rb
@@ -24,25 +24,37 @@ module Taskable
     (\s.+)                        # followed by whitespace and some text.
   }x.freeze
 
+  ITEM_PATTERN_UNTRUSTED =
+    '^' \
+    '(?:(?:>\s{0,4})*)' \
+    '(?P<prefix>(?:\s*(?:[-+*]|(?:\d+\.)))+)' \
+    '\s+' \
+    '(?P<checkbox>' \
+    "#{COMPLETE_PATTERN.source}|#{INCOMPLETE_PATTERN.source}" \
+    ')' \
+    '(?P<label>\s.+)'.freeze
+
   # ignore tasks in code or html comment blocks.  HTML blocks
   # are ok as we allow tasks inside <detail> blocks
-  REGEX = %r{
-      #{::Gitlab::Regex.markdown_code_or_html_comments}
-    |
-      (?<task_item>
-        #{ITEM_PATTERN}
-      )
-  }mx.freeze
+  REGEX =
+    "#{::Gitlab::Regex.markdown_code_or_html_comments_untrusted}" \
+    "|" \
+    "(?P<task_item>" \
+    "#{ITEM_PATTERN_UNTRUSTED}" \
+    ")".freeze
 
   def self.get_tasks(content)
     items = []
 
-    content.to_s.scan(REGEX) do
-      next unless $~[:task_item]
+    regex = Gitlab::UntrustedRegexp.new(REGEX, multiline: true)
+    regex.scan(content.to_s).each do |match|
+      next unless regex.extract_named_group(:task_item, match)
+
+      prefix = regex.extract_named_group(:prefix, match)
+      checkbox = regex.extract_named_group(:checkbox, match)
+      label = regex.extract_named_group(:label, match)
 
-      $~[:task_item].scan(ITEM_PATTERN) do |prefix, checkbox, label|
-        items << TaskList::Item.new("#{prefix.strip} #{checkbox}", label.strip)
-      end
+      items << TaskList::Item.new("#{prefix.strip} #{checkbox}", label.strip)
     end
 
     items
diff --git a/app/models/project_feature.rb b/app/models/project_feature.rb
index 168646bbe41..23b0665cb74 100644
--- a/app/models/project_feature.rb
+++ b/app/models/project_feature.rb
@@ -36,7 +36,8 @@ class ProjectFeature < ApplicationRecord
     merge_requests: Gitlab::Access::REPORTER,
     metrics_dashboard: Gitlab::Access::REPORTER,
     container_registry: Gitlab::Access::REPORTER,
-    package_registry: Gitlab::Access::REPORTER
+    package_registry: Gitlab::Access::REPORTER,
+    environments: Gitlab::Access::REPORTER
   }.freeze
   PRIVATE_FEATURES_MIN_ACCESS_LEVEL_FOR_PRIVATE_PROJECT = { repository: Gitlab::Access::REPORTER }.freeze
 
diff --git a/app/views/explore/projects/page_out_of_bounds.html.haml b/app/views/explore/projects/page_out_of_bounds.html.haml
index ef5ee2c679e..e13768a3ccb 100644
--- a/app/views/explore/projects/page_out_of_bounds.html.haml
+++ b/app/views/explore/projects/page_out_of_bounds.html.haml
@@ -18,5 +18,5 @@
       %h5= _("Maximum page reached")
       %p= _("Sorry, you have exceeded the maximum browsable page number. Please use the API to explore further.")
 
-      = render Pajamas::ButtonComponent.new(href: request.params.merge(page: @max_page_number)) do
+      = render Pajamas::ButtonComponent.new(href: safe_params.merge(page: @max_page_number)) do
         = _("Back to page %{number}") % { number: @max_page_number }
diff --git a/lib/gitlab/regex.rb b/lib/gitlab/regex.rb
index 93d23add5eb..943218a9972 100644
--- a/lib/gitlab/regex.rb
+++ b/lib/gitlab/regex.rb
@@ -448,6 +448,17 @@ module Gitlab
       )
     }mx.freeze
 
+    # Code blocks:
+    # ```
+    # Anything, including `>>>` blocks which are ignored by this filter
+    # ```
+    MARKDOWN_CODE_BLOCK_REGEX_UNTRUSTED =
+      '(?P<code>' \
+        '^```\n' \
+        '(?:\n|.)*?' \
+        '\n```\ *$' \
+      ')'.freeze
+
     MARKDOWN_HTML_BLOCK_REGEX = %r{
       (?<html>
         # HTML block:
@@ -461,27 +472,19 @@ module Gitlab
       )
     }mx.freeze
 
-    MARKDOWN_HTML_COMMENT_LINE_REGEX = %r{
-      (?<html_comment_line>
-        # HTML comment line:
-        # <!-- some commented text -->
-
-        ^<!--\ .*?\ -->\ *$
-      )
-    }mx.freeze
-
-    MARKDOWN_HTML_COMMENT_BLOCK_REGEX = %r{
-      (?<html_comment_block>
-        # HTML comment block:
-        # <!-- some commented text
-        # additional text
-        # -->
+    # HTML comment line:
+    # <!-- some commented text -->
+    MARKDOWN_HTML_COMMENT_LINE_REGEX_UNTRUSTED =
+      '(?P<html_comment_line>' \
+        '^<!--\ .*?\ -->\ *$' \
+      ')'.freeze
 
-        ^<!--.*\n
-        .+?
-        \n-->\ *$
-      )
-    }mx.freeze
+    MARKDOWN_HTML_COMMENT_BLOCK_REGEX_UNTRUSTED =
+      '(?P<html_comment_block>' \
+        '^<!--.*?\n' \
+        '(?:\n|.)*?' \
+        '\n.*?-->\ *$' \
+      ')'.freeze
 
     def markdown_code_or_html_blocks
       @markdown_code_or_html_blocks ||= %r{
@@ -491,14 +494,13 @@ module Gitlab
       }mx.freeze
     end
 
-    def markdown_code_or_html_comments
-      @markdown_code_or_html_comments ||= %r{
-          #{MARKDOWN_CODE_BLOCK_REGEX}
-        |
-          #{MARKDOWN_HTML_COMMENT_LINE_REGEX}
-        |
-          #{MARKDOWN_HTML_COMMENT_BLOCK_REGEX}
-      }mx.freeze
+    def markdown_code_or_html_comments_untrusted
+      @markdown_code_or_html_comments_untrusted ||=
+        "#{MARKDOWN_CODE_BLOCK_REGEX_UNTRUSTED}" \
+        "|" \
+        "#{MARKDOWN_HTML_COMMENT_LINE_REGEX_UNTRUSTED}" \
+        "|" \
+        "#{MARKDOWN_HTML_COMMENT_BLOCK_REGEX_UNTRUSTED}"
     end
 
     # Based on Jira's project key format
diff --git a/lib/gitlab/untrusted_regexp.rb b/lib/gitlab/untrusted_regexp.rb
index 96e74f00c78..7c7bda3a8f9 100644
--- a/lib/gitlab/untrusted_regexp.rb
+++ b/lib/gitlab/untrusted_regexp.rb
@@ -47,6 +47,17 @@ module Gitlab
       RE2.Replace(text, regexp, rewrite)
     end
 
+    # #scan returns an array of the groups captured, rather than MatchData.
+    # Use this to give the capture group name and grab the proper value
+    def extract_named_group(name, match)
+      return unless match
+
+      match_position = regexp.named_capturing_groups[name.to_s]
+      raise RegexpError, "Invalid named capture group: #{name}" unless match_position
+
+      match[match_position - 1]
+    end
+
     def ==(other)
       self.source == other.source
     end
diff --git a/spec/finders/environments/environment_names_finder_spec.rb b/spec/finders/environments/environment_names_finder_spec.rb
index 438f9e9ea7c..c2336c59119 100644
--- a/spec/finders/environments/environment_names_finder_spec.rb
+++ b/spec/finders/environments/environment_names_finder_spec.rb
@@ -6,6 +6,7 @@ RSpec.describe Environments::EnvironmentNamesFinder do
   describe '#execute' do
     let!(:group) { create(:group) }
     let!(:public_project) { create(:project, :public, namespace: group) }
+    let_it_be_with_reload(:public_project_with_private_environments) { create(:project, :public) }
     let!(:private_project) { create(:project, :private, namespace: group) }
     let!(:user) { create(:user) }
 
@@ -14,6 +15,11 @@ RSpec.describe Environments::EnvironmentNamesFinder do
       create(:environment, name: 'gprd', project: public_project)
       create(:environment, name: 'gprd', project: private_project)
       create(:environment, name: 'gcny', project: private_project)
+      create(:environment, name: 'gprivprd', project: public_project_with_private_environments)
+      create(:environment, name: 'gprivstg', project: public_project_with_private_environments)
+
+      public_project_with_private_environments.update!(namespace: group)
+      public_project_with_private_environments.project_feature.update!(environments_access_level: Featurable::PRIVATE)
     end
 
     context 'using a group' do
@@ -23,7 +29,7 @@ RSpec.describe Environments::EnvironmentNamesFinder do
 
           names = described_class.new(group, user).execute
 
-          expect(names).to eq(%w[gcny gprd gstg])
+          expect(names).to eq(%w[gcny gprd gprivprd gprivstg gstg])
         end
       end
 
@@ -33,7 +39,7 @@ RSpec.describe Environments::EnvironmentNamesFinder do
 
           names = described_class.new(group, user).execute
 
-          expect(names).to eq(%w[gcny gprd gstg])
+          expect(names).to eq(%w[gcny gprd gprivprd gprivstg gstg])
         end
       end
 
@@ -57,8 +63,18 @@ RSpec.describe Environments::EnvironmentNamesFinder do
         end
       end
 
+      context 'with a public project reporter which has private environments' do
+        it 'returns environment names for public projects' do
+          public_project_with_private_environments.add_reporter(user)
+
+          names = described_class.new(group, user).execute
+
+          expect(names).to eq(%w[gprd gprivprd gprivstg gstg])
+        end
+      end
+
       context 'with a group guest' do
-        it 'returns environment names for all public projects' do
+        it 'returns environment names for public projects' do
           group.add_guest(user)
 
           names = described_class.new(group, user).execute
@@ -68,7 +84,7 @@ RSpec.describe Environments::EnvironmentNamesFinder do
       end
 
       context 'with a non-member' do
-        it 'returns environment names for all public projects' do
+        it 'returns environment names for only public projects with public environments' do
           names = described_class.new(group, user).execute
 
           expect(names).to eq(%w[gprd gstg])
@@ -76,7 +92,7 @@ RSpec.describe Environments::EnvironmentNamesFinder do
       end
 
       context 'without a user' do
-        it 'returns environment names for all public projects' do
+        it 'returns environment names for only public projects with public environments' do
           names = described_class.new(group).execute
 
           expect(names).to eq(%w[gprd gstg])
diff --git a/spec/lib/gitlab/regex_spec.rb b/spec/lib/gitlab/regex_spec.rb
index 31de4068bc5..bc0f9e22d50 100644
--- a/spec/lib/gitlab/regex_spec.rb
+++ b/spec/lib/gitlab/regex_spec.rb
@@ -1140,7 +1140,7 @@ RSpec.describe Gitlab::Regex, feature_category: :tooling do
     end
 
     context 'HTML comment lines' do
-      subject { described_class::MARKDOWN_HTML_COMMENT_LINE_REGEX }
+      subject { Gitlab::UntrustedRegexp.new(described_class::MARKDOWN_HTML_COMMENT_LINE_REGEX_UNTRUSTED, multiline: true) }
 
       let(:expected) { [['<!-- an HTML comment -->'], ['<!-- another HTML comment -->']] }
       let(:markdown) do
@@ -1158,20 +1158,20 @@ RSpec.describe Gitlab::Regex, feature_category: :tooling do
       it { is_expected.to match(%(<!-- single line comment -->)) }
       it { is_expected.not_to match(%(<!--\nblock comment\n-->)) }
       it { is_expected.not_to match(%(must start in first column <!-- comment -->)) }
-      it { expect(markdown.scan(subject)).to eq expected }
+      it { expect(subject.scan(markdown)).to eq expected }
     end
 
     context 'HTML comment blocks' do
-      subject { described_class::MARKDOWN_HTML_COMMENT_BLOCK_REGEX }
+      subject { Gitlab::UntrustedRegexp.new(described_class::MARKDOWN_HTML_COMMENT_BLOCK_REGEX_UNTRUSTED, multiline: true) }
 
-      let(:expected) { %(<!-- the start of an HTML comment\n- [ ] list item commented out\n-->) }
+      let(:expected) { %(<!-- the start of an HTML comment\n- [ ] list item commented out\nmore text -->) }
       let(:markdown) do
         <<~MARKDOWN
         Regular text
 
         <!-- the start of an HTML comment
         - [ ] list item commented out
-        -->
+        more text -->
         MARKDOWN
       end
 
diff --git a/spec/lib/gitlab/untrusted_regexp_spec.rb b/spec/lib/gitlab/untrusted_regexp_spec.rb
index 270c4beec97..66675b20107 100644
--- a/spec/lib/gitlab/untrusted_regexp_spec.rb
+++ b/spec/lib/gitlab/untrusted_regexp_spec.rb
@@ -137,6 +137,38 @@ RSpec.describe Gitlab::UntrustedRegexp do
     end
   end
 
+  describe '#extract_named_group' do
+    let(:re) { described_class.new('(?P<name>\w+) (?P<age>\d+)|(?P<name_only>\w+)') }
+    let(:text) { 'Bob 40' }
+
+    it 'returns values for both named groups' do
+      matched = re.scan(text).first
+
+      expect(re.extract_named_group(:name, matched)).to eq 'Bob'
+      expect(re.extract_named_group(:age, matched)).to eq '40'
+    end
+
+    it 'returns nil if there was no match for group' do
+      matched = re.scan('Bob').first
+
+      expect(re.extract_named_group(:name, matched)).to be_nil
+      expect(re.extract_named_group(:age, matched)).to be_nil
+      expect(re.extract_named_group(:name_only, matched)).to eq 'Bob'
+    end
+
+    it 'returns nil if match is nil' do
+      matched = '(?P<age>\d+)'.scan(text).first
+
+      expect(re.extract_named_group(:age, matched)).to be_nil
+    end
+
+    it 'raises if name is not a capture group' do
+      matched = re.scan(text).first
+
+      expect { re.extract_named_group(:foo, matched) }.to raise_error('Invalid named capture group: foo')
+    end
+  end
+
   describe '#match' do
     context 'when there are matches' do
       it 'returns a match object' do
diff --git a/spec/models/concerns/taskable_spec.rb b/spec/models/concerns/taskable_spec.rb
index 14f346f353b..20de8995d13 100644
--- a/spec/models/concerns/taskable_spec.rb
+++ b/spec/models/concerns/taskable_spec.rb
@@ -35,11 +35,7 @@ RSpec.describe Taskable, feature_category: :team_planning do
         TaskList::Item.new('- [ ]', 'First item'),
         TaskList::Item.new('- [x]', 'Second item'),
         TaskList::Item.new('* [x]', 'First item'),
-        TaskList::Item.new('* [ ]', 'Second item'),
-        TaskList::Item.new('+ [ ]', 'No-break space (U+00A0)'),
-        TaskList::Item.new('+ [ ]', 'Figure space (U+2007)'),
-        TaskList::Item.new('+ [ ]', 'Narrow no-break space (U+202F)'),
-        TaskList::Item.new('+ [ ]', 'Thin space (U+2009)')
+        TaskList::Item.new('* [ ]', 'Second item')
       ]
     end
 
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index b2fb310aca3..c29446c1f38 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -2016,7 +2016,7 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
       :public   | ProjectFeature::ENABLED   | :anonymous  | true
       :public   | ProjectFeature::PRIVATE   | :maintainer | true
       :public   | ProjectFeature::PRIVATE   | :developer  | true
-      :public   | ProjectFeature::PRIVATE   | :guest      | true
+      :public   | ProjectFeature::PRIVATE   | :guest      | false
       :public   | ProjectFeature::PRIVATE   | :anonymous  | false
       :public   | ProjectFeature::DISABLED  | :maintainer | false
       :public   | ProjectFeature::DISABLED  | :developer  | false
@@ -2028,7 +2028,7 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
       :internal | ProjectFeature::ENABLED   | :anonymous  | false
       :internal | ProjectFeature::PRIVATE   | :maintainer | true
       :internal | ProjectFeature::PRIVATE   | :developer  | true
-      :internal | ProjectFeature::PRIVATE   | :guest      | true
+      :internal | ProjectFeature::PRIVATE   | :guest      | false
       :internal | ProjectFeature::PRIVATE   | :anonymous  | false
       :internal | ProjectFeature::DISABLED  | :maintainer | false
       :internal | ProjectFeature::DISABLED  | :developer  | false
diff --git a/spec/views/explore/projects/page_out_of_bounds.html.haml_spec.rb b/spec/views/explore/projects/page_out_of_bounds.html.haml_spec.rb
new file mode 100644
index 00000000000..1ace28be5b4
--- /dev/null
+++ b/spec/views/explore/projects/page_out_of_bounds.html.haml_spec.rb
@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'explore/projects/page_out_of_bounds.html.haml', feature_category: :projects do
+  let(:page_limit) { 10 }
+  let(:unsafe_param) { 'hacked_using_unsafe_param!' }
+
+  before do
+    assign(:max_page_number, page_limit)
+
+    controller.params[:action] = 'index'
+    controller.params[:host] = unsafe_param
+    controller.params[:protocol] = unsafe_param
+    controller.params[:sort] = 'name_asc'
+  end
+
+  it 'removes unsafe params from the link' do
+    render
+
+    href = "/explore/projects?page=#{page_limit}&sort=name_asc"
+    button_text = format(_("Back to page %{number}"), number: page_limit)
+    expect(rendered).to have_link(button_text, href: href)
+    expect(rendered).not_to include(unsafe_param)
+  end
+end
-- 
cgit v1.2.1


From 05bbfffcd3692a70849628ff36ecb8eeac4902af Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Wed, 29 Mar 2023 23:48:33 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@15-9-stable-ee

---
 app/finders/notes_finder.rb       |  8 ++++++++
 spec/finders/notes_finder_spec.rb | 20 ++++++++++++++++++++
 2 files changed, 28 insertions(+)

diff --git a/app/finders/notes_finder.rb b/app/finders/notes_finder.rb
index c542ffbce7e..81017290f12 100644
--- a/app/finders/notes_finder.rb
+++ b/app/finders/notes_finder.rb
@@ -30,6 +30,7 @@ class NotesFinder
     notes = init_collection
     notes = since_fetch_at(notes)
     notes = notes.with_notes_filter(@params[:notes_filter]) if notes_filter?
+    notes = redact_internal(notes)
     sort(notes)
   end
 
@@ -181,6 +182,13 @@ class NotesFinder
 
     notes.order_by(sort)
   end
+
+  def redact_internal(notes)
+    subject = @project || target
+    return notes if Ability.allowed?(@current_user, :read_internal_note, subject)
+
+    notes.not_internal
+  end
 end
 
 NotesFinder.prepend_mod_with('NotesFinder')
diff --git a/spec/finders/notes_finder_spec.rb b/spec/finders/notes_finder_spec.rb
index 792a14e3064..1255a882114 100644
--- a/spec/finders/notes_finder_spec.rb
+++ b/spec/finders/notes_finder_spec.rb
@@ -106,6 +106,26 @@ RSpec.describe NotesFinder do
       end
     end
 
+    context 'for notes on public issue in public project' do
+      let_it_be(:public_project) { create(:project, :public) }
+      let_it_be(:guest_member) { create(:user) }
+      let_it_be(:reporter_member) { create(:user) }
+      let_it_be(:guest_project_member) { create(:project_member, :guest, user: guest_member, project: public_project) }
+      let_it_be(:reporter_project_member) { create(:project_member, :reporter, user: reporter_member, project: public_project) }
+      let_it_be(:internal_note) { create(:note_on_issue, project: public_project, internal: true) }
+      let_it_be(:public_note) { create(:note_on_issue, project: public_project) }
+
+      it 'shows all notes when the current_user has reporter access' do
+        notes = described_class.new(reporter_member, project: public_project).execute
+        expect(notes).to contain_exactly internal_note, public_note
+      end
+
+      it 'shows only public notes when the current_user has guest access' do
+        notes = described_class.new(guest_member, project: public_project).execute
+        expect(notes).to contain_exactly public_note
+      end
+    end
+
     context 'for target type' do
       let(:project) { create(:project, :repository) }
       let!(:note1) { create :note_on_issue, project: project }
-- 
cgit v1.2.1


From 38dadcee569adfbbb1c9dc99634bba4e9a9128bc Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Wed, 29 Mar 2023 23:49:08 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@15-9-stable-ee

---
 .../merge_requests/push_options_handler_service.rb | 10 ++-
 ..._nullify_last_error_from_project_mirror_data.rb | 26 +++++++
 db/schema_migrations/20230208131808                |  1 +
 .../nullify_last_error_from_project_mirror_data.rb | 17 ++++
 lib/gitlab/url_sanitizer.rb                        | 90 ++++++++++++++--------
 ...ify_last_error_from_project_mirror_data_spec.rb | 84 ++++++++++++++++++++
 spec/lib/gitlab/url_sanitizer_spec.rb              | 31 +++++---
 ...ify_last_error_from_project_mirror_data_spec.rb | 37 +++++++++
 .../push_options_handler_service_spec.rb           | 15 ++++
 9 files changed, 267 insertions(+), 44 deletions(-)
 create mode 100644 db/post_migrate/20230208131808_nullify_last_error_from_project_mirror_data.rb
 create mode 100644 db/schema_migrations/20230208131808
 create mode 100644 lib/gitlab/background_migration/nullify_last_error_from_project_mirror_data.rb
 create mode 100644 spec/lib/gitlab/background_migration/nullify_last_error_from_project_mirror_data_spec.rb
 create mode 100644 spec/migrations/nullify_last_error_from_project_mirror_data_spec.rb

diff --git a/app/services/merge_requests/push_options_handler_service.rb b/app/services/merge_requests/push_options_handler_service.rb
index 235dc6678df..e9abafceb13 100644
--- a/app/services/merge_requests/push_options_handler_service.rb
+++ b/app/services/merge_requests/push_options_handler_service.rb
@@ -54,7 +54,15 @@ module MergeRequests
     end
 
     def validate_service
-      errors << 'User is required' if current_user.nil?
+      if current_user.nil?
+        errors << 'User is required'
+        return
+      end
+
+      unless current_user&.can?(:read_code, target_project)
+        errors << 'User access was denied'
+        return
+      end
 
       unless target_project.merge_requests_enabled?
         errors << "Merge requests are not enabled for project #{target_project.full_path}"
diff --git a/db/post_migrate/20230208131808_nullify_last_error_from_project_mirror_data.rb b/db/post_migrate/20230208131808_nullify_last_error_from_project_mirror_data.rb
new file mode 100644
index 00000000000..73e6f257498
--- /dev/null
+++ b/db/post_migrate/20230208131808_nullify_last_error_from_project_mirror_data.rb
@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+class NullifyLastErrorFromProjectMirrorData < Gitlab::Database::Migration[2.1]
+  MIGRATION = 'NullifyLastErrorFromProjectMirrorData'
+  INTERVAL = 2.minutes
+  BATCH_SIZE = 10_000
+  SUB_BATCH_SIZE = 1_000
+
+  disable_ddl_transaction!
+  restrict_gitlab_migration gitlab_schema: :gitlab_main
+
+  def up
+    queue_batched_background_migration(
+      MIGRATION,
+      :project_mirror_data,
+      :id,
+      job_interval: INTERVAL,
+      batch_size: BATCH_SIZE,
+      sub_batch_size: SUB_BATCH_SIZE
+    )
+  end
+
+  def down
+    delete_batched_background_migration(MIGRATION, :project_mirror_data, :id, [])
+  end
+end
diff --git a/db/schema_migrations/20230208131808 b/db/schema_migrations/20230208131808
new file mode 100644
index 00000000000..24c5b21f6ad
--- /dev/null
+++ b/db/schema_migrations/20230208131808
@@ -0,0 +1 @@
+784f8f189eee7b5cf3136f0a859874a1d170d2b148f4c260f968b144816f1322
\ No newline at end of file
diff --git a/lib/gitlab/background_migration/nullify_last_error_from_project_mirror_data.rb b/lib/gitlab/background_migration/nullify_last_error_from_project_mirror_data.rb
new file mode 100644
index 00000000000..6ea5c17353b
--- /dev/null
+++ b/lib/gitlab/background_migration/nullify_last_error_from_project_mirror_data.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module BackgroundMigration
+    # Nullifies last_error value from project_mirror_data table as they
+    # potentially included sensitive data.
+    # https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3041
+    class NullifyLastErrorFromProjectMirrorData < BatchedMigrationJob
+      feature_category :source_code_management
+      operation_name :update_all
+
+      def perform
+        each_sub_batch { |rel| rel.update_all(last_error: nil) }
+      end
+    end
+  end
+end
diff --git a/lib/gitlab/url_sanitizer.rb b/lib/gitlab/url_sanitizer.rb
index e3bf11b00b4..79e124a58f5 100644
--- a/lib/gitlab/url_sanitizer.rb
+++ b/lib/gitlab/url_sanitizer.rb
@@ -2,15 +2,37 @@
 
 module Gitlab
   class UrlSanitizer
+    include Gitlab::Utils::StrongMemoize
+
     ALLOWED_SCHEMES = %w[http https ssh git].freeze
     ALLOWED_WEB_SCHEMES = %w[http https].freeze
+    SCHEMIFIED_SCHEME = 'glschemelessuri'
+    SCHEMIFY_PLACEHOLDER = "#{SCHEMIFIED_SCHEME}://".freeze
+    # URI::DEFAULT_PARSER.make_regexp will only match URLs with schemes or
+    # relative URLs. This section will match schemeless URIs with userinfo
+    # e.g. user:pass@gitlab.com but will not match scp-style URIs e.g.
+    # user@server:path/to/file)
+    #
+    # The userinfo part is very loose compared to URI's implementation so we
+    # also match non-escaped userinfo e.g foo:b?r@gitlab.com which should be
+    # encoded as foo:b%3Fr@gitlab.com
+    URI_REGEXP = %r{
+    (?:
+       #{URI::DEFAULT_PARSER.make_regexp(ALLOWED_SCHEMES)}
+     |
+       (?:(?:(?!@)[%#{URI::REGEXP::PATTERN::UNRESERVED}#{URI::REGEXP::PATTERN::RESERVED}])+(?:@))
+       (?# negative lookahead ensures this isn't an SCP-style URL: [host]:[rel_path|abs_path] server:path/to/file)
+       (?!#{URI::REGEXP::PATTERN::HOST}:(?:#{URI::REGEXP::PATTERN::REL_PATH}|#{URI::REGEXP::PATTERN::ABS_PATH}))
+       #{URI::REGEXP::PATTERN::HOSTPORT}
+    )
+    }x
 
     def self.sanitize(content)
-      regexp = URI::DEFAULT_PARSER.make_regexp(ALLOWED_SCHEMES)
-
-      content.gsub(regexp) { |url| new(url).masked_url }
-    rescue Addressable::URI::InvalidURIError
-      content.gsub(regexp, '')
+      content.gsub(URI_REGEXP) do |url|
+        new(url).masked_url
+      rescue Addressable::URI::InvalidURIError
+        ''
+      end
     end
 
     def self.valid?(url, allowed_schemes: ALLOWED_SCHEMES)
@@ -37,34 +59,45 @@ module Gitlab
       @url = parse_url(url)
     end
 
+    def credentials
+      @credentials ||= { user: @url.user.presence, password: @url.password.presence }
+    end
+
+    def user
+      credentials[:user]
+    end
+
     def sanitized_url
-      @sanitized_url ||= safe_url.to_s
+      safe_url = @url.dup
+      safe_url.password = nil
+      safe_url.user = nil
+      reverse_schemify(safe_url.to_s)
     end
+    strong_memoize_attr :sanitized_url
 
     def masked_url
       url = @url.dup
       url.password = "*****" if url.password.present?
       url.user = "*****" if url.user.present?
-      url.to_s
-    end
-
-    def credentials
-      @credentials ||= { user: @url.user.presence, password: @url.password.presence }
-    end
-
-    def user
-      credentials[:user]
+      reverse_schemify(url.to_s)
     end
+    strong_memoize_attr :masked_url
 
     def full_url
-      @full_url ||= generate_full_url.to_s
+      return reverse_schemify(@url.to_s) unless valid_credentials?
+
+      url = @url.dup
+      url.password = encode_percent(credentials[:password]) if credentials[:password].present?
+      url.user = encode_percent(credentials[:user]) if credentials[:user].present?
+      reverse_schemify(url.to_s)
     end
+    strong_memoize_attr :full_url
 
     private
 
     def parse_url(url)
-      url             = url.to_s.strip
-      match           = url.match(%r{\A(?:git|ssh|http(?:s?))\://(?:(.+)(?:@))?(.+)})
+      url = schemify(url.to_s.strip)
+      match = url.match(%r{\A(?:(?:#{SCHEMIFIED_SCHEME}|git|ssh|http(?:s?)):)?//(?:(.+)(?:@))?(.+)}o)
       raw_credentials = match[1] if match
 
       if raw_credentials.present?
@@ -83,24 +116,19 @@ module Gitlab
       url
     end
 
-    def generate_full_url
-      return @url unless valid_credentials?
-
-      @url.dup.tap do |generated|
-        generated.password = encode_percent(credentials[:password]) if credentials[:password].present?
-        generated.user = encode_percent(credentials[:user]) if credentials[:user].present?
-      end
+    def schemify(url)
+      # Prepend the placeholder scheme unless the URL has a scheme or is relative
+      url.prepend(SCHEMIFY_PLACEHOLDER) unless url.starts_with?(%r{(?:#{URI::REGEXP::PATTERN::SCHEME}:)?//}o)
+      url
     end
 
-    def safe_url
-      safe_url = @url.dup
-      safe_url.password = nil
-      safe_url.user = nil
-      safe_url
+    def reverse_schemify(url)
+      url.slice!(SCHEMIFY_PLACEHOLDER) if url.starts_with?(SCHEMIFY_PLACEHOLDER)
+      url
     end
 
     def valid_credentials?
-      credentials && credentials.is_a?(Hash) && credentials.any?
+      credentials.is_a?(Hash) && credentials.values.any?
     end
 
     def encode_percent(string)
diff --git a/spec/lib/gitlab/background_migration/nullify_last_error_from_project_mirror_data_spec.rb b/spec/lib/gitlab/background_migration/nullify_last_error_from_project_mirror_data_spec.rb
new file mode 100644
index 00000000000..62f908ed79b
--- /dev/null
+++ b/spec/lib/gitlab/background_migration/nullify_last_error_from_project_mirror_data_spec.rb
@@ -0,0 +1,84 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::BackgroundMigration::NullifyLastErrorFromProjectMirrorData, feature_category: :source_code_management do # rubocop:disable Layout/LineLength
+  it 'nullifies last_error column on all rows' do
+    namespaces = table(:namespaces)
+    projects = table(:projects)
+    project_import_states = table(:project_mirror_data)
+
+    group = namespaces.create!(name: 'gitlab', path: 'gitlab-org')
+
+    project_namespace_1 = namespaces.create!(name: 'gitlab', path: 'gitlab-org')
+    project_namespace_2 = namespaces.create!(name: 'gitlab', path: 'gitlab-org')
+    project_namespace_3 = namespaces.create!(name: 'gitlab', path: 'gitlab-org')
+
+    project_1 = projects.create!(
+      namespace_id: group.id,
+      project_namespace_id: project_namespace_1.id,
+      name: 'test1'
+    )
+    project_2 = projects.create!(
+      namespace_id: group.id,
+      project_namespace_id: project_namespace_2.id,
+      name: 'test2'
+    )
+    project_3 = projects.create!(
+      namespace_id: group.id,
+      project_namespace_id: project_namespace_3.id,
+      name: 'test3'
+    )
+
+    project_import_state_1 = project_import_states.create!(
+      project_id: project_1.id,
+      status: 0,
+      last_update_started_at: 1.hour.ago,
+      last_update_scheduled_at: 1.hour.ago,
+      last_update_at: 1.hour.ago,
+      last_successful_update_at: 2.days.ago,
+      last_error: '13:fetch remote: "fatal: unable to look up user:pass@gitlab.com (port 9418) (nodename nor servname provided, or not known)\n": exit status 128.', # rubocop:disable Layout/LineLength
+      correlation_id_value: SecureRandom.uuid,
+      jid: SecureRandom.uuid
+    )
+
+    project_import_states.create!(
+      project_id: project_2.id,
+      status: 1,
+      last_update_started_at: 1.hour.ago,
+      last_update_scheduled_at: 1.hour.ago,
+      last_update_at: 1.hour.ago,
+      last_successful_update_at: nil,
+      next_execution_timestamp: 1.day.from_now,
+      last_error: '',
+      correlation_id_value: SecureRandom.uuid,
+      jid: SecureRandom.uuid
+    )
+
+    project_import_state_3 = project_import_states.create!(
+      project_id: project_3.id,
+      status: 2,
+      last_update_started_at: 1.hour.ago,
+      last_update_scheduled_at: 1.hour.ago,
+      last_update_at: 1.hour.ago,
+      last_successful_update_at: 1.hour.ago,
+      next_execution_timestamp: 1.day.from_now,
+      last_error: nil,
+      correlation_id_value: SecureRandom.uuid,
+      jid: SecureRandom.uuid
+    )
+
+    migration = described_class.new(
+      start_id: project_import_state_1.id,
+      end_id: project_import_state_3.id,
+      batch_table: :project_mirror_data,
+      batch_column: :id,
+      sub_batch_size: 1,
+      pause_ms: 0,
+      connection: ApplicationRecord.connection
+    )
+
+    w_last_error_count = -> { project_import_states.where.not(last_error: nil).count } # rubocop:disable CodeReuse/ActiveRecord
+    expect { migration.perform }.to change(&w_last_error_count).from(2).to(0)
+  end
+end
diff --git a/spec/lib/gitlab/url_sanitizer_spec.rb b/spec/lib/gitlab/url_sanitizer_spec.rb
index 0ffbf5f81e7..c02cbef8328 100644
--- a/spec/lib/gitlab/url_sanitizer_spec.rb
+++ b/spec/lib/gitlab/url_sanitizer_spec.rb
@@ -10,29 +10,36 @@ RSpec.describe Gitlab::UrlSanitizer do
       # We want to try with multi-line content because is how error messages are formatted
       described_class.sanitize(%Q{
          remote: Not Found
-         fatal: repository '#{url}' not found
+         fatal: repository `#{url}` not found
       })
     end
 
     where(:input, :output) do
-      'http://user:pass@test.com/root/repoC.git/'  | 'http://*****:*****@test.com/root/repoC.git/'
-      'https://user:pass@test.com/root/repoA.git/' | 'https://*****:*****@test.com/root/repoA.git/'
-      'ssh://user@host.test/path/to/repo.git'      | 'ssh://*****@host.test/path/to/repo.git'
-
-      # git protocol does not support authentication but clean any details anyway
-      'git://user:pass@host.test/path/to/repo.git' | 'git://*****:*****@host.test/path/to/repo.git'
-      'git://host.test/path/to/repo.git'           | 'git://host.test/path/to/repo.git'
+      # http(s), ssh, git, relative, and schemeless URLs should all be masked correctly
+      urls = ['http://', 'https://', 'ssh://', 'git://', '//', ''].flat_map do |protocol|
+        [
+          ["#{protocol}test.com", "#{protocol}test.com"],
+          ["#{protocol}test.com/", "#{protocol}test.com/"],
+          ["#{protocol}test.com/path/to/repo.git", "#{protocol}test.com/path/to/repo.git"],
+          ["#{protocol}user@test.com", "#{protocol}*****@test.com"],
+          ["#{protocol}user:pass@test.com", "#{protocol}*****:*****@test.com"],
+          ["#{protocol}user:@test.com", "#{protocol}*****@test.com"],
+          ["#{protocol}:pass@test.com", "#{protocol}:*****@test.com"]
+        ]
+      end
 
       # SCP-style URLs are left unmodified
-      'user@server:project.git'      | 'user@server:project.git'
-      'user:pass@server:project.git' | 'user:pass@server:project.git'
+      urls << ['user@server:project.git', 'user@server:project.git']
+      urls << ['user:@server:project.git', 'user:@server:project.git']
+      urls << [':pass@server:project.git', ':pass@server:project.git']
+      urls << ['user:pass@server:project.git', 'user:pass@server:project.git']
 
       # return an empty string for invalid URLs
-      'ssh://' | ''
+      urls << ['ssh://', '']
     end
 
     with_them do
-      it { expect(sanitize_url(input)).to include("repository '#{output}' not found") }
+      it { expect(sanitize_url(input)).to include("repository `#{output}` not found") }
     end
   end
 
diff --git a/spec/migrations/nullify_last_error_from_project_mirror_data_spec.rb b/spec/migrations/nullify_last_error_from_project_mirror_data_spec.rb
new file mode 100644
index 00000000000..6c5679b674e
--- /dev/null
+++ b/spec/migrations/nullify_last_error_from_project_mirror_data_spec.rb
@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+require_migration!
+
+RSpec.describe NullifyLastErrorFromProjectMirrorData, feature_category: :source_code_management do
+  let(:migration) { described_class::MIGRATION }
+
+  before do
+    migrate!
+  end
+
+  describe '#up' do
+    it 'schedules background jobs for each batch of projects' do
+      expect(migration).to(
+        have_scheduled_batched_migration(
+          table_name: :project_mirror_data,
+          column_name: :id,
+          interval: described_class::INTERVAL,
+          batch_size: described_class::BATCH_SIZE,
+          sub_batch_size: described_class::SUB_BATCH_SIZE
+        )
+      )
+    end
+  end
+
+  describe '#down' do
+    before do
+      schema_migrate_down!
+    end
+
+    it 'deletes all batched migration records' do
+      expect(migration).not_to have_scheduled_batched_migration
+    end
+  end
+end
diff --git a/spec/services/merge_requests/push_options_handler_service_spec.rb b/spec/services/merge_requests/push_options_handler_service_spec.rb
index 251bf6f0d9d..03f3d56cdd2 100644
--- a/spec/services/merge_requests/push_options_handler_service_spec.rb
+++ b/spec/services/merge_requests/push_options_handler_service_spec.rb
@@ -861,6 +861,21 @@ RSpec.describe MergeRequests::PushOptionsHandlerService do
     end
   end
 
+  describe 'when user does not have access to target project' do
+    let(:push_options) { { create: true, target: 'my-branch' } }
+    let(:changes) { default_branch_changes }
+
+    before do
+      allow(user1).to receive(:can?).with(:read_code, project).and_return(false)
+    end
+
+    it 'records an error', :sidekiq_inline do
+      service.execute
+
+      expect(service.errors).to eq(["User access was denied"])
+    end
+  end
+
   describe 'when MRs are not enabled' do
     let(:project) { create(:project, :public, :repository).tap { |pr| pr.add_developer(user1) } }
     let(:push_options) { { create: true } }
-- 
cgit v1.2.1


From 52dd3cdae10174cc35af6698b280acd1431cc4f8 Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Wed, 29 Mar 2023 23:52:27 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@15-9-stable-ee

---
 app/models/hooks/web_hook.rb                       | 18 +++++++--
 app/policies/project_policy.rb                     |  1 -
 .../output_example_snapshots/snapshot_spec.html    | 16 ++++----
 lib/api/repositories.rb                            |  4 ++
 lib/gitlab/unicode.rb                              |  6 +++
 lib/rouge/formatters/html_gitlab.rb                |  9 ++++-
 spec/controllers/admin/hooks_controller_spec.rb    |  3 +-
 .../projects/clusters_controller_spec.rb           | 23 ++++++++++-
 .../environments/prometheus_api_controller_spec.rb | 23 ++++++++++-
 spec/factories/project_hooks.rb                    |  2 +-
 spec/helpers/hooks_helper_spec.rb                  |  2 +-
 spec/lib/rouge/formatters/html_gitlab_spec.rb      | 21 +++++++++-
 spec/models/hooks/web_hook_spec.rb                 | 28 +++++++++++++
 spec/policies/project_policy_spec.rb               | 46 ++++++++++++++++++++--
 spec/requests/api/repositories_spec.rb             | 16 ++++++++
 spec/services/web_hook_service_spec.rb             |  4 +-
 16 files changed, 198 insertions(+), 24 deletions(-)

diff --git a/app/models/hooks/web_hook.rb b/app/models/hooks/web_hook.rb
index 819152a38c8..7202a530feb 100644
--- a/app/models/hooks/web_hook.rb
+++ b/app/models/hooks/web_hook.rb
@@ -41,7 +41,7 @@ class WebHook < ApplicationRecord
   after_initialize :initialize_url_variables
 
   before_validation :reset_token
-  before_validation :reset_url_variables, unless: ->(hook) { hook.is_a?(ServiceHook) }
+  before_validation :reset_url_variables, unless: ->(hook) { hook.is_a?(ServiceHook) }, on: :update
   before_validation :set_branch_filter_nil, if: :branch_filter_strategy_all_branches?
   validates :push_events_branch_filter, untrusted_regexp: true, if: :branch_filter_strategy_regex?
   validates :push_events_branch_filter, "web_hooks/wildcard_branch_filter": true, if: :branch_filter_strategy_wildcard?
@@ -150,7 +150,7 @@ class WebHook < ApplicationRecord
   # See app/validators/json_schemas/web_hooks_url_variables.json
   VARIABLE_REFERENCE_RE = /\{([A-Za-z]+[0-9]*(?:[._-][A-Za-z0-9]+)*)\}/.freeze
 
-  def interpolated_url
+  def interpolated_url(url = self.url, url_variables = self.url_variables)
     return url unless url.include?('{')
 
     vars = url_variables
@@ -176,7 +176,19 @@ class WebHook < ApplicationRecord
   end
 
   def reset_url_variables
-    self.url_variables = {} if url_changed? && !encrypted_url_variables_changed?
+    interpolated_url_was = interpolated_url(decrypt_url_was, url_variables_were)
+
+    return if url_variables_were.empty? || interpolated_url_was == interpolated_url
+
+    self.url_variables = {} if url_changed? && url_variables_were.to_a.intersection(url_variables.to_a).any?
+  end
+
+  def decrypt_url_was
+    self.class.decrypt_url(encrypted_url_was, iv: Base64.decode64(encrypted_url_iv_was))
+  end
+
+  def url_variables_were
+    self.class.decrypt_url_variables(encrypted_url_variables_was, iv: encrypted_url_variables_iv_was)
   end
 
   def next_failure_count
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 875520d24be..3d22002e828 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -412,7 +412,6 @@ class ProjectPolicy < BasePolicy
   end
 
   rule { can?(:metrics_dashboard) }.policy do
-    enable :read_prometheus
     enable :read_deployment
   end
 
diff --git a/glfm_specification/output_example_snapshots/snapshot_spec.html b/glfm_specification/output_example_snapshots/snapshot_spec.html
index 96131037648..e1ef404ed03 100644
--- a/glfm_specification/output_example_snapshots/snapshot_spec.html
+++ b/glfm_specification/output_example_snapshots/snapshot_spec.html
@@ -7028,7 +7028,7 @@ references and their corresponding code points.</p>
 <copy-code></copy-code>
 </div>
 <div class="gl-relative markdown-code-block js-markdown-code">
-<pre data-sourcepos="7591:1-7595:32" lang="plaintext" class="code highlight js-syntax-highlight language-plaintext" data-canonical-lang="" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">&lt;p&gt;  &amp;amp; © Æ Ď</span>
+<pre data-sourcepos="7591:1-7595:32" lang="plaintext" class="code highlight js-syntax-highlight language-plaintext" data-canonical-lang="" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">&lt;p&gt;  &amp;amp; © Æ Ď</span>
 <span id="LC2" class="line" lang="plaintext">¾ ℋ ⅆ</span>
 <span id="LC3" class="line" lang="plaintext">∲ ≧̸&lt;/p&gt;</span></code></pre>
 <copy-code></copy-code>
@@ -7344,11 +7344,11 @@ stripped in this way:</p>
 <div>
 <div><a href="#example-343">Example 343</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
-<pre data-sourcepos="7960:1-7962:32" lang="plaintext" class="code highlight js-syntax-highlight language-plaintext" data-canonical-lang="example" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">` b `</span></code></pre>
+<pre data-sourcepos="7960:1-7962:32" lang="plaintext" class="code highlight js-syntax-highlight language-plaintext" data-canonical-lang="example" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">` b `</span></code></pre>
 <copy-code></copy-code>
 </div>
 <div class="gl-relative markdown-code-block js-markdown-code">
-<pre data-sourcepos="7964:1-7966:32" lang="plaintext" class="code highlight js-syntax-highlight language-plaintext" data-canonical-lang="" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">&lt;p&gt;&lt;code&gt; b &lt;/code&gt;&lt;/p&gt;</span></code></pre>
+<pre data-sourcepos="7964:1-7966:32" lang="plaintext" class="code highlight js-syntax-highlight language-plaintext" data-canonical-lang="" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">&lt;p&gt;&lt;code&gt; b &lt;/code&gt;&lt;/p&gt;</span></code></pre>
 <copy-code></copy-code>
 </div>
 </div>
@@ -7356,12 +7356,12 @@ stripped in this way:</p>
 <div>
 <div><a href="#example-344">Example 344</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
-<pre data-sourcepos="7974:1-7977:32" lang="plaintext" class="code highlight js-syntax-highlight language-plaintext" data-canonical-lang="example" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">` `</span>
+<pre data-sourcepos="7974:1-7977:32" lang="plaintext" class="code highlight js-syntax-highlight language-plaintext" data-canonical-lang="example" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">` `</span>
 <span id="LC2" class="line" lang="plaintext">`  `</span></code></pre>
 <copy-code></copy-code>
 </div>
 <div class="gl-relative markdown-code-block js-markdown-code">
-<pre data-sourcepos="7979:1-7982:32" lang="plaintext" class="code highlight js-syntax-highlight language-plaintext" data-canonical-lang="" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">&lt;p&gt;&lt;code&gt; &lt;/code&gt;</span>
+<pre data-sourcepos="7979:1-7982:32" lang="plaintext" class="code highlight js-syntax-highlight language-plaintext" data-canonical-lang="" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">&lt;p&gt;&lt;code&gt; &lt;/code&gt;</span>
 <span id="LC2" class="line" lang="plaintext">&lt;code&gt;  &lt;/code&gt;&lt;/p&gt;</span></code></pre>
 <copy-code></copy-code>
 </div>
@@ -7832,11 +7832,11 @@ not part of a [left-flanking delimiter run]:</p>
 <div>
 <div><a href="#example-363">Example 363</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
-<pre data-sourcepos="8485:1-8487:32" lang="plaintext" class="code highlight js-syntax-highlight language-plaintext" data-canonical-lang="example" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">* a *</span></code></pre>
+<pre data-sourcepos="8485:1-8487:32" lang="plaintext" class="code highlight js-syntax-highlight language-plaintext" data-canonical-lang="example" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">* a *</span></code></pre>
 <copy-code></copy-code>
 </div>
 <div class="gl-relative markdown-code-block js-markdown-code">
-<pre data-sourcepos="8489:1-8491:32" lang="plaintext" class="code highlight js-syntax-highlight language-plaintext" data-canonical-lang="" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">&lt;p&gt;* a *&lt;/p&gt;</span></code></pre>
+<pre data-sourcepos="8489:1-8491:32" lang="plaintext" class="code highlight js-syntax-highlight language-plaintext" data-canonical-lang="" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">&lt;p&gt;* a *&lt;/p&gt;</span></code></pre>
 <copy-code></copy-code>
 </div>
 </div>
@@ -9790,7 +9790,7 @@ Other [Unicode whitespace] like non-breaking space doesn't work.</p>
 <div>
 <div><a href="#example-515">Example 515</a></div>
 <div class="gl-relative markdown-code-block js-markdown-code">
-<pre data-sourcepos="10823:1-10825:32" lang="plaintext" class="code highlight js-syntax-highlight language-plaintext" data-canonical-lang="example" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">[link](/url "title")</span></code></pre>
+<pre data-sourcepos="10823:1-10825:32" lang="plaintext" class="code highlight js-syntax-highlight language-plaintext" data-canonical-lang="example" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">[link](/url "title")</span></code></pre>
 <copy-code></copy-code>
 </div>
 <div class="gl-relative markdown-code-block js-markdown-code">
diff --git a/lib/api/repositories.rb b/lib/api/repositories.rb
index 70535496b12..6f8d34ea387 100644
--- a/lib/api/repositories.rb
+++ b/lib/api/repositories.rb
@@ -203,6 +203,10 @@ module API
           render_api_error!("Target project id:#{params[:from_project_id]} is not a fork of project id:#{params[:id]}", 400)
         end
 
+        unless can?(current_user, :read_code, target_project)
+          forbidden!("You don't have access to this fork's parent project")
+        end
+
         cache_key = compare_cache_key(current_user, user_project, target_project, declared_params)
 
         cache_action(cache_key, expires_in: 1.minute) do
diff --git a/lib/gitlab/unicode.rb b/lib/gitlab/unicode.rb
index b49c5647dab..f291ea1b4ee 100644
--- a/lib/gitlab/unicode.rb
+++ b/lib/gitlab/unicode.rb
@@ -9,6 +9,12 @@ module Gitlab
     # https://idiosyncratic-ruby.com/41-proper-unicoding.html
     BIDI_REGEXP = /\p{Bidi Control}/.freeze
 
+    # Regular expression for identifying space characters
+    #
+    # In web browsers space characters can be confused with simple
+    # spaces which may be misleading
+    SPACE_REGEXP = /\p{Space_Separator}/.freeze
+
     class << self
       # Warning message used to highlight bidi characters in the GUI
       def bidi_warning
diff --git a/lib/rouge/formatters/html_gitlab.rb b/lib/rouge/formatters/html_gitlab.rb
index 436739bed12..a7e95a96b8b 100644
--- a/lib/rouge/formatters/html_gitlab.rb
+++ b/lib/rouge/formatters/html_gitlab.rb
@@ -25,7 +25,10 @@ module Rouge
           yield %(<span id="LC#{@line_number}" class="line" lang="#{@tag}">)
 
           line.each do |token, value|
-            yield highlight_unicode_control_characters(span(token, value.chomp! || value))
+            value = value.chomp! || value
+            value = replace_space_characters(value)
+
+            yield highlight_unicode_control_characters(span(token, value))
           end
 
           yield ellipsis if @ellipsis_indexes.include?(@line_number - 1) && @ellipsis_svg.present?
@@ -42,6 +45,10 @@ module Rouge
         %(<span class="gl-px-2 gl-rounded-base gl-mx-2 gl-bg-gray-100 gl-cursor-help has-tooltip" title="Content has been trimmed">#{@ellipsis_svg}</span>)
       end
 
+      def replace_space_characters(text)
+        text.gsub(Gitlab::Unicode::SPACE_REGEXP, ' ')
+      end
+
       def highlight_unicode_control_characters(text)
         text.gsub(Gitlab::Unicode::BIDI_REGEXP) do |char|
           %(<span class="unicode-bidi has-tooltip" data-toggle="tooltip" title="#{Gitlab::Unicode.bidi_warning}">#{char}</span>)
diff --git a/spec/controllers/admin/hooks_controller_spec.rb b/spec/controllers/admin/hooks_controller_spec.rb
index 4101bd7f658..4e68ffdda2a 100644
--- a/spec/controllers/admin/hooks_controller_spec.rb
+++ b/spec/controllers/admin/hooks_controller_spec.rb
@@ -59,6 +59,7 @@ RSpec.describe Admin::HooksController do
         enable_ssl_verification: false,
         url_variables: [
           { key: 'token', value: 'some secret value' },
+          { key: 'baz', value: 'qux' },
           { key: 'foo', value: nil }
         ]
       }
@@ -71,7 +72,7 @@ RSpec.describe Admin::HooksController do
       expect(flash[:notice]).to include('was updated')
       expect(hook).to have_attributes(hook_params.except(:url_variables))
       expect(hook).to have_attributes(
-        url_variables: { 'token' => 'some secret value', 'baz' => 'woo' }
+        url_variables: { 'token' => 'some secret value', 'baz' => 'qux' }
       )
     end
   end
diff --git a/spec/controllers/projects/clusters_controller_spec.rb b/spec/controllers/projects/clusters_controller_spec.rb
index a4f7c92f5cd..c7d2b1fa3af 100644
--- a/spec/controllers/projects/clusters_controller_spec.rb
+++ b/spec/controllers/projects/clusters_controller_spec.rb
@@ -7,7 +7,7 @@ RSpec.describe Projects::ClustersController, feature_category: :kubernetes_manag
   include GoogleApi::CloudPlatformHelpers
   include KubernetesHelpers
 
-  let_it_be(:project) { create(:project) }
+  let_it_be_with_reload(:project) { create(:project) }
 
   let(:user) { create(:user) }
 
@@ -140,6 +140,27 @@ RSpec.describe Projects::ClustersController, feature_category: :kubernetes_manag
           expect(response).to redirect_to(new_user_session_path)
         end
       end
+
+      context 'with a public project' do
+        before do
+          project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+          project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::ENABLED)
+        end
+
+        context 'with guest user' do
+          let(:prometheus_body) { nil }
+
+          before do
+            project.add_guest(user)
+          end
+
+          it 'returns 404' do
+            get :prometheus_proxy, params: prometheus_proxy_params
+
+            expect(response).to have_gitlab_http_status(:not_found)
+          end
+        end
+      end
     end
   end
 
diff --git a/spec/controllers/projects/environments/prometheus_api_controller_spec.rb b/spec/controllers/projects/environments/prometheus_api_controller_spec.rb
index 68d50cf19f0..6b0c164e432 100644
--- a/spec/controllers/projects/environments/prometheus_api_controller_spec.rb
+++ b/spec/controllers/projects/environments/prometheus_api_controller_spec.rb
@@ -4,7 +4,7 @@ require 'spec_helper'
 
 RSpec.describe Projects::Environments::PrometheusApiController do
   let_it_be(:user) { create(:user) }
-  let_it_be(:project) { create(:project) }
+  let_it_be_with_reload(:project) { create(:project) }
   let_it_be(:proxyable) { create(:environment, project: project) }
 
   before do
@@ -70,6 +70,27 @@ RSpec.describe Projects::Environments::PrometheusApiController do
           expect(response).to redirect_to(new_user_session_path)
         end
       end
+
+      context 'with a public project' do
+        before do
+          project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+          project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::ENABLED)
+        end
+
+        context 'with guest user' do
+          let(:prometheus_body) { nil }
+
+          before do
+            project.add_guest(user)
+          end
+
+          it 'returns 404' do
+            get :prometheus_proxy, params: prometheus_proxy_params
+
+            expect(response).to have_gitlab_http_status(:not_found)
+          end
+        end
+      end
     end
   end
 end
diff --git a/spec/factories/project_hooks.rb b/spec/factories/project_hooks.rb
index 946b3925ee9..d84e287d765 100644
--- a/spec/factories/project_hooks.rb
+++ b/spec/factories/project_hooks.rb
@@ -7,7 +7,7 @@ FactoryBot.define do
     project
 
     trait :url_variables do
-      url_variables { { 'abc' => 'supers3cret' } }
+      url_variables { { 'abc' => 'supers3cret', 'def' => 'foobar' } }
     end
 
     trait :token do
diff --git a/spec/helpers/hooks_helper_spec.rb b/spec/helpers/hooks_helper_spec.rb
index a6cfbfe86ca..d8fa64e099a 100644
--- a/spec/helpers/hooks_helper_spec.rb
+++ b/spec/helpers/hooks_helper_spec.rb
@@ -26,7 +26,7 @@ RSpec.describe HooksHelper do
       it 'returns proper data' do
         expect(subject).to match(
           url: project_hook.url,
-          url_variables: Gitlab::Json.dump([{ key: 'abc' }])
+          url_variables: Gitlab::Json.dump([{ key: 'abc' }, { key: 'def' }])
         )
       end
     end
diff --git a/spec/lib/rouge/formatters/html_gitlab_spec.rb b/spec/lib/rouge/formatters/html_gitlab_spec.rb
index 79bfdb262c0..6fc1b395fc8 100644
--- a/spec/lib/rouge/formatters/html_gitlab_spec.rb
+++ b/spec/lib/rouge/formatters/html_gitlab_spec.rb
@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-RSpec.describe Rouge::Formatters::HTMLGitlab do
+RSpec.describe Rouge::Formatters::HTMLGitlab, feature_category: :source_code_management do
   describe '#format' do
     subject { described_class.format(tokens, **options) }
 
@@ -67,5 +67,24 @@ RSpec.describe Rouge::Formatters::HTMLGitlab do
         is_expected.to include(%{<span class="unicode-bidi has-tooltip" data-toggle="tooltip" title="#{message}">}).exactly(4).times
       end
     end
+
+    context 'when space characters and zero-width spaces are used' do
+      let(:lang) { 'ruby' }
+      let(:tokens) { lexer.lex(code, continue: false) }
+
+      let(:code) do
+        <<~JS
+          def\u00a0\u1680\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007\u2008\u2009\u200a\u202f\u205f\u3000hello
+        JS
+      end
+
+      it 'replaces the space characters with spaces' do
+        is_expected.to eq(
+          "<span id=\"LC1\" class=\"line\" lang=\"ruby\">" \
+          "<span class=\"k\">def</span><span class=\"err\">                </span><span class=\"n\">hello</span>" \
+          "</span>"
+        )
+      end
+    end
   end
 end
diff --git a/spec/models/hooks/web_hook_spec.rb b/spec/models/hooks/web_hook_spec.rb
index 72958a54e10..ad5f01fe056 100644
--- a/spec/models/hooks/web_hook_spec.rb
+++ b/spec/models/hooks/web_hook_spec.rb
@@ -242,6 +242,22 @@ RSpec.describe WebHook, feature_category: :integrations do
         expect(hook.url_variables).to eq({})
       end
 
+      it 'resets url variables if url is changed and url variables are appended' do
+        hook.url = 'http://suspicious.example.com/{abc}/{foo}'
+        hook.url_variables = hook.url_variables.merge('foo' => 'bar')
+
+        expect(hook).not_to be_valid
+        expect(hook.url_variables).to eq({})
+      end
+
+      it 'resets url variables if url is changed and url variables are removed' do
+        hook.url = 'http://suspicious.example.com/{abc}'
+        hook.url_variables = hook.url_variables.except("def")
+
+        expect(hook).not_to be_valid
+        expect(hook.url_variables).to eq({})
+      end
+
       it 'does not reset url variables if both url and url variables are changed' do
         hook.url = 'http://example.com/{one}/{two}'
         hook.url_variables = { 'one' => 'foo', 'two' => 'bar' }
@@ -249,6 +265,18 @@ RSpec.describe WebHook, feature_category: :integrations do
         expect(hook).to be_valid
         expect(hook.url_variables).to eq({ 'one' => 'foo', 'two' => 'bar' })
       end
+
+      context 'without url variables' do
+        subject(:hook) { build_stubbed(:project_hook, project: project, url: 'http://example.com') }
+
+        it 'does not reset url variables' do
+          hook.url = 'http://example.com/{one}/{two}'
+          hook.url_variables = { 'one' => 'foo', 'two' => 'bar' }
+
+          expect(hook).to be_valid
+          expect(hook.url_variables).to eq({ 'one' => 'foo', 'two' => 'bar' })
+        end
+      end
     end
 
     it "only consider these branch filter strategies are valid" do
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index c29446c1f38..0c359b80fb5 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -697,6 +697,39 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
     end
   end
 
+  describe 'read_prometheus', feature_category: :metrics do
+    using RSpec::Parameterized::TableSyntax
+
+    before do
+      project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::ENABLED)
+    end
+
+    let(:policy) { :read_prometheus }
+
+    where(:project_visibility, :role, :allowed) do
+      :public   | :anonymous | false
+      :public   | :guest     | false
+      :public   | :reporter  | true
+      :internal | :anonymous | false
+      :internal | :guest     | false
+      :internal | :reporter  | true
+      :private  | :anonymous | false
+      :private  | :guest     | false
+      :private  | :reporter  | true
+    end
+
+    with_them do
+      let(:current_user) { public_send(role) }
+      let(:project) { public_send("#{project_visibility}_project") }
+
+      if params[:allowed]
+        it { is_expected.to be_allowed(policy) }
+      else
+        it { is_expected.not_to be_allowed(policy) }
+      end
+    end
+  end
+
   describe 'update_max_artifacts_size' do
     context 'when no user' do
       let(:current_user) { anonymous }
@@ -972,7 +1005,7 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
           let(:current_user) { guest }
 
           it { is_expected.to be_allowed(:metrics_dashboard) }
-          it { is_expected.to be_allowed(:read_prometheus) }
+          it { is_expected.to be_disallowed(:read_prometheus) }
           it { is_expected.to be_allowed(:read_deployment) }
           it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) }
           it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) }
@@ -982,7 +1015,7 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
           let(:current_user) { anonymous }
 
           it { is_expected.to be_allowed(:metrics_dashboard) }
-          it { is_expected.to be_allowed(:read_prometheus) }
+          it { is_expected.to be_disallowed(:read_prometheus) }
           it { is_expected.to be_allowed(:read_deployment) }
           it { is_expected.to be_disallowed(:read_metrics_user_starred_dashboard) }
           it { is_expected.to be_disallowed(:create_metrics_user_starred_dashboard) }
@@ -1008,12 +1041,14 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
           let(:current_user) { guest }
 
           it { is_expected.to be_disallowed(:metrics_dashboard) }
+          it { is_expected.to be_disallowed(:read_prometheus) }
         end
 
         context 'with anonymous' do
           let(:current_user) { anonymous }
 
           it { is_expected.to be_disallowed(:metrics_dashboard) }
+          it { is_expected.to be_disallowed(:read_prometheus) }
         end
       end
 
@@ -1036,7 +1071,7 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
           let(:current_user) { guest }
 
           it { is_expected.to be_allowed(:metrics_dashboard) }
-          it { is_expected.to be_allowed(:read_prometheus) }
+          it { is_expected.to be_disallowed(:read_prometheus) }
           it { is_expected.to be_allowed(:read_deployment) }
           it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) }
           it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) }
@@ -1046,6 +1081,7 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
           let(:current_user) { anonymous }
 
           it { is_expected.to be_disallowed(:metrics_dashboard) }
+          it { is_expected.to be_disallowed(:read_prometheus) }
         end
       end
     end
@@ -1068,12 +1104,14 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
           let(:current_user) { guest }
 
           it { is_expected.to be_disallowed(:metrics_dashboard) }
+          it { is_expected.to be_disallowed(:read_prometheus) }
         end
 
         context 'with anonymous' do
           let(:current_user) { anonymous }
 
           it { is_expected.to be_disallowed(:metrics_dashboard) }
+          it { is_expected.to be_disallowed(:read_prometheus) }
         end
       end
 
@@ -1092,12 +1130,14 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
           let(:current_user) { guest }
 
           it { is_expected.to be_disallowed(:metrics_dashboard) }
+          it { is_expected.to be_disallowed(:read_prometheus) }
         end
 
         context 'with anonymous' do
           let(:current_user) { anonymous }
 
           it { is_expected.to be_disallowed(:metrics_dashboard) }
+          it { is_expected.to be_disallowed(:read_prometheus) }
         end
       end
     end
diff --git a/spec/requests/api/repositories_spec.rb b/spec/requests/api/repositories_spec.rb
index 555ba2bc978..be26fe24061 100644
--- a/spec/requests/api/repositories_spec.rb
+++ b/spec/requests/api/repositories_spec.rb
@@ -573,6 +573,22 @@ RSpec.describe API::Repositories, feature_category: :source_code_management do
     context 'when authenticated', 'as a developer' do
       it_behaves_like 'repository compare' do
         let(:current_user) { user }
+
+        context 'when user does not have read access to the parent project' do
+          let_it_be(:group) { create(:group) }
+          let(:forked_project) { fork_project(project, current_user, repository: true, namespace: group) }
+
+          before do
+            forked_project.add_guest(current_user)
+          end
+
+          it 'returns 403 error' do
+            get api(route, current_user), params: { from: 'improve/awesome', to: 'feature', from_project_id: forked_project.id }
+
+            expect(response).to have_gitlab_http_status(:forbidden)
+            expect(json_response['message']).to eq("403 Forbidden - You don't have access to this fork's parent project")
+          end
+        end
       end
     end
 
diff --git a/spec/services/web_hook_service_spec.rb b/spec/services/web_hook_service_spec.rb
index 5736bf885be..b4250fcf04d 100644
--- a/spec/services/web_hook_service_spec.rb
+++ b/spec/services/web_hook_service_spec.rb
@@ -130,8 +130,8 @@ RSpec.describe WebHookService, :request_store, :clean_gitlab_redis_shared_state,
       context 'there is userinfo' do
         before do
           project_hook.update!(
-            url: 'http://{one}:{two}@example.com',
-            url_variables: { 'one' => 'a', 'two' => 'b' }
+            url: 'http://{foo}:{bar}@example.com',
+            url_variables: { 'foo' => 'a', 'bar' => 'b' }
           )
           stub_full_request('http://example.com', method: :post)
         end
-- 
cgit v1.2.1


From 22afa6177e5cdd2843502d425cb584135a35df60 Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Wed, 29 Mar 2023 23:54:01 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@15-9-stable-ee

---
 .../behaviors/markdown/render_observability.js     | 45 ++++++++++------
 app/assets/javascripts/pages/projects/project.js   |  3 +-
 app/assets/javascripts/repository/index.js         |  7 +--
 .../repository/utils/ref_switcher_utils.js         | 27 ++++++----
 app/controllers/concerns/confirm_email_warning.rb  | 14 +++--
 app/controllers/projects/blob_controller.rb        | 10 ++++
 app/controllers/projects/refs_controller.rb        |  2 +-
 app/controllers/projects/tree_controller.rb        |  9 ++++
 app/controllers/projects_controller.rb             | 10 +++-
 app/views/projects/tree/_tree_header.html.haml     |  2 +-
 lib/banzai/filter/inline_observability_filter.rb   | 16 ++++--
 lib/extracts_ref.rb                                | 14 ++++-
 locale/gitlab.pot                                  |  3 ++
 .../concerns/confirm_email_warning_spec.rb         | 34 +++++++++++-
 spec/controllers/projects/blob_controller_spec.rb  | 33 ++++++++++--
 spec/controllers/projects/refs_controller_spec.rb  |  2 +-
 spec/controllers/projects/tree_controller_spec.rb  | 37 ++++++++++---
 spec/controllers/projects_controller_spec.rb       | 63 ++++++++++++++++++++++
 spec/features/admin/users/user_spec.rb             | 30 +++++++++++
 .../markdown/render_observability_spec.js          | 12 ++++-
 .../repository/utils/ref_switcher_utils_spec.js    | 29 ++++++++--
 .../filter/inline_observability_filter_spec.rb     | 52 ++++++++++++++++++
 22 files changed, 395 insertions(+), 59 deletions(-)

diff --git a/app/assets/javascripts/behaviors/markdown/render_observability.js b/app/assets/javascripts/behaviors/markdown/render_observability.js
index 704d85cf22e..d5d46c10efd 100644
--- a/app/assets/javascripts/behaviors/markdown/render_observability.js
+++ b/app/assets/javascripts/behaviors/markdown/render_observability.js
@@ -7,23 +7,36 @@ export function getFrameSrc(url) {
 }
 
 const mountVueComponent = (element) => {
-  const url = [element.dataset.frameUrl];
+  const { frameUrl, observabilityUrl } = element.dataset;
 
-  return new Vue({
-    el: element,
-    render(h) {
-      return h('iframe', {
-        style: {
-          height: '366px',
-          width: '768px',
-        },
-        attrs: {
-          src: getFrameSrc(url),
-          frameBorder: '0',
-        },
-      });
-    },
-  });
+  try {
+    if (
+      !observabilityUrl ||
+      !frameUrl ||
+      new URL(frameUrl)?.host !== new URL(observabilityUrl).host
+    )
+      return;
+
+    // eslint-disable-next-line no-new
+    new Vue({
+      el: element,
+      render(h) {
+        return h('iframe', {
+          style: {
+            height: '366px',
+            width: '768px',
+          },
+          attrs: {
+            src: getFrameSrc(frameUrl),
+            frameBorder: '0',
+          },
+        });
+      },
+    });
+  } catch (e) {
+    // eslint-disable-next-line no-console
+    console.error(e);
+  }
 };
 
 export default function renderObservability(elements) {
diff --git a/app/assets/javascripts/pages/projects/project.js b/app/assets/javascripts/pages/projects/project.js
index 5773737c41b..a4b3b83a855 100644
--- a/app/assets/javascripts/pages/projects/project.js
+++ b/app/assets/javascripts/pages/projects/project.js
@@ -110,9 +110,10 @@ export default class Project {
             const urlParams = { [fieldName]: ref };
             if (params.group === BRANCH_GROUP_NAME) {
               urlParams.ref_type = BRANCH_REF_TYPE;
-            } else {
+            } else if (params.group === TAG_GROUP_NAME) {
               urlParams.ref_type = TAG_REF_TYPE;
             }
+
             link.href = mergeUrlParams(urlParams, linkTarget);
           }
 
diff --git a/app/assets/javascripts/repository/index.js b/app/assets/javascripts/repository/index.js
index 494e270a66c..95e0c94527b 100644
--- a/app/assets/javascripts/repository/index.js
+++ b/app/assets/javascripts/repository/index.js
@@ -2,7 +2,7 @@ import { GlButton } from '@gitlab/ui';
 import Vue from 'vue';
 import Vuex from 'vuex';
 import { parseBoolean } from '~/lib/utils/common_utils';
-import { escapeFileUrl, visitUrl } from '~/lib/utils/url_utility';
+import { joinPaths, escapeFileUrl, visitUrl } from '~/lib/utils/url_utility';
 import { __ } from '~/locale';
 import initWebIdeLink from '~/pages/projects/shared/web_ide_link';
 import PerformancePlugin from '~/performance/vue_performance_plugin';
@@ -121,7 +121,7 @@ export default function setupVueRepositoryList() {
 
     if (!refSwitcherEl) return false;
 
-    const { projectId, projectRootPath } = refSwitcherEl.dataset;
+    const { projectId, projectRootPath, refType } = refSwitcherEl.dataset;
 
     return new Vue({
       el: refSwitcherEl,
@@ -129,7 +129,8 @@ export default function setupVueRepositoryList() {
         return createElement(RefSelector, {
           props: {
             projectId,
-            value: ref,
+            value: refType ? joinPaths('refs', refType, ref) : ref,
+            useSymbolicRefNames: true,
           },
           on: {
             input(selectedRef) {
diff --git a/app/assets/javascripts/repository/utils/ref_switcher_utils.js b/app/assets/javascripts/repository/utils/ref_switcher_utils.js
index c62f7f709c4..bcad4a2c822 100644
--- a/app/assets/javascripts/repository/utils/ref_switcher_utils.js
+++ b/app/assets/javascripts/repository/utils/ref_switcher_utils.js
@@ -16,22 +16,29 @@ const getNamespaceTargetRegex = (ref) => new RegExp(`(/-/(blob|tree))/${ref}/(.*
  * @param {string} selectedRef - The selected ref from the ref dropdown.
  */
 export function generateRefDestinationPath(projectRootPath, ref, selectedRef) {
-  const currentPath = window.location.pathname;
-  const encodedHash = '%23';
+  const url = new URL(window.location.href);
+  const currentPath = url.pathname;
+  let refType = null;
   let namespace = '/-/tree';
   let target;
+  let actualRef = selectedRef;
+
+  const matches = selectedRef.match(/^refs\/(heads|tags)\/(.+)/);
+  if (matches) {
+    [, refType, actualRef] = matches;
+  }
+  if (refType) {
+    url.searchParams.set('ref_type', refType);
+  } else {
+    url.searchParams.delete('ref_type');
+  }
+
   const NAMESPACE_TARGET_REGEX = getNamespaceTargetRegex(ref);
   const match = NAMESPACE_TARGET_REGEX.exec(currentPath);
   if (match) {
     [, namespace, , target] = match;
   }
+  url.pathname = joinPaths(projectRootPath, namespace, actualRef, target);
 
-  const destinationPath = joinPaths(
-    projectRootPath,
-    namespace,
-    encodeURI(selectedRef).replace(/#/g, encodedHash),
-    target,
-  );
-
-  return `${destinationPath}${window.location.hash}`;
+  return url.toString();
 }
diff --git a/app/controllers/concerns/confirm_email_warning.rb b/app/controllers/concerns/confirm_email_warning.rb
index ec5140bf223..2711c823275 100644
--- a/app/controllers/concerns/confirm_email_warning.rb
+++ b/app/controllers/concerns/confirm_email_warning.rb
@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 module ConfirmEmailWarning
+  include Gitlab::Utils::StrongMemoize
   extend ActiveSupport::Concern
 
   included do
@@ -17,11 +18,9 @@ module ConfirmEmailWarning
     return unless current_user
     return if current_user.confirmed?
 
-    email = current_user.unconfirmed_email || current_user.email
-
     flash.now[:warning] = format(
       confirm_warning_message,
-      email: email,
+      email: email_to_display,
       resend_link: view_context.link_to(_('Resend it'), user_confirmation_path(user: { email: email }), method: :post),
       update_link: view_context.link_to(_('Update it'), profile_path)
     ).html_safe
@@ -29,7 +28,16 @@ module ConfirmEmailWarning
 
   private
 
+  def email
+    current_user.unconfirmed_email || current_user.email
+  end
+  strong_memoize_attr :email
+
   def confirm_warning_message
     _("Please check your email (%{email}) to verify that you own this address and unlock the power of CI/CD. Didn't receive it? %{resend_link}. Wrong email address? %{update_link}.")
   end
+
+  def email_to_display
+    html_escape(email)
+  end
 end
diff --git a/app/controllers/projects/blob_controller.rb b/app/controllers/projects/blob_controller.rb
index 59cea00e26b..b71af82535a 100644
--- a/app/controllers/projects/blob_controller.rb
+++ b/app/controllers/projects/blob_controller.rb
@@ -31,6 +31,7 @@ class Projects::BlobController < Projects::ApplicationController
   before_action :authorize_edit_tree!, only: [:new, :create, :update, :destroy]
 
   before_action :commit, except: [:new, :create]
+  before_action :check_for_ambiguous_ref, only: [:show]
   before_action :blob, except: [:new, :create]
   before_action :require_branch_head, only: [:edit, :update]
   before_action :editor_variables, except: [:show, :preview, :diff]
@@ -145,6 +146,15 @@ class Projects::BlobController < Projects::ApplicationController
     end
   end
 
+  def check_for_ambiguous_ref
+    @ref_type = ref_type
+
+    if @ref_type == ExtractsRef::BRANCH_REF_TYPE && ambiguous_ref?(@project, @ref)
+      branch = @project.repository.find_branch(@ref)
+      redirect_to project_blob_path(@project, File.join(branch.target, @path))
+    end
+  end
+
   def commit
     @commit ||= @repository.commit(@ref)
 
diff --git a/app/controllers/projects/refs_controller.rb b/app/controllers/projects/refs_controller.rb
index 4c2bd2a9d42..f55fc2242a4 100644
--- a/app/controllers/projects/refs_controller.rb
+++ b/app/controllers/projects/refs_controller.rb
@@ -22,7 +22,7 @@ class Projects::RefsController < Projects::ApplicationController
           when "tree"
             project_tree_path(@project, @id)
           when "blob"
-            project_blob_path(@project, @id)
+            project_blob_path(@project, @id, ref_type: ref_type)
           when "graph"
             project_network_path(@project, @id, ref_type: ref_type)
           when "graphs"
diff --git a/app/controllers/projects/tree_controller.rb b/app/controllers/projects/tree_controller.rb
index 737a6290431..1f7912e15df 100644
--- a/app/controllers/projects/tree_controller.rb
+++ b/app/controllers/projects/tree_controller.rb
@@ -28,6 +28,15 @@ class Projects::TreeController < Projects::ApplicationController
   def show
     return render_404 unless @commit
 
+    @ref_type = ref_type
+    if @ref_type == BRANCH_REF_TYPE && ambiguous_ref?(@project, @ref)
+      branch = @project.repository.find_branch(@ref)
+      if branch
+        redirect_to project_tree_path(@project, branch.target)
+        return
+      end
+    end
+
     if tree.entries.empty?
       if @repository.blob_at(@commit.id, @path)
         redirect_to project_blob_path(@project, File.join(@ref, @path))
diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index 71ad747b6b1..d71b782c62b 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -171,11 +171,19 @@ class ProjectsController < Projects::ApplicationController
       flash.now[:alert] = _("Project '%{project_name}' queued for deletion.") % { project_name: @project.name }
     end
 
+    if ambiguous_ref?(@project, @ref)
+      branch = @project.repository.find_branch(@ref)
+
+      # The files view would render a ref other than the default branch
+      # This redirect can be removed once the view is fixed
+      redirect_to(project_tree_path(@project, branch.target), alert: _("The default branch of this project clashes with another ref"))
+      return
+    end
+
     respond_to do |format|
       format.html do
         @notification_setting = current_user.notification_settings_for(@project) if current_user
         @project = @project.present(current_user: current_user)
-
         render_landing_page
       end
 
diff --git a/app/views/projects/tree/_tree_header.html.haml b/app/views/projects/tree/_tree_header.html.haml
index 6cd3c584f2a..d494d9cc36d 100644
--- a/app/views/projects/tree/_tree_header.html.haml
+++ b/app/views/projects/tree/_tree_header.html.haml
@@ -2,7 +2,7 @@
 
 .tree-ref-container.gl-display-flex.gl-flex-wrap.gl-gap-2.mb-2.mb-md-0
   .tree-ref-holder.gl-max-w-26
-    #js-tree-ref-switcher{ data: { project_id: @project.id, project_root_path: project_path(@project) } }
+    #js-tree-ref-switcher{ data: { project_id: @project.id, ref_type: @ref_type.to_s, project_root_path: project_path(@project) } }
 
   #js-repo-breadcrumb{ data: breadcrumb_data_attributes }
 
diff --git a/lib/banzai/filter/inline_observability_filter.rb b/lib/banzai/filter/inline_observability_filter.rb
index 334c04f2b59..50d4aac70cc 100644
--- a/lib/banzai/filter/inline_observability_filter.rb
+++ b/lib/banzai/filter/inline_observability_filter.rb
@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require 'uri'
+
 module Banzai
   module Filter
     class InlineObservabilityFilter < ::Banzai::Filter::InlineEmbedsFilter
@@ -15,7 +17,8 @@ module Banzai
         doc.document.create_element(
           'div',
           class: 'js-render-observability',
-          'data-frame-url': url
+          'data-frame-url': url,
+          'data-observability-url': Gitlab::Observability.observability_url
         )
       end
 
@@ -28,8 +31,15 @@ module Banzai
       # obtained from the target link
       def element_to_embed(node)
         url = node['href']
-
-        create_element(url)
+        uri = URI.parse(url)
+        observability_uri = URI.parse(Gitlab::Observability.observability_url)
+
+        if uri.scheme == observability_uri.scheme &&
+            uri.port == observability_uri.port &&
+            uri.host.casecmp?(observability_uri.host) &&
+            uri.path.downcase.exclude?("auth/start")
+          create_element(url)
+        end
       end
 
       private
diff --git a/lib/extracts_ref.rb b/lib/extracts_ref.rb
index dba1aad639c..49c9772f760 100644
--- a/lib/extracts_ref.rb
+++ b/lib/extracts_ref.rb
@@ -5,7 +5,8 @@
 # Can be extended for different types of repository object, e.g. Project or Snippet
 module ExtractsRef
   InvalidPathError = Class.new(StandardError)
-
+  BRANCH_REF_TYPE = 'heads'
+  TAG_REF_TYPE = 'tags'
   # Given a string containing both a Git tree-ish, such as a branch or tag, and
   # a filesystem path joined by forward slashes, attempts to separate the two.
   #
@@ -91,7 +92,7 @@ module ExtractsRef
   def ref_type
     return unless params[:ref_type].present?
 
-    params[:ref_type] == 'tags' ? 'tags' : 'heads'
+    params[:ref_type] == TAG_REF_TYPE ? TAG_REF_TYPE : BRANCH_REF_TYPE
   end
 
   private
@@ -154,4 +155,13 @@ module ExtractsRef
   def repository_container
     raise NotImplementedError
   end
+
+  def ambiguous_ref?(project, ref)
+    return true if project.repository.ambiguous_ref?(ref)
+
+    return false unless ref&.starts_with?('refs/')
+
+    unprefixed_ref = ref.sub(%r{^refs/(heads|tags)/}, '')
+    project.repository.commit(unprefixed_ref).present?
+  end
 end
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 88a17b7d697..695b567039e 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -42698,6 +42698,9 @@ msgstr ""
 msgid "The default branch for this project has been changed. Please update your bookmarks."
 msgstr ""
 
+msgid "The default branch of this project clashes with another ref"
+msgstr ""
+
 msgid "The dependency list details information about the components used within your project."
 msgstr ""
 
diff --git a/spec/controllers/concerns/confirm_email_warning_spec.rb b/spec/controllers/concerns/confirm_email_warning_spec.rb
index 334c156e1ae..b8a4b94aa66 100644
--- a/spec/controllers/concerns/confirm_email_warning_spec.rb
+++ b/spec/controllers/concerns/confirm_email_warning_spec.rb
@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-RSpec.describe ConfirmEmailWarning do
+RSpec.describe ConfirmEmailWarning, feature_category: :system_access do
   before do
     stub_feature_flags(soft_email_confirmation: true)
   end
@@ -82,6 +82,38 @@ RSpec.describe ConfirmEmailWarning do
             it { is_expected.to set_confirm_warning_for(user.email) }
           end
         end
+
+        context 'when user is being impersonated' do
+          let(:impersonator) { create(:admin) }
+
+          before do
+            allow(controller).to receive(:session).and_return({ impersonator_id: impersonator.id })
+
+            get :index
+          end
+
+          it { is_expected.to set_confirm_warning_for(user.email) }
+
+          context 'when impersonated user email has html in their email' do
+            let(:user) { create(:user, confirmed_at: nil, unconfirmed_email: "malicious@test.com<form><input/title='<script>alert(document.domain)</script>'>") }
+
+            it { is_expected.to set_confirm_warning_for("malicious@test.com&lt;form&gt;&lt;input/title=&#39;&lt;script&gt;alert(document.domain)&lt;/script&gt;&#39;&gt;") }
+          end
+        end
+
+        context 'when user is not being impersonated' do
+          before do
+            get :index
+          end
+
+          it { is_expected.to set_confirm_warning_for(user.email) }
+
+          context 'when user email has html in their email' do
+            let(:user) { create(:user, confirmed_at: nil, unconfirmed_email: "malicious@test.com<form><input/title='<script>alert(document.domain)</script>'>") }
+
+            it { is_expected.to set_confirm_warning_for("malicious@test.com&lt;form&gt;&lt;input/title=&#39;&lt;script&gt;alert(document.domain)&lt;/script&gt;&#39;&gt;") }
+          end
+        end
       end
     end
   end
diff --git a/spec/controllers/projects/blob_controller_spec.rb b/spec/controllers/projects/blob_controller_spec.rb
index 887a5ba598f..ec92d92e2a9 100644
--- a/spec/controllers/projects/blob_controller_spec.rb
+++ b/spec/controllers/projects/blob_controller_spec.rb
@@ -2,15 +2,16 @@
 
 require 'spec_helper'
 
-RSpec.describe Projects::BlobController do
+RSpec.describe Projects::BlobController, feature_category: :source_code_management do
   include ProjectForksHelper
 
   let(:project) { create(:project, :public, :repository, previous_default_branch: previous_default_branch) }
   let(:previous_default_branch) { nil }
 
   describe "GET show" do
-    def request
-      get(:show, params: { namespace_id: project.namespace, project_id: project, id: id })
+    let(:params) { { namespace_id: project.namespace, project_id: project, id: id } }
+    let(:request) do
+      get(:show, params: params)
     end
 
     render_views
@@ -18,10 +19,34 @@ RSpec.describe Projects::BlobController do
     context 'with file path' do
       before do
         expect(::Gitlab::GitalyClient).to receive(:allow_ref_name_caching).and_call_original
-
+        project.repository.add_tag(project.creator, 'ambiguous_ref', RepoHelpers.sample_commit.id)
+        project.repository.add_branch(project.creator, 'ambiguous_ref', RepoHelpers.another_sample_commit.id)
         request
       end
 
+      context 'when the ref is ambiguous' do
+        let(:ref) { 'ambiguous_ref' }
+        let(:path) { 'README.md' }
+        let(:id) { "#{ref}/#{path}" }
+        let(:params) { { namespace_id: project.namespace, project_id: project, id: id, ref_type: ref_type } }
+
+        context 'and explicitly requesting a branch' do
+          let(:ref_type) { 'heads' }
+
+          it 'redirects to blob#show with sha for the branch' do
+            expect(response).to redirect_to(project_blob_path(project, "#{RepoHelpers.another_sample_commit.id}/#{path}"))
+          end
+        end
+
+        context 'and explicitly requesting a tag' do
+          let(:ref_type) { 'tags' }
+
+          it 'responds with success' do
+            expect(response).to be_ok
+          end
+        end
+      end
+
       context "valid branch, valid file" do
         let(:id) { 'master/README.md' }
 
diff --git a/spec/controllers/projects/refs_controller_spec.rb b/spec/controllers/projects/refs_controller_spec.rb
index a0d119baf16..7a511ab676e 100644
--- a/spec/controllers/projects/refs_controller_spec.rb
+++ b/spec/controllers/projects/refs_controller_spec.rb
@@ -26,7 +26,7 @@ RSpec.describe Projects::RefsController, feature_category: :source_code_manageme
       'tree'           | nil     | lazy { project_tree_path(project, id) }
       'tree'           | 'heads' | lazy { project_tree_path(project, id) }
       'blob'           | nil     | lazy { project_blob_path(project, id) }
-      'blob'           | 'heads' | lazy { project_blob_path(project, id) }
+      'blob'           | 'heads' | lazy { project_blob_path(project, id, ref_type: 'heads') }
       'graph'          | nil     | lazy { project_network_path(project, id) }
       'graph'          | 'heads' | lazy { project_network_path(project, id, ref_type: 'heads') }
       'graphs'         | nil     | lazy { project_graph_path(project, id) }
diff --git a/spec/controllers/projects/tree_controller_spec.rb b/spec/controllers/projects/tree_controller_spec.rb
index 9bc3065b6da..37149e1d3ca 100644
--- a/spec/controllers/projects/tree_controller_spec.rb
+++ b/spec/controllers/projects/tree_controller_spec.rb
@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-RSpec.describe Projects::TreeController do
+RSpec.describe Projects::TreeController, feature_category: :source_code_management do
   let(:project) { create(:project, :repository, previous_default_branch: previous_default_branch) }
   let(:previous_default_branch) { nil }
   let(:user) { create(:user) }
@@ -15,18 +15,41 @@ RSpec.describe Projects::TreeController do
   end
 
   describe "GET show" do
+    let(:params) do
+      {
+        namespace_id: project.namespace.to_param, project_id: project, id: id
+      }
+    end
+
     # Make sure any errors accessing the tree in our views bubble up to this spec
     render_views
 
     before do
       expect(::Gitlab::GitalyClient).to receive(:allow_ref_name_caching).and_call_original
+      project.repository.add_tag(project.creator, 'ambiguous_ref', RepoHelpers.sample_commit.id)
+      project.repository.add_branch(project.creator, 'ambiguous_ref', RepoHelpers.another_sample_commit.id)
+      get :show, params: params
+    end
 
-      get(:show,
-          params: {
-            namespace_id: project.namespace.to_param,
-            project_id: project,
-            id: id
-          })
+    context 'when the ref is ambiguous' do
+      let(:id) { 'ambiguous_ref' }
+      let(:params) { { namespace_id: project.namespace, project_id: project, id: id, ref_type: ref_type } }
+
+      context 'and explicitly requesting a branch' do
+        let(:ref_type) { 'heads' }
+
+        it 'redirects to blob#show with sha for the branch' do
+          expect(response).to redirect_to(project_tree_path(project, RepoHelpers.another_sample_commit.id))
+        end
+      end
+
+      context 'and explicitly requesting a tag' do
+        let(:ref_type) { 'tags' }
+
+        it 'responds with success' do
+          expect(response).to be_ok
+        end
+      end
     end
 
     context "valid branch, no path" do
diff --git a/spec/controllers/projects_controller_spec.rb b/spec/controllers/projects_controller_spec.rb
index 51f8a3b1197..c5ec6651ab3 100644
--- a/spec/controllers/projects_controller_spec.rb
+++ b/spec/controllers/projects_controller_spec.rb
@@ -163,6 +163,69 @@ RSpec.describe ProjectsController, feature_category: :projects do
             expect(assigns(:notification_setting).level).to eq("watch")
           end
         end
+
+        context 'when there is a tag with the same name as the default branch' do
+          let_it_be(:tagged_project) { create(:project, :public, :custom_repo, files: ['somefile']) }
+          let(:tree_with_default_branch) do
+            branch = tagged_project.repository.find_branch(tagged_project.default_branch)
+            project_tree_path(tagged_project, branch.target)
+          end
+
+          before do
+            tagged_project.repository.create_file(
+              tagged_project.creator,
+              'file_for_tag',
+              'content for file',
+              message: "Automatically created file",
+              branch_name: 'branch-to-tag'
+            )
+
+            tagged_project.repository.add_tag(
+              tagged_project.creator,
+              tagged_project.default_branch, # tag name
+              'branch-to-tag' # target
+            )
+          end
+
+          it 'redirects to tree view for the default branch' do
+            get :show, params: { namespace_id: tagged_project.namespace, id: tagged_project }
+            expect(response).to redirect_to(tree_with_default_branch)
+          end
+        end
+
+        context 'when the default branch name can resolve to another ref' do
+          let!(:project_with_default_branch) do
+            create(:project, :public, :custom_repo, files: ['somefile']).tap do |p|
+              p.repository.create_branch("refs/heads/refs/heads/#{other_ref}", 'master')
+              p.change_head("refs/heads/#{other_ref}")
+            end.reload
+          end
+
+          let(:other_ref) { 'branch-name' }
+
+          context 'but there is no other ref' do
+            it 'responds with ok' do
+              get :show, params: { namespace_id: project_with_default_branch.namespace, id: project_with_default_branch }
+              expect(response).to be_ok
+            end
+          end
+
+          context 'and that other ref exists' do
+            let(:tree_with_default_branch) do
+              branch = project_with_default_branch.repository.find_branch(project_with_default_branch.default_branch)
+              project_tree_path(project_with_default_branch, branch.target)
+            end
+
+            before do
+              project_with_default_branch.repository.create_branch(other_ref, 'master')
+            end
+
+            it 'redirects to tree view for the default branch' do
+              get :show, params: { namespace_id: project_with_default_branch.namespace, id: project_with_default_branch }
+              expect(response).to redirect_to(tree_with_default_branch)
+            end
+          end
+        end
       end
 
       describe "when project repository is disabled" do
diff --git a/spec/features/admin/users/user_spec.rb b/spec/features/admin/users/user_spec.rb
index 1552d4e6187..66129617220 100644
--- a/spec/features/admin/users/user_spec.rb
+++ b/spec/features/admin/users/user_spec.rb
@@ -271,6 +271,36 @@ RSpec.describe 'Admin::Users::User', feature_category: :user_management do
           icon = first('[data-testid="incognito-icon"]')
           expect(icon).not_to be nil
         end
+
+        context 'when viewing the confirm email warning', :js do
+          let_it_be(:another_user) { create(:user, :unconfirmed) }
+
+          let(:warning_alert) { page.find(:css, '[data-testid="alert-warning"]') }
+          let(:expected_styling) { { 'pointer-events' => 'none', 'cursor' => 'default' } }
+
+          context 'with an email that does not contain HTML' do
+            before do
+              subject
+            end
+
+            it 'displays the warning alert including the email' do
+              expect(warning_alert.text).to include("Please check your email (#{another_user.email}) to verify")
+            end
+          end
+
+          context 'with an email that contains HTML' do
+            let(:malicious_email) { "malicious@test.com<form><input/title='<script>alert(document.domain)</script>'>" }
+            let(:another_user) { create(:user, confirmed_at: nil, unconfirmed_email: malicious_email) }
+
+            before do
+              subject
+            end
+
+            it 'displays the impersonation alert, excludes email, and disables links' do
+              expect(warning_alert.text).to include("check your email (#{another_user.unconfirmed_email}) to verify")
+            end
+          end
+        end
       end
 
       context 'ending impersonation' do
diff --git a/spec/frontend/behaviors/markdown/render_observability_spec.js b/spec/frontend/behaviors/markdown/render_observability_spec.js
index c87d11742dc..03a0cb2fcc2 100644
--- a/spec/frontend/behaviors/markdown/render_observability_spec.js
+++ b/spec/frontend/behaviors/markdown/render_observability_spec.js
@@ -16,7 +16,7 @@ describe('Observability iframe renderer', () => {
   });
 
   it('renders an observability iframe', () => {
-    document.body.innerHTML = `<div class="js-render-observability" data-frame-url="https://observe.gitlab.com/"></div>`;
+    document.body.innerHTML = `<div class="js-render-observability" data-frame-url="https://observe.gitlab.com/"  data-observability-url="https://observe.gitlab.com/" ></div>`;
 
     expect(findObservabilityIframes()).toHaveLength(0);
 
@@ -26,7 +26,7 @@ describe('Observability iframe renderer', () => {
   });
 
   it('renders iframe with dark param when GL has dark theme', () => {
-    document.body.innerHTML = `<div class="js-render-observability" data-frame-url="https://observe.gitlab.com/"></div>`;
+    document.body.innerHTML = `<div class="js-render-observability" data-frame-url="https://observe.gitlab.com/" data-observability-url="https://observe.gitlab.com/"></div>`;
     jest.spyOn(ColorUtils, 'darkModeEnabled').mockImplementation(() => true);
 
     expect(findObservabilityIframes('dark')).toHaveLength(0);
@@ -35,4 +35,12 @@ describe('Observability iframe renderer', () => {
 
     expect(findObservabilityIframes('dark')).toHaveLength(1);
   });
+
+  it('does not render if url is different from observability url', () => {
+    document.body.innerHTML = `<div class="js-render-observability" data-frame-url="https://example.com/" data-observability-url="https://observe.gitlab.com/"></div>`;
+
+    renderEmbeddedObservability();
+
+    expect(findObservabilityIframes()).toHaveLength(0);
+  });
 });
diff --git a/spec/frontend/repository/utils/ref_switcher_utils_spec.js b/spec/frontend/repository/utils/ref_switcher_utils_spec.js
index 7f708f13eaa..220dbf17398 100644
--- a/spec/frontend/repository/utils/ref_switcher_utils_spec.js
+++ b/spec/frontend/repository/utils/ref_switcher_utils_spec.js
@@ -1,5 +1,6 @@
 import { generateRefDestinationPath } from '~/repository/utils/ref_switcher_utils';
 import setWindowLocation from 'helpers/set_window_location_helper';
+import { TEST_HOST } from 'spec/test_constants';
 import { refWithSpecialCharMock, encodedRefWithSpecialCharMock } from '../mock_data';
 
 const projectRootPath = 'root/Project1';
@@ -16,16 +17,38 @@ describe('generateRefDestinationPath', () => {
     ${`${projectRootPath}/-/blob/${currentRef}/dir1/test.js`}           | ${`${projectRootPath}/-/blob/${selectedRef}/dir1/test.js`}
     ${`${projectRootPath}/-/blob/${currentRef}/dir1/dir2/test.js`}      | ${`${projectRootPath}/-/blob/${selectedRef}/dir1/dir2/test.js`}
     ${`${projectRootPath}/-/blob/${currentRef}/dir1/dir2/test.js#L123`} | ${`${projectRootPath}/-/blob/${selectedRef}/dir1/dir2/test.js#L123`}
-  `('generates the correct destination path for  $currentPath', ({ currentPath, result }) => {
+  `('generates the correct destination path for $currentPath', ({ currentPath, result }) => {
     setWindowLocation(currentPath);
-    expect(generateRefDestinationPath(projectRootPath, currentRef, selectedRef)).toBe(result);
+    expect(generateRefDestinationPath(projectRootPath, currentRef, selectedRef)).toBe(
+      `${TEST_HOST}/${result}`,
+    );
+  });
+
+  describe('when using symbolic ref names', () => {
+    it.each`
+      currentPath                                                         | nextRef                                             | result
+      ${`${projectRootPath}/-/blob/${currentRef}/dir1/dir2/test.js#L123`} | ${'someHash'}                                       | ${`${projectRootPath}/-/blob/someHash/dir1/dir2/test.js#L123`}
+      ${`${projectRootPath}/-/blob/${currentRef}/dir1/dir2/test.js#L123`} | ${'refs/heads/prefixedByUseSymbolicRefNames'}       | ${`${projectRootPath}/-/blob/prefixedByUseSymbolicRefNames/dir1/dir2/test.js?ref_type=heads#L123`}
+      ${`${projectRootPath}/-/blob/${currentRef}/dir1/dir2/test.js#L123`} | ${'refs/tags/prefixedByUseSymbolicRefNames'}        | ${`${projectRootPath}/-/blob/prefixedByUseSymbolicRefNames/dir1/dir2/test.js?ref_type=tags#L123`}
+      ${`${projectRootPath}/-/tree/${currentRef}/dir1/dir2/test.js#L123`} | ${'refs/heads/prefixedByUseSymbolicRefNames'}       | ${`${projectRootPath}/-/tree/prefixedByUseSymbolicRefNames/dir1/dir2/test.js?ref_type=heads#L123`}
+      ${`${projectRootPath}/-/tree/${currentRef}/dir1/dir2/test.js#L123`} | ${'refs/tags/prefixedByUseSymbolicRefNames'}        | ${`${projectRootPath}/-/tree/prefixedByUseSymbolicRefNames/dir1/dir2/test.js?ref_type=tags#L123`}
+      ${`${projectRootPath}/-/tree/${currentRef}/dir1/dir2/test.js#L123`} | ${'refs/heads/refs/heads/branchNameContainsPrefix'} | ${`${projectRootPath}/-/tree/refs/heads/branchNameContainsPrefix/dir1/dir2/test.js?ref_type=heads#L123`}
+    `(
+      'generates the correct destination path for $currentPath with ref type when it can be extracted',
+      ({ currentPath, result, nextRef }) => {
+        setWindowLocation(currentPath);
+        expect(generateRefDestinationPath(projectRootPath, currentRef, nextRef)).toBe(
+          `${TEST_HOST}/${result}`,
+        );
+      },
+    );
   });
 
   it('encodes the selected ref', () => {
     const result = `${projectRootPath}/-/tree/${encodedRefWithSpecialCharMock}`;
 
     expect(generateRefDestinationPath(projectRootPath, currentRef, refWithSpecialCharMock)).toBe(
-      result,
+      `${TEST_HOST}/${result}`,
     );
   });
 });
diff --git a/spec/lib/banzai/filter/inline_observability_filter_spec.rb b/spec/lib/banzai/filter/inline_observability_filter_spec.rb
index fb1ba46e76c..69a9dc96c2c 100644
--- a/spec/lib/banzai/filter/inline_observability_filter_spec.rb
+++ b/spec/lib/banzai/filter/inline_observability_filter_spec.rb
@@ -34,6 +34,58 @@ RSpec.describe Banzai::Filter::InlineObservabilityFilter do
       end
     end
 
+    context 'when the document contains an embeddable observability link with redirect' do
+      let(:url) { 'https://observe.gitlab.com@example.com/12345' }
+
+      it 'leaves the original link unchanged' do
+        expect(doc.at_css('a').to_s).to eq(input)
+      end
+
+      it 'does not append an observability charts placeholder' do
+        node = doc.at_css('.js-render-observability')
+
+        expect(node).not_to be_present
+      end
+    end
+
+    context 'when the document contains an embeddable observability link with different port' do
+      let(:url) { 'https://observe.gitlab.com:3000/12345' }
+      let(:observe_url) { 'https://observe.gitlab.com:3001' }
+
+      before do
+        stub_env('OVERRIDE_OBSERVABILITY_URL', observe_url)
+      end
+
+      it 'leaves the original link unchanged' do
+        expect(doc.at_css('a').to_s).to eq(input)
+      end
+
+      it 'does not append an observability charts placeholder' do
+        node = doc.at_css('.js-render-observability')
+
+        expect(node).not_to be_present
+      end
+    end
+
+    context 'when the document contains an embeddable observability link with auth/start' do
+      let(:url) { 'https://observe.gitlab.com/auth/start' }
+      let(:observe_url) { 'https://observe.gitlab.com' }
+
+      before do
+        stub_env('OVERRIDE_OBSERVABILITY_URL', observe_url)
+      end
+
+      it 'leaves the original link unchanged' do
+        expect(doc.at_css('a').to_s).to eq(input)
+      end
+
+      it 'does not append an observability charts placeholder' do
+        node = doc.at_css('.js-render-observability')
+
+        expect(node).not_to be_present
+      end
+    end
+
     context 'when feature flag is disabled' do
       let(:url) { 'https://observe.gitlab.com/12345' }
 
-- 
cgit v1.2.1


From 5825f3338e723e631964bf67d259e3365014a442 Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Wed, 29 Mar 2023 23:57:04 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@15-9-stable-ee

---
 app/policies/project_policy.rb                     |  1 +
 .../projects/clusters_controller_spec.rb           | 23 +----------
 .../environments/prometheus_api_controller_spec.rb | 23 +----------
 spec/policies/project_policy_spec.rb               | 46 ++--------------------
 4 files changed, 6 insertions(+), 87 deletions(-)

diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 3d22002e828..875520d24be 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -412,6 +412,7 @@ class ProjectPolicy < BasePolicy
   end
 
   rule { can?(:metrics_dashboard) }.policy do
+    enable :read_prometheus
     enable :read_deployment
   end
 
diff --git a/spec/controllers/projects/clusters_controller_spec.rb b/spec/controllers/projects/clusters_controller_spec.rb
index c7d2b1fa3af..a4f7c92f5cd 100644
--- a/spec/controllers/projects/clusters_controller_spec.rb
+++ b/spec/controllers/projects/clusters_controller_spec.rb
@@ -7,7 +7,7 @@ RSpec.describe Projects::ClustersController, feature_category: :kubernetes_manag
   include GoogleApi::CloudPlatformHelpers
   include KubernetesHelpers
 
-  let_it_be_with_reload(:project) { create(:project) }
+  let_it_be(:project) { create(:project) }
 
   let(:user) { create(:user) }
 
@@ -140,27 +140,6 @@ RSpec.describe Projects::ClustersController, feature_category: :kubernetes_manag
           expect(response).to redirect_to(new_user_session_path)
         end
       end
-
-      context 'with a public project' do
-        before do
-          project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
-          project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::ENABLED)
-        end
-
-        context 'with guest user' do
-          let(:prometheus_body) { nil }
-
-          before do
-            project.add_guest(user)
-          end
-
-          it 'returns 404' do
-            get :prometheus_proxy, params: prometheus_proxy_params
-
-            expect(response).to have_gitlab_http_status(:not_found)
-          end
-        end
-      end
     end
   end
 
diff --git a/spec/controllers/projects/environments/prometheus_api_controller_spec.rb b/spec/controllers/projects/environments/prometheus_api_controller_spec.rb
index 6b0c164e432..68d50cf19f0 100644
--- a/spec/controllers/projects/environments/prometheus_api_controller_spec.rb
+++ b/spec/controllers/projects/environments/prometheus_api_controller_spec.rb
@@ -4,7 +4,7 @@ require 'spec_helper'
 
 RSpec.describe Projects::Environments::PrometheusApiController do
   let_it_be(:user) { create(:user) }
-  let_it_be_with_reload(:project) { create(:project) }
+  let_it_be(:project) { create(:project) }
   let_it_be(:proxyable) { create(:environment, project: project) }
 
   before do
@@ -70,27 +70,6 @@ RSpec.describe Projects::Environments::PrometheusApiController do
           expect(response).to redirect_to(new_user_session_path)
         end
       end
-
-      context 'with a public project' do
-        before do
-          project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
-          project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::ENABLED)
-        end
-
-        context 'with guest user' do
-          let(:prometheus_body) { nil }
-
-          before do
-            project.add_guest(user)
-          end
-
-          it 'returns 404' do
-            get :prometheus_proxy, params: prometheus_proxy_params
-
-            expect(response).to have_gitlab_http_status(:not_found)
-          end
-        end
-      end
     end
   end
 end
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index 0c359b80fb5..c29446c1f38 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -697,39 +697,6 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
     end
   end
 
-  describe 'read_prometheus', feature_category: :metrics do
-    using RSpec::Parameterized::TableSyntax
-
-    before do
-      project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::ENABLED)
-    end
-
-    let(:policy) { :read_prometheus }
-
-    where(:project_visibility, :role, :allowed) do
-      :public   | :anonymous | false
-      :public   | :guest     | false
-      :public   | :reporter  | true
-      :internal | :anonymous | false
-      :internal | :guest     | false
-      :internal | :reporter  | true
-      :private  | :anonymous | false
-      :private  | :guest     | false
-      :private  | :reporter  | true
-    end
-
-    with_them do
-      let(:current_user) { public_send(role) }
-      let(:project) { public_send("#{project_visibility}_project") }
-
-      if params[:allowed]
-        it { is_expected.to be_allowed(policy) }
-      else
-        it { is_expected.not_to be_allowed(policy) }
-      end
-    end
-  end
-
   describe 'update_max_artifacts_size' do
     context 'when no user' do
       let(:current_user) { anonymous }
@@ -1005,7 +972,7 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
           let(:current_user) { guest }
 
           it { is_expected.to be_allowed(:metrics_dashboard) }
-          it { is_expected.to be_disallowed(:read_prometheus) }
+          it { is_expected.to be_allowed(:read_prometheus) }
           it { is_expected.to be_allowed(:read_deployment) }
           it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) }
           it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) }
@@ -1015,7 +982,7 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
           let(:current_user) { anonymous }
 
           it { is_expected.to be_allowed(:metrics_dashboard) }
-          it { is_expected.to be_disallowed(:read_prometheus) }
+          it { is_expected.to be_allowed(:read_prometheus) }
           it { is_expected.to be_allowed(:read_deployment) }
           it { is_expected.to be_disallowed(:read_metrics_user_starred_dashboard) }
           it { is_expected.to be_disallowed(:create_metrics_user_starred_dashboard) }
@@ -1041,14 +1008,12 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
           let(:current_user) { guest }
 
           it { is_expected.to be_disallowed(:metrics_dashboard) }
-          it { is_expected.to be_disallowed(:read_prometheus) }
         end
 
         context 'with anonymous' do
           let(:current_user) { anonymous }
 
           it { is_expected.to be_disallowed(:metrics_dashboard) }
-          it { is_expected.to be_disallowed(:read_prometheus) }
         end
       end
 
@@ -1071,7 +1036,7 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
           let(:current_user) { guest }
 
           it { is_expected.to be_allowed(:metrics_dashboard) }
-          it { is_expected.to be_disallowed(:read_prometheus) }
+          it { is_expected.to be_allowed(:read_prometheus) }
           it { is_expected.to be_allowed(:read_deployment) }
           it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) }
           it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) }
@@ -1081,7 +1046,6 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
           let(:current_user) { anonymous }
 
           it { is_expected.to be_disallowed(:metrics_dashboard) }
-          it { is_expected.to be_disallowed(:read_prometheus) }
         end
       end
     end
@@ -1104,14 +1068,12 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
           let(:current_user) { guest }
 
           it { is_expected.to be_disallowed(:metrics_dashboard) }
-          it { is_expected.to be_disallowed(:read_prometheus) }
         end
 
         context 'with anonymous' do
           let(:current_user) { anonymous }
 
           it { is_expected.to be_disallowed(:metrics_dashboard) }
-          it { is_expected.to be_disallowed(:read_prometheus) }
         end
       end
 
@@ -1130,14 +1092,12 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
           let(:current_user) { guest }
 
           it { is_expected.to be_disallowed(:metrics_dashboard) }
-          it { is_expected.to be_disallowed(:read_prometheus) }
         end
 
         context 'with anonymous' do
           let(:current_user) { anonymous }
 
           it { is_expected.to be_disallowed(:metrics_dashboard) }
-          it { is_expected.to be_disallowed(:read_prometheus) }
         end
       end
     end
-- 
cgit v1.2.1


From 1794d7d6a11019da7fe8bb56536f3fce69d1825d Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Wed, 29 Mar 2023 23:58:22 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@15-9-stable-ee

---
 .../behaviors/markdown/render_observability.js     | 45 ++++++----------
 app/assets/javascripts/pages/projects/project.js   |  3 +-
 app/assets/javascripts/repository/index.js         |  7 ++-
 .../repository/utils/ref_switcher_utils.js         | 27 ++++------
 app/controllers/concerns/confirm_email_warning.rb  | 14 ++---
 app/controllers/projects/blob_controller.rb        | 10 ----
 app/controllers/projects/refs_controller.rb        |  2 +-
 app/controllers/projects/tree_controller.rb        |  9 ----
 app/controllers/projects_controller.rb             | 10 +---
 app/views/projects/tree/_tree_header.html.haml     |  2 +-
 lib/banzai/filter/inline_observability_filter.rb   | 16 ++----
 lib/extracts_ref.rb                                | 14 +----
 locale/gitlab.pot                                  |  3 --
 .../concerns/confirm_email_warning_spec.rb         | 34 +-----------
 spec/controllers/projects/blob_controller_spec.rb  | 33 ++----------
 spec/controllers/projects/refs_controller_spec.rb  |  2 +-
 spec/controllers/projects/tree_controller_spec.rb  | 37 +++----------
 spec/controllers/projects_controller_spec.rb       | 63 ----------------------
 spec/features/admin/users/user_spec.rb             | 30 -----------
 .../markdown/render_observability_spec.js          | 12 +----
 .../repository/utils/ref_switcher_utils_spec.js    | 29 ++--------
 .../filter/inline_observability_filter_spec.rb     | 52 ------------------
 22 files changed, 59 insertions(+), 395 deletions(-)

diff --git a/app/assets/javascripts/behaviors/markdown/render_observability.js b/app/assets/javascripts/behaviors/markdown/render_observability.js
index d5d46c10efd..704d85cf22e 100644
--- a/app/assets/javascripts/behaviors/markdown/render_observability.js
+++ b/app/assets/javascripts/behaviors/markdown/render_observability.js
@@ -7,36 +7,23 @@ export function getFrameSrc(url) {
 }
 
 const mountVueComponent = (element) => {
-  const { frameUrl, observabilityUrl } = element.dataset;
+  const url = [element.dataset.frameUrl];
 
-  try {
-    if (
-      !observabilityUrl ||
-      !frameUrl ||
-      new URL(frameUrl)?.host !== new URL(observabilityUrl).host
-    )
-      return;
-
-    // eslint-disable-next-line no-new
-    new Vue({
-      el: element,
-      render(h) {
-        return h('iframe', {
-          style: {
-            height: '366px',
-            width: '768px',
-          },
-          attrs: {
-            src: getFrameSrc(frameUrl),
-            frameBorder: '0',
-          },
-        });
-      },
-    });
-  } catch (e) {
-    // eslint-disable-next-line no-console
-    console.error(e);
-  }
+  return new Vue({
+    el: element,
+    render(h) {
+      return h('iframe', {
+        style: {
+          height: '366px',
+          width: '768px',
+        },
+        attrs: {
+          src: getFrameSrc(url),
+          frameBorder: '0',
+        },
+      });
+    },
+  });
 };
 
 export default function renderObservability(elements) {
diff --git a/app/assets/javascripts/pages/projects/project.js b/app/assets/javascripts/pages/projects/project.js
index a4b3b83a855..5773737c41b 100644
--- a/app/assets/javascripts/pages/projects/project.js
+++ b/app/assets/javascripts/pages/projects/project.js
@@ -110,10 +110,9 @@ export default class Project {
             const urlParams = { [fieldName]: ref };
             if (params.group === BRANCH_GROUP_NAME) {
               urlParams.ref_type = BRANCH_REF_TYPE;
-            } else if (params.group === TAG_GROUP_NAME) {
+            } else {
               urlParams.ref_type = TAG_REF_TYPE;
             }
-
             link.href = mergeUrlParams(urlParams, linkTarget);
           }
 
diff --git a/app/assets/javascripts/repository/index.js b/app/assets/javascripts/repository/index.js
index 95e0c94527b..494e270a66c 100644
--- a/app/assets/javascripts/repository/index.js
+++ b/app/assets/javascripts/repository/index.js
@@ -2,7 +2,7 @@ import { GlButton } from '@gitlab/ui';
 import Vue from 'vue';
 import Vuex from 'vuex';
 import { parseBoolean } from '~/lib/utils/common_utils';
-import { joinPaths, escapeFileUrl, visitUrl } from '~/lib/utils/url_utility';
+import { escapeFileUrl, visitUrl } from '~/lib/utils/url_utility';
 import { __ } from '~/locale';
 import initWebIdeLink from '~/pages/projects/shared/web_ide_link';
 import PerformancePlugin from '~/performance/vue_performance_plugin';
@@ -121,7 +121,7 @@ export default function setupVueRepositoryList() {
 
     if (!refSwitcherEl) return false;
 
-    const { projectId, projectRootPath, refType } = refSwitcherEl.dataset;
+    const { projectId, projectRootPath } = refSwitcherEl.dataset;
 
     return new Vue({
       el: refSwitcherEl,
@@ -129,8 +129,7 @@ export default function setupVueRepositoryList() {
         return createElement(RefSelector, {
           props: {
             projectId,
-            value: refType ? joinPaths('refs', refType, ref) : ref,
-            useSymbolicRefNames: true,
+            value: ref,
           },
           on: {
             input(selectedRef) {
diff --git a/app/assets/javascripts/repository/utils/ref_switcher_utils.js b/app/assets/javascripts/repository/utils/ref_switcher_utils.js
index bcad4a2c822..c62f7f709c4 100644
--- a/app/assets/javascripts/repository/utils/ref_switcher_utils.js
+++ b/app/assets/javascripts/repository/utils/ref_switcher_utils.js
@@ -16,29 +16,22 @@ const getNamespaceTargetRegex = (ref) => new RegExp(`(/-/(blob|tree))/${ref}/(.*
  * @param {string} selectedRef - The selected ref from the ref dropdown.
  */
 export function generateRefDestinationPath(projectRootPath, ref, selectedRef) {
-  const url = new URL(window.location.href);
-  const currentPath = url.pathname;
-  let refType = null;
+  const currentPath = window.location.pathname;
+  const encodedHash = '%23';
   let namespace = '/-/tree';
   let target;
-  let actualRef = selectedRef;
-
-  const matches = selectedRef.match(/^refs\/(heads|tags)\/(.+)/);
-  if (matches) {
-    [, refType, actualRef] = matches;
-  }
-  if (refType) {
-    url.searchParams.set('ref_type', refType);
-  } else {
-    url.searchParams.delete('ref_type');
-  }
-
   const NAMESPACE_TARGET_REGEX = getNamespaceTargetRegex(ref);
   const match = NAMESPACE_TARGET_REGEX.exec(currentPath);
   if (match) {
     [, namespace, , target] = match;
   }
-  url.pathname = joinPaths(projectRootPath, namespace, actualRef, target);
 
-  return url.toString();
+  const destinationPath = joinPaths(
+    projectRootPath,
+    namespace,
+    encodeURI(selectedRef).replace(/#/g, encodedHash),
+    target,
+  );
+
+  return `${destinationPath}${window.location.hash}`;
 }
diff --git a/app/controllers/concerns/confirm_email_warning.rb b/app/controllers/concerns/confirm_email_warning.rb
index 2711c823275..ec5140bf223 100644
--- a/app/controllers/concerns/confirm_email_warning.rb
+++ b/app/controllers/concerns/confirm_email_warning.rb
@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 module ConfirmEmailWarning
-  include Gitlab::Utils::StrongMemoize
   extend ActiveSupport::Concern
 
   included do
@@ -18,9 +17,11 @@ module ConfirmEmailWarning
     return unless current_user
     return if current_user.confirmed?
 
+    email = current_user.unconfirmed_email || current_user.email
+
     flash.now[:warning] = format(
       confirm_warning_message,
-      email: email_to_display,
+      email: email,
       resend_link: view_context.link_to(_('Resend it'), user_confirmation_path(user: { email: email }), method: :post),
       update_link: view_context.link_to(_('Update it'), profile_path)
     ).html_safe
@@ -28,16 +29,7 @@ module ConfirmEmailWarning
 
   private
 
-  def email
-    current_user.unconfirmed_email || current_user.email
-  end
-  strong_memoize_attr :email
-
   def confirm_warning_message
     _("Please check your email (%{email}) to verify that you own this address and unlock the power of CI/CD. Didn't receive it? %{resend_link}. Wrong email address? %{update_link}.")
   end
-
-  def email_to_display
-    html_escape(email)
-  end
 end
diff --git a/app/controllers/projects/blob_controller.rb b/app/controllers/projects/blob_controller.rb
index b71af82535a..59cea00e26b 100644
--- a/app/controllers/projects/blob_controller.rb
+++ b/app/controllers/projects/blob_controller.rb
@@ -31,7 +31,6 @@ class Projects::BlobController < Projects::ApplicationController
   before_action :authorize_edit_tree!, only: [:new, :create, :update, :destroy]
 
   before_action :commit, except: [:new, :create]
-  before_action :check_for_ambiguous_ref, only: [:show]
   before_action :blob, except: [:new, :create]
   before_action :require_branch_head, only: [:edit, :update]
   before_action :editor_variables, except: [:show, :preview, :diff]
@@ -146,15 +145,6 @@ class Projects::BlobController < Projects::ApplicationController
     end
   end
 
-  def check_for_ambiguous_ref
-    @ref_type = ref_type
-
-    if @ref_type == ExtractsRef::BRANCH_REF_TYPE && ambiguous_ref?(@project, @ref)
-      branch = @project.repository.find_branch(@ref)
-      redirect_to project_blob_path(@project, File.join(branch.target, @path))
-    end
-  end
-
   def commit
     @commit ||= @repository.commit(@ref)
 
diff --git a/app/controllers/projects/refs_controller.rb b/app/controllers/projects/refs_controller.rb
index f55fc2242a4..4c2bd2a9d42 100644
--- a/app/controllers/projects/refs_controller.rb
+++ b/app/controllers/projects/refs_controller.rb
@@ -22,7 +22,7 @@ class Projects::RefsController < Projects::ApplicationController
           when "tree"
             project_tree_path(@project, @id)
           when "blob"
-            project_blob_path(@project, @id, ref_type: ref_type)
+            project_blob_path(@project, @id)
           when "graph"
             project_network_path(@project, @id, ref_type: ref_type)
           when "graphs"
diff --git a/app/controllers/projects/tree_controller.rb b/app/controllers/projects/tree_controller.rb
index 1f7912e15df..737a6290431 100644
--- a/app/controllers/projects/tree_controller.rb
+++ b/app/controllers/projects/tree_controller.rb
@@ -28,15 +28,6 @@ class Projects::TreeController < Projects::ApplicationController
   def show
     return render_404 unless @commit
 
-    @ref_type = ref_type
-    if @ref_type == BRANCH_REF_TYPE && ambiguous_ref?(@project, @ref)
-      branch = @project.repository.find_branch(@ref)
-      if branch
-        redirect_to project_tree_path(@project, branch.target)
-        return
-      end
-    end
-
     if tree.entries.empty?
       if @repository.blob_at(@commit.id, @path)
         redirect_to project_blob_path(@project, File.join(@ref, @path))
diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index d71b782c62b..71ad747b6b1 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -171,19 +171,11 @@ class ProjectsController < Projects::ApplicationController
       flash.now[:alert] = _("Project '%{project_name}' queued for deletion.") % { project_name: @project.name }
     end
 
-    if ambiguous_ref?(@project, @ref)
-      branch = @project.repository.find_branch(@ref)
-
-      # The files view would render a ref other than the default branch
-      # This redirect can be removed once the view is fixed
-      redirect_to(project_tree_path(@project, branch.target), alert: _("The default branch of this project clashes with another ref"))
-      return
-    end
-
     respond_to do |format|
       format.html do
         @notification_setting = current_user.notification_settings_for(@project) if current_user
         @project = @project.present(current_user: current_user)
+
         render_landing_page
       end
 
diff --git a/app/views/projects/tree/_tree_header.html.haml b/app/views/projects/tree/_tree_header.html.haml
index d494d9cc36d..6cd3c584f2a 100644
--- a/app/views/projects/tree/_tree_header.html.haml
+++ b/app/views/projects/tree/_tree_header.html.haml
@@ -2,7 +2,7 @@
 
 .tree-ref-container.gl-display-flex.gl-flex-wrap.gl-gap-2.mb-2.mb-md-0
   .tree-ref-holder.gl-max-w-26
-    #js-tree-ref-switcher{ data: { project_id: @project.id, ref_type: @ref_type.to_s, project_root_path: project_path(@project) } }
+    #js-tree-ref-switcher{ data: { project_id: @project.id, project_root_path: project_path(@project) } }
 
   #js-repo-breadcrumb{ data: breadcrumb_data_attributes }
 
diff --git a/lib/banzai/filter/inline_observability_filter.rb b/lib/banzai/filter/inline_observability_filter.rb
index 50d4aac70cc..334c04f2b59 100644
--- a/lib/banzai/filter/inline_observability_filter.rb
+++ b/lib/banzai/filter/inline_observability_filter.rb
@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require 'uri'
-
 module Banzai
   module Filter
     class InlineObservabilityFilter < ::Banzai::Filter::InlineEmbedsFilter
@@ -17,8 +15,7 @@ module Banzai
         doc.document.create_element(
           'div',
           class: 'js-render-observability',
-          'data-frame-url': url,
-          'data-observability-url': Gitlab::Observability.observability_url
+          'data-frame-url': url
         )
       end
 
@@ -31,15 +28,8 @@ module Banzai
       # obtained from the target link
       def element_to_embed(node)
         url = node['href']
-        uri = URI.parse(url)
-        observability_uri = URI.parse(Gitlab::Observability.observability_url)
-
-        if uri.scheme == observability_uri.scheme &&
-            uri.port == observability_uri.port &&
-            uri.host.casecmp?(observability_uri.host) &&
-            uri.path.downcase.exclude?("auth/start")
-          create_element(url)
-        end
+
+        create_element(url)
       end
 
       private
diff --git a/lib/extracts_ref.rb b/lib/extracts_ref.rb
index 49c9772f760..dba1aad639c 100644
--- a/lib/extracts_ref.rb
+++ b/lib/extracts_ref.rb
@@ -5,8 +5,7 @@
 # Can be extended for different types of repository object, e.g. Project or Snippet
 module ExtractsRef
   InvalidPathError = Class.new(StandardError)
-  BRANCH_REF_TYPE = 'heads'
-  TAG_REF_TYPE = 'tags'
+
   # Given a string containing both a Git tree-ish, such as a branch or tag, and
   # a filesystem path joined by forward slashes, attempts to separate the two.
   #
@@ -92,7 +91,7 @@ module ExtractsRef
   def ref_type
     return unless params[:ref_type].present?
 
-    params[:ref_type] == TAG_REF_TYPE ? TAG_REF_TYPE : BRANCH_REF_TYPE
+    params[:ref_type] == 'tags' ? 'tags' : 'heads'
   end
 
   private
@@ -155,13 +154,4 @@ module ExtractsRef
   def repository_container
     raise NotImplementedError
   end
-
-  def ambiguous_ref?(project, ref)
-    return true if project.repository.ambiguous_ref?(ref)
-
-    return false unless ref&.starts_with?('refs/')
-
-    unprefixed_ref = ref.sub(%r{^refs/(heads|tags)/}, '')
-    project.repository.commit(unprefixed_ref).present?
-  end
 end
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 695b567039e..88a17b7d697 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -42698,9 +42698,6 @@ msgstr ""
 msgid "The default branch for this project has been changed. Please update your bookmarks."
 msgstr ""
 
-msgid "The default branch of this project clashes with another ref"
-msgstr ""
-
 msgid "The dependency list details information about the components used within your project."
 msgstr ""
 
diff --git a/spec/controllers/concerns/confirm_email_warning_spec.rb b/spec/controllers/concerns/confirm_email_warning_spec.rb
index b8a4b94aa66..334c156e1ae 100644
--- a/spec/controllers/concerns/confirm_email_warning_spec.rb
+++ b/spec/controllers/concerns/confirm_email_warning_spec.rb
@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-RSpec.describe ConfirmEmailWarning, feature_category: :system_access do
+RSpec.describe ConfirmEmailWarning do
   before do
     stub_feature_flags(soft_email_confirmation: true)
   end
@@ -82,38 +82,6 @@ RSpec.describe ConfirmEmailWarning, feature_category: :system_access do
             it { is_expected.to set_confirm_warning_for(user.email) }
           end
         end
-
-        context 'when user is being impersonated' do
-          let(:impersonator) { create(:admin) }
-
-          before do
-            allow(controller).to receive(:session).and_return({ impersonator_id: impersonator.id })
-
-            get :index
-          end
-
-          it { is_expected.to set_confirm_warning_for(user.email) }
-
-          context 'when impersonated user email has html in their email' do
-            let(:user) { create(:user, confirmed_at: nil, unconfirmed_email: "malicious@test.com<form><input/title='<script>alert(document.domain)</script>'>") }
-
-            it { is_expected.to set_confirm_warning_for("malicious@test.com&lt;form&gt;&lt;input/title=&#39;&lt;script&gt;alert(document.domain)&lt;/script&gt;&#39;&gt;") }
-          end
-        end
-
-        context 'when user is not being impersonated' do
-          before do
-            get :index
-          end
-
-          it { is_expected.to set_confirm_warning_for(user.email) }
-
-          context 'when user email has html in their email' do
-            let(:user) { create(:user, confirmed_at: nil, unconfirmed_email: "malicious@test.com<form><input/title='<script>alert(document.domain)</script>'>") }
-
-            it { is_expected.to set_confirm_warning_for("malicious@test.com&lt;form&gt;&lt;input/title=&#39;&lt;script&gt;alert(document.domain)&lt;/script&gt;&#39;&gt;") }
-          end
-        end
       end
     end
   end
diff --git a/spec/controllers/projects/blob_controller_spec.rb b/spec/controllers/projects/blob_controller_spec.rb
index ec92d92e2a9..887a5ba598f 100644
--- a/spec/controllers/projects/blob_controller_spec.rb
+++ b/spec/controllers/projects/blob_controller_spec.rb
@@ -2,16 +2,15 @@
 
 require 'spec_helper'
 
-RSpec.describe Projects::BlobController, feature_category: :source_code_management do
+RSpec.describe Projects::BlobController do
   include ProjectForksHelper
 
   let(:project) { create(:project, :public, :repository, previous_default_branch: previous_default_branch) }
   let(:previous_default_branch) { nil }
 
   describe "GET show" do
-    let(:params) { { namespace_id: project.namespace, project_id: project, id: id } }
-    let(:request) do
-      get(:show, params: params)
+    def request
+      get(:show, params: { namespace_id: project.namespace, project_id: project, id: id })
     end
 
     render_views
@@ -19,32 +18,8 @@ RSpec.describe Projects::BlobController, feature_category: :source_code_manageme
     context 'with file path' do
       before do
         expect(::Gitlab::GitalyClient).to receive(:allow_ref_name_caching).and_call_original
-        project.repository.add_tag(project.creator, 'ambiguous_ref', RepoHelpers.sample_commit.id)
-        project.repository.add_branch(project.creator, 'ambiguous_ref', RepoHelpers.another_sample_commit.id)
-        request
-      end
-
-      context 'when the ref is ambiguous' do
-        let(:ref) { 'ambiguous_ref' }
-        let(:path) { 'README.md' }
-        let(:id) { "#{ref}/#{path}" }
-        let(:params) { { namespace_id: project.namespace, project_id: project, id: id, ref_type: ref_type } }
 
-        context 'and explicitly requesting a branch' do
-          let(:ref_type) { 'heads' }
-
-          it 'redirects to blob#show with sha for the branch' do
-            expect(response).to redirect_to(project_blob_path(project, "#{RepoHelpers.another_sample_commit.id}/#{path}"))
-          end
-        end
-
-        context 'and explicitly requesting a tag' do
-          let(:ref_type) { 'tags' }
-
-          it 'responds with success' do
-            expect(response).to be_ok
-          end
-        end
+        request
       end
 
       context "valid branch, valid file" do
diff --git a/spec/controllers/projects/refs_controller_spec.rb b/spec/controllers/projects/refs_controller_spec.rb
index 7a511ab676e..a0d119baf16 100644
--- a/spec/controllers/projects/refs_controller_spec.rb
+++ b/spec/controllers/projects/refs_controller_spec.rb
@@ -26,7 +26,7 @@ RSpec.describe Projects::RefsController, feature_category: :source_code_manageme
       'tree'           | nil     | lazy { project_tree_path(project, id) }
       'tree'           | 'heads' | lazy { project_tree_path(project, id) }
       'blob'           | nil     | lazy { project_blob_path(project, id) }
-      'blob'           | 'heads' | lazy { project_blob_path(project, id, ref_type: 'heads') }
+      'blob'           | 'heads' | lazy { project_blob_path(project, id) }
       'graph'          | nil     | lazy { project_network_path(project, id) }
       'graph'          | 'heads' | lazy { project_network_path(project, id, ref_type: 'heads') }
       'graphs'         | nil     | lazy { project_graph_path(project, id) }
diff --git a/spec/controllers/projects/tree_controller_spec.rb b/spec/controllers/projects/tree_controller_spec.rb
index 37149e1d3ca..9bc3065b6da 100644
--- a/spec/controllers/projects/tree_controller_spec.rb
+++ b/spec/controllers/projects/tree_controller_spec.rb
@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-RSpec.describe Projects::TreeController, feature_category: :source_code_management do
+RSpec.describe Projects::TreeController do
   let(:project) { create(:project, :repository, previous_default_branch: previous_default_branch) }
   let(:previous_default_branch) { nil }
   let(:user) { create(:user) }
@@ -15,41 +15,18 @@ RSpec.describe Projects::TreeController, feature_category: :source_code_manageme
   end
 
   describe "GET show" do
-    let(:params) do
-      {
-        namespace_id: project.namespace.to_param, project_id: project, id: id
-      }
-    end
-
     # Make sure any errors accessing the tree in our views bubble up to this spec
     render_views
 
     before do
       expect(::Gitlab::GitalyClient).to receive(:allow_ref_name_caching).and_call_original
-      project.repository.add_tag(project.creator, 'ambiguous_ref', RepoHelpers.sample_commit.id)
-      project.repository.add_branch(project.creator, 'ambiguous_ref', RepoHelpers.another_sample_commit.id)
-      get :show, params: params
-    end
-
-    context 'when the ref is ambiguous' do
-      let(:id) { 'ambiguous_ref' }
-      let(:params) { { namespace_id: project.namespace, project_id: project, id: id, ref_type: ref_type } }
-
-      context 'and explicitly requesting a branch' do
-        let(:ref_type) { 'heads' }
-
-        it 'redirects to blob#show with sha for the branch' do
-          expect(response).to redirect_to(project_tree_path(project, RepoHelpers.another_sample_commit.id))
-        end
-      end
-
-      context 'and explicitly requesting a tag' do
-        let(:ref_type) { 'tags' }
 
-        it 'responds with success' do
-          expect(response).to be_ok
-        end
-      end
+      get(:show,
+          params: {
+            namespace_id: project.namespace.to_param,
+            project_id: project,
+            id: id
+          })
     end
 
     context "valid branch, no path" do
diff --git a/spec/controllers/projects_controller_spec.rb b/spec/controllers/projects_controller_spec.rb
index c5ec6651ab3..51f8a3b1197 100644
--- a/spec/controllers/projects_controller_spec.rb
+++ b/spec/controllers/projects_controller_spec.rb
@@ -163,69 +163,6 @@ RSpec.describe ProjectsController, feature_category: :projects do
             expect(assigns(:notification_setting).level).to eq("watch")
           end
         end
-
-        context 'when there is a tag with the same name as the default branch' do
-          let_it_be(:tagged_project) { create(:project, :public, :custom_repo, files: ['somefile']) }
-          let(:tree_with_default_branch) do
-            branch = tagged_project.repository.find_branch(tagged_project.default_branch)
-            project_tree_path(tagged_project, branch.target)
-          end
-
-          before do
-            tagged_project.repository.create_file(
-              tagged_project.creator,
-              'file_for_tag',
-              'content for file',
-              message: "Automatically created file",
-              branch_name: 'branch-to-tag'
-            )
-
-            tagged_project.repository.add_tag(
-              tagged_project.creator,
-              tagged_project.default_branch, # tag name
-              'branch-to-tag' # target
-            )
-          end
-
-          it 'redirects to tree view for the default branch' do
-            get :show, params: { namespace_id: tagged_project.namespace, id: tagged_project }
-            expect(response).to redirect_to(tree_with_default_branch)
-          end
-        end
-
-        context 'when the default branch name can resolve to another ref' do
-          let!(:project_with_default_branch) do
-            create(:project, :public, :custom_repo, files: ['somefile']).tap do |p|
-              p.repository.create_branch("refs/heads/refs/heads/#{other_ref}", 'master')
-              p.change_head("refs/heads/#{other_ref}")
-            end.reload
-          end
-
-          let(:other_ref) { 'branch-name' }
-
-          context 'but there is no other ref' do
-            it 'responds with ok' do
-              get :show, params: { namespace_id: project_with_default_branch.namespace, id: project_with_default_branch }
-              expect(response).to be_ok
-            end
-          end
-
-          context 'and that other ref exists' do
-            let(:tree_with_default_branch) do
-              branch = project_with_default_branch.repository.find_branch(project_with_default_branch.default_branch)
-              project_tree_path(project_with_default_branch, branch.target)
-            end
-
-            before do
-              project_with_default_branch.repository.create_branch(other_ref, 'master')
-            end
-
-            it 'redirects to tree view for the default branch' do
-              get :show, params: { namespace_id: project_with_default_branch.namespace, id: project_with_default_branch }
-              expect(response).to redirect_to(tree_with_default_branch)
-            end
-          end
-        end
       end
 
       describe "when project repository is disabled" do
diff --git a/spec/features/admin/users/user_spec.rb b/spec/features/admin/users/user_spec.rb
index 66129617220..1552d4e6187 100644
--- a/spec/features/admin/users/user_spec.rb
+++ b/spec/features/admin/users/user_spec.rb
@@ -271,36 +271,6 @@ RSpec.describe 'Admin::Users::User', feature_category: :user_management do
           icon = first('[data-testid="incognito-icon"]')
           expect(icon).not_to be nil
         end
-
-        context 'when viewing the confirm email warning', :js do
-          let_it_be(:another_user) { create(:user, :unconfirmed) }
-
-          let(:warning_alert) { page.find(:css, '[data-testid="alert-warning"]') }
-          let(:expected_styling) { { 'pointer-events' => 'none', 'cursor' => 'default' } }
-
-          context 'with an email that does not contain HTML' do
-            before do
-              subject
-            end
-
-            it 'displays the warning alert including the email' do
-              expect(warning_alert.text).to include("Please check your email (#{another_user.email}) to verify")
-            end
-          end
-
-          context 'with an email that contains HTML' do
-            let(:malicious_email) { "malicious@test.com<form><input/title='<script>alert(document.domain)</script>'>" }
-            let(:another_user) { create(:user, confirmed_at: nil, unconfirmed_email: malicious_email) }
-
-            before do
-              subject
-            end
-
-            it 'displays the impersonation alert, excludes email, and disables links' do
-              expect(warning_alert.text).to include("check your email (#{another_user.unconfirmed_email}) to verify")
-            end
-          end
-        end
       end
 
       context 'ending impersonation' do
diff --git a/spec/frontend/behaviors/markdown/render_observability_spec.js b/spec/frontend/behaviors/markdown/render_observability_spec.js
index 03a0cb2fcc2..c87d11742dc 100644
--- a/spec/frontend/behaviors/markdown/render_observability_spec.js
+++ b/spec/frontend/behaviors/markdown/render_observability_spec.js
@@ -16,7 +16,7 @@ describe('Observability iframe renderer', () => {
   });
 
   it('renders an observability iframe', () => {
-    document.body.innerHTML = `<div class="js-render-observability" data-frame-url="https://observe.gitlab.com/"  data-observability-url="https://observe.gitlab.com/" ></div>`;
+    document.body.innerHTML = `<div class="js-render-observability" data-frame-url="https://observe.gitlab.com/"></div>`;
 
     expect(findObservabilityIframes()).toHaveLength(0);
 
@@ -26,7 +26,7 @@ describe('Observability iframe renderer', () => {
   });
 
   it('renders iframe with dark param when GL has dark theme', () => {
-    document.body.innerHTML = `<div class="js-render-observability" data-frame-url="https://observe.gitlab.com/" data-observability-url="https://observe.gitlab.com/"></div>`;
+    document.body.innerHTML = `<div class="js-render-observability" data-frame-url="https://observe.gitlab.com/"></div>`;
     jest.spyOn(ColorUtils, 'darkModeEnabled').mockImplementation(() => true);
 
     expect(findObservabilityIframes('dark')).toHaveLength(0);
@@ -35,12 +35,4 @@ describe('Observability iframe renderer', () => {
 
     expect(findObservabilityIframes('dark')).toHaveLength(1);
   });
-
-  it('does not render if url is different from observability url', () => {
-    document.body.innerHTML = `<div class="js-render-observability" data-frame-url="https://example.com/" data-observability-url="https://observe.gitlab.com/"></div>`;
-
-    renderEmbeddedObservability();
-
-    expect(findObservabilityIframes()).toHaveLength(0);
-  });
 });
diff --git a/spec/frontend/repository/utils/ref_switcher_utils_spec.js b/spec/frontend/repository/utils/ref_switcher_utils_spec.js
index 220dbf17398..7f708f13eaa 100644
--- a/spec/frontend/repository/utils/ref_switcher_utils_spec.js
+++ b/spec/frontend/repository/utils/ref_switcher_utils_spec.js
@@ -1,6 +1,5 @@
 import { generateRefDestinationPath } from '~/repository/utils/ref_switcher_utils';
 import setWindowLocation from 'helpers/set_window_location_helper';
-import { TEST_HOST } from 'spec/test_constants';
 import { refWithSpecialCharMock, encodedRefWithSpecialCharMock } from '../mock_data';
 
 const projectRootPath = 'root/Project1';
@@ -17,38 +16,16 @@ describe('generateRefDestinationPath', () => {
     ${`${projectRootPath}/-/blob/${currentRef}/dir1/test.js`}           | ${`${projectRootPath}/-/blob/${selectedRef}/dir1/test.js`}
     ${`${projectRootPath}/-/blob/${currentRef}/dir1/dir2/test.js`}      | ${`${projectRootPath}/-/blob/${selectedRef}/dir1/dir2/test.js`}
     ${`${projectRootPath}/-/blob/${currentRef}/dir1/dir2/test.js#L123`} | ${`${projectRootPath}/-/blob/${selectedRef}/dir1/dir2/test.js#L123`}
-  `('generates the correct destination path for $currentPath', ({ currentPath, result }) => {
+  `('generates the correct destination path for  $currentPath', ({ currentPath, result }) => {
     setWindowLocation(currentPath);
-    expect(generateRefDestinationPath(projectRootPath, currentRef, selectedRef)).toBe(
-      `${TEST_HOST}/${result}`,
-    );
-  });
-
-  describe('when using symbolic ref names', () => {
-    it.each`
-      currentPath                                                         | nextRef                                             | result
-      ${`${projectRootPath}/-/blob/${currentRef}/dir1/dir2/test.js#L123`} | ${'someHash'}                                       | ${`${projectRootPath}/-/blob/someHash/dir1/dir2/test.js#L123`}
-      ${`${projectRootPath}/-/blob/${currentRef}/dir1/dir2/test.js#L123`} | ${'refs/heads/prefixedByUseSymbolicRefNames'}       | ${`${projectRootPath}/-/blob/prefixedByUseSymbolicRefNames/dir1/dir2/test.js?ref_type=heads#L123`}
-      ${`${projectRootPath}/-/blob/${currentRef}/dir1/dir2/test.js#L123`} | ${'refs/tags/prefixedByUseSymbolicRefNames'}        | ${`${projectRootPath}/-/blob/prefixedByUseSymbolicRefNames/dir1/dir2/test.js?ref_type=tags#L123`}
-      ${`${projectRootPath}/-/tree/${currentRef}/dir1/dir2/test.js#L123`} | ${'refs/heads/prefixedByUseSymbolicRefNames'}       | ${`${projectRootPath}/-/tree/prefixedByUseSymbolicRefNames/dir1/dir2/test.js?ref_type=heads#L123`}
-      ${`${projectRootPath}/-/tree/${currentRef}/dir1/dir2/test.js#L123`} | ${'refs/tags/prefixedByUseSymbolicRefNames'}        | ${`${projectRootPath}/-/tree/prefixedByUseSymbolicRefNames/dir1/dir2/test.js?ref_type=tags#L123`}
-      ${`${projectRootPath}/-/tree/${currentRef}/dir1/dir2/test.js#L123`} | ${'refs/heads/refs/heads/branchNameContainsPrefix'} | ${`${projectRootPath}/-/tree/refs/heads/branchNameContainsPrefix/dir1/dir2/test.js?ref_type=heads#L123`}
-    `(
-      'generates the correct destination path for $currentPath with ref type when it can be extracted',
-      ({ currentPath, result, nextRef }) => {
-        setWindowLocation(currentPath);
-        expect(generateRefDestinationPath(projectRootPath, currentRef, nextRef)).toBe(
-          `${TEST_HOST}/${result}`,
-        );
-      },
-    );
+    expect(generateRefDestinationPath(projectRootPath, currentRef, selectedRef)).toBe(result);
   });
 
   it('encodes the selected ref', () => {
     const result = `${projectRootPath}/-/tree/${encodedRefWithSpecialCharMock}`;
 
     expect(generateRefDestinationPath(projectRootPath, currentRef, refWithSpecialCharMock)).toBe(
-      `${TEST_HOST}/${result}`,
+      result,
     );
   });
 });
diff --git a/spec/lib/banzai/filter/inline_observability_filter_spec.rb b/spec/lib/banzai/filter/inline_observability_filter_spec.rb
index 69a9dc96c2c..fb1ba46e76c 100644
--- a/spec/lib/banzai/filter/inline_observability_filter_spec.rb
+++ b/spec/lib/banzai/filter/inline_observability_filter_spec.rb
@@ -34,58 +34,6 @@ RSpec.describe Banzai::Filter::InlineObservabilityFilter do
       end
     end
 
-    context 'when the document contains an embeddable observability link with redirect' do
-      let(:url) { 'https://observe.gitlab.com@example.com/12345' }
-
-      it 'leaves the original link unchanged' do
-        expect(doc.at_css('a').to_s).to eq(input)
-      end
-
-      it 'does not append an observability charts placeholder' do
-        node = doc.at_css('.js-render-observability')
-
-        expect(node).not_to be_present
-      end
-    end
-
-    context 'when the document contains an embeddable observability link with different port' do
-      let(:url) { 'https://observe.gitlab.com:3000/12345' }
-      let(:observe_url) { 'https://observe.gitlab.com:3001' }
-
-      before do
-        stub_env('OVERRIDE_OBSERVABILITY_URL', observe_url)
-      end
-
-      it 'leaves the original link unchanged' do
-        expect(doc.at_css('a').to_s).to eq(input)
-      end
-
-      it 'does not append an observability charts placeholder' do
-        node = doc.at_css('.js-render-observability')
-
-        expect(node).not_to be_present
-      end
-    end
-
-    context 'when the document contains an embeddable observability link with auth/start' do
-      let(:url) { 'https://observe.gitlab.com/auth/start' }
-      let(:observe_url) { 'https://observe.gitlab.com' }
-
-      before do
-        stub_env('OVERRIDE_OBSERVABILITY_URL', observe_url)
-      end
-
-      it 'leaves the original link unchanged' do
-        expect(doc.at_css('a').to_s).to eq(input)
-      end
-
-      it 'does not append an observability charts placeholder' do
-        node = doc.at_css('.js-render-observability')
-
-        expect(node).not_to be_present
-      end
-    end
-
     context 'when feature flag is disabled' do
       let(:url) { 'https://observe.gitlab.com/12345' }
 
-- 
cgit v1.2.1


From 5e57ed483af358e2404891d87d1f68a8cf60ef89 Mon Sep 17 00:00:00 2001
From: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Date: Thu, 30 Mar 2023 13:36:14 +0000
Subject: Update VERSION files

[ci skip]
---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/VERSION b/VERSION
index e99b2f49e96..29d84970580 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-15.9.3
\ No newline at end of file
+15.9.4
\ No newline at end of file
-- 
cgit v1.2.1


From d6192c2ab77ab814b9bd66103663047556fd67e4 Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Thu, 30 Mar 2023 13:38:24 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@15-9-stable-ee

---
 CHANGELOG.md                                       | 21 ++++++++
 GITALY_SERVER_VERSION                              |  2 +-
 GITLAB_PAGES_VERSION                               |  2 +-
 .../behaviors/markdown/render_observability.js     | 45 ++++++++++------
 app/assets/javascripts/pages/projects/project.js   |  3 +-
 app/assets/javascripts/repository/index.js         |  7 +--
 .../repository/utils/ref_switcher_utils.js         | 27 ++++++----
 app/controllers/concerns/confirm_email_warning.rb  | 14 +++--
 app/controllers/projects/blob_controller.rb        | 10 ++++
 app/controllers/projects/refs_controller.rb        |  2 +-
 app/controllers/projects/tree_controller.rb        |  9 ++++
 app/controllers/projects_controller.rb             | 10 +++-
 app/policies/project_policy.rb                     |  1 -
 app/views/projects/tree/_tree_header.html.haml     |  2 +-
 lib/banzai/filter/inline_observability_filter.rb   | 16 ++++--
 lib/extracts_ref.rb                                | 14 ++++-
 locale/gitlab.pot                                  |  3 ++
 .../concerns/confirm_email_warning_spec.rb         | 34 +++++++++++-
 spec/controllers/projects/blob_controller_spec.rb  | 33 ++++++++++--
 .../projects/clusters_controller_spec.rb           | 23 +++++++-
 .../environments/prometheus_api_controller_spec.rb | 23 +++++++-
 spec/controllers/projects/refs_controller_spec.rb  |  2 +-
 spec/controllers/projects/tree_controller_spec.rb  | 37 ++++++++++---
 spec/controllers/projects_controller_spec.rb       | 63 ++++++++++++++++++++++
 spec/features/admin/users/user_spec.rb             | 30 +++++++++++
 .../markdown/render_observability_spec.js          | 12 ++++-
 .../repository/utils/ref_switcher_utils_spec.js    | 29 ++++++++--
 .../filter/inline_observability_filter_spec.rb     | 52 ++++++++++++++++++
 spec/policies/project_policy_spec.rb               | 46 ++++++++++++++--
 29 files changed, 505 insertions(+), 67 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 416c13b5db7..e680728a01e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,27 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 15.9.4 (2023-03-30)
+
+### Security (16 changes)
+
+- [Add checks to remove open redirects from Observability URL](gitlab-org/security/gitlab@98b1bd243f454bd28c262131be616ee2060c3a78) ([merge request](gitlab-org/security/gitlab!3104))
+- [Redirect to tree from project root on ref collision](gitlab-org/security/gitlab@0f0c0f21dffe300a56abf1e07a2fefb17160faeb) ([merge request](gitlab-org/security/gitlab!3133))
+- [Fixes soft email confirmation alert vulnerability](gitlab-org/security/gitlab@12498f791f9c5fe833f5202b06cc818d4dcf965b) ([merge request](gitlab-org/security/gitlab!3124))
+- [Restrict Prometheus API access on public projects](gitlab-org/security/gitlab@440a7989ff46ca333f86a38aefa47f74301e66fc) ([merge request](gitlab-org/security/gitlab!3163))
+- [Verify that users have access to the parent of the fork](gitlab-org/security/gitlab@9dd0dff69d3941e827c461c67b9af10da07d69f8) ([merge request](gitlab-org/security/gitlab!3084))
+- [Protect webhook secrets by resetting url_variables](gitlab-org/security/gitlab@cd20b44dd5b075827203330802e331b896448265) ([merge request](gitlab-org/security/gitlab!3140))
+- [Replace Unicode space chars with spaces](gitlab-org/security/gitlab@76975082c41870265e1285fa8f4e053eb6ff11ae) ([merge request](gitlab-org/security/gitlab!3136))
+- [Check access to parent when creating and updating epics](gitlab-org/security/gitlab@7fcc4a0d010d3a428e803f95ef47904c4c7178a8) ([merge request](gitlab-org/security/gitlab!3149))
+- [Improve Gitlab::UrlSanitizer regex to match more URIs](gitlab-org/security/gitlab@4e7313536e4cdb3ecef37100b5a73720eabfbc79) ([merge request](gitlab-org/security/gitlab!3108))
+- [Check access to target project before looking for branch](gitlab-org/security/gitlab@f55edf39e52af9eecb19caf8ed5d4cb8524ef64d) ([merge request](gitlab-org/security/gitlab!3040))
+- [Fix the potential leak of internal notes](gitlab-org/security/gitlab@be73600e8c43c22cda1ace5910eb2052b2741972) ([merge request](gitlab-org/security/gitlab!3120))
+- [Use UntrustedRegexp to limit scan of HTML comments](gitlab-org/security/gitlab@d5e65583debcae71787e171643275bc9b9d4393e) ([merge request](gitlab-org/security/gitlab!3142))
+- [Filter namespace environments by feature visibility](gitlab-org/security/gitlab@54045b508a9ba9ae18f5992b77970240774b28a7) ([merge request](gitlab-org/security/gitlab!3111))
+- [Check access to reorder issues in epic tree](gitlab-org/security/gitlab@bc033cd3a98c9a1468545811a8180604f7f8aee3) ([merge request](gitlab-org/security/gitlab!3101))
+- [Fix security report authorization](gitlab-org/security/gitlab@a01cf9d8383ffc4c0e29514f71d49bf345e1f7c2) ([merge request](gitlab-org/security/gitlab!3106))
+- [Prevent XSS attack in "Maximum page reached" page](gitlab-org/security/gitlab@3cefb16a5e369ee99f4c3ccbaa02cead6faf1a99) ([merge request](gitlab-org/security/gitlab!3130))
+
 ## 15.9.3 (2023-03-09)
 
 ### Fixed (4 changes)
diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION
index e99b2f49e96..29d84970580 100644
--- a/GITALY_SERVER_VERSION
+++ b/GITALY_SERVER_VERSION
@@ -1 +1 @@
-15.9.3
\ No newline at end of file
+15.9.4
\ No newline at end of file
diff --git a/GITLAB_PAGES_VERSION b/GITLAB_PAGES_VERSION
index e99b2f49e96..29d84970580 100644
--- a/GITLAB_PAGES_VERSION
+++ b/GITLAB_PAGES_VERSION
@@ -1 +1 @@
-15.9.3
\ No newline at end of file
+15.9.4
\ No newline at end of file
diff --git a/app/assets/javascripts/behaviors/markdown/render_observability.js b/app/assets/javascripts/behaviors/markdown/render_observability.js
index 704d85cf22e..d5d46c10efd 100644
--- a/app/assets/javascripts/behaviors/markdown/render_observability.js
+++ b/app/assets/javascripts/behaviors/markdown/render_observability.js
@@ -7,23 +7,36 @@ export function getFrameSrc(url) {
 }
 
 const mountVueComponent = (element) => {
-  const url = [element.dataset.frameUrl];
+  const { frameUrl, observabilityUrl } = element.dataset;
 
-  return new Vue({
-    el: element,
-    render(h) {
-      return h('iframe', {
-        style: {
-          height: '366px',
-          width: '768px',
-        },
-        attrs: {
-          src: getFrameSrc(url),
-          frameBorder: '0',
-        },
-      });
-    },
-  });
+  try {
+    if (
+      !observabilityUrl ||
+      !frameUrl ||
+      new URL(frameUrl)?.host !== new URL(observabilityUrl).host
+    )
+      return;
+
+    // eslint-disable-next-line no-new
+    new Vue({
+      el: element,
+      render(h) {
+        return h('iframe', {
+          style: {
+            height: '366px',
+            width: '768px',
+          },
+          attrs: {
+            src: getFrameSrc(frameUrl),
+            frameBorder: '0',
+          },
+        });
+      },
+    });
+  } catch (e) {
+    // eslint-disable-next-line no-console
+    console.error(e);
+  }
 };
 
 export default function renderObservability(elements) {
diff --git a/app/assets/javascripts/pages/projects/project.js b/app/assets/javascripts/pages/projects/project.js
index 5773737c41b..a4b3b83a855 100644
--- a/app/assets/javascripts/pages/projects/project.js
+++ b/app/assets/javascripts/pages/projects/project.js
@@ -110,9 +110,10 @@ export default class Project {
             const urlParams = { [fieldName]: ref };
             if (params.group === BRANCH_GROUP_NAME) {
               urlParams.ref_type = BRANCH_REF_TYPE;
-            } else {
+            } else if (params.group === TAG_GROUP_NAME) {
               urlParams.ref_type = TAG_REF_TYPE;
             }
+
             link.href = mergeUrlParams(urlParams, linkTarget);
           }
 
diff --git a/app/assets/javascripts/repository/index.js b/app/assets/javascripts/repository/index.js
index 494e270a66c..95e0c94527b 100644
--- a/app/assets/javascripts/repository/index.js
+++ b/app/assets/javascripts/repository/index.js
@@ -2,7 +2,7 @@ import { GlButton } from '@gitlab/ui';
 import Vue from 'vue';
 import Vuex from 'vuex';
 import { parseBoolean } from '~/lib/utils/common_utils';
-import { escapeFileUrl, visitUrl } from '~/lib/utils/url_utility';
+import { joinPaths, escapeFileUrl, visitUrl } from '~/lib/utils/url_utility';
 import { __ } from '~/locale';
 import initWebIdeLink from '~/pages/projects/shared/web_ide_link';
 import PerformancePlugin from '~/performance/vue_performance_plugin';
@@ -121,7 +121,7 @@ export default function setupVueRepositoryList() {
 
     if (!refSwitcherEl) return false;
 
-    const { projectId, projectRootPath } = refSwitcherEl.dataset;
+    const { projectId, projectRootPath, refType } = refSwitcherEl.dataset;
 
     return new Vue({
       el: refSwitcherEl,
@@ -129,7 +129,8 @@ export default function setupVueRepositoryList() {
         return createElement(RefSelector, {
           props: {
             projectId,
-            value: ref,
+            value: refType ? joinPaths('refs', refType, ref) : ref,
+            useSymbolicRefNames: true,
           },
           on: {
             input(selectedRef) {
diff --git a/app/assets/javascripts/repository/utils/ref_switcher_utils.js b/app/assets/javascripts/repository/utils/ref_switcher_utils.js
index c62f7f709c4..bcad4a2c822 100644
--- a/app/assets/javascripts/repository/utils/ref_switcher_utils.js
+++ b/app/assets/javascripts/repository/utils/ref_switcher_utils.js
@@ -16,22 +16,29 @@ const getNamespaceTargetRegex = (ref) => new RegExp(`(/-/(blob|tree))/${ref}/(.*
  * @param {string} selectedRef - The selected ref from the ref dropdown.
  */
 export function generateRefDestinationPath(projectRootPath, ref, selectedRef) {
-  const currentPath = window.location.pathname;
-  const encodedHash = '%23';
+  const url = new URL(window.location.href);
+  const currentPath = url.pathname;
+  let refType = null;
   let namespace = '/-/tree';
   let target;
+  let actualRef = selectedRef;
+
+  const matches = selectedRef.match(/^refs\/(heads|tags)\/(.+)/);
+  if (matches) {
+    [, refType, actualRef] = matches;
+  }
+  if (refType) {
+    url.searchParams.set('ref_type', refType);
+  } else {
+    url.searchParams.delete('ref_type');
+  }
+
   const NAMESPACE_TARGET_REGEX = getNamespaceTargetRegex(ref);
   const match = NAMESPACE_TARGET_REGEX.exec(currentPath);
   if (match) {
     [, namespace, , target] = match;
   }
+  url.pathname = joinPaths(projectRootPath, namespace, actualRef, target);
 
-  const destinationPath = joinPaths(
-    projectRootPath,
-    namespace,
-    encodeURI(selectedRef).replace(/#/g, encodedHash),
-    target,
-  );
-
-  return `${destinationPath}${window.location.hash}`;
+  return url.toString();
 }
diff --git a/app/controllers/concerns/confirm_email_warning.rb b/app/controllers/concerns/confirm_email_warning.rb
index ec5140bf223..2711c823275 100644
--- a/app/controllers/concerns/confirm_email_warning.rb
+++ b/app/controllers/concerns/confirm_email_warning.rb
@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 module ConfirmEmailWarning
+  include Gitlab::Utils::StrongMemoize
   extend ActiveSupport::Concern
 
   included do
@@ -17,11 +18,9 @@ module ConfirmEmailWarning
     return unless current_user
     return if current_user.confirmed?
 
-    email = current_user.unconfirmed_email || current_user.email
-
     flash.now[:warning] = format(
       confirm_warning_message,
-      email: email,
+      email: email_to_display,
       resend_link: view_context.link_to(_('Resend it'), user_confirmation_path(user: { email: email }), method: :post),
       update_link: view_context.link_to(_('Update it'), profile_path)
     ).html_safe
@@ -29,7 +28,16 @@ module ConfirmEmailWarning
 
   private
 
+  def email
+    current_user.unconfirmed_email || current_user.email
+  end
+  strong_memoize_attr :email
+
   def confirm_warning_message
     _("Please check your email (%{email}) to verify that you own this address and unlock the power of CI/CD. Didn't receive it? %{resend_link}. Wrong email address? %{update_link}.")
   end
+
+  def email_to_display
+    html_escape(email)
+  end
 end
diff --git a/app/controllers/projects/blob_controller.rb b/app/controllers/projects/blob_controller.rb
index 59cea00e26b..b71af82535a 100644
--- a/app/controllers/projects/blob_controller.rb
+++ b/app/controllers/projects/blob_controller.rb
@@ -31,6 +31,7 @@ class Projects::BlobController < Projects::ApplicationController
   before_action :authorize_edit_tree!, only: [:new, :create, :update, :destroy]
 
   before_action :commit, except: [:new, :create]
+  before_action :check_for_ambiguous_ref, only: [:show]
   before_action :blob, except: [:new, :create]
   before_action :require_branch_head, only: [:edit, :update]
   before_action :editor_variables, except: [:show, :preview, :diff]
@@ -145,6 +146,15 @@ class Projects::BlobController < Projects::ApplicationController
     end
   end
 
+  def check_for_ambiguous_ref
+    @ref_type = ref_type
+
+    if @ref_type == ExtractsRef::BRANCH_REF_TYPE && ambiguous_ref?(@project, @ref)
+      branch = @project.repository.find_branch(@ref)
+      redirect_to project_blob_path(@project, File.join(branch.target, @path))
+    end
+  end
+
   def commit
     @commit ||= @repository.commit(@ref)
 
diff --git a/app/controllers/projects/refs_controller.rb b/app/controllers/projects/refs_controller.rb
index 4c2bd2a9d42..f55fc2242a4 100644
--- a/app/controllers/projects/refs_controller.rb
+++ b/app/controllers/projects/refs_controller.rb
@@ -22,7 +22,7 @@ class Projects::RefsController < Projects::ApplicationController
           when "tree"
             project_tree_path(@project, @id)
           when "blob"
-            project_blob_path(@project, @id)
+            project_blob_path(@project, @id, ref_type: ref_type)
           when "graph"
             project_network_path(@project, @id, ref_type: ref_type)
           when "graphs"
diff --git a/app/controllers/projects/tree_controller.rb b/app/controllers/projects/tree_controller.rb
index 737a6290431..1f7912e15df 100644
--- a/app/controllers/projects/tree_controller.rb
+++ b/app/controllers/projects/tree_controller.rb
@@ -28,6 +28,15 @@ class Projects::TreeController < Projects::ApplicationController
   def show
     return render_404 unless @commit
 
+    @ref_type = ref_type
+    if @ref_type == BRANCH_REF_TYPE && ambiguous_ref?(@project, @ref)
+      branch = @project.repository.find_branch(@ref)
+      if branch
+        redirect_to project_tree_path(@project, branch.target)
+        return
+      end
+    end
+
     if tree.entries.empty?
       if @repository.blob_at(@commit.id, @path)
         redirect_to project_blob_path(@project, File.join(@ref, @path))
diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index 71ad747b6b1..d71b782c62b 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -171,11 +171,19 @@ class ProjectsController < Projects::ApplicationController
       flash.now[:alert] = _("Project '%{project_name}' queued for deletion.") % { project_name: @project.name }
     end
 
+    if ambiguous_ref?(@project, @ref)
+      branch = @project.repository.find_branch(@ref)
+
+      # The files view would render a ref other than the default branch
+      # This redirect can be removed once the view is fixed
+      redirect_to(project_tree_path(@project, branch.target), alert: _("The default branch of this project clashes with another ref"))
+      return
+    end
+
     respond_to do |format|
       format.html do
         @notification_setting = current_user.notification_settings_for(@project) if current_user
         @project = @project.present(current_user: current_user)
-
         render_landing_page
       end
 
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 875520d24be..3d22002e828 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -412,7 +412,6 @@ class ProjectPolicy < BasePolicy
   end
 
   rule { can?(:metrics_dashboard) }.policy do
-    enable :read_prometheus
     enable :read_deployment
   end
 
diff --git a/app/views/projects/tree/_tree_header.html.haml b/app/views/projects/tree/_tree_header.html.haml
index 6cd3c584f2a..d494d9cc36d 100644
--- a/app/views/projects/tree/_tree_header.html.haml
+++ b/app/views/projects/tree/_tree_header.html.haml
@@ -2,7 +2,7 @@
 
 .tree-ref-container.gl-display-flex.gl-flex-wrap.gl-gap-2.mb-2.mb-md-0
   .tree-ref-holder.gl-max-w-26
-    #js-tree-ref-switcher{ data: { project_id: @project.id, project_root_path: project_path(@project) } }
+    #js-tree-ref-switcher{ data: { project_id: @project.id, ref_type: @ref_type.to_s, project_root_path: project_path(@project) } }
 
   #js-repo-breadcrumb{ data: breadcrumb_data_attributes }
 
diff --git a/lib/banzai/filter/inline_observability_filter.rb b/lib/banzai/filter/inline_observability_filter.rb
index 334c04f2b59..50d4aac70cc 100644
--- a/lib/banzai/filter/inline_observability_filter.rb
+++ b/lib/banzai/filter/inline_observability_filter.rb
@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require 'uri'
+
 module Banzai
   module Filter
     class InlineObservabilityFilter < ::Banzai::Filter::InlineEmbedsFilter
@@ -15,7 +17,8 @@ module Banzai
         doc.document.create_element(
           'div',
           class: 'js-render-observability',
-          'data-frame-url': url
+          'data-frame-url': url,
+          'data-observability-url': Gitlab::Observability.observability_url
         )
       end
 
@@ -28,8 +31,15 @@ module Banzai
       # obtained from the target link
       def element_to_embed(node)
         url = node['href']
-
-        create_element(url)
+        uri = URI.parse(url)
+        observability_uri = URI.parse(Gitlab::Observability.observability_url)
+
+        if uri.scheme == observability_uri.scheme &&
+            uri.port == observability_uri.port &&
+            uri.host.casecmp?(observability_uri.host) &&
+            uri.path.downcase.exclude?("auth/start")
+          create_element(url)
+        end
       end
 
       private
diff --git a/lib/extracts_ref.rb b/lib/extracts_ref.rb
index dba1aad639c..49c9772f760 100644
--- a/lib/extracts_ref.rb
+++ b/lib/extracts_ref.rb
@@ -5,7 +5,8 @@
 # Can be extended for different types of repository object, e.g. Project or Snippet
 module ExtractsRef
   InvalidPathError = Class.new(StandardError)
-
+  BRANCH_REF_TYPE = 'heads'
+  TAG_REF_TYPE = 'tags'
   # Given a string containing both a Git tree-ish, such as a branch or tag, and
   # a filesystem path joined by forward slashes, attempts to separate the two.
   #
@@ -91,7 +92,7 @@ module ExtractsRef
   def ref_type
     return unless params[:ref_type].present?
 
-    params[:ref_type] == 'tags' ? 'tags' : 'heads'
+    params[:ref_type] == TAG_REF_TYPE ? TAG_REF_TYPE : BRANCH_REF_TYPE
   end
 
   private
@@ -154,4 +155,13 @@ module ExtractsRef
   def repository_container
     raise NotImplementedError
   end
+
+  def ambiguous_ref?(project, ref)
+    return true if project.repository.ambiguous_ref?(ref)
+
+    return false unless ref&.starts_with?('refs/')
+
+    unprefixed_ref = ref.sub(%r{^refs/(heads|tags)/}, '')
+    project.repository.commit(unprefixed_ref).present?
+  end
 end
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 88a17b7d697..695b567039e 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -42698,6 +42698,9 @@ msgstr ""
 msgid "The default branch for this project has been changed. Please update your bookmarks."
 msgstr ""
 
+msgid "The default branch of this project clashes with another ref"
+msgstr ""
+
 msgid "The dependency list details information about the components used within your project."
 msgstr ""
 
diff --git a/spec/controllers/concerns/confirm_email_warning_spec.rb b/spec/controllers/concerns/confirm_email_warning_spec.rb
index 334c156e1ae..b8a4b94aa66 100644
--- a/spec/controllers/concerns/confirm_email_warning_spec.rb
+++ b/spec/controllers/concerns/confirm_email_warning_spec.rb
@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-RSpec.describe ConfirmEmailWarning do
+RSpec.describe ConfirmEmailWarning, feature_category: :system_access do
   before do
     stub_feature_flags(soft_email_confirmation: true)
   end
@@ -82,6 +82,38 @@ RSpec.describe ConfirmEmailWarning do
             it { is_expected.to set_confirm_warning_for(user.email) }
           end
         end
+
+        context 'when user is being impersonated' do
+          let(:impersonator) { create(:admin) }
+
+          before do
+            allow(controller).to receive(:session).and_return({ impersonator_id: impersonator.id })
+
+            get :index
+          end
+
+          it { is_expected.to set_confirm_warning_for(user.email) }
+
+          context 'when impersonated user email has html in their email' do
+            let(:user) { create(:user, confirmed_at: nil, unconfirmed_email: "malicious@test.com<form><input/title='<script>alert(document.domain)</script>'>") }
+
+            it { is_expected.to set_confirm_warning_for("malicious@test.com&lt;form&gt;&lt;input/title=&#39;&lt;script&gt;alert(document.domain)&lt;/script&gt;&#39;&gt;") }
+          end
+        end
+
+        context 'when user is not being impersonated' do
+          before do
+            get :index
+          end
+
+          it { is_expected.to set_confirm_warning_for(user.email) }
+
+          context 'when user email has html in their email' do
+            let(:user) { create(:user, confirmed_at: nil, unconfirmed_email: "malicious@test.com<form><input/title='<script>alert(document.domain)</script>'>") }
+
+            it { is_expected.to set_confirm_warning_for("malicious@test.com&lt;form&gt;&lt;input/title=&#39;&lt;script&gt;alert(document.domain)&lt;/script&gt;&#39;&gt;") }
+          end
+        end
       end
     end
   end
diff --git a/spec/controllers/projects/blob_controller_spec.rb b/spec/controllers/projects/blob_controller_spec.rb
index 887a5ba598f..ec92d92e2a9 100644
--- a/spec/controllers/projects/blob_controller_spec.rb
+++ b/spec/controllers/projects/blob_controller_spec.rb
@@ -2,15 +2,16 @@
 
 require 'spec_helper'
 
-RSpec.describe Projects::BlobController do
+RSpec.describe Projects::BlobController, feature_category: :source_code_management do
   include ProjectForksHelper
 
   let(:project) { create(:project, :public, :repository, previous_default_branch: previous_default_branch) }
   let(:previous_default_branch) { nil }
 
   describe "GET show" do
-    def request
-      get(:show, params: { namespace_id: project.namespace, project_id: project, id: id })
+    let(:params) { { namespace_id: project.namespace, project_id: project, id: id } }
+    let(:request) do
+      get(:show, params: params)
     end
 
     render_views
@@ -18,10 +19,34 @@ RSpec.describe Projects::BlobController do
     context 'with file path' do
       before do
         expect(::Gitlab::GitalyClient).to receive(:allow_ref_name_caching).and_call_original
-
+        project.repository.add_tag(project.creator, 'ambiguous_ref', RepoHelpers.sample_commit.id)
+        project.repository.add_branch(project.creator, 'ambiguous_ref', RepoHelpers.another_sample_commit.id)
         request
       end
 
+      context 'when the ref is ambiguous' do
+        let(:ref) { 'ambiguous_ref' }
+        let(:path) { 'README.md' }
+        let(:id) { "#{ref}/#{path}" }
+        let(:params) { { namespace_id: project.namespace, project_id: project, id: id, ref_type: ref_type } }
+
+        context 'and explicitly requesting a branch' do
+          let(:ref_type) { 'heads' }
+
+          it 'redirects to blob#show with sha for the branch' do
+            expect(response).to redirect_to(project_blob_path(project, "#{RepoHelpers.another_sample_commit.id}/#{path}"))
+          end
+        end
+
+        context 'and explicitly requesting a tag' do
+          let(:ref_type) { 'tags' }
+
+          it 'responds with success' do
+            expect(response).to be_ok
+          end
+        end
+      end
+
       context "valid branch, valid file" do
         let(:id) { 'master/README.md' }
 
diff --git a/spec/controllers/projects/clusters_controller_spec.rb b/spec/controllers/projects/clusters_controller_spec.rb
index a4f7c92f5cd..c7d2b1fa3af 100644
--- a/spec/controllers/projects/clusters_controller_spec.rb
+++ b/spec/controllers/projects/clusters_controller_spec.rb
@@ -7,7 +7,7 @@ RSpec.describe Projects::ClustersController, feature_category: :kubernetes_manag
   include GoogleApi::CloudPlatformHelpers
   include KubernetesHelpers
 
-  let_it_be(:project) { create(:project) }
+  let_it_be_with_reload(:project) { create(:project) }
 
   let(:user) { create(:user) }
 
@@ -140,6 +140,27 @@ RSpec.describe Projects::ClustersController, feature_category: :kubernetes_manag
           expect(response).to redirect_to(new_user_session_path)
         end
       end
+
+      context 'with a public project' do
+        before do
+          project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+          project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::ENABLED)
+        end
+
+        context 'with guest user' do
+          let(:prometheus_body) { nil }
+
+          before do
+            project.add_guest(user)
+          end
+
+          it 'returns 404' do
+            get :prometheus_proxy, params: prometheus_proxy_params
+
+            expect(response).to have_gitlab_http_status(:not_found)
+          end
+        end
+      end
     end
   end
 
diff --git a/spec/controllers/projects/environments/prometheus_api_controller_spec.rb b/spec/controllers/projects/environments/prometheus_api_controller_spec.rb
index 68d50cf19f0..6b0c164e432 100644
--- a/spec/controllers/projects/environments/prometheus_api_controller_spec.rb
+++ b/spec/controllers/projects/environments/prometheus_api_controller_spec.rb
@@ -4,7 +4,7 @@ require 'spec_helper'
 
 RSpec.describe Projects::Environments::PrometheusApiController do
   let_it_be(:user) { create(:user) }
-  let_it_be(:project) { create(:project) }
+  let_it_be_with_reload(:project) { create(:project) }
   let_it_be(:proxyable) { create(:environment, project: project) }
 
   before do
@@ -70,6 +70,27 @@ RSpec.describe Projects::Environments::PrometheusApiController do
           expect(response).to redirect_to(new_user_session_path)
         end
       end
+
+      context 'with a public project' do
+        before do
+          project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+          project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::ENABLED)
+        end
+
+        context 'with guest user' do
+          let(:prometheus_body) { nil }
+
+          before do
+            project.add_guest(user)
+          end
+
+          it 'returns 404' do
+            get :prometheus_proxy, params: prometheus_proxy_params
+
+            expect(response).to have_gitlab_http_status(:not_found)
+          end
+        end
+      end
     end
   end
 end
diff --git a/spec/controllers/projects/refs_controller_spec.rb b/spec/controllers/projects/refs_controller_spec.rb
index a0d119baf16..7a511ab676e 100644
--- a/spec/controllers/projects/refs_controller_spec.rb
+++ b/spec/controllers/projects/refs_controller_spec.rb
@@ -26,7 +26,7 @@ RSpec.describe Projects::RefsController, feature_category: :source_code_manageme
       'tree'           | nil     | lazy { project_tree_path(project, id) }
       'tree'           | 'heads' | lazy { project_tree_path(project, id) }
       'blob'           | nil     | lazy { project_blob_path(project, id) }
-      'blob'           | 'heads' | lazy { project_blob_path(project, id) }
+      'blob'           | 'heads' | lazy { project_blob_path(project, id, ref_type: 'heads') }
       'graph'          | nil     | lazy { project_network_path(project, id) }
       'graph'          | 'heads' | lazy { project_network_path(project, id, ref_type: 'heads') }
       'graphs'         | nil     | lazy { project_graph_path(project, id) }
diff --git a/spec/controllers/projects/tree_controller_spec.rb b/spec/controllers/projects/tree_controller_spec.rb
index 9bc3065b6da..37149e1d3ca 100644
--- a/spec/controllers/projects/tree_controller_spec.rb
+++ b/spec/controllers/projects/tree_controller_spec.rb
@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-RSpec.describe Projects::TreeController do
+RSpec.describe Projects::TreeController, feature_category: :source_code_management do
   let(:project) { create(:project, :repository, previous_default_branch: previous_default_branch) }
   let(:previous_default_branch) { nil }
   let(:user) { create(:user) }
@@ -15,18 +15,41 @@ RSpec.describe Projects::TreeController do
   end
 
   describe "GET show" do
+    let(:params) do
+      {
+        namespace_id: project.namespace.to_param, project_id: project, id: id
+      }
+    end
+
     # Make sure any errors accessing the tree in our views bubble up to this spec
     render_views
 
     before do
       expect(::Gitlab::GitalyClient).to receive(:allow_ref_name_caching).and_call_original
+      project.repository.add_tag(project.creator, 'ambiguous_ref', RepoHelpers.sample_commit.id)
+      project.repository.add_branch(project.creator, 'ambiguous_ref', RepoHelpers.another_sample_commit.id)
+      get :show, params: params
+    end
 
-      get(:show,
-          params: {
-            namespace_id: project.namespace.to_param,
-            project_id: project,
-            id: id
-          })
+    context 'when the ref is ambiguous' do
+      let(:id) { 'ambiguous_ref' }
+      let(:params) { { namespace_id: project.namespace, project_id: project, id: id, ref_type: ref_type } }
+
+      context 'and explicitly requesting a branch' do
+        let(:ref_type) { 'heads' }
+
+        it 'redirects to blob#show with sha for the branch' do
+          expect(response).to redirect_to(project_tree_path(project, RepoHelpers.another_sample_commit.id))
+        end
+      end
+
+      context 'and explicitly requesting a tag' do
+        let(:ref_type) { 'tags' }
+
+        it 'responds with success' do
+          expect(response).to be_ok
+        end
+      end
     end
 
     context "valid branch, no path" do
diff --git a/spec/controllers/projects_controller_spec.rb b/spec/controllers/projects_controller_spec.rb
index 51f8a3b1197..c5ec6651ab3 100644
--- a/spec/controllers/projects_controller_spec.rb
+++ b/spec/controllers/projects_controller_spec.rb
@@ -163,6 +163,69 @@ RSpec.describe ProjectsController, feature_category: :projects do
             expect(assigns(:notification_setting).level).to eq("watch")
           end
         end
+
+        context 'when there is a tag with the same name as the default branch' do
+          let_it_be(:tagged_project) { create(:project, :public, :custom_repo, files: ['somefile']) }
+          let(:tree_with_default_branch) do
+            branch = tagged_project.repository.find_branch(tagged_project.default_branch)
+            project_tree_path(tagged_project, branch.target)
+          end
+
+          before do
+            tagged_project.repository.create_file(
+              tagged_project.creator,
+              'file_for_tag',
+              'content for file',
+              message: "Automatically created file",
+              branch_name: 'branch-to-tag'
+            )
+
+            tagged_project.repository.add_tag(
+              tagged_project.creator,
+              tagged_project.default_branch, # tag name
+              'branch-to-tag' # target
+            )
+          end
+
+          it 'redirects to tree view for the default branch' do
+            get :show, params: { namespace_id: tagged_project.namespace, id: tagged_project }
+            expect(response).to redirect_to(tree_with_default_branch)
+          end
+        end
+
+        context 'when the default branch name can resolve to another ref' do
+          let!(:project_with_default_branch) do
+            create(:project, :public, :custom_repo, files: ['somefile']).tap do |p|
+              p.repository.create_branch("refs/heads/refs/heads/#{other_ref}", 'master')
+              p.change_head("refs/heads/#{other_ref}")
+            end.reload
+          end
+
+          let(:other_ref) { 'branch-name' }
+
+          context 'but there is no other ref' do
+            it 'responds with ok' do
+              get :show, params: { namespace_id: project_with_default_branch.namespace, id: project_with_default_branch }
+              expect(response).to be_ok
+            end
+          end
+
+          context 'and that other ref exists' do
+            let(:tree_with_default_branch) do
+              branch = project_with_default_branch.repository.find_branch(project_with_default_branch.default_branch)
+              project_tree_path(project_with_default_branch, branch.target)
+            end
+
+            before do
+              project_with_default_branch.repository.create_branch(other_ref, 'master')
+            end
+
+            it 'redirects to tree view for the default branch' do
+              get :show, params: { namespace_id: project_with_default_branch.namespace, id: project_with_default_branch }
+              expect(response).to redirect_to(tree_with_default_branch)
+            end
+          end
+        end
       end
 
       describe "when project repository is disabled" do
diff --git a/spec/features/admin/users/user_spec.rb b/spec/features/admin/users/user_spec.rb
index 1552d4e6187..66129617220 100644
--- a/spec/features/admin/users/user_spec.rb
+++ b/spec/features/admin/users/user_spec.rb
@@ -271,6 +271,36 @@ RSpec.describe 'Admin::Users::User', feature_category: :user_management do
           icon = first('[data-testid="incognito-icon"]')
           expect(icon).not_to be nil
         end
+
+        context 'when viewing the confirm email warning', :js do
+          let_it_be(:another_user) { create(:user, :unconfirmed) }
+
+          let(:warning_alert) { page.find(:css, '[data-testid="alert-warning"]') }
+          let(:expected_styling) { { 'pointer-events' => 'none', 'cursor' => 'default' } }
+
+          context 'with an email that does not contain HTML' do
+            before do
+              subject
+            end
+
+            it 'displays the warning alert including the email' do
+              expect(warning_alert.text).to include("Please check your email (#{another_user.email}) to verify")
+            end
+          end
+
+          context 'with an email that contains HTML' do
+            let(:malicious_email) { "malicious@test.com<form><input/title='<script>alert(document.domain)</script>'>" }
+            let(:another_user) { create(:user, confirmed_at: nil, unconfirmed_email: malicious_email) }
+
+            before do
+              subject
+            end
+
+            it 'displays the impersonation alert, excludes email, and disables links' do
+              expect(warning_alert.text).to include("check your email (#{another_user.unconfirmed_email}) to verify")
+            end
+          end
+        end
       end
 
       context 'ending impersonation' do
diff --git a/spec/frontend/behaviors/markdown/render_observability_spec.js b/spec/frontend/behaviors/markdown/render_observability_spec.js
index c87d11742dc..03a0cb2fcc2 100644
--- a/spec/frontend/behaviors/markdown/render_observability_spec.js
+++ b/spec/frontend/behaviors/markdown/render_observability_spec.js
@@ -16,7 +16,7 @@ describe('Observability iframe renderer', () => {
   });
 
   it('renders an observability iframe', () => {
-    document.body.innerHTML = `<div class="js-render-observability" data-frame-url="https://observe.gitlab.com/"></div>`;
+    document.body.innerHTML = `<div class="js-render-observability" data-frame-url="https://observe.gitlab.com/"  data-observability-url="https://observe.gitlab.com/" ></div>`;
 
     expect(findObservabilityIframes()).toHaveLength(0);
 
@@ -26,7 +26,7 @@ describe('Observability iframe renderer', () => {
   });
 
   it('renders iframe with dark param when GL has dark theme', () => {
-    document.body.innerHTML = `<div class="js-render-observability" data-frame-url="https://observe.gitlab.com/"></div>`;
+    document.body.innerHTML = `<div class="js-render-observability" data-frame-url="https://observe.gitlab.com/" data-observability-url="https://observe.gitlab.com/"></div>`;
     jest.spyOn(ColorUtils, 'darkModeEnabled').mockImplementation(() => true);
 
     expect(findObservabilityIframes('dark')).toHaveLength(0);
@@ -35,4 +35,12 @@ describe('Observability iframe renderer', () => {
 
     expect(findObservabilityIframes('dark')).toHaveLength(1);
   });
+
+  it('does not render if url is different from observability url', () => {
+    document.body.innerHTML = `<div class="js-render-observability" data-frame-url="https://example.com/" data-observability-url="https://observe.gitlab.com/"></div>`;
+
+    renderEmbeddedObservability();
+
+    expect(findObservabilityIframes()).toHaveLength(0);
+  });
 });
diff --git a/spec/frontend/repository/utils/ref_switcher_utils_spec.js b/spec/frontend/repository/utils/ref_switcher_utils_spec.js
index 7f708f13eaa..220dbf17398 100644
--- a/spec/frontend/repository/utils/ref_switcher_utils_spec.js
+++ b/spec/frontend/repository/utils/ref_switcher_utils_spec.js
@@ -1,5 +1,6 @@
 import { generateRefDestinationPath } from '~/repository/utils/ref_switcher_utils';
 import setWindowLocation from 'helpers/set_window_location_helper';
+import { TEST_HOST } from 'spec/test_constants';
 import { refWithSpecialCharMock, encodedRefWithSpecialCharMock } from '../mock_data';
 
 const projectRootPath = 'root/Project1';
@@ -16,16 +17,38 @@ describe('generateRefDestinationPath', () => {
     ${`${projectRootPath}/-/blob/${currentRef}/dir1/test.js`}           | ${`${projectRootPath}/-/blob/${selectedRef}/dir1/test.js`}
     ${`${projectRootPath}/-/blob/${currentRef}/dir1/dir2/test.js`}      | ${`${projectRootPath}/-/blob/${selectedRef}/dir1/dir2/test.js`}
     ${`${projectRootPath}/-/blob/${currentRef}/dir1/dir2/test.js#L123`} | ${`${projectRootPath}/-/blob/${selectedRef}/dir1/dir2/test.js#L123`}
-  `('generates the correct destination path for  $currentPath', ({ currentPath, result }) => {
+  `('generates the correct destination path for $currentPath', ({ currentPath, result }) => {
     setWindowLocation(currentPath);
-    expect(generateRefDestinationPath(projectRootPath, currentRef, selectedRef)).toBe(result);
+    expect(generateRefDestinationPath(projectRootPath, currentRef, selectedRef)).toBe(
+      `${TEST_HOST}/${result}`,
+    );
+  });
+
+  describe('when using symbolic ref names', () => {
+    it.each`
+      currentPath                                                         | nextRef                                             | result
+      ${`${projectRootPath}/-/blob/${currentRef}/dir1/dir2/test.js#L123`} | ${'someHash'}                                       | ${`${projectRootPath}/-/blob/someHash/dir1/dir2/test.js#L123`}
+      ${`${projectRootPath}/-/blob/${currentRef}/dir1/dir2/test.js#L123`} | ${'refs/heads/prefixedByUseSymbolicRefNames'}       | ${`${projectRootPath}/-/blob/prefixedByUseSymbolicRefNames/dir1/dir2/test.js?ref_type=heads#L123`}
+      ${`${projectRootPath}/-/blob/${currentRef}/dir1/dir2/test.js#L123`} | ${'refs/tags/prefixedByUseSymbolicRefNames'}        | ${`${projectRootPath}/-/blob/prefixedByUseSymbolicRefNames/dir1/dir2/test.js?ref_type=tags#L123`}
+      ${`${projectRootPath}/-/tree/${currentRef}/dir1/dir2/test.js#L123`} | ${'refs/heads/prefixedByUseSymbolicRefNames'}       | ${`${projectRootPath}/-/tree/prefixedByUseSymbolicRefNames/dir1/dir2/test.js?ref_type=heads#L123`}
+      ${`${projectRootPath}/-/tree/${currentRef}/dir1/dir2/test.js#L123`} | ${'refs/tags/prefixedByUseSymbolicRefNames'}        | ${`${projectRootPath}/-/tree/prefixedByUseSymbolicRefNames/dir1/dir2/test.js?ref_type=tags#L123`}
+      ${`${projectRootPath}/-/tree/${currentRef}/dir1/dir2/test.js#L123`} | ${'refs/heads/refs/heads/branchNameContainsPrefix'} | ${`${projectRootPath}/-/tree/refs/heads/branchNameContainsPrefix/dir1/dir2/test.js?ref_type=heads#L123`}
+    `(
+      'generates the correct destination path for $currentPath with ref type when it can be extracted',
+      ({ currentPath, result, nextRef }) => {
+        setWindowLocation(currentPath);
+        expect(generateRefDestinationPath(projectRootPath, currentRef, nextRef)).toBe(
+          `${TEST_HOST}/${result}`,
+        );
+      },
+    );
   });
 
   it('encodes the selected ref', () => {
     const result = `${projectRootPath}/-/tree/${encodedRefWithSpecialCharMock}`;
 
     expect(generateRefDestinationPath(projectRootPath, currentRef, refWithSpecialCharMock)).toBe(
-      result,
+      `${TEST_HOST}/${result}`,
     );
   });
 });
diff --git a/spec/lib/banzai/filter/inline_observability_filter_spec.rb b/spec/lib/banzai/filter/inline_observability_filter_spec.rb
index fb1ba46e76c..69a9dc96c2c 100644
--- a/spec/lib/banzai/filter/inline_observability_filter_spec.rb
+++ b/spec/lib/banzai/filter/inline_observability_filter_spec.rb
@@ -34,6 +34,58 @@ RSpec.describe Banzai::Filter::InlineObservabilityFilter do
       end
     end
 
+    context 'when the document contains an embeddable observability link with redirect' do
+      let(:url) { 'https://observe.gitlab.com@example.com/12345' }
+
+      it 'leaves the original link unchanged' do
+        expect(doc.at_css('a').to_s).to eq(input)
+      end
+
+      it 'does not append an observability charts placeholder' do
+        node = doc.at_css('.js-render-observability')
+
+        expect(node).not_to be_present
+      end
+    end
+
+    context 'when the document contains an embeddable observability link with different port' do
+      let(:url) { 'https://observe.gitlab.com:3000/12345' }
+      let(:observe_url) { 'https://observe.gitlab.com:3001' }
+
+      before do
+        stub_env('OVERRIDE_OBSERVABILITY_URL', observe_url)
+      end
+
+      it 'leaves the original link unchanged' do
+        expect(doc.at_css('a').to_s).to eq(input)
+      end
+
+      it 'does not append an observability charts placeholder' do
+        node = doc.at_css('.js-render-observability')
+
+        expect(node).not_to be_present
+      end
+    end
+
+    context 'when the document contains an embeddable observability link with auth/start' do
+      let(:url) { 'https://observe.gitlab.com/auth/start' }
+      let(:observe_url) { 'https://observe.gitlab.com' }
+
+      before do
+        stub_env('OVERRIDE_OBSERVABILITY_URL', observe_url)
+      end
+
+      it 'leaves the original link unchanged' do
+        expect(doc.at_css('a').to_s).to eq(input)
+      end
+
+      it 'does not append an observability charts placeholder' do
+        node = doc.at_css('.js-render-observability')
+
+        expect(node).not_to be_present
+      end
+    end
+
     context 'when feature flag is disabled' do
       let(:url) { 'https://observe.gitlab.com/12345' }
 
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index c29446c1f38..0c359b80fb5 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -697,6 +697,39 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
     end
   end
 
+  describe 'read_prometheus', feature_category: :metrics do
+    using RSpec::Parameterized::TableSyntax
+
+    before do
+      project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::ENABLED)
+    end
+
+    let(:policy) { :read_prometheus }
+
+    where(:project_visibility, :role, :allowed) do
+      :public   | :anonymous | false
+      :public   | :guest     | false
+      :public   | :reporter  | true
+      :internal | :anonymous | false
+      :internal | :guest     | false
+      :internal | :reporter  | true
+      :private  | :anonymous | false
+      :private  | :guest     | false
+      :private  | :reporter  | true
+    end
+
+    with_them do
+      let(:current_user) { public_send(role) }
+      let(:project) { public_send("#{project_visibility}_project") }
+
+      if params[:allowed]
+        it { is_expected.to be_allowed(policy) }
+      else
+        it { is_expected.not_to be_allowed(policy) }
+      end
+    end
+  end
+
   describe 'update_max_artifacts_size' do
     context 'when no user' do
       let(:current_user) { anonymous }
@@ -972,7 +1005,7 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
           let(:current_user) { guest }
 
           it { is_expected.to be_allowed(:metrics_dashboard) }
-          it { is_expected.to be_allowed(:read_prometheus) }
+          it { is_expected.to be_disallowed(:read_prometheus) }
           it { is_expected.to be_allowed(:read_deployment) }
           it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) }
           it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) }
@@ -982,7 +1015,7 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
           let(:current_user) { anonymous }
 
           it { is_expected.to be_allowed(:metrics_dashboard) }
-          it { is_expected.to be_allowed(:read_prometheus) }
+          it { is_expected.to be_disallowed(:read_prometheus) }
           it { is_expected.to be_allowed(:read_deployment) }
           it { is_expected.to be_disallowed(:read_metrics_user_starred_dashboard) }
           it { is_expected.to be_disallowed(:create_metrics_user_starred_dashboard) }
@@ -1008,12 +1041,14 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
           let(:current_user) { guest }
 
           it { is_expected.to be_disallowed(:metrics_dashboard) }
+          it { is_expected.to be_disallowed(:read_prometheus) }
         end
 
         context 'with anonymous' do
           let(:current_user) { anonymous }
 
           it { is_expected.to be_disallowed(:metrics_dashboard) }
+          it { is_expected.to be_disallowed(:read_prometheus) }
         end
       end
 
@@ -1036,7 +1071,7 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
           let(:current_user) { guest }
 
           it { is_expected.to be_allowed(:metrics_dashboard) }
-          it { is_expected.to be_allowed(:read_prometheus) }
+          it { is_expected.to be_disallowed(:read_prometheus) }
           it { is_expected.to be_allowed(:read_deployment) }
           it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) }
           it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) }
@@ -1046,6 +1081,7 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
           let(:current_user) { anonymous }
 
           it { is_expected.to be_disallowed(:metrics_dashboard) }
+          it { is_expected.to be_disallowed(:read_prometheus) }
         end
       end
     end
@@ -1068,12 +1104,14 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
           let(:current_user) { guest }
 
           it { is_expected.to be_disallowed(:metrics_dashboard) }
+          it { is_expected.to be_disallowed(:read_prometheus) }
         end
 
         context 'with anonymous' do
           let(:current_user) { anonymous }
 
           it { is_expected.to be_disallowed(:metrics_dashboard) }
+          it { is_expected.to be_disallowed(:read_prometheus) }
         end
       end
 
@@ -1092,12 +1130,14 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
           let(:current_user) { guest }
 
           it { is_expected.to be_disallowed(:metrics_dashboard) }
+          it { is_expected.to be_disallowed(:read_prometheus) }
         end
 
         context 'with anonymous' do
           let(:current_user) { anonymous }
 
           it { is_expected.to be_disallowed(:metrics_dashboard) }
+          it { is_expected.to be_disallowed(:read_prometheus) }
         end
       end
     end
-- 
cgit v1.2.1