authorGitLab Bot <gitlab-bot@gitlab.com>2023-07-06 03:09:07 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-07-06 03:09:07 +0300
commit102640e087fa826f069a7da3f9871b4b86957285 (patch)
tree2f138948d49095fe55570e45f192b7b83566e4c7
parent59712a466f6f12acf517cdea2c4fa876f0214124 (diff)
Add latest changes from gitlab-org/gitlab@master
-rw-r--r--.gitlab/issue_templates/Security developer workflow.md2
-rw-r--r--Gemfile2
-rw-r--r--Gemfile.checksum2
-rw-r--r--Gemfile.lock4
-rw-r--r--app/assets/javascripts/notes/components/noteable_note.vue4
-rw-r--r--app/models/note.rb2
-rw-r--r--config/feature_flags/development/compliance_adherence_report.yml8
-rw-r--r--config/feature_flags/development/filter_vulnerability_findings_dismissed_on_default.yml8
-rw-r--r--config/sidekiq_queues.yml4
-rw-r--r--db/post_migrate/20230629011859_cleanup_bigint_conversion_for_notes_for_gitlab_com.rb28
-rw-r--r--db/schema_migrations/202306290118591
-rw-r--r--db/structure.sql12
-rw-r--r--doc/user/project/repository/code_suggestions.md2
-rw-r--r--lib/gitlab/auth.rb6
-rw-r--r--lib/gitlab/email/receiver.rb2
-rw-r--r--locale/gitlab.pot30
-rw-r--r--qa/Gemfile2
-rw-r--r--qa/Gemfile.lock4
-rw-r--r--qa/qa/vendor/github/page/login.rb6
-rw-r--r--spec/features/issues/note_polling_spec.rb3
-rw-r--r--spec/lib/gitlab/auth_spec.rb14
-rw-r--r--spec/lib/gitlab/email/receiver_spec.rb19
22 files changed, 132 insertions, 33 deletions
diff --git a/.gitlab/issue_templates/Security developer workflow.md b/.gitlab/issue_templates/Security developer workflow.md
index 294d699ea2f..9cbb74d10d8 100644
--- a/.gitlab/issue_templates/Security developer workflow.md
+++ b/.gitlab/issue_templates/Security developer workflow.md
@@ -24,6 +24,7 @@ MUST be linked for the release bot to know that the associated merge requests sh
- [ ] Create a new branch prefixing it with `security-`.
- [ ] Create a merge request targeting `master` on `gitlab.com/gitlab-org/security` and use the [Security Release merge request template].
- [ ] If this includes a breaking change, make sure to include a mention of it for the relevant versions in [`doc/update/index.md`](https://gitlab.com/gitlab-org/security/gitlab/-/blob/master/doc/update/index.md#version-specific-upgrading-instructions)
+ * See if the [breaking changes workflow] applies
After your merge request has been approved according to our [approval guidelines] and by a team member of the AppSec team, you're ready to prepare the backports
@@ -76,5 +77,6 @@ After your merge request has been approved according to our [approval guidelines
[approval guidelines]: https://docs.gitlab.com/ee/development/code_review.html#approval-guidelines
[issue as linked]: https://docs.gitlab.com/ee/user/project/issues/related_issues.html#add-a-linked-issue
[issue really needs to follow the security release workflow]: https://gitlab.com/gitlab-org/release/docs/-/blob/master/general/security/developer.md#making-sure-the-issue-needs-to-follow-the-security-release-workflow
+[breaking changes workflow]: https://gitlab.com/gitlab-org/release/docs/-/blob/master/general/security/far_reaching_impact_fixes_or_breaking_change_fixes.md
/label ~security
diff --git a/Gemfile b/Gemfile
index cc9dafc405b..6aeaa32425e 100644
--- a/Gemfile
+++ b/Gemfile
@@ -249,7 +249,7 @@ gem 'rainbow', '~> 3.0'
gem 'ruby-progressbar', '~> 1.10'
# Linear-time regex library for untrusted regular expressions
-gem 're2', '~> 1.6.0'
+gem 're2', '~> 1.7.0'
# Misc
diff --git a/Gemfile.checksum b/Gemfile.checksum
index c7f776d4c11..f9f092777a5 100644
--- a/Gemfile.checksum
+++ b/Gemfile.checksum
@@ -495,7 +495,7 @@
{"name":"rbtree","version":"0.4.6","platform":"ruby","checksum":"14eea4469b24fd2472542e5f3eb105d6344c8ccf36f0b56d55fdcfeb4e0f10fc"},
{"name":"rchardet","version":"1.8.0","platform":"ruby","checksum":"693acd5253d5ade81a51940697955f6dd4bb2f0d245bda76a8e23deec70a52c7"},
{"name":"rdoc","version":"6.3.2","platform":"ruby","checksum":"def4a720235c27d56c176ae73555e647eb04ea58a8bbaa927f8f9f79de7805a6"},
-{"name":"re2","version":"1.6.0","platform":"ruby","checksum":"2e37f27971f6a76223eac688c04f3e48aea374f34b302ec22d75b4635cd64bc1"},
+{"name":"re2","version":"1.7.0","platform":"ruby","checksum":"0ccf19e3b289e67b56bd89a542488075de98d9b101b9946c4133d4b96af4d903"},
{"name":"recaptcha","version":"5.12.3","platform":"ruby","checksum":"37d1894add9e70a54d0c6c7f0ecbeedffbfa7d075acfbd4c509818dfdebdb7ee"},
{"name":"recursive-open-struct","version":"1.1.3","platform":"ruby","checksum":"a3538a72552fcebcd0ada657bdff313641a4a5fbc482c08cfb9a65acb1c9de5a"},
{"name":"redcarpet","version":"3.6.0","platform":"ruby","checksum":"8ad1889c0355ff4c47174af14edd06d62f45a326da1da6e8a121d59bdcd2e9e9"},
diff --git a/Gemfile.lock b/Gemfile.lock
index 6730e7c386a..7cb66152e99 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1285,7 +1285,7 @@ GEM
rbtree (0.4.6)
rchardet (1.8.0)
rdoc (6.3.2)
- re2 (1.6.0)
+ re2 (1.7.0)
recaptcha (5.12.3)
json
recursive-open-struct (1.1.3)
@@ -1945,7 +1945,7 @@ DEPENDENCIES
rainbow (~> 3.0)
rbtrace (~> 0.4)
rdoc (~> 6.3.2)
- re2 (~> 1.6.0)
+ re2 (~> 1.7.0)
recaptcha (~> 5.12)
redis (~> 4.8.0)
redis-actionpack (~> 5.3.0)
diff --git a/app/assets/javascripts/notes/components/noteable_note.vue b/app/assets/javascripts/notes/components/noteable_note.vue
index 50262e81f1c..d7cf5f74243 100644
--- a/app/assets/javascripts/notes/components/noteable_note.vue
+++ b/app/assets/javascripts/notes/components/noteable_note.vue
@@ -114,7 +114,6 @@ export default {
isResolving: false,
commentLineStart: {},
resolveAsThread: true,
- oldContent: this.note.note_html,
};
},
computed: {
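Review bot: `oldContent` is dropped from the component's `data()` here, yet the same commit still assigns `this.oldContent` in `updateSuccess` and just before the update request. If this is a Vue 2 component, a property that is not declared in `data()` is not reactive, so any template or computed that reads `oldContent` (I cannot see one in this hunk) would not re-render on the rollback path. Unless nothing reads it reactively, keep the declaration with a null initial value: `oldContent: null,`. The enclosing `data()` function starts outside the hunk.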
@@ -295,7 +294,7 @@ export default {
updateSuccess() {
this.isEditing = false;
this.isRequesting = false;
- this.oldContent = this.note.note_html;
+ this.oldContent = null;
renderGFM(this.$refs.noteBody.$el);
this.$emit('updateSuccess');
},
@@ -343,6 +342,7 @@ export default {
// https://gitlab.com/gitlab-org/gitlab/-/issues/298827
if (!isEmpty(position)) data.note.note.position = JSON.stringify(position);
this.isRequesting = true;
+ this.oldContent = this.note.note_html;
// eslint-disable-next-line vue/no-mutating-props
this.note.note_html = renderMarkdown(noteText);
diff --git a/app/models/note.rb b/app/models/note.rb
index 5274575b528..2df643c46aa 100644
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -26,7 +26,7 @@ class Note < ApplicationRecord
include IgnorableColumns
include Spammable
- ignore_column :id_convert_to_bigint, remove_with: '16.0', remove_after: '2023-05-22'
+ ignore_column :id_convert_to_bigint, remove_with: '16.3', remove_after: '2023-08-22'
ISSUE_TASK_SYSTEM_NOTE_PATTERN = /\A.*marked\sthe\stask.+as\s(completed|incomplete).*\z/.freeze
diff --git a/config/feature_flags/development/compliance_adherence_report.yml b/config/feature_flags/development/compliance_adherence_report.yml
new file mode 100644
index 00000000000..b4a19625a5d
--- /dev/null
+++ b/config/feature_flags/development/compliance_adherence_report.yml
@@ -0,0 +1,8 @@
+---
+name: compliance_adherence_report
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/124167
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/416988
+milestone: '16.2'
+type: development
+group: group::compliance
+default_enabled: false
diff --git a/config/feature_flags/development/filter_vulnerability_findings_dismissed_on_default.yml b/config/feature_flags/development/filter_vulnerability_findings_dismissed_on_default.yml
deleted file mode 100644
index 93d79757511..00000000000
--- a/config/feature_flags/development/filter_vulnerability_findings_dismissed_on_default.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-name: filter_vulnerability_findings_dismissed_on_default
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/113711
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/396747
-milestone: '15.11'
-type: development
-group: group::threat insights
-default_enabled: true
diff --git a/config/sidekiq_queues.yml b/config/sidekiq_queues.yml
index 35cb020c2e3..3062b9587e1 100644
--- a/config/sidekiq_queues.yml
+++ b/config/sidekiq_queues.yml
@@ -137,6 +137,10 @@
- 1
- - compliance_management_merge_requests_compliance_violations
- 1
+- - compliance_management_standards_gitlab_prevent_approval_by_author
+ - 1
+- - compliance_management_standards_gitlab_prevent_approval_by_author_group
+ - 1
- - compliance_management_update_default_framework
- 1
- - container_repository
diff --git a/db/post_migrate/20230629011859_cleanup_bigint_conversion_for_notes_for_gitlab_com.rb b/db/post_migrate/20230629011859_cleanup_bigint_conversion_for_notes_for_gitlab_com.rb
new file mode 100644
index 00000000000..5b99f4e4778
--- /dev/null
+++ b/db/post_migrate/20230629011859_cleanup_bigint_conversion_for_notes_for_gitlab_com.rb
@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+class CleanupBigintConversionForNotesForGitlabCom < Gitlab::Database::Migration[2.1]
+ include Gitlab::Database::MigrationHelpers::ConvertToBigint
+
+ enable_lock_retries!
+
+ TABLE = :notes
+ COLUMNS = [:id]
+
+ def up
+ return unless should_run?
+
+ cleanup_conversion_of_integer_to_bigint(TABLE, COLUMNS)
+ end
+
+ def down
+ return unless should_run?
+
+ restore_conversion_of_integer_to_bigint(TABLE, COLUMNS)
+ end
+
+ private
+
+ def should_run?
+ com_or_dev_or_test_but_not_jh?
+ end
+end
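Review bot: The migration carries no comment on why it is gated to `.com`/dev/test and what it removes, which matters for a self-managed operator reading it after the fact. The `db/structure.sql` change in this same commit shows the cleanup dropping `notes.id_convert_to_bigint` and `trigger_080e73845bfd`, so a header such as `# Finishes the notes.id bigint conversion on GitLab.com: drops the id_convert_to_bigint column and its sync trigger. Self-managed (and JH) instances never ran the conversion, hence should_run?.` would make the gating self-explanatory. Keep the `down` path symmetric as it is, since `restore_conversion_of_integer_to_bigint` presumably recreates both.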
diff --git a/db/schema_migrations/20230629011859 b/db/schema_migrations/20230629011859
new file mode 100644
index 00000000000..310d898c2ed
--- /dev/null
+++ b/db/schema_migrations/20230629011859
@@ -0,0 +1 @@
+ad9a274264ce640df6c8d3c035b34de960766b7ff71095c6ad63e882cc4a3d5a \ No newline at end of file
diff --git a/db/structure.sql b/db/structure.sql
index 402ad83514a..7487fd4a21e 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -237,15 +237,6 @@ RETURN NULL;
END
$$;
-CREATE FUNCTION trigger_080e73845bfd() RETURNS trigger
- LANGUAGE plpgsql
- AS $$
-BEGIN
- NEW."id_convert_to_bigint" := NEW."id";
- RETURN NEW;
-END;
-$$;
-
CREATE FUNCTION trigger_1a857e8db6cd() RETURNS trigger
LANGUAGE plpgsql
AS $$
@@ -18925,7 +18916,6 @@ CREATE SEQUENCE note_metadata_note_id_seq
ALTER SEQUENCE note_metadata_note_id_seq OWNED BY note_metadata.note_id;
CREATE TABLE notes (
- id_convert_to_bigint integer DEFAULT 0 NOT NULL,
note text,
noteable_type character varying,
author_id integer,
@@ -35242,8 +35232,6 @@ CREATE TRIGGER push_rules_loose_fk_trigger AFTER DELETE ON push_rules REFERENCIN
CREATE TRIGGER tags_loose_fk_trigger AFTER DELETE ON tags REFERENCING OLD TABLE AS old_table FOR EACH STATEMENT EXECUTE FUNCTION insert_into_loose_foreign_keys_deleted_records();
-CREATE TRIGGER trigger_080e73845bfd BEFORE INSERT OR UPDATE ON notes FOR EACH ROW EXECUTE FUNCTION trigger_080e73845bfd();
-
CREATE TRIGGER trigger_1a857e8db6cd BEFORE INSERT OR UPDATE ON vulnerability_occurrences FOR EACH ROW EXECUTE FUNCTION trigger_1a857e8db6cd();
CREATE TRIGGER trigger_7f3d66a7d7f5 BEFORE INSERT OR UPDATE ON ci_pipeline_variables FOR EACH ROW EXECUTE FUNCTION trigger_7f3d66a7d7f5();
diff --git a/doc/user/project/repository/code_suggestions.md b/doc/user/project/repository/code_suggestions.md
index ab6c18d718b..3cbafbe50b0 100644
--- a/doc/user/project/repository/code_suggestions.md
+++ b/doc/user/project/repository/code_suggestions.md
@@ -161,7 +161,7 @@ More details in this [blog](https://about.gitlab.com/blog/2023/06/01/extending-c
Prerequisites:
- For self-managed GitLab, Code Suggestions must be enabled [for the instance](#enable-code-suggestions-on-self-managed-gitlab).
-- Code Suggestions must be enabled [for the top-level group](../../group/manage.md#enable-code-suggestions) and [for your user account](#enable-code-suggestions-for-an-individual-user).
+- For GitLab SaaS, Code Suggestions must be enabled [for the top-level group](../../group/manage.md#enable-code-suggestions) and [for your user account](#enable-code-suggestions-for-an-individual-user).
- To use VS Code, ensure you have installed [the VS Code GitLab Workflow extension](https://marketplace.visualstudio.com/items?itemName=GitLab.gitlab-workflow).
- To use Microsoft Visual Studio, ensure you have installed [the Visual Studio GitLab extension](https://marketplace.visualstudio.com/items?itemName=GitLab.GitLabExtensionForVisualStudio).
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index 3ff9e22dd25..1bb92b7fa62 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -237,6 +237,10 @@ module Gitlab
user.can?(:read_project, project)
end
+ def bot_user_can_read_project?(user, project)
+ (user.project_bot? || user.security_policy_bot?) && can_read_project?(user, project)
+ end
+
def valid_oauth_token?(token)
token && token.accessible? && valid_scoped_token?(token, Doorkeeper.configuration.scopes)
end
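Review bot: `bot_user_can_read_project?` lets a `security_policy_bot` (and a `project_bot`) authenticate a job token without passing `can_log_in_with_non_expired_password?`, so a blocked or deactivated bot is only rejected if `can?(:read_project, project)` denies it; that reliance is invisible at the call site in the second hunk. Make it explicit above the method: `# Bots have no password to check; their active state and project membership are enforced solely by the :read_project policy evaluated in can_read_project?.` It would also be worth verifying, with a spec, that the policy does deny a blocked `security_policy_bot`, since the existing blocked-user example exercises a regular user.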
@@ -318,7 +322,7 @@ module Gitlab
return unless build.project.builds_enabled?
if build.user
- return unless build.user.can_log_in_with_non_expired_password? || (build.user.project_bot? && can_read_project?(build.user, build.project))
+ return unless build.user.can_log_in_with_non_expired_password? || bot_user_can_read_project?(build.user, build.project)
# If user is assigned to build, use restricted credentials of user
Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities)
diff --git a/lib/gitlab/email/receiver.rb b/lib/gitlab/email/receiver.rb
index 51d250ea98c..ee11105537b 100644
--- a/lib/gitlab/email/receiver.rb
+++ b/lib/gitlab/email/receiver.rb
@@ -8,7 +8,7 @@ module Gitlab
class Receiver
include Gitlab::Utils::StrongMemoize
- RECEIVED_HEADER_REGEX = /for\s+\<(.+)\>/.freeze
+ RECEIVED_HEADER_REGEX = /for\s+\<([^<]+)\>/.freeze
# Errors that are purely from users and not anything we can control
USER_ERRORS = [
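Review bot: `[^<]+` removes the quadratic `for <<` case but still admits `>` inside the capture, so a header such as `for <a@x> via <b@y>` matches only after the greedy class backs off to the first `>`, and a `for <` followed by a long run of `>` still walks the whole run before matching. Excluding both brackets is both tighter and linear: `RECEIVED_HEADER_REGEX = /for\s+<([^<>]+)>/.freeze` (the `\<` escape is redundant in Ruby). Note also that, unlike `.`, `[^<]` matches a newline, which only matters if the `Received:` value reaches here unfolded — likely not with the Mail gem, but worth a comment such as `# Untrusted mail header; keep the class bracket-free so matching stays linear.`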
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index d4f3c649df6..7db58b61293 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -5428,6 +5428,9 @@ msgstr ""
msgid "Anonymous"
msgstr ""
+msgid "Anonymous user"
+msgstr ""
+
msgid "Another issue tracker is already in use. Only one issue tracker service can be active at a time"
msgstr ""
@@ -6561,6 +6564,9 @@ msgstr ""
msgid "AuditStreams|Cancel editing"
msgstr ""
+msgid "AuditStreams|Client Email"
+msgstr ""
+
msgid "AuditStreams|Custom HTTP headers (optional)"
msgstr ""
@@ -6585,15 +6591,30 @@ msgstr ""
msgid "AuditStreams|Filter by audit event type"
msgstr ""
+msgid "AuditStreams|Google Cloud Logging"
+msgstr ""
+
+msgid "AuditStreams|HTTP endpoint"
+msgstr ""
+
msgid "AuditStreams|Header"
msgstr ""
+msgid "AuditStreams|Log ID"
+msgstr ""
+
msgid "AuditStreams|Maximum of %{number} HTTP headers has been reached."
msgstr ""
msgid "AuditStreams|No header created yet."
msgstr ""
+msgid "AuditStreams|Private key"
+msgstr ""
+
+msgid "AuditStreams|Project ID"
+msgstr ""
+
msgid "AuditStreams|Remove custom header"
msgstr ""
@@ -6630,6 +6651,9 @@ msgstr ""
msgid "AuditStreams|Verification token"
msgstr ""
+msgid "AuditStreams|audit-events"
+msgstr ""
+
msgid "AuditStreams|ex: 1000"
msgstr ""
@@ -6639,6 +6663,12 @@ msgstr ""
msgid "AuditStreams|filtered"
msgstr ""
+msgid "AuditStreams|my-email@my-google-project.iam.gservice.account.com"
+msgstr ""
+
+msgid "AuditStreams|my-google-project"
+msgstr ""
+
msgid "Aug"
msgstr ""
diff --git a/qa/Gemfile b/qa/Gemfile
index b4ae5d43ac6..28e24f49fee 100644
--- a/qa/Gemfile
+++ b/qa/Gemfile
@@ -40,7 +40,7 @@ gem 'chemlab', '~> 0.10'
gem 'chemlab-library-www-gitlab-com', '~> 0.1', '>= 0.1.1'
# dependencies for jenkins client
-gem 'nokogiri', '~> 1.15', '>= 1.15.2'
+gem 'nokogiri', '~> 1.15', '>= 1.15.3'
gem 'deprecation_toolkit', '~> 2.0.3', require: false
diff --git a/qa/Gemfile.lock b/qa/Gemfile.lock
index 2f2b2b44947..ea8daa3a87c 100644
--- a/qa/Gemfile.lock
+++ b/qa/Gemfile.lock
@@ -210,7 +210,7 @@ GEM
multi_json (1.15.0)
multi_xml (0.6.0)
netrc (0.11.0)
- nokogiri (1.15.2)
+ nokogiri (1.15.3)
mini_portile2 (~> 2.8.2)
racc (~> 1.4)
octokit (6.1.1)
@@ -353,7 +353,7 @@ DEPENDENCIES
gitlab_quality-test_tooling (~> 0.8.3)
influxdb-client (~> 2.9)
knapsack (~> 4.0)
- nokogiri (~> 1.15, >= 1.15.2)
+ nokogiri (~> 1.15, >= 1.15.3)
octokit (~> 6.1.1)
parallel (~> 1.23)
parallel_tests (~> 4.2, >= 4.2.1)
diff --git a/qa/qa/vendor/github/page/login.rb b/qa/qa/vendor/github/page/login.rb
index 17a7471e251..7328eb933b9 100644
--- a/qa/qa/vendor/github/page/login.rb
+++ b/qa/qa/vendor/github/page/login.rb
@@ -24,11 +24,17 @@ module QA
end
authorize_app
+
+ confirm_account_recovery_settings
end
def authorize_app
click_on 'Authorize' if has_button?('Authorize')
end
+
+ def confirm_account_recovery_settings
+ click_on 'Confirm' if has_button?('Confirm')
+ end
end
end
end
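Review bot: `confirm_account_recovery_settings` clicks whichever button is labelled `Confirm`, and `has_button?` waits the full Capybara default timeout on every login where no such prompt appears, which slows the happy path. A comment naming the GitHub interstitial it dismisses would help the next reader: `# GitHub may interpose an "account recovery settings" prompt after authorization; dismiss it so the OAuth redirect completes.` If the prompt is reliably present or absent at this point, a short explicit `wait:` on `has_button?` would avoid the idle delay; I cannot confirm the timing from this page.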
diff --git a/spec/features/issues/note_polling_spec.rb b/spec/features/issues/note_polling_spec.rb
index dae71481352..0fa4aba9a11 100644
--- a/spec/features/issues/note_polling_spec.rb
+++ b/spec/features/issues/note_polling_spec.rb
@@ -59,7 +59,10 @@ RSpec.describe 'Issue notes polling', :js, feature_category: :team_planning do
update_note(existing_note, updated_text)
+ expect(page).to have_selector(".alert")
+
find("#note_#{existing_note.id} .note-edit-cancel").click
+ click_button('Cancel editing')
expect(page).to have_selector("#note_#{existing_note.id}", text: updated_text)
end
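Review bot: `expect(page).to have_selector(".alert")` matches any alert on the page, so the example would also pass on an unrelated flash message rather than the edit-conflict notice the Vue change surfaces. Assert on the message text as well, e.g. `expect(page).to have_selector(".alert", text: <the conflict notice text>)`, so the example fails if the wrong alert is shown. The enclosing `it` block starts outside the hunk.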
diff --git a/spec/lib/gitlab/auth_spec.rb b/spec/lib/gitlab/auth_spec.rb
index 603609e5e62..c4fa8513618 100644
--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
@@ -242,6 +242,20 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
expect(subject).to have_attributes(actor: build.user, project: build.project, type: :build, authentication_abilities: described_class.build_authentication_abilities)
end
+ it 'recognises project level security_policy_bot access token' do
+ build.update!(user: create(:user, :security_policy_bot))
+ project.add_guest(build.user)
+
+ expect(subject).to have_attributes(actor: build.user, project: build.project, type: :build, authentication_abilities: described_class.build_authentication_abilities)
+ end
+
+ it 'recognises group level security_policy_bot access token' do
+ build.update!(user: create(:user, :security_policy_bot))
+ group.add_guest(build.user)
+
+ expect(subject).to have_attributes(actor: build.user, project: build.project, type: :build, authentication_abilities: described_class.build_authentication_abilities)
+ end
+
it 'fails with blocked user token' do
build.update!(user: create(:user, :blocked))
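Review bot: Both new examples cover an active `security_policy_bot` that already has membership, but nothing covers the state `bot_user_can_read_project?` must reject now that the login/password check is bypassed for it: a blocked bot, and a bot with no membership in the project. Add `it 'fails with blocked security_policy_bot token'` using `create(:user, :security_policy_bot, :blocked)` with `project.add_guest(build.user)`, mirroring the expectation of the 'fails with blocked user token' example below, plus a no-membership counterpart. The enclosing context and the blocked-user example's expectation are outside the hunk.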
diff --git a/spec/lib/gitlab/email/receiver_spec.rb b/spec/lib/gitlab/email/receiver_spec.rb
index e58da2478bf..ee836fc2129 100644
--- a/spec/lib/gitlab/email/receiver_spec.rb
+++ b/spec/lib/gitlab/email/receiver_spec.rb
@@ -226,6 +226,25 @@ RSpec.describe Gitlab::Email::Receiver do
end
end
+ context "when the received field is malformed" do
+ let(:email_raw) do
+ attack = "for <<" * 100_000
+ [
+ "Delivered-To: incoming+gitlabhq/gitlabhq+auth_token@appmail.example.com",
+ "Received: from mail.example.com #{attack}; Thu, 13 Jun 2013 17:03:50 -0400",
+ "To: \"support@example.com\" <support@example.com>",
+ "",
+ "Email content"
+ ].join("\n")
+ end
+
+ it 'mail_metadata has no ReDos issue' do
+ Timeout.timeout(2) do
+ Gitlab::Email::Receiver.new(email_raw).mail_metadata
+ end
+ end
+ end
+
it 'requires all handlers to have a unique metric_event' do
events = Gitlab::Email::Handler.handlers.map do |handler|
handler.new(Mail::Message.new, 'gitlabhq/gitlabhq+auth_token').metrics_event
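Review bot: The new example only exercises the `for <<` shape; a regex change can regress on the other backtracking shape, so add a second payload of `"for <" + ">" * 100_000` under the same timeout. It also has no explicit expectation and relies on `Timeout.timeout` raising, which RSpec lint typically flags; wrap it as `expect { Timeout.timeout(2) { described_class.new(email_raw).mail_metadata } }.not_to raise_error`. A positive case asserting the address captured from a well-formed `Received: ... for <user@example.com>;` line would also guard against the tightened character class changing what is parsed.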