authorGitLab Bot <gitlab-bot@gitlab.com>2023-09-19 03:12:30 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-09-19 03:12:30 +0300
commit3024d3ac9e2c7242cd3cfce70b6c103f357fa6a9 (patch)
treeedcc7209e241f55d20c195463d1cb7ffdfe66f18
parent3c5025227f284c91f95bea8dc095efc880b67812 (diff)
Add latest changes from gitlab-org/gitlab@master
-rw-r--r--app/models/concerns/issue_available_features.rb2
-rw-r--r--app/models/work_item.rb2
-rw-r--r--app/services/system_notes/issuables_service.rb4
-rw-r--r--config/feature_flags/development/keep_merge_commits_for_approvals.yml8
-rw-r--r--doc/user/application_security/dast/checks/113.1.md27
-rw-r--r--doc/user/application_security/dast/checks/16.7.md4
-rw-r--r--doc/user/application_security/dast/checks/16.9.md2
-rw-r--r--doc/user/application_security/dast/checks/index.md3
-rw-r--r--doc/user/project/merge_requests/approvals/settings.md1
-rw-r--r--doc/user/project/quick_actions.md2
-rw-r--r--lib/gitlab/ci/templates/Jobs/Build.gitlab-ci.yml2
-rw-r--r--lib/gitlab/ci/templates/Jobs/Build.latest.gitlab-ci.yml2
-rw-r--r--spec/models/work_item_spec.rb2
-rw-r--r--spec/services/notes/quick_actions_service_spec.rb39
-rw-r--r--spec/services/quick_actions/interpret_service_spec.rb15
-rw-r--r--spec/views/devise/shared/_signup_omniauth_provider_list_spec.rb50
16 files changed, 146 insertions, 19 deletions
diff --git a/app/models/concerns/issue_available_features.rb b/app/models/concerns/issue_available_features.rb
index 425754e0853..2969f1e1928 100644
--- a/app/models/concerns/issue_available_features.rb
+++ b/app/models/concerns/issue_available_features.rb
@@ -11,7 +11,7 @@ module IssueAvailableFeatures
def available_features_for_issue_types
{
assignee: %w[issue incident],
- confidentiality: %w[issue incident],
+ confidentiality: %w[issue incident objective key_result],
time_tracking: %w[issue incident],
move_and_clone: %w[issue incident]
}.with_indifferent_access
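Review bot: The confidentiality feature is switched on here for `objective` and `key_result`, but the commit's diffstat lists no spec for `available_features_for_issue_types`, so the new entries are only covered indirectly through the quick-action specs. A one-line example asserting that `confidentiality` now equals `%w[issue incident objective key_result]` would pin the change. `task` is still absent from this list while `:confidential` becomes a common quick action in `app/models/work_item.rb` in the same commit; worth confirming the command is refused for types not listed here. The hunk is cut inside the `IssueAvailableFeatures` module, so only this one method is visible.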
diff --git a/app/models/work_item.rb b/app/models/work_item.rb
index e8a85053cc3..62b837eeeb6 100644
--- a/app/models/work_item.rb
+++ b/app/models/work_item.rb
@@ -5,7 +5,7 @@ class WorkItem < Issue
COMMON_QUICK_ACTIONS_COMMANDS = [
:title, :reopen, :close, :cc, :tableflip, :shrug, :type, :promote_to, :checkin_reminder,
- :subscribe, :unsubscribe
+ :subscribe, :unsubscribe, :confidential, :award
].freeze
self.table_name = 'issues'
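Review bot: `:confidential` and `:award` join the command set shared by every work item type, whereas the feature map changed in `app/models/concerns/issue_available_features.rb` enables confidentiality only for issue, incident, objective and key_result; if the `/confidential` command's own condition does not consult that map, a task would accept the command. The accompanying change in `spec/models/work_item_spec.rb` only asserts membership in the constant. A short comment on the constant, e.g. `# Commands every work item type accepts; per-type gating lives in the command definitions.`, would make the contract explicit for the next reader. The `WorkItem` class continues outside the hunk.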
diff --git a/app/services/system_notes/issuables_service.rb b/app/services/system_notes/issuables_service.rb
index 9d6b43634ec..04ae734a8fe 100644
--- a/app/services/system_notes/issuables_service.rb
+++ b/app/services/system_notes/issuables_service.rb
@@ -350,12 +350,12 @@ module SystemNotes
# Returns the created Note object
def change_issue_confidentiality
if noteable.confidential
- body = 'made the issue confidential'
+ body = "made the #{noteable_name} confidential"
action = 'confidential'
track_issue_event(:track_issue_made_confidential_action)
else
- body = 'made the issue visible to everyone'
+ body = "made the #{noteable_name} visible to everyone"
action = 'visible'
track_issue_event(:track_issue_made_visible_action)
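Review bot: The note body now reads `noteable_name`, but the method is still `change_issue_confidentiality` and the events it records remain `track_issue_made_confidential_action` and `track_issue_made_visible_action`, so every work item type is now counted under the issue-named events; whether that is intended cannot be told from this hunk. `noteable_name` is not defined in the diff and its value is interpolated straight into a system note, so a comment above the `if`, e.g. `# noteable_name is the work item type label — confirm it is never user-supplied before interpolating`, would record the assumption until it is verified. The method and its doc comment extend beyond the hunk on both sides.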
diff --git a/config/feature_flags/development/keep_merge_commits_for_approvals.yml b/config/feature_flags/development/keep_merge_commits_for_approvals.yml
deleted file mode 100644
index a4791219dff..00000000000
--- a/config/feature_flags/development/keep_merge_commits_for_approvals.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-name: keep_merge_commits_for_approvals
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/127744
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/419921
-milestone: '16.3'
-type: development
-group: group::code review
-default_enabled: false
diff --git a/doc/user/application_security/dast/checks/113.1.md b/doc/user/application_security/dast/checks/113.1.md
new file mode 100644
index 00000000000..44c3be330f2
--- /dev/null
+++ b/doc/user/application_security/dast/checks/113.1.md
@@ -0,0 +1,27 @@
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
+---
+
+# Improper Neutralization of CRLF Sequences in HTTP Headers
+
+## Description
+
+By inserting Carriage Return / Line Feed (CRLF) characters, malicious users could potentially inject arbitrary data into HTTP responses. By modifying HTTP responses, attackers could conduct cross-site scripting or cache poisoning attacks against other users of the system.
+
+## Remediation
+
+User input should never be used in constructing HTTP header responses without some form
+of validation against newlines. This includes URLs supplied by the user for HTTP redirects.
+
+## Details
+
+| ID | Aggregated | CWE | Type | Risk |
+|:---|:--------|:--------|:--------|:--------|
+| 113.1 | false | 113 | Active | high |
+
+## Links
+
+- [OWASP](https://owasp.org/www-community/attacks/HTTP_Response_Splitting)
+- [CWE](https://cwe.mitre.org/data/definitions/113.html)
diff --git a/doc/user/application_security/dast/checks/16.7.md b/doc/user/application_security/dast/checks/16.7.md
index edaace407ae..d407234d2c2 100644
--- a/doc/user/application_security/dast/checks/16.7.md
+++ b/doc/user/application_security/dast/checks/16.7.md
@@ -22,8 +22,8 @@ Only three directives are applicable for the `Strict-Transport-Security` header.
1. `includeSubDomains`: This optional, valueless directive signals that the policy applies to this host as well as any subdomains found under this host's domain.
1. `preload`: While not part of the specification, setting this optional value allows major browser organizations to add this site into the browser's preloaded set of HTTPS sites. This requires further action on behalf of the website operator to submit their domain to the browser's HSTS preload list. See [hstspreload.org](https://hstspreload.org/) for more information.
-Invalid directives, or the `Strict-Transport-Security` header appearing more than once (if the
-values are different) is considered invalid.
+Note that invalid directives, or the `Strict-Transport-Security` header appearing more than once (if the values are
+different) is considered invalid.
Prior to adding to this security configuration to your website, it is recommended you review the hstspreload.org [Deployment Recommendations](https://hstspreload.org/#deployment-recommendations).
diff --git a/doc/user/application_security/dast/checks/16.9.md b/doc/user/application_security/dast/checks/16.9.md
index c63a620794e..b0ba502b578 100644
--- a/doc/user/application_security/dast/checks/16.9.md
+++ b/doc/user/application_security/dast/checks/16.9.md
@@ -9,7 +9,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
## Description
A `Content-Security-Policy-Report-Only` (CSPRO) was identified on the target site. CSP-Report-Only headers
-aid in determining how to implement a `Content-Security-Policy` that does not disrupt use of the target
+aid in determining how to implement a `Content-Security-Policy` that does not disrupt normal use of the target
site.
## Remediation
diff --git a/doc/user/application_security/dast/checks/index.md b/doc/user/application_security/dast/checks/index.md
index 1b3ce45dc43..035f4a4b486 100644
--- a/doc/user/application_security/dast/checks/index.md
+++ b/doc/user/application_security/dast/checks/index.md
@@ -4,7 +4,7 @@ group: Dynamic Analysis
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
---
-# DAST browser-based crawler vulnerability checks **(ULTIMATE ALL)**
+# DAST browser-based crawler vulnerability checks **(ULTIMATE)**
The [DAST browser-based crawler](../browser_based.md) provides a number of vulnerability checks that are used to scan for vulnerabilities in the site under test.
@@ -167,4 +167,5 @@ The [DAST browser-based crawler](../browser_based.md) provides a number of vulne
| ID | Check | Severity | Type |
|:---|:------|:---------|:-----|
+| [113.1](113.1.md) | Improper Neutralization of CRLF Sequences in HTTP Headers | High | Active |
| [22.1](22.1.md) | Improper limitation of a pathname to a restricted directory (Path traversal) | High | Active |
diff --git a/doc/user/project/merge_requests/approvals/settings.md b/doc/user/project/merge_requests/approvals/settings.md
index b520ee41493..ae16eb2a790 100644
--- a/doc/user/project/merge_requests/approvals/settings.md
+++ b/doc/user/project/merge_requests/approvals/settings.md
@@ -65,6 +65,7 @@ this setting, unless you configure one of these options:
> - Moved to GitLab Premium in 13.9.
> - [Feature flag `keep_merge_commits_for_approvals`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/127744) added in GitLab 16.3 to also include merge commits in this check.
+> - [Feature flag `keep_merge_commits_for_approvals`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131778) removed in GitLab 16.5. This check now includes merge commits.
By default, users who commit to a merge request can still approve it. At both
the project level or [instance level](../../../admin_area/merge_requests_approvals.md),
diff --git a/doc/user/project/quick_actions.md b/doc/user/project/quick_actions.md
index 38c179871af..097c726d163 100644
--- a/doc/user/project/quick_actions.md
+++ b/doc/user/project/quick_actions.md
@@ -146,11 +146,13 @@ To auto-format this table, use the VS Code Markdown Table formatter: `https://do
|:--------------------------------------------------------------|:-----------------------|:-----------------------|:-----------------------|:-------|
| `/assign @user1 @user2` | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | Assign one or more users. |
| `/assign me` | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | Assign yourself. |
+| `/award :emoji:` | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | Toggle an emoji reaction. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/412275) in GitLab 16.5 |
| `/cc @user` | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | Mention a user. In GitLab 15.0 and later, this command performs no action. You can instead type `CC @user` or only `@user`. [In GitLab 14.9 and earlier](https://gitlab.com/gitlab-org/gitlab/-/issues/31200), mentioning a user at the start of a line creates a specific type of to-do item notification. |
| `/checkin_reminder` | **{dotted-circle}** No| **{check-circle}** Yes | **{dotted-circle}** No | Set checkin reminder cadence. Options are `weekly`, `twice-monthly`, `monthly`, `never`. This action is behind a feature flag. |
| `/clear_health_status` | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | Clear [health status](issues/managing_issues.md#health-status). |
| `/clear_weight` | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | Clear weight. |
| `/close` | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | Close. |
+| `/confidential` | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | Mark work item as confidential. [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/412276) in GitLab 16.4. |
| `/done` | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | Mark to-do item as done. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/412277) in GitLab 16.2. |
| `/due <date>` | **{check-circle}** Yes | **{dotted-circle}** No | **{check-circle}** Yes | Set due date. Examples of valid `<date>` include `in 2 days`, `this Friday` and `December 31st`. |
| `/health_status <value>` | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | Set [health status](issues/managing_issues.md#health-status). Valid options for `<value>` are `on_track`, `needs_attention`, or `at_risk`. |
diff --git a/lib/gitlab/ci/templates/Jobs/Build.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/Build.gitlab-ci.yml
index d57e0431d8e..07bc3fbe795 100644
--- a/lib/gitlab/ci/templates/Jobs/Build.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/Build.gitlab-ci.yml
@@ -1,5 +1,5 @@
variables:
- AUTO_BUILD_IMAGE_VERSION: 'v1.40.0'
+ AUTO_BUILD_IMAGE_VERSION: 'v1.41.0'
build:
stage: build
diff --git a/lib/gitlab/ci/templates/Jobs/Build.latest.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/Build.latest.gitlab-ci.yml
index d57e0431d8e..07bc3fbe795 100644
--- a/lib/gitlab/ci/templates/Jobs/Build.latest.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/Build.latest.gitlab-ci.yml
@@ -1,5 +1,5 @@
variables:
- AUTO_BUILD_IMAGE_VERSION: 'v1.40.0'
+ AUTO_BUILD_IMAGE_VERSION: 'v1.41.0'
build:
stage: build
diff --git a/spec/models/work_item_spec.rb b/spec/models/work_item_spec.rb
index 8be05d35375..4b675faf99e 100644
--- a/spec/models/work_item_spec.rb
+++ b/spec/models/work_item_spec.rb
@@ -166,7 +166,7 @@ RSpec.describe WorkItem, feature_category: :portfolio_management do
it 'returns quick action commands supported for all work items' do
is_expected.to include(:title, :reopen, :close, :cc, :tableflip, :shrug, :type, :promote_to, :checkin_reminder,
- :subscribe, :unsubscribe)
+ :subscribe, :unsubscribe, :confidential, :award)
end
context 'when work item supports the assignee widget' do
diff --git a/spec/services/notes/quick_actions_service_spec.rb b/spec/services/notes/quick_actions_service_spec.rb
index 0065fd639b8..b6e29299fdd 100644
--- a/spec/services/notes/quick_actions_service_spec.rb
+++ b/spec/services/notes/quick_actions_service_spec.rb
@@ -188,6 +188,45 @@ RSpec.describe Notes::QuickActionsService, feature_category: :team_planning do
end
end
+ describe '/confidential' do
+ let_it_be_with_reload(:noteable) { create(:work_item, :issue, project: project) }
+ let_it_be(:note_text) { '/confidential' }
+ let_it_be(:note) { create(:note, noteable: noteable, project: project, note: note_text) }
+
+ context 'when work item does not have children' do
+ it 'leaves the note empty' do
+ expect(execute(note)).to be_empty
+ end
+
+ it 'marks work item as confidential' do
+ expect { execute(note) }.to change { noteable.reload.confidential }.from(false).to(true)
+ end
+ end
+
+ context 'when work item has children' do
+ before do
+ create(:parent_link, work_item: task, work_item_parent: noteable)
+ end
+
+ context 'when children are not confidential' do
+ let(:task) { create(:work_item, :task, project: project) }
+
+ it 'does not mark parent work item as confidential' do
+ expect { execute(note) }.to not_change { noteable.reload.confidential }.from(false)
+ expect(noteable.errors[:base]).to include('A confidential work item cannot have a parent that already has non-confidential children.')
+ end
+ end
+
+ context 'when children are confidential' do
+ let(:task) { create(:work_item, :confidential, :task, project: project) }
+
+ it 'marks parent work item as confidential' do
+ expect { execute(note) }.to change { noteable.reload.confidential }.from(false).to(true)
+ end
+ end
+ end
+ end
+
describe 'note with command & text' do
describe '/close, /label, /assign & /milestone' do
let(:note_text) do
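Review bot: None of the new `/confidential` examples exercises a note author who is not permitted to change confidentiality; all three run with whatever user and `execute` helper are set up outside the hunk, so the authorisation path that decides whether the command applies at all is untested here. An example in the same style, asserting `not_change { noteable.reload.confidential }` for a user without permission to update the work item, would close that gap. The error string at L249 is matched verbatim; a regex or a reference to the model's own message would be less brittle when wording changes. The enclosing `describe` block starts outside the hunk.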
diff --git a/spec/services/quick_actions/interpret_service_spec.rb b/spec/services/quick_actions/interpret_service_spec.rb
index bac0be00617..5e7fb8397e3 100644
--- a/spec/services/quick_actions/interpret_service_spec.rb
+++ b/spec/services/quick_actions/interpret_service_spec.rb
@@ -1872,11 +1872,21 @@ RSpec.describe QuickActions::InterpretService, feature_category: :team_planning
let(:issuable) { merge_request }
end
+ it_behaves_like 'award command' do
+ let(:content) { '/award :100:' }
+ let(:issuable) { work_item }
+ end
+
context 'ignores command with no argument' do
it_behaves_like 'failed command' do
let(:content) { '/award' }
let(:issuable) { issue }
end
+
+ it_behaves_like 'failed command' do
+ let(:content) { '/award' }
+ let(:issuable) { work_item }
+ end
end
context 'ignores non-existing / invalid emojis' do
@@ -1889,6 +1899,11 @@ RSpec.describe QuickActions::InterpretService, feature_category: :team_planning
let(:content) { '/award :lorem_ipsum:' }
let(:issuable) { issue }
end
+
+ it_behaves_like 'failed command' do
+ let(:content) { '/award :lorem_ipsum:' }
+ let(:issuable) { work_item }
+ end
end
context 'if issuable is a Commit' do
diff --git a/spec/views/devise/shared/_signup_omniauth_provider_list_spec.rb b/spec/views/devise/shared/_signup_omniauth_provider_list_spec.rb
new file mode 100644
index 00000000000..cc3ee52e73b
--- /dev/null
+++ b/spec/views/devise/shared/_signup_omniauth_provider_list_spec.rb
@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'devise/shared/_signup_omniauth_provider_list', feature_category: :system_access do
+ let_it_be(:provider_label) { :github }.freeze
+ let_it_be(:tracking_label) { 'free_registration' }.freeze
+ let_it_be(:tracking_action) { "#{provider_label}_sso" }.freeze
+
+ subject { rendered }
+
+ before do
+ allow(view).to receive(:providers).and_return([provider_label])
+ allow(view).to receive(:tracking_label).and_return(tracking_label)
+ allow(view).to receive(:glm_tracking_params).and_return({})
+ end
+
+ shared_examples 'sso buttons have snowplow tracking' do
+ it 'contains tracking attributes' do
+ css = "[data-track-action='#{tracking_action}']"
+ css += "[data-track-label='#{tracking_label}']"
+
+ expect(rendered).to have_css(css)
+ end
+ end
+
+ context 'when feature flag is true' do
+ before do
+ stub_feature_flags(restyle_login_page: true)
+
+ render
+ end
+
+ it { is_expected.to have_content(_("Register with:")) }
+
+ it_behaves_like 'sso buttons have snowplow tracking'
+ end
+
+ context 'when feature flag is false' do
+ before do
+ stub_feature_flags(restyle_login_page: false)
+
+ render
+ end
+
+ it { is_expected.to have_content(_("Create an account using:")) }
+
+ it_behaves_like 'sso buttons have snowplow tracking'
+ end
+end
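Review bot: The `.freeze` on lines L312–L314 is applied to the return value of `let_it_be`, not to the defined values, so it has no effect on `provider_label`, `tracking_label` or `tracking_action`; with `# frozen_string_literal: true` on line 1 the string literals are already frozen and symbols always are. Drop the suffix: `let_it_be(:provider_label) { :github }`, and likewise for the other two. In the shared example, `css += ...` allocates a fresh string each time, which is harmless here but a single interpolated literal would read cleaner.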