Add latest changes from gitlab-org/security/gitlab@16-5-stable-ee

2 files changed, 7 insertions, 3 deletions

diff --git a/app/models/pages_domain.rb b/app/models/pages_domain.rb
index b86bc761cc1..08326cf39e6 100644
--- a/app/models/pages_domain.rb
+++ b/app/models/pages_domain.rb
@@ -33,10 +33,11 @@ class PagesDomain < ApplicationRecord
   validates :verification_code, presence: true, allow_blank: false
 
   validate :validate_pages_domain
+  validate :max_certificate_key_length, if: ->(domain) { domain.key.present? }
   validate :validate_matching_key, if: ->(domain) { domain.certificate.present? || domain.key.present? }
-  validate :validate_intermediates, if: ->(domain) { domain.certificate.present? && domain.certificate_changed? }
+  # validate_intermediates must run after key validations to skip expensive SSL validation when there is a key error
+  validate :validate_intermediates, if: ->(domain) { domain.certificate.present? && domain.certificate_changed? && errors[:key].blank? }
   validate :validate_custom_domain_count_per_project, on: :create
-  validate :max_certificate_key_length, if: ->(domain) { domain.key.present? }
 
   attribute :auto_ssl_enabled, default: -> { ::Gitlab::LetsEncrypt.enabled? }
   attribute :wildcard, default: false
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index 6114785a851..1fd77f2a235 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -57,7 +57,10 @@ class IssuePolicy < IssuablePolicy
     prevent :read_issue
   end
 
-  rule { ~can?(:read_issue) }.prevent :create_note
+  rule { ~can?(:read_issue) }.policy do
+    prevent :create_note
+    prevent :award_emoji
+  end
 
   rule { locked }.policy do
     prevent :reopen_issue