
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2022-01-20 12:16:11 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2022-01-20 12:16:11 +0300
commitedaa33dee2ff2f7ea3fac488d41558eb5f86d68c (patch)
tree11f143effbfeba52329fb7afbd05e6e2a3790241 /config/initializers
parentd8a5691316400a0f7ec4f83832698f1988eb27c1 (diff)
Add latest changes from gitlab-org/gitlab@14-7-stable-eev14.7.0-rc42
Diffstat (limited to 'config/initializers')
-rw-r--r--config/initializers/0_inject_enterprise_edition_module.rb2
-rw-r--r--config/initializers/1_settings.rb14
-rw-r--r--config/initializers/7_prometheus_metrics.rb12
-rw-r--r--config/initializers/active_record_lifecycle.rb2
-rw-r--r--config/initializers/active_record_transaction_observer.rb11
-rw-r--r--config/initializers/database_config.rb2
-rw-r--r--config/initializers/session_store.rb10
-rw-r--r--config/initializers/sherlock.rb7
-rw-r--r--config/initializers/webhook_recursion_detection.rb5
-rw-r--r--config/initializers/wikicloth_disable_lua_patch.rb31
-rw-r--r--config/initializers/wikicloth_redos_patch.rb (renamed from config/initializers/wikicloth_patch.rb)0
11 files changed, 60 insertions, 36 deletions
diff --git a/config/initializers/0_inject_enterprise_edition_module.rb b/config/initializers/0_inject_enterprise_edition_module.rb
index 41d1043af38..1951940a2a1 100644
--- a/config/initializers/0_inject_enterprise_edition_module.rb
+++ b/config/initializers/0_inject_enterprise_edition_module.rb
@@ -46,7 +46,7 @@ module InjectEnterpriseEditionModule
end
def each_extension_for(constant_name, namespace)
- Gitlab.extensions.each do |extension_name|
+ GitlabEdition.extensions.each do |extension_name|
extension_namespace =
const_get_maybe_false(namespace, extension_name.upcase)
diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index 2587347719a..8244f570a18 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -247,6 +247,14 @@ Settings.gitlab_ci['builds_path'] = Settings.absolute(Settings.gitlab_
Settings.gitlab_ci['url'] ||= Settings.__send__(:build_gitlab_ci_url)
#
+# CI Secure Files
+#
+Settings['ci_secure_files'] ||= Settingslogic.new({})
+Settings.ci_secure_files['enabled'] = true if Settings.ci_secure_files['enabled'].nil?
+Settings.ci_secure_files['storage_path'] = Settings.absolute(Settings.ci_secure_files['storage_path'] || File.join(Settings.shared['path'], "ci_secure_files"))
+Settings.ci_secure_files['object_store'] = ObjectStoreSettings.legacy_parse(Settings.ci_secure_files['object_store'])
+
+#
# Reply by email
#
Settings['incoming_email'] ||= Settingslogic.new({})
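Review bot: `Settings.ci_secure_files['enabled']` defaults to true when unset, so this storage location becomes active on upgrade without operator opt-in, and the `# CI Secure Files` header does not say what is kept there. Going by the name the files are presumably sensitive (to be confirmed), and the default `storage_path` sits under `Settings.shared['path']` next to other shared data; whether the directory is created with restrictive permissions is decided outside this hunk. I would extend the header to something like `# CI Secure Files: sensitive files made available to CI jobs; storage_path should be readable only by the GitLab user` and confirm that the uploader enforces it.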
@@ -537,6 +545,10 @@ Settings.cron_jobs['image_ttl_group_policy_worker']['job_class'] = 'DependencyPr
Settings.cron_jobs['cleanup_dependency_proxy_worker'] ||= Settingslogic.new({})
Settings.cron_jobs['cleanup_dependency_proxy_worker']['cron'] ||= '20 3,15 * * *'
Settings.cron_jobs['cleanup_dependency_proxy_worker']['job_class'] = 'DependencyProxy::CleanupDependencyProxyWorker'
+Settings.cron_jobs['cleanup_package_registry_worker'] ||= Settingslogic.new({})
+Settings.cron_jobs['cleanup_package_registry_worker']['cron'] ||= '20 0,12 * * *'
+Settings.cron_jobs['cleanup_package_registry_worker']['job_class'] = 'Packages::CleanupPackageRegistryWorker'
+
Settings.cron_jobs['x509_issuer_crl_check_worker'] ||= Settingslogic.new({})
Settings.cron_jobs['x509_issuer_crl_check_worker']['cron'] ||= '30 1 * * *'
Settings.cron_jobs['x509_issuer_crl_check_worker']['job_class'] = 'X509IssuerCrlCheckWorker'
@@ -723,7 +735,7 @@ Gitlab.ee do
Settings.cron_jobs['app_sec_dast_profile_schedule_worker']['cron'] ||= '7-59/15 * * * *'
Settings.cron_jobs['app_sec_dast_profile_schedule_worker']['job_class'] = 'AppSec::Dast::ProfileScheduleWorker'
Settings.cron_jobs['loose_foreign_keys_cleanup_worker'] ||= Settingslogic.new({})
- Settings.cron_jobs['loose_foreign_keys_cleanup_worker']['cron'] ||= '*/5 * * * *'
+ Settings.cron_jobs['loose_foreign_keys_cleanup_worker']['cron'] ||= '*/1 * * * *'
Settings.cron_jobs['loose_foreign_keys_cleanup_worker']['job_class'] = 'LooseForeignKeys::CleanupWorker'
end
diff --git a/config/initializers/7_prometheus_metrics.rb b/config/initializers/7_prometheus_metrics.rb
index 8ef11b83131..15757c05bd0 100644
--- a/config/initializers/7_prometheus_metrics.rb
+++ b/config/initializers/7_prometheus_metrics.rb
@@ -70,17 +70,17 @@ if !Rails.env.test? && Gitlab::Metrics.prometheus_metrics_enabled?
Gitlab::Cluster::LifecycleEvents.on_worker_start do
defined?(::Prometheus::Client.reinitialize_on_pid_change) && ::Prometheus::Client.reinitialize_on_pid_change
-
- Gitlab::Metrics::Samplers::RubySampler.initialize_instance.start
- Gitlab::Metrics::Samplers::DatabaseSampler.initialize_instance.start
- Gitlab::Metrics::Samplers::ThreadsSampler.initialize_instance.start
+ logger = Gitlab::AppLogger
+ Gitlab::Metrics::Samplers::RubySampler.initialize_instance(logger: logger).start
+ Gitlab::Metrics::Samplers::DatabaseSampler.initialize_instance(logger: logger).start
+ Gitlab::Metrics::Samplers::ThreadsSampler.initialize_instance(logger: logger).start
if Gitlab::Runtime.web_server?
- Gitlab::Metrics::Samplers::ActionCableSampler.instance.start
+ Gitlab::Metrics::Samplers::ActionCableSampler.instance(logger: logger).start
end
if Gitlab.ee? && Gitlab::Runtime.sidekiq?
- Gitlab::Metrics::Samplers::GlobalSearchSampler.instance.start
+ Gitlab::Metrics::Samplers::GlobalSearchSampler.instance(logger: logger).start
end
Gitlab::Ci::Parsers.instrument!
diff --git a/config/initializers/active_record_lifecycle.rb b/config/initializers/active_record_lifecycle.rb
index 8d4b6d61abe..92cc1d81617 100644
--- a/config/initializers/active_record_lifecycle.rb
+++ b/config/initializers/active_record_lifecycle.rb
@@ -5,7 +5,7 @@
if defined?(ActiveRecord::Base) && !Gitlab::Runtime.sidekiq?
Gitlab::Cluster::LifecycleEvents.on_worker_start do
ActiveSupport.on_load(:active_record) do
- ActiveRecord::Base.establish_connection
+ ActiveRecord::Base.establish_connection # rubocop: disable Database/EstablishConnection
Gitlab::AppLogger.debug("ActiveRecord connection established")
end
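Review bot: The inline `# rubocop: disable Database/EstablishConnection` on the `establish_connection` line carries no reason, and the same bare disable is added in config/initializers/database_config.rb. A short justification beside it, for example `# Each forked worker needs its own connection`, would tell the next reader why the cop does not apply here. That wording is inferred from the surrounding `on_worker_start` block and should be confirmed by the author. The enclosing `if` block continues past the end of the hunk.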
diff --git a/config/initializers/active_record_transaction_observer.rb b/config/initializers/active_record_transaction_observer.rb
index a1d4b13344e..b90b3a39ac1 100644
--- a/config/initializers/active_record_transaction_observer.rb
+++ b/config/initializers/active_record_transaction_observer.rb
@@ -1,18 +1,9 @@
# frozen_string_literal: true
-def feature_flags_available?
- # When the DBMS is not available, an exception (e.g. PG::ConnectionBad) is raised
- active_db_connection = ActiveRecord::Base.connection.active? rescue false
-
- active_db_connection && Feature::FlipperFeature.table_exists?
-rescue ActiveRecord::NoDatabaseError
- false
-end
-
return unless Gitlab.com? || Gitlab.dev_or_test_env?
Gitlab::Application.configure do
- if feature_flags_available? && ::Feature.enabled?(:active_record_transactions_tracking, type: :ops, default_enabled: :yaml)
+ if Feature.feature_flags_available? && ::Feature.enabled?(:active_record_transactions_tracking, type: :ops, default_enabled: :yaml)
Gitlab::Database::Transaction::Observer.register!
end
end
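Review bot: The condition now calls `Feature.feature_flags_available?`, whose body is outside this diff, so it cannot be checked here that it still returns false on `ActiveRecord::NoDatabaseError` and on a failed connection check, as the removed helper did. This initializer runs at boot, so an exception escaping that call would stop startup whenever the database is unreachable. The same line also mixes `Feature.` and `::Feature.`; writing `::Feature.feature_flags_available?` would keep both constant lookups consistent.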
diff --git a/config/initializers/database_config.rb b/config/initializers/database_config.rb
index a3172fae027..050ab1d9b3e 100644
--- a/config/initializers/database_config.rb
+++ b/config/initializers/database_config.rb
@@ -13,6 +13,6 @@ Gitlab.ee do
# The Geo::TrackingBase model does not yet use connects_to. So,
# this will not properly support geo: from config/databse.yml
# file yet. This is ACK of the current state and will be fixed.
- Geo::TrackingBase.establish_connection(Gitlab::Database.geo_db_config_with_default_pool_size)
+ Geo::TrackingBase.establish_connection(Gitlab::Database.geo_db_config_with_default_pool_size) # rubocop: disable Database/EstablishConnection
end
end
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index bb2e01a30f1..a7754667320 100644
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -19,15 +19,7 @@ cookie_key = if Rails.env.development?
"_gitlab_session"
end
-store = if Gitlab::Utils.to_boolean(ENV['GITLAB_USE_REDIS_SESSIONS_STORE'], default: true)
- Gitlab::Redis::Sessions.store(
- namespace: Gitlab::Redis::Sessions::SESSION_NAMESPACE
- )
- else
- Gitlab::Redis::SharedState.store(
- namespace: Gitlab::Redis::Sessions::SESSION_NAMESPACE
- )
- end
+store = Gitlab::Redis::Sessions.store(namespace: Gitlab::Redis::Sessions::SESSION_NAMESPACE)
Gitlab::Application.config.session_store(
:redis_store, # Using the cookie_store would enable session replay attacks.
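Review bot: `GITLAB_USE_REDIS_SESSIONS_STORE` is now ignored without any signal at the `store =` assignment. An instance that was running with it set to false has its sessions in `Gitlab::Redis::SharedState`; after this change those are no longer read, so users are signed out, and the old session entries presumably stay in SharedState until they expire. A one-line boot warning would make that visible: `Gitlab::AppLogger.warn('GITLAB_USE_REDIS_SESSIONS_STORE is ignored; sessions are always stored in Gitlab::Redis::Sessions') if ENV.key?('GITLAB_USE_REDIS_SESSIONS_STORE')`. The `session_store(` call continues outside the hunk.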
diff --git a/config/initializers/sherlock.rb b/config/initializers/sherlock.rb
deleted file mode 100644
index ba33ffa13c5..00000000000
--- a/config/initializers/sherlock.rb
+++ /dev/null
@@ -1,7 +0,0 @@
-# frozen_string_literal: true
-
-if Gitlab::Sherlock.enabled?
- Rails.application.configure do |config|
- config.middleware.use(Gitlab::Sherlock::Middleware)
- end
-end
diff --git a/config/initializers/webhook_recursion_detection.rb b/config/initializers/webhook_recursion_detection.rb
new file mode 100644
index 00000000000..b345c005bac
--- /dev/null
+++ b/config/initializers/webhook_recursion_detection.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+Rails.application.configure do |config|
+ config.middleware.insert_after RequestStore::Middleware, Gitlab::Middleware::WebhookRecursionDetection
+end
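Review bot: The new initializer has no comment explaining why the middleware must sit directly after `RequestStore::Middleware`. Presumably `Gitlab::Middleware::WebhookRecursionDetection` keeps per-request state in the request store, and if it takes a value from an incoming request header, that value is caller-controlled and should be treated as untrusted by whatever consumes it; neither is visible in this hunk. A line such as `# Must run after RequestStore::Middleware: recursion detection state lives in the per-request store` would record the ordering constraint.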
diff --git a/config/initializers/wikicloth_disable_lua_patch.rb b/config/initializers/wikicloth_disable_lua_patch.rb
new file mode 100644
index 00000000000..67d41b4327d
--- /dev/null
+++ b/config/initializers/wikicloth_disable_lua_patch.rb
@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require 'wikicloth'
+require 'wikicloth/extensions/lua'
+
+# Adds patch to disable lua support to eliminate vulnerability to injection attack.
+#
+# The maintainers are not releasing new versions, so we need to patch it here.
+#
+# If they ever do release a version which contains a fix for this, then we can remove this file.
+#
+# See: https://gitlab.com/gitlab-org/gitlab/-/issues/345892#note_751107320
+
+# Guard to ensure we remember to delete this patch if they ever release a new version of wikicloth
+# which disables Lua by default or otherwise eliminates all vulnerabilities mentioned in
+# https://gitlab.com/gitlab-org/gitlab/-/issues/345892, including the possibility of an HTML/JS
+# injection attack as mentioned in https://gitlab.com/gitlab-org/gitlab/-/issues/345892#note_751981608
+unless Gem::Version.new(WikiCloth::VERSION) == Gem::Version.new('0.8.1')
+ raise 'New version of WikiCloth detected, please either update the version for this check, ' \
+ 'or remove this patch if no longer needed'
+end
+
+module WikiCloth
+ class LuaExtension < Extension
+ protected
+
+ def init_lua
+ @options[:disable_lua] = true
+ end
+ end
+end
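Review bot: The `init_lua` override only sets `@options[:disable_lua] = true`, so the protection depends on the upstream `LuaExtension` checking that option on every path that would evaluate Lua, and none of that code is visible here. A comment on the method stating what upstream does with the flag, such as `# Upstream skips Lua evaluation when :disable_lua is set, and init_lua is where the Lua state would be created (verified against wikicloth 0.8.1)`, would let a reader audit the patch without opening the gem. A regression spec that renders Lua markup and asserts nothing is evaluated would pin the behaviour; this diffstat is limited to config/initializers, so one may already exist. The version guard raises a bare string, and naming this file in the message would make the boot failure easier to act on.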
diff --git a/config/initializers/wikicloth_patch.rb b/config/initializers/wikicloth_redos_patch.rb
index 13180180c32..13180180c32 100644
--- a/config/initializers/wikicloth_patch.rb
+++ b/config/initializers/wikicloth_redos_patch.rb