Welcome to mirror list, hosted at ThFree Co, Russian Federation.

gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
author: GitLab Bot <gitlab-bot@gitlab.com> 2020-10-21 10:08:36 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2020-10-21 10:08:36 +0300
commit: 48aff82709769b098321c738f3444b9bdaa694c6 (patch)
tree: e00c7c43e2d9b603a5a6af576b1685e400410dee /doc/security
parent: 879f5329ee916a948223f8f43d77fba4da6cd028 (diff)
Add latest changes from gitlab-org/gitlab@13-5-stable-eev13.5.0-rc42
Diffstat (limited to 'doc/security')
-rw-r--r-- doc/security/asset_proxy.md | 2
-rw-r--r-- doc/security/passwords_for_integrated_authentication_methods.md | 2
-rw-r--r-- doc/security/project_import_decompressed_archive_size_limits.md | 2
-rw-r--r-- doc/security/rack_attack.md | 2
-rw-r--r-- doc/security/rate_limits.md | 19
-rw-r--r-- doc/security/two_factor_authentication.md | 13
6 files changed, 35 insertions, 5 deletions
diff --git a/doc/security/asset_proxy.md b/doc/security/asset_proxy.md
index 91a35c2f2a9..fdceecdf386 100644
--- a/doc/security/asset_proxy.md
+++ b/doc/security/asset_proxy.md
@@ -25,7 +25,7 @@ A Camo server is used to act as the proxy.
To install a Camo server as an asset proxy:
1. Deploy a `go-camo` server. Helpful instructions can be found in
- [building catus/go-camo](https://github.com/cactus/go-camo#building).
+ [building cactus/go-camo](https://github.com/cactus/go-camo#building).
1. Make sure your instance of GitLab is running, and that you have created a private API token.
Using the API, configure the asset proxy settings on your GitLab instance. For example:
diff --git a/doc/security/passwords_for_integrated_authentication_methods.md b/doc/security/passwords_for_integrated_authentication_methods.md
index 704af49b2d2..f2597ef1578 100644
--- a/doc/security/passwords_for_integrated_authentication_methods.md
+++ b/doc/security/passwords_for_integrated_authentication_methods.md
@@ -11,4 +11,4 @@ However, to maintain data consistency, GitLab requires passwords for all user ac
For such accounts, we use the [`friendly_token`](https://github.com/heartcombo/devise/blob/f26e05c20079c9acded3c0ee16da0df435a28997/lib/devise.rb#L492) method provided by the Devise gem to generate a random, unique and secure password and sets it as the account password during sign up.
-The length of the generated password is the set based on the value of [maximum password length](password_length_limits.md#modify-maximum-password-length-using-configuration-file) as set in the Devise configuation. The default value is 128 characters.
+The length of the generated password is the set based on the value of [maximum password length](password_length_limits.md#modify-maximum-password-length-using-configuration-file) as set in the Device configuration. The default value is 128 characters.
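Review bot: the replacement line swaps one error for another: "Devise configuation" becomes "Device configuration", but the gem is Devise (the same paragraph already links to `lib/devise.rb`), so the line should read "as set in the Devise configuration". The phrase "is the set based on" in both the old and new line is also ungrammatical; suggest "The length of the generated password is set based on the value of [maximum password length](...)".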
diff --git a/doc/security/project_import_decompressed_archive_size_limits.md b/doc/security/project_import_decompressed_archive_size_limits.md
index dd67db23d6b..16821e1f192 100644
--- a/doc/security/project_import_decompressed_archive_size_limits.md
+++ b/doc/security/project_import_decompressed_archive_size_limits.md
@@ -17,7 +17,7 @@ If you have a project with decompressed size exceeding this limit,
it is possible to disable the validation by turning off the
`validate_import_decompressed_archive_size` feature flag.
-Start a [Rails console](../administration/troubleshooting/debug.md#starting-a-rails-console-session).
+Start a [Rails console](../administration/operations/rails_console.md#starting-a-rails-console-session).
```ruby
# Disable
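Review bot: the new link target `../administration/operations/rails_console.md#starting-a-rails-console-session` should be checked for the anchor, since the heading slug must exist on the destination page for the link to resolve after the move from `troubleshooting/debug.md`. Since the surrounding text tells the admin to turn off `validate_import_decompressed_archive_size` to get a large import through, the section would also benefit from a sentence recommending that the flag be turned back on once the import completes, so the decompressed-size check is not left disabled instance-wide.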
diff --git a/doc/security/rack_attack.md b/doc/security/rack_attack.md
index d3de2222c39..b386917f399 100644
--- a/doc/security/rack_attack.md
+++ b/doc/security/rack_attack.md
@@ -4,8 +4,6 @@ type: reference, howto
# Rack Attack initializer
-## Overview
-
[Rack Attack](https://github.com/kickstarter/rack-attack), also known as Rack::Attack, is a Ruby gem
that is meant to protect GitLab with the ability to customize throttling and
to block user IP addresses.
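Review bot: removing the `## Overview` heading leaves the intro paragraph directly under the H1, which is fine, but any existing links to `rack_attack.md#overview` (in other docs or in the admin UI help links) will now point at a missing anchor; worth a grep before merging.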
diff --git a/doc/security/rate_limits.md b/doc/security/rate_limits.md
index af2c14be2cd..9e754cf1917 100644
--- a/doc/security/rate_limits.md
+++ b/doc/security/rate_limits.md
@@ -28,6 +28,25 @@ similarly mitigated by a rate limit.
- [Protected paths](../user/admin_area/settings/protected_paths.md).
- [Import/Export rate limits](../user/admin_area/settings/import_export_rate_limits.md).
+## Non-configurable limits
+
+### Repository archives
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/25750) in GitLab 12.9.
+
+There is a rate limit for [downloading repository archives](../api/repositories.md#get-file-archive),
+which applies to the project and to the user initiating the download either through the UI or the API.
+
+The **rate limit** is 5 requests per minute per user.
+
+### Webhook Testing
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/commit/35bc85c3ca093fee58d60dacdc9ed1fd9a15adec) in GitLab 13.4.
+
+There is a rate limit for [testing webhooks](../user/project/integrations/webhooks.md#testing-webhooks), which prevents abuse of the webhook functionality.
+
+The **rate limit** is 5 requests per minute per user.
+
## Rack Attack initializer
This method of rate limiting is cumbersome, but has some advantages. It allows
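Review bot: the "Repository archives" section says the limit "applies to the project and to the user initiating the download", but the bold line that follows states only "5 requests per minute per user"; clarify whether the counter is keyed per user, per project, or per user-and-project pair, since an admin reading this cannot tell whether archiving several projects from one account shares a single quota. Minor style: `### Webhook Testing` is title case while the sibling heading `### Repository archives` and the rest of the page use sentence case; suggest `### Webhook testing`.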
diff --git a/doc/security/two_factor_authentication.md b/doc/security/two_factor_authentication.md
index 9d49e1d3af2..995dea7809e 100644
--- a/doc/security/two_factor_authentication.md
+++ b/doc/security/two_factor_authentication.md
@@ -65,9 +65,22 @@ The following are important notes about 2FA:
2FA enabled, 2FA is **not** required for those individually added members.
- If there are multiple 2FA requirements (for example, group + all users, or multiple
groups) the shortest grace period will be used.
+- It is possible to disallow subgroups from setting up their own 2FA requirements.
+ Navigate to the top-level group's **Settings > General > Permissions, LFS, 2FA > Two-factor authentication** and uncheck the **Allow subgroups to set up their own two-factor authentication rule** field. This action will cause all subgroups with 2FA requirements to stop requiring that from their members.
## Disabling 2FA for everyone
+CAUTION: **Caution:**
+Disabling 2FA for everyone does not disable the [enforce 2FA for all users](#enforcing-2fa-for-all-users)
+or [enforce 2FA for all users in a group](#enforcing-2fa-for-all-users-in-a-group)
+settings. In addition to the steps in this section, you will need to disable any enforced 2FA
+settings so users aren't asked to set up 2FA again, the next time the user signs in to GitLab.
+Disabling 2FA for everyone does not disable the [enforce 2FA for all users](#enforcing-2fa-for-all-users)
+or [enforce 2FA for all users in a group](#enforcing-2fa-for-all-users-in-a-group)
+settings if they have been configured. In addition to the steps in this section,
+you will need to disable any enforced 2FA settings so users aren't asked to setup
+2FA again when the next login to GitLab.
+
There may be some special situations where you want to disable 2FA for everyone
even when forced 2FA is disabled. There is a Rake task for that:
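Review bot: the caution block is duplicated: the paragraph starting "Disabling 2FA for everyone does not disable the [enforce 2FA for all users]" appears twice in the added lines, once ending "the next time the user signs in to GitLab." and once ending "when the next login to GitLab.", so one copy should be dropped. The remaining copy should use "set up" (verb) rather than "setup" and "the next time they sign in" rather than "when the next login". In the new bullet above, "Permissions, LFS, 2FA" should be checked against the current UI label, and "uncheck the ... field" reads better as "clear the ... checkbox".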