gitlab.com/gitlab-org/gitlab-foss.git
author: GitLab Bot <gitlab-bot@gitlab.com> 2023-11-22 00:14:46 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2023-11-22 00:14:46 +0300
commit: a3e6d34643e760d1a8b8bd1e7e32d8d74c1ea678
tree: 1228f600e98bfe626c313ffa61a60a4b7d162426 /doc
parent: d5ff0674315196e88f48dc0838486b44cd005628
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc')
-rw-r--r-- doc/ci/pipelines/merge_trains.md | 10
-rw-r--r-- doc/ci/variables/predefined_variables.md | 1
-rw-r--r-- doc/development/data_science/index.md | 2
-rw-r--r-- doc/development/secure_coding_guidelines.md | 36
4 files changed, 43 insertions, 6 deletions
diff --git a/doc/ci/pipelines/merge_trains.md b/doc/ci/pipelines/merge_trains.md
index a54087262e7..6734c94f65e 100644
--- a/doc/ci/pipelines/merge_trains.md
+++ b/doc/ci/pipelines/merge_trains.md
@@ -162,13 +162,15 @@ When you remove a merge request from a merge train:
## Skip the merge train and merge immediately
If you have a high-priority merge request, like a critical patch that must
-be merged urgently, select **Merge Immediately**.
+be merged urgently, you can select **Merge Immediately**.
When you merge a merge request immediately:
-- The current merge train is recreated.
-- All pipelines restart.
-- Redundant pipelines [are cancelled](#automatic-pipeline-cancellation).
+- The commits from the merge request are merged, ignoring the status of the merge train.
+- The merge train pipelines for all other merge requests on the train [are cancelled](#automatic-pipeline-cancellation).
+- A new merge train starts and all the merge requests from the original merge train are added to this new merge train,
+ with a new merge train pipeline for each. These new merge train pipelines now contain
+ the commits added by the merge request that was merged immediately.
WARNING:
Merging immediately can use a lot of CI/CD resources. Use this option
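Review bot: In the first new bullet, "ignoring the status of the merge train" does not say whether the merge request's own pipeline still has to pass before the commits are merged; state that explicitly, because a reader deciding whether to use **Merge Immediately** for a critical patch needs to know which checks still apply. The third new bullet repeats "merge train" five times across two sentences; consider splitting it into two bullets, one for the new train being created with the original merge requests and one for the new pipelines containing the immediately merged commits.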
diff --git a/doc/ci/variables/predefined_variables.md b/doc/ci/variables/predefined_variables.md
index 7cdb2305d09..e1df32b4224 100644
--- a/doc/ci/variables/predefined_variables.md
+++ b/doc/ci/variables/predefined_variables.md
@@ -158,6 +158,7 @@ These variables are available when:
| `CI_MERGE_REQUEST_APPROVED` | 14.1 | all | Approval status of the merge request. `true` when [merge request approvals](../../user/project/merge_requests/approvals/index.md) is available and the merge request has been approved. |
| `CI_MERGE_REQUEST_ASSIGNEES` | 11.9 | all | Comma-separated list of usernames of assignees for the merge request. |
| `CI_MERGE_REQUEST_ID` | 11.6 | all | The instance-level ID of the merge request. This is a unique ID across all projects on the GitLab instance. |
+| `CI_MERGE_REQUEST_DESCRIPTION` | 16.7 | all | The description of the merge request. |
| `CI_MERGE_REQUEST_IID` | 11.6 | all | The project-level IID (internal ID) of the merge request. This ID is unique for the current project, and is the number used in the merge request URL, page title, and other visible locations. |
| `CI_MERGE_REQUEST_LABELS` | 11.9 | all | Comma-separated label names of the merge request. |
| `CI_MERGE_REQUEST_MILESTONE` | 11.9 | all | The milestone title of the merge request. |
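Review bot: The new `CI_MERGE_REQUEST_DESCRIPTION` row is placed after `CI_MERGE_REQUEST_ID`, which breaks the alphabetical order the surrounding rows follow (`..._ASSIGNEES`, `..._ID`, `..._IID`, `..._LABELS`); move it up to sit between `CI_MERGE_REQUEST_ASSIGNEES` and `CI_MERGE_REQUEST_ID`. The description cell only says "The description of the merge request."; since this is free text written by whoever opened the merge request, it would help to say so and to note that job scripts should treat the value as untrusted input (quote it, do not evaluate it), and whether long descriptions are truncated.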
diff --git a/doc/development/data_science/index.md b/doc/development/data_science/index.md
index 132b6cc3d11..632acb8602f 100644
--- a/doc/development/data_science/index.md
+++ b/doc/development/data_science/index.md
@@ -4,4 +4,6 @@ group: ModelOps
info: Any user with at least the Maintainer role can merge updates to this content. For details, see https://docs.gitlab.com/ee/development/development_processes.html#development-guidelines-review.
---
+# Data Science
+
- [Model Registry](model_registry/index.md)
diff --git a/doc/development/secure_coding_guidelines.md b/doc/development/secure_coding_guidelines.md
index 946826e72da..17cda7ca1d3 100644
--- a/doc/development/secure_coding_guidelines.md
+++ b/doc/development/secure_coding_guidelines.md
@@ -1495,11 +1495,43 @@ Logging helps track events for debugging. Logging also allows the application to
- An audit trail for log edits must be available.
- To avoid data loss, logs must be saved on different storage.
-### Who to contact if you have questions
+## URL Spoofing
+
+We want to protect our users from bad actors who might try to use GitLab
+features to redirect other users to malicious sites.
+
+Many features in GitLab allow users to post links to external websites. It is
+important that the destination of any user-specified link is made very clear
+to the user.
+
+### `external_redirect_path`
+
+When presenting links provided by users, if the actual URL is hidden, use the `external_redirect_path`
+helper method to redirect the user to a warning page first. For example:
+
+```ruby
+# Bad :(
+# This URL comes from User-Land and may not be safe...
+# We need the user to *see* where they are going.
+link_to foo_social_url(@user), title: "Foo Social" do
+ sprite_icon('question-o')
+end
+
+# Good :)
+# The external_redirect "leaving GitLab" page will show the URL to the user
+# before they leave.
+link_to external_redirect_path(url: foo_social_url(@user)), title: "Foo" do
+ sprite_icon('question-o')
+end
+```
+
+Also see this [real-life usage](https://gitlab.com/gitlab-org/gitlab/-/blob/bdba5446903ff634fb12ba695b2de99b6d6881b5/app/helpers/application_helper.rb#L378) as an example.
+
+## Who to contact if you have questions
For general guidance, contact the [Application Security](https://about.gitlab.com/handbook/security/security-engineering/application-security/) team.
-### Related topics
+## Related topics
- [Log system in GitLab](../administration/logs/index.md)
- [Audit event development guidelines](../development/audit_event_guide/index.md))
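Review bot: In the Ruby example, the "Good" call changes `title: "Foo Social"` to `title: "Foo"` in addition to wrapping the URL in `external_redirect_path(url: ...)`; keep the title identical in both calls so the only difference the reader sees is the redirect helper. The condition "if the actual URL is hidden" would be clearer with a short definition, for example an icon-only link like the `sprite_icon` one shown, where the link text does not display the destination. The new heading "URL Spoofing" uses title case while the neighbouring headings ("Who to contact if you have questions", "Related topics") use sentence case; "URL spoofing" would match. While this section is being touched, the last context line ends in `index.md))` with a stray closing parenthesis that could be dropped.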