authorGitLab Bot <gitlab-bot@gitlab.com>2023-05-17 19:05:49 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-05-17 19:05:49 +0300
commit43a25d93ebdabea52f99b05e15b06250cd8f07d7 (patch)
treedceebdc68925362117480a5d672bcff122fb625b /lib/gitlab/middleware
parent20c84b99005abd1c82101dfeff264ac50d2df211 (diff)
Add latest changes from gitlab-org/gitlab@16-0-stable-eev16.0.0-rc42
Diffstat (limited to 'lib/gitlab/middleware')
-rw-r--r--lib/gitlab/middleware/compressed_json.rb39
-rw-r--r--lib/gitlab/middleware/go.rb2
-rw-r--r--lib/gitlab/middleware/request_context.rb12
3 files changed, 29 insertions, 24 deletions
diff --git a/lib/gitlab/middleware/compressed_json.rb b/lib/gitlab/middleware/compressed_json.rb
index 80916eab5ac..cc485d8a5db 100644
--- a/lib/gitlab/middleware/compressed_json.rb
+++ b/lib/gitlab/middleware/compressed_json.rb
@@ -4,15 +4,23 @@ module Gitlab
module Middleware
class CompressedJson
COLLECTOR_PATH = '/api/v4/error_tracking/collector'
- PACKAGES_PATH = %r{
- \A/api/v4/ (?# prefix)
- (?:projects/
- (?<project_id>
- .+ (?# at least one character)
- )/
- )? (?# projects segment)
- packages/npm/-/npm/v1/security/
- (?:(?:advisories/bulk)|(?:audits/quick))\z (?# end)
+ INSTANCE_PACKAGES_PATH = %r{
+ \A/api/v4/packages/npm/-/npm/v1/security/
+ (?:(?:advisories/bulk)|(?:audits/quick))\z (?# end)
+ }xi.freeze
+ GROUP_PACKAGES_PATH = %r{
+ \A/api/v4/groups/
+ (?<id>
+ [a-zA-Z0-9%-._]{1,255}
+ )/-/packages/npm/-/npm/v1/security/
+ (?:(?:advisories/bulk)|(?:audits/quick))\z (?# end)
+ }xi.freeze
+ PROJECT_PACKAGES_PATH = %r{
+ \A/api/v4/projects/
+ (?<id>
+ [a-zA-Z0-9%-._]{1,255}
+ )/packages/npm/-/npm/v1/security/
+ (?:(?:advisories/bulk)|(?:audits/quick))\z (?# end)
}xi.freeze
MAXIMUM_BODY_SIZE = 200.kilobytes.to_i
UNSAFE_CHARACTERS = %r{[!"#&'()*+,./:;<>=?@\[\]^`{}|~$]}xi.freeze
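Review bot: In the `id` character class of GROUP_PACKAGES_PATH and PROJECT_PACKAGES_PATH, `%-.` is parsed as a range from `%` to `.`, so the class also admits `&`, `'`, `(`, `)`, `*`, `+` and `,` instead of only the literal `%`, `-`, `.` and `_`. Those extra characters are all in UNSAFE_CHARACTERS, so the later `url_encoded?` check still rejects them, but the allow-list should not depend on a second filter to mean what it says. Put the hyphen last in both constants: `[a-zA-Z0-9%._-]{1,255}`. Since the `i` flag is set, `a-zA-Z` can also be shortened to `a-z`.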
@@ -76,16 +84,19 @@ module Gitlab
end
def match_packages_path?(env)
- match_data = env['PATH_INFO'].delete_prefix(relative_url).match(PACKAGES_PATH)
+ path = env['PATH_INFO'].delete_prefix(relative_url)
+ match_data = path.match(INSTANCE_PACKAGES_PATH) ||
+ path.match(PROJECT_PACKAGES_PATH) ||
+ path.match(GROUP_PACKAGES_PATH)
return false unless match_data
- return true unless match_data[:project_id] # instance level endpoint was matched
+ return true if match_data.names.empty? # instance level endpoint was matched
- url_encoded?(match_data[:project_id])
+ url_encoded?(match_data[:id])
end
- def url_encoded?(project_id)
- project_id !~ UNSAFE_CHARACTERS
+ def url_encoded?(id)
+ id !~ UNSAFE_CHARACTERS
end
end
end
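Review bot: `return true if match_data.names.empty?` treats a match as instance-level only because INSTANCE_PACKAGES_PATH happens to declare no named groups. If a named group is ever added to that pattern, an instance-level match would fall through to `match_data[:id]`, and `MatchData#[]` raises IndexError for a group name the pattern does not define. Testing the instance pattern by itself states the intent directly: `return true if path.match?(INSTANCE_PACKAGES_PATH)`, then `match_data = path.match(PROJECT_PACKAGES_PATH) || path.match(GROUP_PACKAGES_PATH)` and the existing `return false unless match_data`. A short comment on `url_encoded?` would also help, for example `# true when the id contains none of UNSAFE_CHARACTERS`, because the method does not decode or validate percent-encoding.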
diff --git a/lib/gitlab/middleware/go.rb b/lib/gitlab/middleware/go.rb
index 13f7ab36823..4da5fef9fd7 100644
--- a/lib/gitlab/middleware/go.rb
+++ b/lib/gitlab/middleware/go.rb
@@ -18,7 +18,7 @@ module Gitlab
request = ActionDispatch::Request.new(env)
render_go_doc(request) || @app.call(env)
- rescue Gitlab::Auth::IpBlacklisted
+ rescue Gitlab::Auth::IpBlocked
Gitlab::AuthLogger.error(
message: 'Rack_Attack',
status: 403,
diff --git a/lib/gitlab/middleware/request_context.rb b/lib/gitlab/middleware/request_context.rb
index 07f6f87a68c..f609002007c 100644
--- a/lib/gitlab/middleware/request_context.rb
+++ b/lib/gitlab/middleware/request_context.rb
@@ -8,15 +8,9 @@ module Gitlab
end
def call(env)
- # We should be using ActionDispatch::Request instead of
- # Rack::Request to be consistent with Rails, but due to a Rails
- # bug described in
- # https://gitlab.com/gitlab-org/gitlab-foss/issues/58573#note_149799010
- # hosts behind a load balancer will only see 127.0.0.1 for the
- # load balancer's IP.
- req = Rack::Request.new(env)
-
- ::Gitlab::InstrumentationHelper.init_instrumentation_data(request_ip: req.ip)
+ request = ActionDispatch::Request.new(env)
+ Gitlab::RequestContext.start_request_context(request: request)
+ Gitlab::RequestContext.start_thread_context
@app.call(env)
end
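Review bot: The comment removed from `call` explained that Rack::Request was used because ActionDispatch::Request could report 127.0.0.1 for hosts behind a load balancer, and the new code switches to ActionDispatch::Request without saying how that is now handled. `start_request_context` is not visible here, so which accessor it reads the client IP from cannot be confirmed. If that IP feeds logging or rate limiting, a wrong value would weaken both. I would add a short comment above `request = ActionDispatch::Request.new(env)`, such as `# client IP is resolved by Gitlab::RequestContext; relies on the trusted-proxy configuration`. A spec that sends a forwarded-for header through a trusted proxy and asserts the recorded IP would back it up.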