authorGitLab Bot <gitlab-bot@gitlab.com>2023-10-30 16:01:59 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-10-30 16:01:59 +0300
commit02856b4f79ad3489e8ccc74c6ecaf33fa52c42e7 (patch)
treeae45e75ccb16eecab6769761b288072cc3ba6c37 /lib
parent2e3dadb11d5038aa77313666740db4c25408154d (diff)
Add latest changes from gitlab-org/security/gitlab@16-4-stable-ee
Diffstat (limited to 'lib')
-rw-r--r--lib/gitlab/ci/build/duration_parser.rb2
-rw-r--r--lib/gitlab/ci/components/instance_path.rb9
-rw-r--r--lib/gitlab/ci/config/entry/job.rb2
-rw-r--r--lib/gitlab/ci/jwt.rb3
-rw-r--r--lib/gitlab/config/entry/legacy_validation_helpers.rb9
-rw-r--r--lib/gitlab/import_export/command_line_util.rb2
-rw-r--r--lib/gitlab/search/abuse_detection.rb32
-rw-r--r--lib/gitlab/search/params.rb2
-rw-r--r--lib/gitlab/time_tracking_formatter.rb6
9 files changed, 47 insertions, 20 deletions
diff --git a/lib/gitlab/ci/build/duration_parser.rb b/lib/gitlab/ci/build/duration_parser.rb
index 97049a4f876..9385dccd5f3 100644
--- a/lib/gitlab/ci/build/duration_parser.rb
+++ b/lib/gitlab/ci/build/duration_parser.rb
@@ -41,7 +41,7 @@ module Gitlab
def parse
return if never?
- ChronicDuration.parse(value, use_complete_matcher: true)
+ ChronicDuration.parse(value)
end
def validation_cache
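Review bot: Dropping `use_complete_matcher: true` from the `parse` call loosens what is accepted — with the default matcher ChronicDuration can return a value for a string that only partially matches, where the complete matcher would have rejected it (a constructed example: `1 hour xyz`; confirm against the gem version the project pins). The same change is made in job.rb (`parsed_timeout`), in both hunks of legacy_validation_helpers.rb and in time_tracking_formatter.rb, so one comment here would cover the intent for all of them: `# lenient parsing is intentional; the complete matcher was removed on purpose`. A spec pinning one previously rejected duration string would keep the option from being re-added as a cleanup. `parse` sits in a class that continues outside the hunk.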
diff --git a/lib/gitlab/ci/components/instance_path.rb b/lib/gitlab/ci/components/instance_path.rb
index 17c784c4d54..648a4e06475 100644
--- a/lib/gitlab/ci/components/instance_path.rb
+++ b/lib/gitlab/ci/components/instance_path.rb
@@ -5,6 +5,7 @@ module Gitlab
module Components
class InstancePath
include Gitlab::Utils::StrongMemoize
+ include ::Gitlab::LoopHelpers
LATEST_VERSION_KEYWORD = '~latest'
TEMPLATES_DIR = 'templates'
@@ -60,9 +61,15 @@ module Gitlab
# Given a path like "my-org/sub-group/the-project/path/to/component"
# find the project "my-org/sub-group/the-project" by looking at all possible paths.
def find_project_by_component_path(path)
+ return if path.start_with?('/') # exit early if path starts with `/` or it will loop forever.
+
possible_paths = [path]
+ index = nil
+
+ loop_until(limit: 20) do
+ index = path.rindex('/') # find index of last `/` in a path
+ break unless index
- while index = path.rindex('/') # find index of last `/` in a path
possible_paths << (path = path[0..index - 1])
end
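Review bot: `loop_until(limit: 20)` introduces a cut-off for component paths with more than 20 segments, and nothing in the hunk says whether the helper raises or just stops iterating when the limit is hit; the part of the method that presumably queries `possible_paths` is outside the hunk. A comment on the loop such as `# bounded: at most 20 parent paths are tried; deeper paths are cut off (see LoopHelpers#loop_until)` would make that visible — check LoopHelpers for the on-limit behaviour before wording it. The leading-`/` guard is still needed even with the bound, because `rindex` returning 0 makes `path[0..index - 1]` evaluate to `path[0..-1]`, i.e. the unchanged path, so the guard's comment remains accurate. `find_project_by_component_path` continues past the hunk.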
diff --git a/lib/gitlab/ci/config/entry/job.rb b/lib/gitlab/ci/config/entry/job.rb
index c40d665f320..bf8a99ef45e 100644
--- a/lib/gitlab/ci/config/entry/job.rb
+++ b/lib/gitlab/ci/config/entry/job.rb
@@ -177,7 +177,7 @@ module Gitlab
def parsed_timeout
return unless has_timeout?
- ChronicDuration.parse(timeout.to_s, use_complete_matcher: true)
+ ChronicDuration.parse(timeout.to_s)
end
def ignored?
diff --git a/lib/gitlab/ci/jwt.rb b/lib/gitlab/ci/jwt.rb
index 4ba7b4cc6e1..3d63ec6dfb7 100644
--- a/lib/gitlab/ci/jwt.rb
+++ b/lib/gitlab/ci/jwt.rb
@@ -71,7 +71,8 @@ module Gitlab
fields.merge!(
environment: environment.name,
environment_protected: environment_protected?.to_s,
- deployment_tier: build.environment_tier
+ deployment_tier: build.environment_tier,
+ environment_action: build.environment_action
)
end
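Review bot: The new `environment_action` claim is inserted raw while the adjacent `environment_protected` claim is coerced with `.to_s`; if `build.environment_action` can be nil or a symbol (not visible here), token consumers will see `null` or a symbol serialised by the JWT library, which differs from the string-typed neighbour. Either document the claim's type and nullability where the claims are listed, or coerce it to match the others, e.g. `environment_action: build.environment_action.to_s` — but only if an empty string is acceptable when no action is set. The `fields.merge!` call belongs to a conditional and method that start before the hunk.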
diff --git a/lib/gitlab/config/entry/legacy_validation_helpers.rb b/lib/gitlab/config/entry/legacy_validation_helpers.rb
index ec67d65c526..1f70afbfb75 100644
--- a/lib/gitlab/config/entry/legacy_validation_helpers.rb
+++ b/lib/gitlab/config/entry/legacy_validation_helpers.rb
@@ -12,7 +12,7 @@ module Gitlab
if parser && parser.respond_to?(:validate_duration)
parser.validate_duration(value)
else
- ChronicDuration.parse(value, use_complete_matcher: true)
+ ChronicDuration.parse(value)
end
rescue ChronicDuration::DurationParseError
false
@@ -24,12 +24,7 @@ module Gitlab
if parser && parser.respond_to?(:validate_duration_limit)
parser.validate_duration_limit(value, limit)
else
- ChronicDuration.parse(
- value, use_complete_matcher: true
- ).second.from_now <
- ChronicDuration.parse(
- limit, use_complete_matcher: true
- ).second.from_now
+ ChronicDuration.parse(value).second.from_now < ChronicDuration.parse(limit).second.from_now
end
rescue ChronicDuration::DurationParseError
false
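Review bot: The collapsed comparison still compares `.second.from_now` on both sides, so it reads `Time.now` twice and allocates two Time objects when only the two durations matter; comparing the parsed seconds directly is equivalent and clock-independent: `ChronicDuration.parse(value) < ChronicDuration.parse(limit)`. That also removes the dependency on ActiveSupport's `Integer#second`, which this file does not visibly require. The method signature and the `parser` branch begin before the hunk.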
diff --git a/lib/gitlab/import_export/command_line_util.rb b/lib/gitlab/import_export/command_line_util.rb
index dfe0815f0a0..ea91b01afdb 100644
--- a/lib/gitlab/import_export/command_line_util.rb
+++ b/lib/gitlab/import_export/command_line_util.rb
@@ -141,7 +141,7 @@ module Gitlab
raise HardLinkError, 'File shares hard link' if Gitlab::Utils::FileInfo.shares_hard_link?(filepath)
- FileUtils.rm(filepath) if Gitlab::Utils::FileInfo.linked?(filepath)
+ FileUtils.rm(filepath) if Gitlab::Utils::FileInfo.linked?(filepath) || File.pipe?(filepath)
end
true
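Review bot: `File.pipe?` only matches FIFOs, so other non-regular entries that presumably come out of the extraction (sockets, device nodes) would still be left in place after the hard-link check on the line above; adding `File.socket?` in the same condition is the minimal extension: `FileUtils.rm(filepath) if Gitlab::Utils::FileInfo.linked?(filepath) || File.pipe?(filepath) || File.socket?(filepath)`. An allow-list (`|| !File.file?(filepath)`) would be tighter, but only if directories can never reach this line, since `File.file?` is false for them and `FileUtils.rm` would then fail on a directory. `File.file?` and `File.pipe?` follow symlinks, which is why they must stay after the `linked?` test. The method this runs in starts before the hunk.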
diff --git a/lib/gitlab/search/abuse_detection.rb b/lib/gitlab/search/abuse_detection.rb
index 1e4169f3fd7..1fd7c6cfe8d 100644
--- a/lib/gitlab/search/abuse_detection.rb
+++ b/lib/gitlab/search/abuse_detection.rb
@@ -6,6 +6,7 @@ module Gitlab
include ActiveModel::Validations
include AbuseValidators
+ MAX_PIPE_SYNTAX_FILTERS = 5
ABUSIVE_TERM_SIZE = 100
ALLOWED_CHARS_REGEX = %r{\A[[:alnum:]_\-\/\.!]+\z}
@@ -57,10 +58,18 @@ module Gitlab
validates :query_string, :repository_ref, :project_ref, no_abusive_coercion_from_string: true
- attr_reader(*READABLE_PARAMS)
+ validate :no_abusive_pipes, if: :detect_abusive_pipes
- def initialize(params)
- READABLE_PARAMS.each { |p| instance_variable_set("@#{p}", params[p]) }
+ attr_reader(*READABLE_PARAMS)
+ attr_reader :raw_params, :detect_abusive_pipes
+
+ def initialize(params, detect_abusive_pipes: true)
+ @raw_params = {}
+ READABLE_PARAMS.each do |p|
+ instance_variable_set("@#{p}", params[p])
+ @raw_params[p] = params[p]
+ end
+ @detect_abusive_pipes = detect_abusive_pipes
end
private
@@ -76,6 +85,23 @@ module Gitlab
def stop_word_search?
STOP_WORDS.include? query_string
end
+
+ def no_abusive_pipes
+ pipes = query_string.to_s.split('|')
+ errors.add(:query_string, 'too many pipe syntax filters') if pipes.length > MAX_PIPE_SYNTAX_FILTERS
+
+ pipes.each do |q|
+ self.class.new(raw_params.merge(query_string: q), detect_abusive_pipes: false).tap do |p|
+ p.validate
+
+ p.errors.messages_for(:query_string).each do |msg|
+ next if errors.added?(:query_string, msg)
+
+ errors.add(:query_string, msg)
+ end
+ end
+ end
+ end
end
end
end
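Review bot: `no_abusive_pipes` records the "too many pipe syntax filters" error but then still builds and validates one `AbuseDetection` instance per segment, so a query with hundreds of `|` characters runs the full validator set hundreds of times — exactly the unbounded work this class exists to cap. Add `return if pipes.length > MAX_PIPE_SYNTAX_FILTERS` directly after the `errors.add` line (or fold both into an `if ... return end`) so the per-segment pass only runs for queries within the limit. Note that `String#split('|')` drops trailing empty strings, so trailing pipes do not count towards `pipes.length`; if that matters for the limit, `split('|', -1)` keeps them. The sub-instances are created with `detect_abusive_pipes: false`, which correctly prevents recursion.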
diff --git a/lib/gitlab/search/params.rb b/lib/gitlab/search/params.rb
index 6eb24a92be6..a7896b7d80d 100644
--- a/lib/gitlab/search/params.rb
+++ b/lib/gitlab/search/params.rb
@@ -81,7 +81,7 @@ module Gitlab
end
def search_terms
- @search_terms ||= query_string.split.select { |word| word.length >= MIN_TERM_LENGTH }
+ @search_terms ||= query_string.split
end
def not_too_many_terms
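Review bot: Every whitespace-delimited token now counts as a search term, which presumably is what lets `not_too_many_terms` (starting below the hunk) apply its limit to short words as well; a one-line comment on the assignment, `# every token counts: short terms are intentionally not filtered out`, would stop the `MIN_TERM_LENGTH` filter being reintroduced as a cleanup. If `MIN_TERM_LENGTH` has no other user in this file it is now a dead constant, which cannot be confirmed from the hunk. `query_string.split` still raises on a nil query string, unchanged by this commit.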
diff --git a/lib/gitlab/time_tracking_formatter.rb b/lib/gitlab/time_tracking_formatter.rb
index 26efb3b918d..647d7860ba3 100644
--- a/lib/gitlab/time_tracking_formatter.rb
+++ b/lib/gitlab/time_tracking_formatter.rb
@@ -17,10 +17,8 @@ module Gitlab
begin
ChronicDuration.parse(
string,
- CUSTOM_DAY_AND_MONTH_LENGTH.merge(
- default_unit: 'hours', keep_zero: keep_zero,
- use_complete_matcher: true
- ))
+ CUSTOM_DAY_AND_MONTH_LENGTH.merge(default_unit: 'hours', keep_zero: keep_zero)
+ )
rescue StandardError
nil
end