
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2023-10-30 15:58:09 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-10-30 15:58:09 +0300
commit2e3dadb11d5038aa77313666740db4c25408154d (patch)
treea8faf3c291ccbcc280462141a7e8ea3c98bc54b9 /lib
parent9a3cabd337d7eb6620071e72f3d7a04905e595a5 (diff)
Add latest changes from gitlab-org/security/gitlab@16-4-stable-ee
Diffstat (limited to 'lib')
-rw-r--r--lib/gitlab/ci/build/duration_parser.rb2
-rw-r--r--lib/gitlab/ci/components/instance_path.rb9
-rw-r--r--lib/gitlab/ci/config/entry/job.rb2
-rw-r--r--lib/gitlab/ci/jwt.rb3
-rw-r--r--lib/gitlab/config/entry/legacy_validation_helpers.rb9
-rw-r--r--lib/gitlab/import_export/command_line_util.rb2
-rw-r--r--lib/gitlab/search/abuse_detection.rb32
-rw-r--r--lib/gitlab/search/params.rb2
-rw-r--r--lib/gitlab/time_tracking_formatter.rb6
9 files changed, 20 insertions, 47 deletions
diff --git a/lib/gitlab/ci/build/duration_parser.rb b/lib/gitlab/ci/build/duration_parser.rb
index 9385dccd5f3..97049a4f876 100644
--- a/lib/gitlab/ci/build/duration_parser.rb
+++ b/lib/gitlab/ci/build/duration_parser.rb
@@ -41,7 +41,7 @@ module Gitlab
def parse
return if never?
- ChronicDuration.parse(value)
+ ChronicDuration.parse(value, use_complete_matcher: true)
end
def validation_cache
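Review bot: `use_complete_matcher: true` is added by hand at this call and again in `job.rb` (`parsed_timeout`), both branches of `legacy_validation_helpers.rb` and `time_tracking_formatter.rb`, so a future `ChronicDuration.parse` call can omit it without anyone noticing. Routing all duration parsing through one small wrapper that always sets the option would give a single place to enforce it. None of the call sites says why the option is needed; a one-line comment such as `# use_complete_matcher: reject input that does not match as a whole duration` (wording to be confirmed against the gem's documentation) would record the intent. The body of `parse` begins inside the hunk but the class continues outside it.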
diff --git a/lib/gitlab/ci/components/instance_path.rb b/lib/gitlab/ci/components/instance_path.rb
index 648a4e06475..17c784c4d54 100644
--- a/lib/gitlab/ci/components/instance_path.rb
+++ b/lib/gitlab/ci/components/instance_path.rb
@@ -5,7 +5,6 @@ module Gitlab
module Components
class InstancePath
include Gitlab::Utils::StrongMemoize
- include ::Gitlab::LoopHelpers
LATEST_VERSION_KEYWORD = '~latest'
TEMPLATES_DIR = 'templates'
@@ -61,15 +60,9 @@ module Gitlab
# Given a path like "my-org/sub-group/the-project/path/to/component"
# find the project "my-org/sub-group/the-project" by looking at all possible paths.
def find_project_by_component_path(path)
- return if path.start_with?('/') # exit early if path starts with `/` or it will loop forever.
-
possible_paths = [path]
- index = nil
-
- loop_until(limit: 20) do
- index = path.rindex('/') # find index of last `/` in a path
- break unless index
+ while index = path.rindex('/') # find index of last `/` in a path
possible_paths << (path = path[0..index - 1])
end
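Review bot: The new `while index = path.rindex('/')` loop does not terminate when `path` begins with `/`: `rindex` returns 0, `path[0..index - 1]` becomes `path[0..-1]`, which is the whole string, so `path` never shrinks and `possible_paths` grows without bound. The removed guard and the removed `loop_until(limit: 20)` were the only protections visible here, and the component path presumably comes from user-written CI configuration. Restore `return if path.start_with?('/')` ahead of the loop, or slice with `path[0...index]` so an index of 0 yields an empty string and ends the loop; keeping an iteration cap would also bound the number of candidate paths that get looked up. The rest of the method is outside the hunk.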
diff --git a/lib/gitlab/ci/config/entry/job.rb b/lib/gitlab/ci/config/entry/job.rb
index bf8a99ef45e..c40d665f320 100644
--- a/lib/gitlab/ci/config/entry/job.rb
+++ b/lib/gitlab/ci/config/entry/job.rb
@@ -177,7 +177,7 @@ module Gitlab
def parsed_timeout
return unless has_timeout?
- ChronicDuration.parse(timeout.to_s)
+ ChronicDuration.parse(timeout.to_s, use_complete_matcher: true)
end
def ignored?
diff --git a/lib/gitlab/ci/jwt.rb b/lib/gitlab/ci/jwt.rb
index 3d63ec6dfb7..4ba7b4cc6e1 100644
--- a/lib/gitlab/ci/jwt.rb
+++ b/lib/gitlab/ci/jwt.rb
@@ -71,8 +71,7 @@ module Gitlab
fields.merge!(
environment: environment.name,
environment_protected: environment_protected?.to_s,
- deployment_tier: build.environment_tier,
- environment_action: build.environment_action
+ deployment_tier: build.environment_tier
)
end
diff --git a/lib/gitlab/config/entry/legacy_validation_helpers.rb b/lib/gitlab/config/entry/legacy_validation_helpers.rb
index 1f70afbfb75..ec67d65c526 100644
--- a/lib/gitlab/config/entry/legacy_validation_helpers.rb
+++ b/lib/gitlab/config/entry/legacy_validation_helpers.rb
@@ -12,7 +12,7 @@ module Gitlab
if parser && parser.respond_to?(:validate_duration)
parser.validate_duration(value)
else
- ChronicDuration.parse(value)
+ ChronicDuration.parse(value, use_complete_matcher: true)
end
rescue ChronicDuration::DurationParseError
false
@@ -24,7 +24,12 @@ module Gitlab
if parser && parser.respond_to?(:validate_duration_limit)
parser.validate_duration_limit(value, limit)
else
- ChronicDuration.parse(value).second.from_now < ChronicDuration.parse(limit).second.from_now
+ ChronicDuration.parse(
+ value, use_complete_matcher: true
+ ).second.from_now <
+ ChronicDuration.parse(
+ limit, use_complete_matcher: true
+ ).second.from_now
end
rescue ChronicDuration::DurationParseError
false
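Review bot: In the `else` branch the two durations are compared through two separate `from_now` timestamps, so for equal durations the result depends on the time that elapses between the two calls, and the six-line expression is hard to read. Comparing the parsed seconds directly is simpler: `value_seconds = ChronicDuration.parse(value, use_complete_matcher: true)`, the same for `limit_seconds`, then `value_seconds < limit_seconds` (or `<=` if equality should pass). If `parse` returns nil for a zero or empty duration, which I believe it does without `keep_zero`, the resulting NoMethodError is not covered by `rescue ChronicDuration::DurationParseError`; that is worth confirming. The method's `def` line is outside the hunk.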
diff --git a/lib/gitlab/import_export/command_line_util.rb b/lib/gitlab/import_export/command_line_util.rb
index ea91b01afdb..dfe0815f0a0 100644
--- a/lib/gitlab/import_export/command_line_util.rb
+++ b/lib/gitlab/import_export/command_line_util.rb
@@ -141,7 +141,7 @@ module Gitlab
raise HardLinkError, 'File shares hard link' if Gitlab::Utils::FileInfo.shares_hard_link?(filepath)
- FileUtils.rm(filepath) if Gitlab::Utils::FileInfo.linked?(filepath) || File.pipe?(filepath)
+ FileUtils.rm(filepath) if Gitlab::Utils::FileInfo.linked?(filepath)
end
true
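Review bot: With `|| File.pipe?(filepath)` dropped, this line removes only linked files, so a named pipe found in the tree being cleaned is left in place. A later reader that opens such a path can block indefinitely, and the files handled here are presumably extracted from an uploaded import archive. Unless FIFOs are rejected elsewhere (not visible in this hunk), keep the check: `FileUtils.rm(filepath) if Gitlab::Utils::FileInfo.linked?(filepath) || File.pipe?(filepath)`. The enclosing method starts and ends outside the hunk.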
diff --git a/lib/gitlab/search/abuse_detection.rb b/lib/gitlab/search/abuse_detection.rb
index 1fd7c6cfe8d..1e4169f3fd7 100644
--- a/lib/gitlab/search/abuse_detection.rb
+++ b/lib/gitlab/search/abuse_detection.rb
@@ -6,7 +6,6 @@ module Gitlab
include ActiveModel::Validations
include AbuseValidators
- MAX_PIPE_SYNTAX_FILTERS = 5
ABUSIVE_TERM_SIZE = 100
ALLOWED_CHARS_REGEX = %r{\A[[:alnum:]_\-\/\.!]+\z}
@@ -58,18 +57,10 @@ module Gitlab
validates :query_string, :repository_ref, :project_ref, no_abusive_coercion_from_string: true
- validate :no_abusive_pipes, if: :detect_abusive_pipes
-
attr_reader(*READABLE_PARAMS)
- attr_reader :raw_params, :detect_abusive_pipes
-
- def initialize(params, detect_abusive_pipes: true)
- @raw_params = {}
- READABLE_PARAMS.each do |p|
- instance_variable_set("@#{p}", params[p])
- @raw_params[p] = params[p]
- end
- @detect_abusive_pipes = detect_abusive_pipes
+
+ def initialize(params)
+ READABLE_PARAMS.each { |p| instance_variable_set("@#{p}", params[p]) }
end
private
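Review bot: `initialize(params)` no longer accepts `detect_abusive_pipes:` and the `raw_params` reader is gone, so any caller that still passes the keyword or reads `raw_params` will raise at runtime; the diff shown is limited to `lib`, so callers and specs elsewhere cannot be checked from here. With `no_abusive_pipes` removed, a `|`-separated `query_string` is also validated only as a whole rather than per segment, which should be a deliberate choice. A short comment on the constructor would help, for example `# Copies only READABLE_PARAMS from params; other keys are ignored.`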
@@ -85,23 +76,6 @@ module Gitlab
def stop_word_search?
STOP_WORDS.include? query_string
end
-
- def no_abusive_pipes
- pipes = query_string.to_s.split('|')
- errors.add(:query_string, 'too many pipe syntax filters') if pipes.length > MAX_PIPE_SYNTAX_FILTERS
-
- pipes.each do |q|
- self.class.new(raw_params.merge(query_string: q), detect_abusive_pipes: false).tap do |p|
- p.validate
-
- p.errors.messages_for(:query_string).each do |msg|
- next if errors.added?(:query_string, msg)
-
- errors.add(:query_string, msg)
- end
- end
- end
- end
end
end
end
diff --git a/lib/gitlab/search/params.rb b/lib/gitlab/search/params.rb
index a7896b7d80d..6eb24a92be6 100644
--- a/lib/gitlab/search/params.rb
+++ b/lib/gitlab/search/params.rb
@@ -81,7 +81,7 @@ module Gitlab
end
def search_terms
- @search_terms ||= query_string.split
+ @search_terms ||= query_string.split.select { |word| word.length >= MIN_TERM_LENGTH }
end
def not_too_many_terms
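Review bot: `search_terms` now drops words shorter than `MIN_TERM_LENGTH` before memoizing, so anything that counts `search_terms` (presumably `not_too_many_terms`, whose body is outside the hunk) no longer sees short words, and a query made mostly of short words would not count toward the term limit. If that limit is meant to bound the work done per query, count the unfiltered `query_string.split` there and use the filtered list only for the term-size checks. `query_string.split` also raises when `query_string` is nil, unless that is normalized elsewhere. A comment such as `# Words shorter than MIN_TERM_LENGTH are ignored by term validation` would record the intent.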
diff --git a/lib/gitlab/time_tracking_formatter.rb b/lib/gitlab/time_tracking_formatter.rb
index 647d7860ba3..26efb3b918d 100644
--- a/lib/gitlab/time_tracking_formatter.rb
+++ b/lib/gitlab/time_tracking_formatter.rb
@@ -17,8 +17,10 @@ module Gitlab
begin
ChronicDuration.parse(
string,
- CUSTOM_DAY_AND_MONTH_LENGTH.merge(default_unit: 'hours', keep_zero: keep_zero)
- )
+ CUSTOM_DAY_AND_MONTH_LENGTH.merge(
+ default_unit: 'hours', keep_zero: keep_zero,
+ use_complete_matcher: true
+ ))
rescue StandardError
nil
end