authorGitLab Bot <gitlab-bot@gitlab.com>2023-08-30 22:38:23 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-08-30 22:38:23 +0300
commitf6211f5842821e9fa6acc6881d0ec2c4e9d0ca92 (patch)
treed029b03d6f079cf6e6e5bdd25fb4efcd22bafa00 /lib
parent3dbdaea3d971a2f5b59778c7d1e10d6c25874b89 (diff)
Add latest changes from gitlab-org/security/gitlab@16-1-stable-ee
Diffstat (limited to 'lib')
-rw-r--r--lib/api/projects.rb7
-rw-r--r--lib/api/validations/validators/bulk_imports.rb8
-rw-r--r--lib/gitlab/pagination/gitaly_keyset_pager.rb6
-rw-r--r--lib/gitlab/regex.rb22
4 files changed, 14 insertions, 29 deletions
diff --git a/lib/api/projects.rb b/lib/api/projects.rb
index 7ec9f72e0b2..de199195c2e 100644
--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
@@ -668,6 +668,7 @@ module API
desc 'Mark this project as forked from another' do
success code: 201, model: Entities::Project
failure [
+ { code: 401, message: 'Unauthorized' },
{ code: 403, message: 'Unauthenticated' },
{ code: 404, message: 'Not found' }
]
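Review bot: The new 401 entry now sits directly above `{ code: 403, message: 'Unauthenticated' }`, and the two read inconsistently: 401 is the unauthenticated case, while 403 means the caller is known but not allowed. The existing 403 line should read `{ code: 403, message: 'Forbidden' }` so the documented failure list matches what `unauthorized!` and `forbidden!` actually emit. This is documentation only; the `desc` block continues outside the hunk.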
@@ -685,7 +686,11 @@ module API
authorize! :fork_project, fork_from_project
- result = ::Projects::ForkService.new(fork_from_project, current_user).execute(user_project)
+ service = ::Projects::ForkService.new(fork_from_project, current_user)
+
+ unauthorized!('Target Namespace') unless service.valid_fork_target?(user_project.namespace)
+
+ result = service.execute(user_project)
if result
present_project user_project.reset, with: Entities::Project, current_user: current_user
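Review bot: The `valid_fork_target?` guard is applied only in this endpoint, so any other caller of `::Projects::ForkService#execute` (the service is not visible here) skips it unless `execute` enforces the same check itself; if it does not, the check belongs inside the service as well, with the endpoint guard kept for the clearer error. The guard also responds with `unauthorized!` (401), which the `desc` block above documents as the unauthenticated case, whereas a known user targeting a namespace they may not fork into is closer to `forbidden!('Target Namespace')` (403) — worth confirming 401 is deliberate. A why-comment above the new line would help the next reader: `# Refuse to fork into a namespace the current user cannot use as a fork target, before any work is done.` The enclosing `post` block continues outside the hunk.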
diff --git a/lib/api/validations/validators/bulk_imports.rb b/lib/api/validations/validators/bulk_imports.rb
index f8ad5ed6d14..67dc084cc12 100644
--- a/lib/api/validations/validators/bulk_imports.rb
+++ b/lib/api/validations/validators/bulk_imports.rb
@@ -32,8 +32,7 @@ module API
class DestinationNamespacePath < Grape::Validations::Validators::Base
def validate_param!(attr_name, params)
return if params[attr_name].blank?
-
- return if params[attr_name] =~ Gitlab::Regex.bulk_import_destination_namespace_path_regex
+ return if NamespacePathValidator.valid_path?(params[attr_name])
raise Grape::Exceptions::Validation.new(
params: [@scope.full_name(attr_name)],
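Review bot: `NamespacePathValidator.valid_path?` replaces the regex here, but the `Grape::Exceptions::Validation` raised on the following lines still appears to take its message from the `Gitlab::Regex` `_message` helpers, which survive in lib/gitlab/regex.rb while the regexes they described are deleted; the user-facing text may now state rules the validator no longer applies, so confirm it against what `valid_path?` accepts and move the message next to the validator. The old `=~` returned nil for a non-String value (e.g. an array-valued param), which then fell through to the raise; what `valid_path?` does with a non-String is not visible here, so confirm it still fails closed rather than raising a `NoMethodError` that surfaces as a 500. The same applies to the `SourceFullPath` hunk below. `validate_param!` continues outside the hunk.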
@@ -44,7 +43,10 @@ module API
class SourceFullPath < Grape::Validations::Validators::Base
def validate_param!(attr_name, params)
- return if params[attr_name] =~ Gitlab::Regex.bulk_import_source_full_path_regex
+ full_path = params[attr_name]
+
+ return if params['source_type'] == 'group_entity' && NamespacePathValidator.valid_path?(full_path)
+ return if params['source_type'] == 'project_entity' && ProjectPathValidator.valid_path?(full_path)
raise Grape::Exceptions::Validation.new(
params: [@scope.full_name(attr_name)],
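Review bot: The validator now depends on the sibling `source_type` parameter but nothing records that; a short comment above the two `return if` lines would save the next reader a trip to the callers: `# Which path rules apply depends on source_type; any other or missing source_type falls through and fails validation.` Note the mixed key styles: `params[attr_name]` uses whatever type `attr_name` carries while `params['source_type']` is a String key, which only works if `params` is an indifferent-access hash — presumably it is in Grape, but a plain Hash would make both branches miss and reject every value, so confirm. The pair of guards could also be written as `case params['source_type']` with `when 'group_entity'` / `when 'project_entity'`, which makes the fail-closed default visible. The raise continues outside the hunk.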
diff --git a/lib/gitlab/pagination/gitaly_keyset_pager.rb b/lib/gitlab/pagination/gitaly_keyset_pager.rb
index 6235874132f..82d6fc64d89 100644
--- a/lib/gitlab/pagination/gitaly_keyset_pager.rb
+++ b/lib/gitlab/pagination/gitaly_keyset_pager.rb
@@ -15,7 +15,7 @@ module Gitlab
# It is expected that the given finder will respond to `execute` method with `gitaly_pagination:` option
# and supports pagination via gitaly.
def paginate(finder)
- return finder.execute(gitaly_pagination: false) if no_pagination?
+ return finder.execute(gitaly_pagination: false) if no_pagination?(finder)
return paginate_via_gitaly(finder) if keyset_pagination_enabled?(finder)
return paginate_first_page_via_gitaly(finder) if paginate_first_page?(finder)
@@ -28,8 +28,8 @@ module Gitlab
private
- def no_pagination?
- params[:pagination] == 'none'
+ def no_pagination?(finder)
+ params[:pagination] == 'none' && finder.is_a?(::Repositories::TreeFinder)
end
def keyset_pagination_enabled?(finder)
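Review bot: The added `finder.is_a?(::Repositories::TreeFinder)` turns `pagination=none` into an allowlist of exactly one finder, but the method carries no comment saying why, and a class check like this is easy to loosen again by accident; add a why-comment such as `# pagination=none is only honoured for tree listings; every other finder stays paginated regardless of the param` (the intent is inferred from the change, the callers are not in the hunk, so confirm the wording). The call-site change in `paginate` above is the matching half of this hunk. If further finders legitimately need the unpaginated path later, an explicit frozen constant of allowed classes checked with `any? { |klass| finder.is_a?(klass) }` would keep the gate reviewable rather than growing a chain of `||`.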
diff --git a/lib/gitlab/regex.rb b/lib/gitlab/regex.rb
index 26ca9d2547c..a75ad77f94f 100644
--- a/lib/gitlab/regex.rb
+++ b/lib/gitlab/regex.rb
@@ -259,28 +259,6 @@ module Gitlab
end
module BulkImports
- def bulk_import_destination_namespace_path_regex
- # This regexp validates the string conforms to rules for a destination_namespace path:
- # i.e does not start with a non-alphanumeric character,
- # contains only alphanumeric characters, forward slashes, periods, and underscores,
- # does not end with a period or forward slash, and has a relative path structure
- # with no http protocol chars or leading or trailing forward slashes
- # eg 'source/full/path' or 'destination_namespace' not 'https://example.com/destination/namespace/path'
- # the regex also allows for an empty string ('') to be accepted as this is allowed in
- # a bulk_import POST request
- @bulk_import_destination_namespace_path_regex ||= %r/((\A\z)|(\A[0-9a-z]*(-_.)?[0-9a-z])(\/?[0-9a-z]*[-_.]?[0-9a-z])+\z)/i
- end
-
- def bulk_import_source_full_path_regex
- # This regexp validates the string conforms to rules for a source_full_path path:
- # i.e does not start with a non-alphanumeric character except for periods or underscores,
- # contains only alphanumeric characters, forward slashes, periods, and underscores,
- # does not end with a period or forward slash, and has a relative path structure
- # with no http protocol chars or leading or trailing forward slashes
- # eg 'source/full/path' or 'destination_namespace' not 'https://example.com/source/full/path'
- @bulk_import_source_full_path_regex ||= %r/\A([.]?)[^\W](\/?([-_.+]*)*[0-9a-z][-_]*)+\z/i
- end
-
def bulk_import_source_full_path_regex_message
bulk_import_destination_namespace_path_regex_message
end