Add latest changes from gitlab-org/security/gitlab@16-2-stable-ee

4 files changed, 19 insertions, 5 deletions

diff --git a/lib/api/ml/mlflow/api_helpers.rb b/lib/api/ml/mlflow/api_helpers.rb
index 7f4a895235c..cfe4cc6b5ae 100644
--- a/lib/api/ml/mlflow/api_helpers.rb
+++ b/lib/api/ml/mlflow/api_helpers.rb
@@ -4,6 +4,14 @@ module API
   module Ml
     module Mlflow
       module ApiHelpers
+        def check_api_read!
+          not_found! unless can?(current_user, :read_model_experiments, user_project)
+        end
+
+        def check_api_write!
+          unauthorized! unless can?(current_user, :write_model_experiments, user_project)
+        end
+
         def resource_not_found!
           render_structured_api_error!({ error_code: 'RESOURCE_DOES_NOT_EXIST' }, 404)
         end
diff --git a/lib/api/ml/mlflow/entrypoint.rb b/lib/api/ml/mlflow/entrypoint.rb
index 048234eccd1..d8474946a75 100644
--- a/lib/api/ml/mlflow/entrypoint.rb
+++ b/lib/api/ml/mlflow/entrypoint.rb
@@ -26,7 +26,8 @@ module API
 
           authenticate!
 
-          not_found! unless can?(current_user, :read_model_experiments, user_project)
+          check_api_read!
+          check_api_write! unless request.get? || request.head?
         end
 
         rescue_from ActiveRecord::ActiveRecordError do |e|
diff --git a/lib/api/projects.rb b/lib/api/projects.rb
index 468f284f136..7198917a097 100644
--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
@@ -689,6 +689,7 @@ module API
       desc 'Mark this project as forked from another' do
         success code: 201, model: Entities::Project
         failure [
+          { code: 401, message: 'Unauthorized' },
           { code: 403, message: 'Unauthenticated' },
           { code: 404, message: 'Not found' }
         ]
@@ -706,7 +707,11 @@ module API
 
         authorize! :fork_project, fork_from_project
 
-        result = ::Projects::ForkService.new(fork_from_project, current_user).execute(user_project)
+        service = ::Projects::ForkService.new(fork_from_project, current_user)
+
+        unauthorized!('Target Namespace') unless service.valid_fork_target?(user_project.namespace)
+
+        result = service.execute(user_project)
 
         if result
           present_project user_project.reset, with: Entities::Project, current_user: current_user
diff --git a/lib/gitlab/pagination/gitaly_keyset_pager.rb b/lib/gitlab/pagination/gitaly_keyset_pager.rb
index 6235874132f..82d6fc64d89 100644
--- a/lib/gitlab/pagination/gitaly_keyset_pager.rb
+++ b/lib/gitlab/pagination/gitaly_keyset_pager.rb
@@ -15,7 +15,7 @@ module Gitlab
       # It is expected that the given finder will respond to `execute` method with `gitaly_pagination:` option
       # and supports pagination via gitaly.
       def paginate(finder)
-        return finder.execute(gitaly_pagination: false) if no_pagination?
+        return finder.execute(gitaly_pagination: false) if no_pagination?(finder)
 
         return paginate_via_gitaly(finder) if keyset_pagination_enabled?(finder)
         return paginate_first_page_via_gitaly(finder) if paginate_first_page?(finder)
@@ -28,8 +28,8 @@ module Gitlab
 
       private
 
-      def no_pagination?
-        params[:pagination] == 'none'
+      def no_pagination?(finder)
+        params[:pagination] == 'none' && finder.is_a?(::Repositories::TreeFinder)
       end
 
       def keyset_pagination_enabled?(finder)