Add latest changes from gitlab-org/security/gitlab@15-10-stable-ee

4 files changed, 30 insertions, 3 deletions

diff --git a/lib/api/repositories.rb b/lib/api/repositories.rb
index 70535496b12..6f8d34ea387 100644
--- a/lib/api/repositories.rb
+++ b/lib/api/repositories.rb
@@ -203,6 +203,10 @@ module API
           render_api_error!("Target project id:#{params[:from_project_id]} is not a fork of project id:#{params[:id]}", 400)
         end
 
+        unless can?(current_user, :read_code, target_project)
+          forbidden!("You don't have access to this fork's parent project")
+        end
+
         cache_key = compare_cache_key(current_user, user_project, target_project, declared_params)
 
         cache_action(cache_key, expires_in: 1.minute) do
diff --git a/lib/extracts_ref.rb b/lib/extracts_ref.rb
index dba1aad639c..49c9772f760 100644
--- a/lib/extracts_ref.rb
+++ b/lib/extracts_ref.rb
@@ -5,7 +5,8 @@
 # Can be extended for different types of repository object, e.g. Project or Snippet
 module ExtractsRef
   InvalidPathError = Class.new(StandardError)
-
+  BRANCH_REF_TYPE = 'heads'
+  TAG_REF_TYPE = 'tags'
   # Given a string containing both a Git tree-ish, such as a branch or tag, and
   # a filesystem path joined by forward slashes, attempts to separate the two.
   #
@@ -91,7 +92,7 @@ module ExtractsRef
   def ref_type
     return unless params[:ref_type].present?
 
-    params[:ref_type] == 'tags' ? 'tags' : 'heads'
+    params[:ref_type] == TAG_REF_TYPE ? TAG_REF_TYPE : BRANCH_REF_TYPE
   end
 
   private
@@ -154,4 +155,13 @@ module ExtractsRef
   def repository_container
     raise NotImplementedError
   end
+
+  def ambiguous_ref?(project, ref)
+    return true if project.repository.ambiguous_ref?(ref)
+
+    return false unless ref&.starts_with?('refs/')
+
+    unprefixed_ref = ref.sub(%r{^refs/(heads|tags)/}, '')
+    project.repository.commit(unprefixed_ref).present?
+  end
 end
diff --git a/lib/gitlab/unicode.rb b/lib/gitlab/unicode.rb
index b49c5647dab..f291ea1b4ee 100644
--- a/lib/gitlab/unicode.rb
+++ b/lib/gitlab/unicode.rb
@@ -9,6 +9,12 @@ module Gitlab
     # https://idiosyncratic-ruby.com/41-proper-unicoding.html
     BIDI_REGEXP = /\p{Bidi Control}/.freeze
 
+    # Regular expression for identifying space characters
+    #
+    # In web browsers space characters can be confused with simple
+    # spaces which may be misleading
+    SPACE_REGEXP = /\p{Space_Separator}/.freeze
+
     class << self
       # Warning message used to highlight bidi characters in the GUI
       def bidi_warning
diff --git a/lib/rouge/formatters/html_gitlab.rb b/lib/rouge/formatters/html_gitlab.rb
index 436739bed12..a7e95a96b8b 100644
--- a/lib/rouge/formatters/html_gitlab.rb
+++ b/lib/rouge/formatters/html_gitlab.rb
@@ -25,7 +25,10 @@ module Rouge
           yield %(<span id="LC#{@line_number}" class="line" lang="#{@tag}">)
 
           line.each do |token, value|
-            yield highlight_unicode_control_characters(span(token, value.chomp! || value))
+            value = value.chomp! || value
+            value = replace_space_characters(value)
+
+            yield highlight_unicode_control_characters(span(token, value))
           end
 
           yield ellipsis if @ellipsis_indexes.include?(@line_number - 1) && @ellipsis_svg.present?
@@ -42,6 +45,10 @@ module Rouge
         %(<span class="gl-px-2 gl-rounded-base gl-mx-2 gl-bg-gray-100 gl-cursor-help has-tooltip" title="Content has been trimmed">#{@ellipsis_svg}</span>)
       end
 
+      def replace_space_characters(text)
+        text.gsub(Gitlab::Unicode::SPACE_REGEXP, ' ')
+      end
+
       def highlight_unicode_control_characters(text)
         text.gsub(Gitlab::Unicode::BIDI_REGEXP) do |char|
           %(<span class="unicode-bidi has-tooltip" data-toggle="tooltip" title="#{Gitlab::Unicode.bidi_warning}">#{char}</span>)