authorGitLab Bot <gitlab-bot@gitlab.com>2023-09-28 01:26:40 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-09-28 01:26:58 +0300
commit5b91f2a1e51c291fb84ea60766791684fa982f22 (patch)
tree5eea88eb04d1ddd52210bfd08167e6a8d7206362 /lib
parentf0f3848e7a0b458c35a1adf3cb1cca29a205a60e (diff)
Add latest changes from gitlab-org/security/gitlab@16-4-stable-ee
Diffstat (limited to 'lib')
-rw-r--r--lib/api/commits.rb2
-rw-r--r--lib/api/projects.rb2
-rw-r--r--lib/banzai/filter/asset_proxy_filter.rb8
3 files changed, 6 insertions, 6 deletions
diff --git a/lib/api/commits.rb b/lib/api/commits.rb
index 069d117db17..c0222539c98 100644
--- a/lib/api/commits.rb
+++ b/lib/api/commits.rb
@@ -219,7 +219,7 @@ module API
if params[:start_project]
start_project = find_project!(params[:start_project])
- unless user_project.forked_from?(start_project)
+ unless can?(current_user, :read_code, start_project) && user_project.forked_from?(start_project)
forbidden!("Project is not included in the fork network for #{start_project.full_name}")
end
end
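Review bot: The `can?(current_user, :read_code, start_project)` term added to the `unless` condition makes the fork-network message on the next line cover a permission failure too, so a caller who lacks `:read_code` on a project that is in the fork network is told the project is not in it. If that is deliberate so the response does not reveal repository readability, record it beside the condition: `# Same message for both failures so the response does not reveal whether start_project's code is readable`. `find_project!` on the line above presumably already rejects projects the user cannot see at all, so the added check appears to be for the finer repository-level permission; that is inferred from the ability name, not shown in the hunk. The enclosing method continues outside the hunk.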
diff --git a/lib/api/projects.rb b/lib/api/projects.rb
index 6d13512aad6..ac28effea43 100644
--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
@@ -701,7 +701,7 @@ module API
requires :forked_from_id, type: String, desc: 'The ID of the project it was forked from', documentation: { example: 'gitlab' }
end
post ":id/fork/:forked_from_id", feature_category: :source_code_management do
- authorize! :admin_project, user_project
+ authorize! :link_forked_project, user_project
fork_from_project = find_project!(params[:forked_from_id])
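Review bot: The endpoint body is cut off after `fork_from_project = find_project!(...)`, so any authorization on the source project is outside the hunk; only the target-side check is visible, moving from `:admin_project` to `:link_forked_project`. Nothing in the hunk defines `:link_forked_project`, so it presumably lives in the project policy; if it is newly introduced, a policy spec pinning who holds it is what to confirm, since `authorize!` on an undeclared ability would deny everyone. A one-line comment above the call, `# Linking a fork needs only the narrower :link_forked_project ability on the target`, would make the narrowing intentional to the next reader.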
diff --git a/lib/banzai/filter/asset_proxy_filter.rb b/lib/banzai/filter/asset_proxy_filter.rb
index 00ffdd3d809..512c55381ec 100644
--- a/lib/banzai/filter/asset_proxy_filter.rb
+++ b/lib/banzai/filter/asset_proxy_filter.rb
@@ -22,13 +22,13 @@ module Banzai
begin
uri = URI.parse(original_src)
+
+ next if uri.host.nil? && !original_src.start_with?('///')
+ next if asset_host_allowed?(uri.host)
rescue StandardError
- next
+ # Ignored
end
- next if uri.host.nil? && !original_src.start_with?('///')
- next if asset_host_allowed?(uri.host)
-
element['src'] = asset_proxy_url(original_src)
element['data-canonical-src'] = original_src
end
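Review bot: The `# Ignored` comment on the `rescue StandardError` branch does not say why a parse failure now falls through instead of `next`, which is the substantive change in this hunk: an `original_src` that `URI.parse` rejects is now passed to `asset_proxy_url` rather than left untouched. That is the conservative default, since a malformed URL is no longer exempt from the proxy, and the comment should record it, e.g. `# Unparseable src: fall through and proxy it rather than leave it unproxied`. The same rescue also covers `asset_host_allowed?`, so an error there likewise ends in proxying rather than skipping. The block enclosing this begin/rescue starts before the hunk.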