Add latest changes from gitlab-org/security/gitlab@13-12-stable-ee

3 files changed, 55 insertions, 2 deletions

diff --git a/lib/api/todos.rb b/lib/api/todos.rb
index a001313a11f..e0e5ca615ac 100644
--- a/lib/api/todos.rb
+++ b/lib/api/todos.rb
@@ -92,6 +92,7 @@ module API
       end
       get do
         todos = paginate(find_todos.with_entity_associations)
+        todos = ::Todos::AllowedTargetFilterService.new(todos, current_user).execute
         options = { with: Entities::Todo, current_user: current_user }
         batch_load_issuable_metadata(todos, options)
 
diff --git a/lib/gitlab/ci/pipeline/chain/command.rb b/lib/gitlab/ci/pipeline/chain/command.rb
index c3c1728602c..7564d0c3ed5 100644
--- a/lib/gitlab/ci/pipeline/chain/command.rb
+++ b/lib/gitlab/ci/pipeline/chain/command.rb
@@ -26,13 +26,13 @@ module Gitlab
 
           def branch_exists?
             strong_memoize(:is_branch) do
-              project.repository.branch_exists?(ref)
+              branch_ref? && project.repository.branch_exists?(ref)
             end
           end
 
           def tag_exists?
             strong_memoize(:is_tag) do
-              project.repository.tag_exists?(ref)
+              tag_ref? && project.repository.tag_exists?(ref)
             end
           end
 
@@ -105,6 +105,32 @@ module Gitlab
           def dangling_build?
             %i[ondemand_dast_scan webide].include?(source)
           end
+
+          private
+
+          # Verifies that origin_ref is a fully qualified tag reference (refs/tags/<tag-name>)
+          #
+          # Fallbacks to `true` for backward compatibility reasons
+          # if origin_ref is a short ref
+          def tag_ref?
+            return true if full_git_ref_name_unavailable?
+
+            Gitlab::Git.tag_ref?(origin_ref).present?
+          end
+
+          # Verifies that origin_ref is a fully qualified branch reference (refs/heads/<branch-name>)
+          #
+          # Fallbacks to `true` for backward compatibility reasons
+          # if origin_ref is a short ref
+          def branch_ref?
+            return true if full_git_ref_name_unavailable?
+
+            Gitlab::Git.branch_ref?(origin_ref).present?
+          end
+
+          def full_git_ref_name_unavailable?
+            ref == origin_ref
+          end
         end
       end
     end
diff --git a/lib/gitlab/graphql/todos_project_permission_preloader/field_extension.rb b/lib/gitlab/graphql/todos_project_permission_preloader/field_extension.rb
new file mode 100644
index 00000000000..77f3b1ac71a
--- /dev/null
+++ b/lib/gitlab/graphql/todos_project_permission_preloader/field_extension.rb
@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module Graphql
+    module TodosProjectPermissionPreloader
+      class FieldExtension < ::GraphQL::Schema::FieldExtension
+        def after_resolve(value:, memo:, **rest)
+          todos = value.to_a
+
+          Preloaders::UserMaxAccessLevelInProjectsPreloader.new(
+            todos.map(&:project).compact,
+            current_user(rest)
+          ).execute
+
+          value
+        end
+
+        private
+
+        def current_user(options)
+          options.dig(:context, :current_user)
+        end
+      end
+    end
+  end
+end