authorGitLab Bot <gitlab-bot@gitlab.com>2021-06-07 17:47:00 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2021-06-07 17:47:00 +0300
commit08086ff522742c28a6b10e9b2ed71f0af6633e5b (patch)
tree5a4fde8b23140cb4edf04b24854b53f87085dd42 /lib
parent8f3fbbf0d56091ad87158f61bf2a4e96a7f937e3 (diff)
Add latest changes from gitlab-org/gitlab@13-12-stable-ee
Diffstat (limited to 'lib')
-rw-r--r--lib/api/entities/release.rb7
-rw-r--r--lib/api/releases.rb9
-rw-r--r--lib/gitlab/content_security_policy/config_loader.rb12
3 files changed, 16 insertions, 12 deletions
diff --git a/lib/api/entities/release.rb b/lib/api/entities/release.rb
index 94124352298..056b54674f1 100644
--- a/lib/api/entities/release.rb
+++ b/lib/api/entities/release.rb
@@ -8,7 +8,7 @@ module API
expose :name
expose :tag, as: :tag_name, if: ->(_, _) { can_download_code? }
expose :description
- expose :description_html, unless: ->(_, _) { remove_description_html? } do |entity|
+ expose :description_html, if: -> (_, options) { options[:include_html_description] } do |entity|
MarkupHelper.markdown_field(entity, :description, current_user: options[:current_user])
end
expose :created_at
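Review bot: The guard on the new `description_html` line is written `-> (_, options)` with a space after the arrow, while the `tag` exposure two lines up uses `->(_, _)`; keeping one form leaves the lambdas in this entity uniform: `expose :description_html, if: ->(_, options) { options[:include_html_description] } do |entity|`. Since the option is only checked for truthiness, any presenter that does not pass `include_html_description` silently drops the field, which reads as the intended opt-in now that the feature-flag helper is gone, but a one-line comment stating that the rendered Markdown is opt-in would stop a later reader from treating the missing field as a bug.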
@@ -45,11 +45,6 @@ module API
def can_read_milestone?
Ability.allowed?(options[:current_user], :read_milestone, object.project)
end
-
- def remove_description_html?
- ::Feature.enabled?(:remove_description_html_in_release_api, object.project, default_enabled: :yaml) &&
- ::Feature.disabled?(:remove_description_html_in_release_api_override, object.project)
- end
end
end
end
diff --git a/lib/api/releases.rb b/lib/api/releases.rb
index c65a23e334f..7cd8b442706 100644
--- a/lib/api/releases.rb
+++ b/lib/api/releases.rb
@@ -29,6 +29,8 @@ module API
desc: 'Return releases ordered by `released_at` or `created_at`.'
optional :sort, type: String, values: %w[asc desc], default: 'desc',
desc: 'Return releases sorted in `asc` or `desc` order.'
+ optional :include_html_description, type: Boolean,
+ desc: 'If `true`, a response includes HTML rendered markdown of the release description.'
end
get ':id/releases' do
releases = ::ReleasesFinder.new(user_project, current_user, declared_params.slice(:order_by, :sort)).execute
@@ -43,7 +45,8 @@ module API
# context is unnecessary here.
cache_context: -> (_) { "user:{#{current_user&.id}}" },
expires_in: 5.minutes,
- current_user: current_user
+ current_user: current_user,
+ include_html_description: params[:include_html_description]
end
desc 'Get a single project release' do
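Review bot: The new `include_html_description` option is handed to the presenter but not to the cache key: `cache_context` on the line above still keys on the user id alone, so if `present_cached` builds its key from the object and that context only (as the helper's name suggests — confirm in the caching helper), the first of two requests inside the 5-minute window decides whether every later response for that user carries `description_html`, whatever the parameter says. Folding the flag into the context fixes that: `cache_context: -> (_) { "user:{#{current_user&.id}}:html:#{params[:include_html_description] ? 1 : 0}" }`. The `present_cached` call and the enclosing `get ':id/releases'` block begin above this hunk.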
@@ -53,11 +56,13 @@ module API
end
params do
requires :tag_name, type: String, desc: 'The name of the tag', as: :tag
+ optional :include_html_description, type: Boolean,
+ desc: 'If `true`, a response includes HTML rendered markdown of the release description.'
end
get ':id/releases/:tag_name', requirements: RELEASE_ENDPOINT_REQUIREMENTS do
authorize_download_code!
- present release, with: Entities::Release, current_user: current_user
+ present release, with: Entities::Release, current_user: current_user, include_html_description: params[:include_html_description]
end
desc 'Create a new release' do
diff --git a/lib/gitlab/content_security_policy/config_loader.rb b/lib/gitlab/content_security_policy/config_loader.rb
index 6f6147f0f32..e42b174e085 100644
--- a/lib/gitlab/content_security_policy/config_loader.rb
+++ b/lib/gitlab/content_security_policy/config_loader.rb
@@ -9,21 +9,20 @@ module Gitlab
def self.default_settings_hash
settings_hash = {
- 'enabled' => true,
+ 'enabled' => Rails.env.development? || Rails.env.test?,
'report_only' => false,
'directives' => {
'default_src' => "'self'",
'base_uri' => "'self'",
- 'child_src' => "'none'",
'connect_src' => "'self'",
'font_src' => "'self'",
'form_action' => "'self' https: http:",
'frame_ancestors' => "'self'",
- 'frame_src' => "'self' https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com",
+ 'frame_src' => "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com",
'img_src' => "'self' data: blob: http: https:",
'manifest_src' => "'self'",
'media_src' => "'self'",
- 'script_src' => "'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.recaptcha.net https://apis.google.com",
+ 'script_src' => "'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com",
'style_src' => "'self' 'unsafe-inline'",
'worker_src' => "'self'",
'object_src' => "'none'",
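Review bot: The `enabled` default now evaluates to false outside development and test, so a production instance with no explicit CSP configuration ships without a Content-Security-Policy header at all, and nothing on that line says why; a comment such as `# Off by default in production; operators opt in through the content_security_policy setting` would keep the next reader from reading this as a regression — the opt-in path is inferred, confirm it before writing it. Separately, the host added to `script_src` sits next to `'strict-dynamic'`, which makes CSP3-aware browsers ignore host allowlists (and `'self'`/`'unsafe-inline'`) for scripts, so the reCAPTCHA loader still has to carry a nonce or be injected by a nonced script for this entry to have any effect; the host only helps browsers that lack strict-dynamic support. The `frame_src` addition is unaffected, since strict-dynamic applies only to script sources.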
@@ -31,6 +30,11 @@ module Gitlab
}
}
+ # frame-src was deprecated in CSP level 2 in favor of child-src
+ # CSP level 3 "undeprecated" frame-src and browsers fall back on child-src if it's missing
+ # However Safari seems to read child-src first so we'll just keep both equal
+ settings_hash['directives']['child_src'] = settings_hash['directives']['frame_src']
+
allow_webpack_dev_server(settings_hash) if Rails.env.development?
allow_cdn(settings_hash) if ENV['GITLAB_CDN_HOST'].present?