Add latest changes from gitlab-org/security/gitlab@16-5-stable-ee

4 files changed, 33 insertions, 5 deletions

diff --git a/lib/gitlab/import_export/command_line_util.rb b/lib/gitlab/import_export/command_line_util.rb
index dfe0815f0a0..ea91b01afdb 100644
--- a/lib/gitlab/import_export/command_line_util.rb
+++ b/lib/gitlab/import_export/command_line_util.rb
@@ -141,7 +141,7 @@ module Gitlab
 
           raise HardLinkError, 'File shares hard link' if Gitlab::Utils::FileInfo.shares_hard_link?(filepath)
 
-          FileUtils.rm(filepath) if Gitlab::Utils::FileInfo.linked?(filepath)
+          FileUtils.rm(filepath) if Gitlab::Utils::FileInfo.linked?(filepath) || File.pipe?(filepath)
         end
 
         true
diff --git a/lib/gitlab/import_export/project/relation_factory.rb b/lib/gitlab/import_export/project/relation_factory.rb
index 943c997a056..8e34a6d73ba 100644
--- a/lib/gitlab/import_export/project/relation_factory.rb
+++ b/lib/gitlab/import_export/project/relation_factory.rb
@@ -81,6 +81,8 @@ module Gitlab
 
         private
 
+        attr_reader :relation_hash, :user
+
         def invalid_relation?
           # Do not create relation if it is a legacy trigger
           legacy_trigger?
diff --git a/lib/gitlab/search/abuse_detection.rb b/lib/gitlab/search/abuse_detection.rb
index 1e4169f3fd7..1fd7c6cfe8d 100644
--- a/lib/gitlab/search/abuse_detection.rb
+++ b/lib/gitlab/search/abuse_detection.rb
@@ -6,6 +6,7 @@ module Gitlab
       include ActiveModel::Validations
       include AbuseValidators
 
+      MAX_PIPE_SYNTAX_FILTERS = 5
       ABUSIVE_TERM_SIZE = 100
       ALLOWED_CHARS_REGEX = %r{\A[[:alnum:]_\-\/\.!]+\z}
 
@@ -57,10 +58,18 @@ module Gitlab
 
       validates :query_string, :repository_ref, :project_ref, no_abusive_coercion_from_string: true
 
-      attr_reader(*READABLE_PARAMS)
+      validate :no_abusive_pipes, if: :detect_abusive_pipes
 
-      def initialize(params)
-        READABLE_PARAMS.each { |p| instance_variable_set("@#{p}", params[p]) }
+      attr_reader(*READABLE_PARAMS)
+      attr_reader :raw_params, :detect_abusive_pipes
+
+      def initialize(params, detect_abusive_pipes: true)
+        @raw_params = {}
+        READABLE_PARAMS.each do |p|
+          instance_variable_set("@#{p}", params[p])
+          @raw_params[p] = params[p]
+        end
+        @detect_abusive_pipes = detect_abusive_pipes
       end
 
       private
@@ -76,6 +85,23 @@ module Gitlab
       def stop_word_search?
         STOP_WORDS.include? query_string
       end
+
+      def no_abusive_pipes
+        pipes = query_string.to_s.split('|')
+        errors.add(:query_string, 'too many pipe syntax filters') if pipes.length > MAX_PIPE_SYNTAX_FILTERS
+
+        pipes.each do |q|
+          self.class.new(raw_params.merge(query_string: q), detect_abusive_pipes: false).tap do |p|
+            p.validate
+
+            p.errors.messages_for(:query_string).each do |msg|
+              next if errors.added?(:query_string, msg)
+
+              errors.add(:query_string, msg)
+            end
+          end
+        end
+      end
     end
   end
 end
diff --git a/lib/gitlab/search/params.rb b/lib/gitlab/search/params.rb
index 6eb24a92be6..a7896b7d80d 100644
--- a/lib/gitlab/search/params.rb
+++ b/lib/gitlab/search/params.rb
@@ -81,7 +81,7 @@ module Gitlab
       end
 
       def search_terms
-        @search_terms ||= query_string.split.select { |word| word.length >= MIN_TERM_LENGTH }
+        @search_terms ||= query_string.split
       end
 
       def not_too_many_terms