
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2022-05-17 12:08:20 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2022-05-17 12:08:20 +0300
commit91c2554bcf93c3c41aa830da4dd7a2d4b7483e2d (patch)
treedb4ba29b7ad5398b3eebd845c442d4c26558817c /lib
parent3974bc83f3bfc8a7757dcac0319e966042dc4356 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'lib')
-rw-r--r--lib/gitlab/background_migration/backfill_note_discussion_id.rb44
-rw-r--r--lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml35
-rw-r--r--lib/gitlab/content_security_policy/config_loader.rb9
3 files changed, 51 insertions, 37 deletions
diff --git a/lib/gitlab/background_migration/backfill_note_discussion_id.rb b/lib/gitlab/background_migration/backfill_note_discussion_id.rb
new file mode 100644
index 00000000000..da2c31ebd11
--- /dev/null
+++ b/lib/gitlab/background_migration/backfill_note_discussion_id.rb
@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module Gitlab
+ module BackgroundMigration
+ # Fixes notes with NULL discussion_ids due to a bug when importing from GitHub
+ # Bug was fixed in https://gitlab.com/gitlab-org/gitlab/-/merge_requests/76517
+ class BackfillNoteDiscussionId
+ SUB_BATCH_SIZE = 300
+
+ # Migration only version of notes model
+ class Note < ApplicationRecord
+ include EachBatch
+
+ self.table_name = 'notes'
+
+ # Based on https://gitlab.com/gitlab-org/gitlab/blob/117c14d0c79403e169cf52922b48f69d1dcf6a85/app/models/discussion.rb#L62-74
+ def generate_discussion_id
+ Digest::SHA1.hexdigest(
+ [:discussion, noteable_type.try(:underscore), noteable_id || commit_id, SecureRandom.hex].join('-')
+ )
+ end
+ end
+
+ def perform(start_id, stop_id)
+ notes = Note.select(:id, :noteable_type, :noteable_id, :commit_id)
+ .where(discussion_id: nil, id: start_id..stop_id)
+
+ notes.each_batch(of: SUB_BATCH_SIZE) do |relation|
+ update_discussion_ids(relation)
+ end
+ end
+
+ private
+
+ def update_discussion_ids(notes)
+ mapping = notes.each_with_object({}) do |note, hash|
+ hash[note] = { discussion_id: note.generate_discussion_id }
+ end
+
+ Gitlab::Database::BulkUpdate.execute(%i(discussion_id), mapping)
+ end
+ end
+ end
+end
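Review bot: `Note#generate_discussion_id` mixes `SecureRandom.hex` into the digest, so every backfilled note receives its own unrelated discussion ID and the value cannot be reproduced, yet neither that method nor `perform` says so. Whether imported replies were meant to share a thread cannot be told from this file, so the behaviour should at least be stated, e.g. `# Each note gets a fresh random ID and so becomes its own discussion; SHA1 only shapes the ID and is not a security control`. On `perform` I would add `# Safe to re-run: only rows in start_id..stop_id whose discussion_id is still NULL are selected`, since the `where(discussion_id: nil, ...)` filter is what keeps a retry from overwriting IDs written by an earlier attempt.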
diff --git a/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml
index 6aacd082fd7..3f18237a525 100644
--- a/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml
@@ -8,7 +8,7 @@ variables:
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
SECRET_DETECTION_IMAGE_SUFFIX: ""
- SECRETS_ANALYZER_VERSION: "3"
+ SECRETS_ANALYZER_VERSION: "4"
SECRET_DETECTION_EXCLUDED_PATHS: ""
.secret-analyzer:
@@ -31,37 +31,4 @@ secret_detection:
when: never
- if: $CI_COMMIT_BRANCH
script:
- - if [ -n "$CI_COMMIT_TAG" ]; then echo "Skipping Secret Detection for tags. No code changes have occurred."; exit 0; fi
- # Historic scan
- - if [ "$SECRET_DETECTION_HISTORIC_SCAN" == "true" ]; then echo "Running Secret Detection Historic Scan"; /analyzer run; exit; fi
- # Default branch scan
- - if [ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]; then echo "Running Secret Detection on default branch."; /analyzer run; exit; fi
- # Push event
- - |
- if [ "$CI_COMMIT_BEFORE_SHA" == "0000000000000000000000000000000000000000" ];
- then
- # first commit on a new branch
- echo ${CI_COMMIT_SHA} >${CI_COMMIT_SHA}_commit_list.txt
- git fetch --depth=2 origin $CI_COMMIT_REF_NAME
- else
- # determine commit range so that we can fetch the appropriate depth
- # check the exit code to determine if we need to limit the commit_list.txt to CI_COMMIT_SHA.
- if ! git log --pretty=format:"%H" ${CI_COMMIT_BEFORE_SHA}..${CI_COMMIT_SHA} >${CI_COMMIT_SHA}_commit_list.txt;
- then
- echo "unable to determine commit range, limiting to ${CI_COMMIT_SHA}"
- echo ${CI_COMMIT_SHA} >${CI_COMMIT_SHA}_commit_list.txt
- else
- # append newline to to list since `git log` does not end with a
- # newline, this is to keep the log messages consistent
- echo >> ${CI_COMMIT_SHA}_commit_list.txt
- fi
-
- # we need to extend the git fetch depth to the number of commits + 1 for the following reasons:
- # to include the parent commit of the base commit in this MR/Push event. This is needed because
- # `git diff -p` needs something to compare changes in that commit against
- git fetch --depth=$(($(wc -l <${CI_COMMIT_SHA}_commit_list.txt) + 1)) origin $CI_COMMIT_REF_NAME
- fi
- echo "scanning $(($(wc -l <${CI_COMMIT_SHA}_commit_list.txt))) commits for a push event"
- export SECRET_DETECTION_COMMITS_FILE=${CI_COMMIT_SHA}_commit_list.txt
- /analyzer run
- - rm "$CI_COMMIT_SHA"_commit_list.txt
diff --git a/lib/gitlab/content_security_policy/config_loader.rb b/lib/gitlab/content_security_policy/config_loader.rb
index 22a4ba8ac7a..521dec110a8 100644
--- a/lib/gitlab/content_security_policy/config_loader.rb
+++ b/lib/gitlab/content_security_policy/config_loader.rb
@@ -61,7 +61,9 @@ module Gitlab
end
def initialize(csp_directives)
- @csp_directives = HashWithIndifferentAccess.new(csp_directives)
+ @merged_csp_directives =
+ HashWithIndifferentAccess.new(csp_directives)
+ .reverse_merge(::Gitlab::ContentSecurityPolicy::ConfigLoader.default_directives)
end
def load(policy)
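Review bot: With `reverse_merge` in `initialize`, every directive the operator left out of `csp_directives` is now filled from `default_directives`, which can widen a deliberately minimal policy. Browsers stop falling back to `default-src` for a fetch directive once that directive is present, so a merged-in default can replace a stricter fallback the operator relied on. The contents of `default_directives` are not visible in this hunk, so whether that happens depends on those values. I would state the new behaviour at the assignment, e.g. `# Directives missing from the user config fall back to default_directives; set one to a falsy value to omit it`, and add a spec for a config that sets only one directive. The class body continues outside the hunk.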
@@ -77,8 +79,9 @@ module Gitlab
private
def arguments_for(directive)
- arguments = @csp_directives[directive.to_s]
-
+ # In order to disable a directive, the user can explicitly
+ # set a falsy value like nil, false or empty string
+ arguments = @merged_csp_directives[directive]
return unless arguments.present? && arguments.is_a?(String)
arguments.strip.split(' ').map(&:strip)
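Review bot: The new comment in `arguments_for` names nil, false and the empty string as the ways to disable a directive, but the guard on the following line also drops any value that is not a String, and with the defaults merged in that now silently removes the default as well. A mistyped entry such as an Array would therefore weaken the emitted policy without any signal. Either extend the comment with `# Any non-String value is likewise treated as disabled`, or log when a present value fails the `is_a?(String)` check. The method body continues past the end of the hunk.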