
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2022-08-16 15:12:38 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2022-08-16 15:12:38 +0300
commit93fb07b8c9edb0f3e860d7670b47e03a136d1a57 (patch)
tree3a0def9b247850b5510e11faafd628101bb9c06f /lib
parentd75ac09b4a880ba2d36d510a5720dd550b0809e9 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'lib')
-rw-r--r--lib/api/internal/base.rb10
-rw-r--r--lib/gitlab/auth/ip_rate_limiter.rb8
-rw-r--r--lib/gitlab/import_export/base/relation_factory.rb2
-rw-r--r--lib/gitlab/import_export/project/import_export.yml8
4 files changed, 23 insertions, 5 deletions
diff --git a/lib/api/internal/base.rb b/lib/api/internal/base.rb
index b53f855c3a2..6f475fa8d74 100644
--- a/lib/api/internal/base.rb
+++ b/lib/api/internal/base.rb
@@ -39,6 +39,7 @@ module API
container.lfs_http_url_to_repo
end
+ # rubocop: disable Metrics/AbcSize
def check_allowed(params)
# This is a separate method so that EE can alter its behaviour more
# easily.
@@ -47,6 +48,14 @@ module API
check_rate_limit!(:gitlab_shell_operation, scope: [params[:action], params[:project], actor.key_or_user])
end
+ if Feature.enabled?(:rate_limit_gitlab_shell_by_ip, actor.user)
+ rate_limiter = Gitlab::Auth::IpRateLimiter.new(request.ip)
+
+ unless rate_limiter.trusted_ip?
+ check_rate_limit!(:gitlab_shell_operation, scope: [params[:action], params[:project], rate_limiter.ip])
+ end
+ end
+
# Stores some Git-specific env thread-safely
env = parse_env
Gitlab::Git::HookEnv.set(gl_repository, env) if container
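Review bot: The new per-IP limit keys on `request.ip`, and nothing in this hunk shows whether that resolves to the SSH client's address or to the address of the host calling the internal API. If it is the caller's own address, every user behind that host shares one bucket per action and project unless the host is in the trusted list; if it comes from a forwarded header, the limit is only as reliable as the proxy trust configuration. I would state the expectation next to the call, e.g. `# request.ip must resolve to the end client's address, not the internal API caller's own address`, and cover both cases in a spec. `check_allowed` begins before and continues after this hunk.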
@@ -101,6 +110,7 @@ module API
response_with_status(code: 500, success: false, message: UNKNOWN_CHECK_RESULT_ERROR)
end
end
+ # rubocop: enable Metrics/AbcSize
def send_git_audit_streaming_event(msg)
# Defined in EE
diff --git a/lib/gitlab/auth/ip_rate_limiter.rb b/lib/gitlab/auth/ip_rate_limiter.rb
index f301a2ec2e8..0d50420b9f5 100644
--- a/lib/gitlab/auth/ip_rate_limiter.rb
+++ b/lib/gitlab/auth/ip_rate_limiter.rb
@@ -33,6 +33,10 @@ module Gitlab
Rack::Attack::Allow2Ban.banned?(ip)
end
+ def trusted_ip?
+ trusted_ips.any? { |netmask| netmask.include?(ip) }
+ end
+
private
def skip_rate_limit?
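Review bot: `trusted_ip?` becomes part of the class's public interface here with no comment saying what "trusted" means. From the context lines of the following hunk the list appears to be built from `config.ip_whitelist` under `rack_attack.git_basic_auth`, so a caller outside this class would inherit the Git basic-auth allowlist; that coupling is inferred from the visible lines and should be confirmed. A short doc comment would make it explicit, e.g. `# True when ip falls inside one of the configured allowlist ranges; callers use this to skip rate limiting.` The class body continues outside the hunk.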
@@ -47,10 +51,6 @@ module Gitlab
Gitlab.config.rack_attack.git_basic_auth
end
- def trusted_ip?
- trusted_ips.any? { |netmask| netmask.include?(ip) }
- end
-
def trusted_ips
strong_memoize(:trusted_ips) do
config.ip_whitelist.map do |proxy|
diff --git a/lib/gitlab/import_export/base/relation_factory.rb b/lib/gitlab/import_export/base/relation_factory.rb
index ee24d51a0cd..1cbfcbdb595 100644
--- a/lib/gitlab/import_export/base/relation_factory.rb
+++ b/lib/gitlab/import_export/base/relation_factory.rb
@@ -129,7 +129,7 @@ module Gitlab
# When an assignee (or any other listed association) did not exist in the members mapper, the importer is
# assigned. We only need to assign each user once.
def remove_duplicate_assignees
- associations = %w[issue_assignees merge_request_assignees merge_request_reviewers]
+ associations = %w[issue_assignees merge_request_assignees merge_request_reviewers approvals]
associations.each do |association|
next unless @relation_hash.key?(association)
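Review bot: Adding `approvals` to this list extends the fallback described in the comment above to approvals: an approval whose user is missing from the members mapper ends up attributed to the importing user. Unlike an assignee or reviewer entry, an approval records a decision, so an imported project can show the importer as having approved merge requests they never reviewed; whether such records count towards merge rules is not visible here. At minimum the comment should say so, e.g. `# For approvals, an unmapped approver's approval is attributed to the importer.`, and it is worth considering whether unmapped approvals should be dropped instead. `remove_duplicate_assignees` continues past the hunk, and its name no longer matches its scope.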
diff --git a/lib/gitlab/import_export/project/import_export.yml b/lib/gitlab/import_export/project/import_export.yml
index 8168e8dc227..c5b8f3fd35b 100644
--- a/lib/gitlab/import_export/project/import_export.yml
+++ b/lib/gitlab/import_export/project/import_export.yml
@@ -53,6 +53,7 @@ tree:
- project_members:
- :user
- merge_requests:
+ - :approvals
- :metrics
- :award_emoji
- :merge_request_assignees
@@ -122,6 +123,10 @@ included_attributes:
- :username
author:
- :name
+ approvals:
+ - :user_id
+ - :created_at
+ - :updated_at
ci_cd_settings:
- :group_runners_enabled
- :runner_token_expiration_interval
@@ -776,6 +781,9 @@ excluded_attributes:
- :repository_size_limit
- :external_webhook_token
- :incident_management_issuable_escalation_statuses
+ approvals:
+ - :id
+ - :merge_request_id
namespaces:
- :runners_token
- :runners_token_encrypted