authorGitLab Bot <gitlab-bot@gitlab.com>2022-02-26 03:14:54 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2022-02-26 03:14:54 +0300
commita40d39ddd2dce862f95d35c42a07c0fce4df8f0a (patch)
tree4c7f8b0898c57f1e0973b22729e01f8508388562 /lib
parentffe8b982e9d93ed23817a4bd9696ef1ef59de9f9 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'lib')
-rw-r--r--lib/api/users.rb6
-rw-r--r--lib/banzai/filter/math_filter.rb10
-rw-r--r--lib/gitlab/email/hook/validate_addresses_interceptor.rb32
3 files changed, 45 insertions, 3 deletions
diff --git a/lib/api/users.rb b/lib/api/users.rb
index d540978931e..6d4f12d80f8 100644
--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -105,9 +105,6 @@ module API
params.except!(:created_after, :created_before, :order_by, :sort, :two_factor, :without_projects)
end
- users = UsersFinder.new(current_user, params).execute
- users = reorder_users(users)
-
authorized = can?(current_user, :read_users_list)
# When `current_user` is not present, require that the `username`
@@ -119,6 +116,9 @@ module API
forbidden!("Not authorized to access /api/v4/users") unless authorized
+ users = UsersFinder.new(current_user, params).execute
+ users = reorder_users(users)
+
entity = current_user&.admin? ? Entities::UserWithAdmin : Entities::UserBasic
users = users.preload(:identities, :u2f_registrations) if entity == Entities::UserWithAdmin
users = users.preload(:identities, :webauthn_registrations) if entity == Entities::UserWithAdmin
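Review bot: The new position of `UsersFinder.new(current_user, params).execute` directly after `forbidden!` is the whole point of the move, but nothing records that the ordering is load-bearing, so a later refactor can hoist the finder back above the authorization gate without anyone noticing. Add a comment above the two added lines such as `# Build the user query only after the authorization check above; an unauthorized caller must never reach UsersFinder with its params.` Whether the previous ordering actually ran the query before the check cannot be confirmed from this hunk (an ActiveRecord relation would be lazy until `preload`/iteration), so the comment should state intent rather than claim a past exposure. The enclosing endpoint begins and ends outside the hunk, and the lines between the two hunks that enforce the username requirement for anonymous callers are not shown.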
diff --git a/lib/banzai/filter/math_filter.rb b/lib/banzai/filter/math_filter.rb
index 6859d67c9d8..0ac506776be 100644
--- a/lib/banzai/filter/math_filter.rb
+++ b/lib/banzai/filter/math_filter.rb
@@ -25,7 +25,14 @@ module Banzai
DOLLAR_SIGN = '$'
+ # Limit to how many nodes can be marked as math elements.
+ # Prevents timeouts for large notes.
+ # For more information check: https://gitlab.com/gitlab-org/gitlab/-/issues/341832
+ RENDER_NODES_LIMIT = 50
+
def call
+ nodes_count = 0
+
doc.xpath(XPATH_CODE).each do |code|
closing = code.next
opening = code.previous
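Review bot: The comment on `RENDER_NODES_LIMIT` says it prevents timeouts, but the counter introduced as `nodes_count = 0` is only advanced for code nodes that are actually converted (the increment lives in the next hunk), so `doc.xpath(XPATH_CODE).each` still visits every code element in the document; the constant bounds the number of math conversions, not the traversal. If the conversion itself was the slow path this is the right fix, but the comment should say what is capped, e.g. `# Maximum number of code nodes converted to math per document; remaining $..$ spans are left as plain code.` Whether the traversal or the conversion dominated the linked timeout cannot be told from this diff.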
@@ -41,6 +48,9 @@ module Banzai
code[STYLE_ATTRIBUTE] = 'inline'
closing.content = closing.content[1..]
opening.content = opening.content[0..-2]
+
+ nodes_count += 1
+ break if nodes_count >= RENDER_NODES_LIMIT
end
end
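Review bot: When `break if nodes_count >= RENDER_NODES_LIMIT` fires, every later `$..$` span is silently left as ordinary code with no log line and no marker in the output, so a user whose note stops rendering math after the fiftieth formula gets no explanation and an operator has no signal that the cap was reached. Consider at least a comment stating that the truncation is deliberate and invisible, or a hint for the renderer such as `doc.root&.set_attribute('data-math-limit-reached', 'true') if nodes_count >= RENDER_NODES_LIMIT` after the loop so the UI can say why. The counter only increments for nodes that pass the opening/closing dollar checks, which sit outside this hunk, so non-matching code spans do not count towards the limit. The enclosing `call` method begins in the previous hunk.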
diff --git a/lib/gitlab/email/hook/validate_addresses_interceptor.rb b/lib/gitlab/email/hook/validate_addresses_interceptor.rb
new file mode 100644
index 00000000000..e63f047e63d
--- /dev/null
+++ b/lib/gitlab/email/hook/validate_addresses_interceptor.rb
@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module Gitlab
+ module Email
+ module Hook
+ # Check for unsafe characters in the envelope-from and -to addresses.
+ # These are passed directly as arguments to sendmail and are liable to shell injection attacks:
+ # https://github.com/mikel/mail/blob/2.7.1/lib/mail/network/delivery_methods/sendmail.rb#L53-L58
+ class ValidateAddressesInterceptor
+ UNSAFE_CHARACTERS = /(\\|[^[:print:]])/.freeze
+
+ def self.delivering_email(message)
+ addresses = Array(message.smtp_envelope_from) + Array(message.smtp_envelope_to)
+
+ addresses.each do |address|
+ next unless address.match?(UNSAFE_CHARACTERS)
+
+ Gitlab::AuthLogger.info(
+ message: 'Skipping email with unsafe characters in address',
+ address: address,
+ subject: message.subject
+ )
+
+ message.perform_deliveries = false
+
+ break
+ end
+ end
+ end
+ end
+ end
+end
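Review bot: The rejected `address` is written to `Gitlab::AuthLogger` verbatim at `address: address`, and by construction it contains a backslash or a non-printable byte (CR, LF, ESC, NUL), so unless AuthLogger is a structured logger that escapes its values the entry itself becomes a log-injection vector; log an escaped form instead, `address: address.inspect`, which also makes the offending byte visible to whoever reads the log. An address carrying an invalid UTF-8 sequence makes `address.match?` raise `ArgumentError` rather than return true; delivery is still prevented, but by an exception outside this guard, so `next if address.valid_encoding? && !address.match?(UNSAFE_CHARACTERS)` keeps the fail-closed path explicit. Note that `[^[:print:]]` is evaluated per character on a UTF-8 string, so non-ASCII printable characters pass, while the sendmail quoting this guards against works on bytes; that is probably acceptable but worth stating in the class comment. Whether this interceptor is actually registered with ActionMailer is not visible in this diff.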