From 1f6654659564013b8aa4f3572158cb63d3a519c1 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Wed, 30 Nov 2022 04:47:13 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@15-6-stable-ee
---
 app/models/ci/build_runner_session.rb | 20 +++++++++++---------
 app/models/project.rb | 2 +-
 app/models/user.rb | 2 +-
 3 files changed, 13 insertions(+), 11 deletions(-)
(limited to 'app/models')
diff --git a/app/models/ci/build_runner_session.rb b/app/models/ci/build_runner_session.rb
index c6dbb5d0a43..0f37ce70964 100644
--- a/app/models/ci/build_runner_session.rb
+++ b/app/models/ci/build_runner_session.rb
@@ -13,14 +13,15 @@ module Ci
 belongs_to :build, class_name: 'Ci::Build', inverse_of: :runner_session
 validates :build, presence: true
- validates :url, addressable_url: { schemes: %w(https) }
+ validates :url, public_url: { schemes: %w(https) }
 def terminal_specification
- wss_url = Gitlab::UrlHelpers.as_wss(self.url)
+ wss_url = Gitlab::UrlHelpers.as_wss(Addressable::URI.escape(self.url))
 return {} unless wss_url.present?
- wss_url = "#{wss_url}/exec"
- channel_specification(wss_url, TERMINAL_SUBPROTOCOL)
+ parsed_wss_url = URI.parse(wss_url)
+ parsed_wss_url.path += '/exec'
+ channel_specification(parsed_wss_url, TERMINAL_SUBPROTOCOL)
 end
 def service_specification(service: nil, path: nil, port: nil, subprotocols: nil)
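Review bot: `URI.parse(wss_url)` in `terminal_specification` can raise `URI::InvalidURIError`, and nothing in this hunk rescues it, so a stored URL that the standard-library parser rejects becomes an exception rather than the empty specification the method returns for a missing URL. The switch to `public_url` is a validator, so rows written under the old `addressable_url` rule presumably still reach this code without being re-checked. Consider failing closed with a method-level `rescue URI::InvalidURIError` that returns `{}`. If the intent of the component-wise append is what it appears to be, a comment above `parsed_wss_url.path += '/exec'` would record it: `# Append to the path component so a query or fragment in the stored URL cannot absorb the suffix.` The same parse appears in `service_specification`, whose body continues in the next hunk.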
@@ -28,20 +29,21 @@ module Ci
 port = port.presence || DEFAULT_PORT_NAME
 service = service.presence || DEFAULT_SERVICE_NAME
- url = "#{self.url}/proxy/#{service}/#{port}/#{path}"
+ parsed_url = URI.parse(Addressable::URI.escape(self.url))
+ parsed_url.path += "/proxy/#{service}/#{port}/#{path}"
 subprotocols = subprotocols.presence || ::Ci::BuildRunnerSession::TERMINAL_SUBPROTOCOL
- channel_specification(url, subprotocols)
+ channel_specification(parsed_url, subprotocols)
 end
 private
- def channel_specification(url, subprotocol)
- return {} if subprotocol.blank? || url.blank?
+ def channel_specification(parsed_url, subprotocol)
+ return {} if subprotocol.blank? || parsed_url.blank?
 {
 subprotocols: Array(subprotocol),
- url: url,
+ url: Addressable::URI.unescape(parsed_url.to_s),
 headers: { Authorization: [authorization.presence] }.compact,
 ca_pem: certificate.presence
 }
diff --git a/app/models/project.rb b/app/models/project.rb
index a07d4147228..0c4f76fb2b9 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -2152,8 +2152,8 @@ class Project < ApplicationRecord
 end
 def after_import
- repository.remove_prohibited_branches
 repository.expire_content_cache
+ repository.remove_prohibited_branches
 wiki.repository.expire_content_cache
 DetectRepositoryLanguagesWorker.perform_async(id)
diff --git a/app/models/user.rb b/app/models/user.rb
index 24f947183a2..b4b8a7ef7ad 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1556,7 +1556,7 @@ class User < ApplicationRecord
 name: name,
 username: username,
 avatar_url: avatar_url(only_path: false),
- email: public_email.presence || _('[REDACTED]')
+ email: webhook_email
 }
 end
--
cgit v1.2.3
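Review bot: `Addressable::URI.unescape(parsed_url.to_s)` in `channel_specification` decodes the whole URL string after the suffix was appended to the path component, so any percent-encoded delimiter that survives the earlier `Addressable::URI.escape` would reach the consumer as a literal character again. Whether that can happen depends on how `escape` treats sequences already present in the stored URL, which the hunk does not show. A spec would settle it: use a constructed URL containing an encoded `?` or `#` and assert that the returned `url` still carries `/exec` or `/proxy/...` in its path. Separately, `parsed_url.blank?` is now called on a `URI` object, which is presumably never blank, so the guard effectively covers only `nil`. `service`, `port` and `path` are also interpolated into `parsed_url.path` with no validation visible here, so a `URI::InvalidComponentError` from the path setter should be rescued or the values checked first; `channel_specification` ends outside the hunk.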
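Review bot: The order of `repository.expire_content_cache` and `repository.remove_prohibited_branches` in `after_import` now matters, but nothing at the call site says why, so a later tidy-up could swap them back unnoticed. If the intent is that the branch check must read the freshly imported refs rather than a cached list, record it with a comment such as `# Expire caches first: remove_prohibited_branches must see the imported branch list, not a stale cached one.` It may also be worth confirming that branch-name caches are expired again once branches have been removed, since that code is outside this hunk. `after_import` continues past the end of the hunk.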
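Review bot: `email: webhook_email` moves the redaction decision out of this hash, and `webhook_email` is not defined anywhere in the diff shown, so the guarantee that a non-public address never reaches a hook payload can no longer be checked from this call site. A short comment such as `# webhook_email redacts the address unless the user has made it public` (if that is what it does) would document the contract. A spec on this payload for a user without a `public_email` would keep the privacy behaviour pinned. The enclosing method starts outside the hunk.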