From 1fb0bae24e6686b3571fc1c44cbf239d8563e0d7 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Wed, 30 Aug 2023 19:42:57 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@16-3-stable-ee

---
 app/controllers/projects/refs_controller.rb | 4 ++++
 app/graphql/resolvers/group_issues_resolver.rb | 5 +++++
 app/graphql/resolvers/issues_resolver.rb | 1 +
 3 files changed, 10 insertions(+)
(limited to 'app')

diff --git a/app/controllers/projects/refs_controller.rb b/app/controllers/projects/refs_controller.rb
index 4c2bd2a9d42..278d306301a 100644
--- a/app/controllers/projects/refs_controller.rb
+++ b/app/controllers/projects/refs_controller.rb
@@ -15,6 +15,8 @@ class Projects::RefsController < Projects::ApplicationController
   urgency :low, [:switch, :logs_tree]
 
   def switch
+    Gitlab::PathTraversal.check_path_traversal!(@id)
+
     respond_to do |format|
       format.html do
         new_path =
@@ -40,6 +42,8 @@ class Projects::RefsController < Projects::ApplicationController
         redirect_to new_path
       end
     end
+  rescue Gitlab::PathTraversal::PathTraversalAttackError
+    head :bad_request
   end
 
   def logs_tree
diff --git a/app/graphql/resolvers/group_issues_resolver.rb b/app/graphql/resolvers/group_issues_resolver.rb
index 43f01395896..7bbc662c6c8 100644
--- a/app/graphql/resolvers/group_issues_resolver.rb
+++ b/app/graphql/resolvers/group_issues_resolver.rb
@@ -9,6 +9,11 @@ module Resolvers
 
     include GroupIssuableResolver
 
+    before_connection_authorization do |nodes, _|
+      projects = nodes.map(&:project)
+      ActiveRecord::Associations::Preloader.new(records: projects, associations: :namespace).call
+    end
+
     def ready?(**args)
       if args.dig(:not, :release_tag).present?
         raise ::Gitlab::Graphql::Errors::ArgumentError, 'releaseTag filter is not allowed when parent is a group.'
diff --git a/app/graphql/resolvers/issues_resolver.rb b/app/graphql/resolvers/issues_resolver.rb
index 17e3e159a5b..589366ba26d 100644
--- a/app/graphql/resolvers/issues_resolver.rb
+++ b/app/graphql/resolvers/issues_resolver.rb
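Review bot: The new guard on `@id` in `switch` depends on `@id` having been assigned before the action body runs, and that assignment (presumably a `before_action`) is outside the hunk, so nothing in the diff records what is being validated or why; `switch` itself spans both hunks of this file. A one-line comment above the check would carry that, e.g. `# @id is the user-supplied ref name that ends up in new_path below; reject traversal sequences before it is used`. The check covers only `switch`, while the `urgency` line lists `logs_tree` beside it — if `logs_tree` reads the same ref parameter into a path it would need the same guard, which I cannot confirm from here. The method-level `rescue` answering `head :bad_request` is fine as written; a controller-wide `rescue_from` would give other actions the same response should more checks be added.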
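Review bot: `nodes.map(&:project)` in the new `before_connection_authorization` block is handed straight to the preloader, so any node without a project would put a `nil` into `records:`; whether issues reachable through a group resolver can lack a project is not visible here, but `nodes.filter_map(&:project)` would make the block safe either way at no cost, and the same applies to the identical line added in `app/graphql/resolvers/issues_resolver.rb`. The block also has no comment saying what the `:namespace` preload is for; since it ships in a security release it presumably removes a per-node query during authorization, and a comment such as `# Preload project namespaces once so per-node authorization does not query them individually` would record that, if that is indeed the reason. If `GroupIssuesResolver` inherits from `IssuesResolver` (the visible `include GroupIssuableResolver` does not tell), both hooks may run for group queries and the preload would be performed twice.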
@@ -23,6 +23,7 @@ module Resolvers
       projects = nodes.map(&:project)
       ::Preloaders::UserMaxAccessLevelInProjectsPreloader.new(projects, current_user).execute
       ::Preloaders::GroupPolicyPreloader.new(projects.filter_map(&:group), current_user).execute
+      ActiveRecord::Associations::Preloader.new(records: projects, associations: :namespace).call
     end
 
     def ready?(**args)
-- 
cgit v1.2.3
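Review bot: The added preload runs after `projects.filter_map(&:group)` on the line above, so if it was meant to also serve that call it comes too late, and if `group` is a separate association from `namespace` on the project model (likely, but not visible here) it does not serve it at all. Moving the new line to directly after `projects = nodes.map(&:project)` would at least guarantee the namespace is loaded before either policy preloader touches the projects. The enclosing block's opening line is outside the hunk.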