From 5b91f2a1e51c291fb84ea60766791684fa982f22 Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Wed, 27 Sep 2023 22:26:40 +0000 Subject: Add latest changes from gitlab-org/security/gitlab@16-4-stable-ee --- .../javascripts/behaviors/markdown/render_math.js | 21 +++++++++++---------- app/assets/stylesheets/framework/markdown_area.scss | 10 ++++++++++ .../projects/error_tracking/projects_controller.rb | 2 +- app/helpers/merge_requests_helper.rb | 2 ++ app/models/project.rb | 1 + app/models/project_team.rb | 6 +++++- app/policies/project_policy.rb | 2 ++ .../error_tracking/list_projects_service.rb | 2 ++ 8 files changed, 34 insertions(+), 12 deletions(-) (limited to 'app') diff --git a/app/assets/javascripts/behaviors/markdown/render_math.js b/app/assets/javascripts/behaviors/markdown/render_math.js index b2348cf0bad..7525fc76d16 100644 --- a/app/assets/javascripts/behaviors/markdown/render_math.js +++ b/app/assets/javascripts/behaviors/markdown/render_math.js @@ -66,16 +66,12 @@ class SafeMathRenderer { el.removeAttribute('style'); if (!forceRender && (this.totalMS >= MAX_RENDER_TIME_MS || text.length > MAX_MATH_CHARS)) { // Show unrendered math code - const wrapperElement = document.createElement('div'); const codeElement = document.createElement('pre'); codeElement.className = 'code'; codeElement.textContent = el.textContent; codeElement.dataset.mathStyle = el.dataset.mathStyle; - const { parentNode } = el; - parentNode.replaceChild(wrapperElement, el); - let message; if (text.length > MAX_MATH_CHARS) { message = sprintf( 
@@ -103,11 +99,11 @@ class SafeMathRenderer { `; - if (!wrapperElement.classList.contains('lazy-alert-shown')) { + if (!el.classList.contains('lazy-alert-shown')) { // eslint-disable-next-line no-unsanitized/property - wrapperElement.innerHTML = html; - wrapperElement.append(codeElement); - wrapperElement.classList.add('lazy-alert-shown'); + el.innerHTML = html; + el.append(codeElement); + el.classList.add('lazy-alert-shown'); } // Render the next math @@ -125,6 +121,12 @@ class SafeMathRenderer { } try { + if (displayContainer.dataset.mathStyle === 'inline') { + displayContainer.classList.add('math-content-inline'); + } else { + displayContainer.classList.add('math-content-display'); + } + // eslint-disable-next-line no-unsanitized/property displayContainer.innerHTML = this.katex.renderToString(text, { displayMode: el.dataset.mathStyle === 'display', @@ -169,8 +171,7 @@ class SafeMathRenderer { render() { // Replace math blocks with a placeholder so they aren't rendered twice this.elements.forEach((el) => { - const placeholder = document.createElement('span'); - placeholder.style.display = 'none'; + const placeholder = document.createElement('div'); placeholder.dataset.mathStyle = el.dataset.mathStyle; placeholder.textContent = el.textContent; el.parentNode.replaceChild(placeholder, el); diff --git a/app/assets/stylesheets/framework/markdown_area.scss b/app/assets/stylesheets/framework/markdown_area.scss index b87fd3e67d4..62782de5402 100644 --- a/app/assets/stylesheets/framework/markdown_area.scss +++ b/app/assets/stylesheets/framework/markdown_area.scss @@ -137,6 +137,16 @@ border-radius: $border-radius-default $border-radius-default 0 0; } +.math-content-inline { + overflow: auto; + display: inline-flex; +} + +.math-content-display { + overflow: auto; + display: block; +} + @include media-breakpoint-down(xs) { .referenced-users { margin-right: 0; 
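Review bot: `el.innerHTML = html` (with the carried-over `eslint-disable-next-line no-unsanitized/property`) is the one write in this fallback path that bypasses escaping, and nothing in the hunk records why that is acceptable; what actually keeps user-controlled text out of the markup is the separate `codeElement.textContent = el.textContent` assignment in the previous hunk. I would put the invariant above the disable directive: `// Safe only while html is a fixed template with just the translated limit message interpolated; the user-supplied math source is attached via textContent, never innerHTML.` That assumes `message`/`html` are built solely from translated strings and numbers, which the visible `sprintf` suggests but the hunk does not fully show. Separately, `el.classList.contains('lazy-alert-shown')` now tests the placeholder created fresh in `render()`, so as far as this diff shows the guard can never be true; either drop it or add a comment naming the `forceRender` case that revisits an already-replaced element, if one exists.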
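Review bot: The new class selection reads `displayContainer.dataset.mathStyle`, while the `renderToString` call two lines below decides `displayMode` from `el.dataset.mathStyle`; if `displayContainer` does not carry a copied `data-math-style` (nothing in this diff sets one), every inline expression falls into the `else` branch and receives `math-content-display` (`display: block` per the SCSS hunk) even though KaTeX renders it inline. Derive both from one source: `const displayMode = el.dataset.mathStyle === 'display';` then `displayContainer.classList.add(displayMode ? 'math-content-display' : 'math-content-inline');` and pass `displayMode,` into the `renderToString` options. The `try` block and the creation of `displayContainer` begin outside the hunk, so confirm there whether the dataset is copied before treating this as a bug.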
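Review bot: The placeholder in `render()` is now a visible `div` for every element, including those with `data-math-style="inline"`; a block-level box swapped into running paragraph text breaks the line until KaTeX replaces it, and when the size/time fallback in the earlier hunk is taken the `div` stays, since that path now writes into `el` rather than into a new wrapper. If a visible placeholder is intended (so the raw source is readable while rendering is pending), consider `const placeholder = document.createElement(el.dataset.mathStyle === 'inline' ? 'span' : 'div');` plus a comment stating that the placeholder must only ever be populated through `textContent`. Copying the math source with `textContent` here is the right choice and should stay as is.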
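Review bot: `overflow: auto` on `.math-content-display` constrains only the horizontal axis in practice, because a `display: block` box grows with its content; a very tall rendered expression (deeply nested fractions, a large matrix) still expands the page, so if the goal is to bound what one math block can do to the layout a `max-height` is needed alongside the existing `overflow: auto`. Both new rules would also benefit from a purpose comment, e.g. `// Rendered KaTeX output: scroll inside the box instead of overflowing the markdown area.` I cannot see from this diff whether a height limit is enforced elsewhere, so treat the first point as a question rather than a defect.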
diff --git a/app/controllers/projects/error_tracking/projects_controller.rb b/app/controllers/projects/error_tracking/projects_controller.rb index 531bd327e43..372fbfdc183 100644 --- a/app/controllers/projects/error_tracking/projects_controller.rb +++ b/app/controllers/projects/error_tracking/projects_controller.rb @@ -5,7 +5,7 @@ module Projects class ProjectsController < Projects::ApplicationController respond_to :json - before_action :authorize_read_sentry_issue! + before_action :authorize_admin_sentry! feature_category :error_tracking urgency :low diff --git a/app/helpers/merge_requests_helper.rb b/app/helpers/merge_requests_helper.rb index a90a16e120c..06eb3fcc233 100644 --- a/app/helpers/merge_requests_helper.rb +++ b/app/helpers/merge_requests_helper.rb @@ -133,6 +133,8 @@ module MergeRequestsHelper _('Not available for private projects') elsif ProtectedBranch.protected?(merge_request.source_project, merge_request.source_branch) _('Not available for protected branches') + elsif !merge_request.author.can?(:push_code, merge_request.source_project) + _('Merge request author cannot push to target project') end end diff --git a/app/models/project.rb b/app/models/project.rb index 68196f0a757..5989584ce43 100644 --- a/app/models/project.rb +++ b/app/models/project.rb @@ -3456,6 +3456,7 @@ class Project < ApplicationRecord # Issue for N+1: https://gitlab.com/gitlab-org/gitlab-foss/issues/49322 Gitlab::GitalyClient.allow_n_plus_1_calls do merge_requests_allowing_collaboration(branch_name).any? do |merge_request| + merge_request.author.can?(:push_code, self) && merge_request.can_be_merged_by?(user, skip_collaboration_check: true) end end diff --git a/app/models/project_team.rb b/app/models/project_team.rb index 34754f4fc95..38521ae6090 100644 --- a/app/models/project_team.rb +++ b/app/models/project_team.rb 
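Review bot: `before_action :authorize_admin_sentry!` is tied to the `:admin_sentry` ability only by the `authorize_*!` naming convention (the ability itself is introduced in the project_policy hunk of this same patch), so there is no load-time link between the two and a rename of either side fails at request time. A request spec asserting the rejected status for a user holding only `read_sentry_issue` is the usual guard, and a one-line comment helps the next reader: `# Listing Sentry projects requires :admin_sentry; read_sentry_issue is deliberately not enough (see ErrorTracking::ListProjectsService).` The matching check added to `ErrorTracking::ListProjectsService#perform` is the backstop for callers that do not go through this controller, so the two must be kept in step.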
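Review bot: The new `elsif` tests the author's `:push_code` on `merge_request.source_project`, yet the string it returns says the author "cannot push to target project"; condition and message disagree, and the user-facing reason will name the wrong project. Unless "target" is deliberate wording used elsewhere in this UI, change it to `_('Merge request author cannot push to source project')` (a translatable string, so the locale files need the same update). `merge_request.author` is also dereferenced without a guard; if authors can be nil for this model, `elsif !merge_request.author&.can?(:push_code, merge_request.source_project)` yields the same "cannot push" result instead of a NoMethodError. The enclosing helper method starts outside the hunk.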
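Review bot: The added `merge_request.author.can?(:push_code, self) &&` makes the collaboration grant depend on the author still being able to push to this project, which is the right fix, but the reason is not recorded at the call site and the same nil-author question as in the helper applies. I would precede the line with `# Only honour 'allow collaboration' while the MR author can still push here; an author who lost access must not keep delegating write access to the branch.` and, if `author` can be nil for this model, write `merge_request.author&.can?(:push_code, self)`. Placing the check before `can_be_merged_by?` also means the Gitaly-backed mergeability check is skipped for ineligible MRs, which is worth a word given the surrounding `allow_n_plus_1_calls` wrapper. The enclosing method begins outside the hunk.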
@@ -121,7 +121,7 @@ class ProjectTeam def import(source_project, current_user) target_project = project - source_members = source_project.project_members.to_a + source_members = source_members_for_import(source_project) target_user_ids = target_project.project_members.pluck_user_ids importer_access_level = max_member_access(current_user.id) @@ -242,6 +242,10 @@ class ProjectTeam def member_user_ids Member.on_project_and_ancestors(project).select(:user_id) end + + def source_members_for_import(source_project) + source_project.project_members.to_a + end end ProjectTeam.prepend_mod_with('ProjectTeam') diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index 38e6360f81d..a57b6f8daf7 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb @@ -289,6 +289,7 @@ class ProjectPolicy < BasePolicy enable :change_visibility_level enable :remove_project enable :archive_project + enable :link_forked_project enable :remove_fork_project enable :destroy_merge_request enable :destroy_issue @@ -545,6 +546,7 @@ class ProjectPolicy < BasePolicy enable :destroy_release enable :destroy_artifacts enable :admin_operations + enable :admin_sentry enable :read_deploy_token enable :create_deploy_token enable :destroy_deploy_token diff --git a/app/services/error_tracking/list_projects_service.rb b/app/services/error_tracking/list_projects_service.rb index 1539e24df9d..67d690d64e7 100644 --- a/app/services/error_tracking/list_projects_service.rb +++ b/app/services/error_tracking/list_projects_service.rb @@ -5,6 +5,8 @@ module ErrorTracking private def perform + return error('Access denied', :unauthorized) unless can?(current_user, :admin_sentry, project) + unless project_error_tracking_setting.valid? return error(project_error_tracking_setting.errors.full_messages.join(', '), :bad_request) end -- cgit v1.2.3
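Review bot: `source_members_for_import` is added purely as a seam — in this file it returns exactly what `import` used to inline — and the `ProjectTeam.prepend_mod_with('ProjectTeam')` at the bottom is the only hint that an override elsewhere changes the member list, so without a comment the next reader sees a pointless indirection and may well bypass it. Document the contract at the definition: `# Members of source_project that #import copies. Extension point overridden via prepend_mod_with; callers must go through this method rather than reading project_members directly.` What the override filters is not in this diff, so the comment should claim only that this is the single place where importable members are selected.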
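Review bot: `enable :link_forked_project` is added to the same rule block as `remove_fork_project`, but nothing else in this patch (which is limited to `app/`) consumes the new ability, so the code path that creates fork relationships — presumably outside `app/` — must be checked separately to confirm it now authorizes against `:link_forked_project`; an ability nobody checks protects nothing. A short comment pairing the two would help: `# Creating and removing a fork relationship require the same level as the other destructive project actions in this block.` The `rule do` header of this block is outside the hunk, so the level is inferred from its siblings (`remove_project`, `archive_project`).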
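Review bot: `enable :admin_sentry` is introduced next to `admin_operations` and both the controller and `ListProjectsService` hunks switch to it, but its relationship to the existing `read_sentry_issue` (which the controller used until now) is left implicit, so a later edit could leave a user able to list Sentry projects without being able to read issues. A comment at the new line would pin the intent: `# admin_sentry gates configuration-level error tracking operations such as listing Sentry projects; read_sentry_issue remains the separate, lower ability.` The enclosing `rule` block begins outside the hunk, so which membership level this grants is inferred from its siblings.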
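Review bot: The guard `return error('Access denied', :unauthorized) unless can?(current_user, :admin_sentry, project)` is correctly placed ahead of `project_error_tracking_setting.valid?`, so an unauthorized caller learns nothing about the configured setting, but `:unauthorized` (401) is the wrong status for an authenticated user lacking permission — `:forbidden` (403) is the conventional answer and 401 can trigger re-authentication in clients. Unless the other error-tracking services in this codebase already standardize on `:unauthorized`, I would write `return error('Access denied', :forbidden) unless can?(current_user, :admin_sentry, project)`. A why-comment is also warranted: `# Listing projects presumably calls the configured Sentry host with stored credentials; require admin_sentry so read-only users cannot drive that request.` — the first clause is inferred from the surrounding service, so confirm it before asserting it.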