From 11e9b7b58837da351f08c18e6f0f4faba4d7d301 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Mon, 29 Jun 2020 19:21:38 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@13-1-stable-ee
---
 lib/api/import_github.rb | 4 ++++
 lib/api/time_tracking_endpoints.rb | 12 ++++++------
 lib/banzai/filter/abstract_reference_filter.rb | 2 +-
 lib/banzai/filter/base_relative_link_filter.rb | 2 +-
 lib/gitlab/markdown_cache.rb | 2 +-
 5 files changed, 13 insertions(+), 9 deletions(-)
 (limited to 'lib')
diff --git a/lib/api/import_github.rb b/lib/api/import_github.rb
index 21d4928193e..f31cc15dc62 100644
--- a/lib/api/import_github.rb
+++ b/lib/api/import_github.rb
@@ -4,6 +4,10 @@ module API
 class ImportGithub < Grape::API
 rescue_from Octokit::Unauthorized, with: :provider_unauthorized

+ before do
+ forbidden! unless Gitlab::CurrentSettings.import_sources&.include?('github')
+ end
+
 helpers do
 def client
 @client ||= Gitlab::LegacyGithubImport::Client.new(params[:personal_access_token], client_options)
diff --git a/lib/api/time_tracking_endpoints.rb b/lib/api/time_tracking_endpoints.rb
index 93fe06bec27..da234fb5277 100644
--- a/lib/api/time_tracking_endpoints.rb
+++ b/lib/api/time_tracking_endpoints.rb
@@ -14,8 +14,8 @@ module API
 "#{issuable_name}_iid".to_sym
 end

- def update_issuable_key
- "update_#{issuable_name}".to_sym
+ def admin_issuable_key
+ "admin_#{issuable_name}".to_sym
 end

 def read_issuable_key
@@ -60,7 +60,7 @@ module API
 requires :duration, type: String, desc: 'The duration to be parsed'
 end
 post ":id/#{issuable_collection_name}/:#{issuable_key}/time_estimate" do
- authorize! update_issuable_key, load_issuable
+ authorize! admin_issuable_key, load_issuable

 status :ok
 update_issuable(time_estimate: Gitlab::TimeTrackingFormatter.parse(params.delete(:duration)))
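Review bot: The new `before` block in lib/api/import_github.rb carries no comment explaining why it exists, and because it is declared ahead of the `helpers` block it runs before any route-level authentication, so an unauthenticated caller receives a 403 here rather than a 401 (assuming no earlier `before` in this class authenticates; none is visible in the hunk). The `&.include?` form is the right direction for an access check since a nil `import_sources` falls through to `forbidden!`, but that fail-closed intent should be written down above the `forbidden!` line: `# Fail closed: refuse every GitHub import endpoint unless the 'github' import source is enabled for the instance; a nil setting counts as disabled.` The enclosing `ImportGithub` class continues past the hunk.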
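Review bot: Renaming `update_issuable_key` to `admin_issuable_key` in lib/api/time_tracking_endpoints.rb removes the old helper outright, so any caller outside this module that still references `update_issuable_key` would now raise NoMethodError; the hunk cannot show whether such callers exist, so that is worth confirming with a repository-wide search before merge. The four `authorize!` call sites in the hunks at -60, -71, -83 and -96 are all switched to the new key, which is consistent. The new helper should state the policy it encodes so the tightening is not undone later by someone who only sees the name, e.g. `# Time-tracking mutations are gated on the admin_<issuable> ability, not the weaker update_<issuable> one.` The enclosing helper module starts and ends outside the hunk.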
@@ -71,7 +71,7 @@ module API
 requires issuable_key, type: Integer, desc: "The ID of a project #{issuable_name}"
 end
 post ":id/#{issuable_collection_name}/:#{issuable_key}/reset_time_estimate" do
- authorize! update_issuable_key, load_issuable
+ authorize! admin_issuable_key, load_issuable

 status :ok
 update_issuable(time_estimate: 0)
@@ -83,7 +83,7 @@ module API
 requires :duration, type: String, desc: 'The duration to be parsed'
 end
 post ":id/#{issuable_collection_name}/:#{issuable_key}/add_spent_time" do
- authorize! update_issuable_key, load_issuable
+ authorize! admin_issuable_key, load_issuable

 update_issuable(spend_time: {
 duration: Gitlab::TimeTrackingFormatter.parse(params.delete(:duration)),
@@ -96,7 +96,7 @@ module API
 requires issuable_key, type: Integer, desc: "The ID of a project #{issuable_name}"
 end
 post ":id/#{issuable_collection_name}/:#{issuable_key}/reset_spent_time" do
- authorize! update_issuable_key, load_issuable
+ authorize! admin_issuable_key, load_issuable

 status :ok
 update_issuable(spend_time: { duration: :reset, user_id: current_user.id })
diff --git a/lib/banzai/filter/abstract_reference_filter.rb b/lib/banzai/filter/abstract_reference_filter.rb
index 5962403d488..f142333d797 100644
--- a/lib/banzai/filter/abstract_reference_filter.rb
+++ b/lib/banzai/filter/abstract_reference_filter.rb
@@ -253,7 +253,7 @@ module Banzai
 object_parent_type = parent.is_a?(Group) ? :group : :project

 {
- original: escape_html_entities(text),
+ original: escape_html_entities(text),
 link: link_content,
 link_reference: link_reference,
 object_parent_type => parent.id,
diff --git a/lib/banzai/filter/base_relative_link_filter.rb b/lib/banzai/filter/base_relative_link_filter.rb
index eca105ce9d9..fd526df4c48 100644
--- a/lib/banzai/filter/base_relative_link_filter.rb
+++ b/lib/banzai/filter/base_relative_link_filter.rb
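Review bot: In lib/banzai/filter/abstract_reference_filter.rb the `original: escape_html_entities(text)` line is added without a comment, and the helper's definition is not in the hunk, so a reader cannot tell whether it is filter-local or inherited; a why-comment on that line would anchor the fix: `# text is user-controlled reference markup; escape it so it cannot be re-interpreted as HTML downstream`. The sibling `link: link_content` value in the same hash stays unescaped; if `link_content` is also derived from the matched text (not visible here) it may need the same treatment, or a note on why it is already safe. The bump of `CACHE_COMMONMARK_VERSION` in lib/gitlab/markdown_cache.rb in this same patch is what pushes previously cached renderings through the new escaping, which is the right pairing and worth mentioning in the commit message. The enclosing method starts and ends outside the hunk.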
@@ -38,7 +38,7 @@ module Banzai
 private

 def unescape_and_scrub_uri(uri)
- Addressable::URI.unescape(uri).scrub
+ Addressable::URI.unescape(uri).scrub.delete("\0")
 end
 end
 end
diff --git a/lib/gitlab/markdown_cache.rb b/lib/gitlab/markdown_cache.rb
index 489fc6fddac..21797bf988d 100644
--- a/lib/gitlab/markdown_cache.rb
+++ b/lib/gitlab/markdown_cache.rb
@@ -3,7 +3,7 @@
 module Gitlab
 module MarkdownCache
 # Increment this number every time the renderer changes its output
- CACHE_COMMONMARK_VERSION = 21
+ CACHE_COMMONMARK_VERSION = 23
 CACHE_COMMONMARK_VERSION_START = 10

 BaseError = Class.new(StandardError)
-- 
cgit v1.2.3
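Review bot: The added `.delete("\0")` in `unescape_and_scrub_uri` silently rewrites the URI rather than rejecting it, so a link whose escaped path decodes to contain a NUL is rendered with the byte removed instead of being treated as invalid; if the goal is to keep embedded terminators away from downstream path handling, consider whether such a URI should instead be made unresolvable (the caller's handling of nil is not visible here). Either way the line needs a why-comment, because `scrub` alone only repairs invalid UTF-8 and leaves NUL, a valid code point, untouched: `# %00 unescapes to a NUL byte that scrub keeps; strip it so consumers of the URI never see an embedded terminator`. Only NUL is removed and other control characters pass through, which is worth stating explicitly if that is deliberate. The class header is outside the hunk; its closing `end`s are the last three lines shown.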