From e0ab280b774e34fcfd6fd031616247714230ca68 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Wed, 29 Sep 2021 12:57:02 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@14-3-stable-ee

---
 lib/api/import_bitbucket_server.rb | 4 ++++
 lib/gitlab/auth.rb | 6 +++++-
 lib/gitlab/auth/two_factor_auth_verifier.rb | 4 ++++
 lib/gitlab/import_export/group/import_export.yml | 1 +
 lib/gitlab/import_export/project/import_export.yml | 2 +-
 lib/gitlab/legacy_github_import/client.rb | 6 ++++--
 6 files changed, 19 insertions(+), 4 deletions(-)
(limited to 'lib')

diff --git a/lib/api/import_bitbucket_server.rb b/lib/api/import_bitbucket_server.rb
index ecd78c6e6db..0f0d62dcbfb 100644
--- a/lib/api/import_bitbucket_server.rb
+++ b/lib/api/import_bitbucket_server.rb
@@ -4,6 +4,10 @@ module API
 class ImportBitbucketServer < ::API::Base
 feature_category :importers

+ before do
+ forbidden! unless Gitlab::CurrentSettings.import_sources&.include?('bitbucket_server')
+ end
+
 helpers do
 def client
 @client ||= BitbucketServer::Client.new(credentials)
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index 1afb2eda149..0970b92723b 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -172,7 +172,11 @@ module Gitlab
 user = find_with_user_password(login, password)
 return unless user

- raise Gitlab::Auth::MissingPersonalAccessTokenError if user.two_factor_enabled?
+ verifier = TwoFactorAuthVerifier.new(user)
+
+ if user.two_factor_enabled? || verifier.two_factor_authentication_enforced?
+ raise Gitlab::Auth::MissingPersonalAccessTokenError
+ end

 Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities)
 end
diff --git a/lib/gitlab/auth/two_factor_auth_verifier.rb b/lib/gitlab/auth/two_factor_auth_verifier.rb
index 86552ef1267..5a203a1fe9c 100644
--- a/lib/gitlab/auth/two_factor_auth_verifier.rb
+++ b/lib/gitlab/auth/two_factor_auth_verifier.rb
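Review bot: The new `before` block compares `import_sources` against the string `'bitbucket_server'`, and nothing in the hunk shows whether that setting holds strings or symbols; if it can hold symbols the guard fails closed for every caller, so a spec asserting both the 403 and the allowed path would pin the intended behaviour (the patch is limited to `lib`, so no spec is visible here). The fail-closed shape via `&.` is right: a nil `import_sources` yields `forbidden!` rather than an open endpoint. A short comment would help the next reader, e.g. `# Reject every route in this class unless the instance has enabled Bitbucket Server as an import source.` The `ImportBitbucketServer` class continues outside the hunk.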
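Review bot: `TwoFactorAuthVerifier` is referenced bare on the first added line while the error two lines below is spelled `Gitlab::Auth::MissingPersonalAccessTokenError`; lexical lookup inside `module Gitlab` resolves it, but the mixed qualification is a style inconsistency worth aligning, e.g. `verifier = Gitlab::Auth::TwoFactorAuthVerifier.new(user)`. The verifier is also built before `||` can short-circuit on `user.two_factor_enabled?`, so folding it into the condition, `if user.two_factor_enabled? || TwoFactorAuthVerifier.new(user).two_factor_authentication_enforced?`, avoids the object when it is not needed. A why-comment above the `if` would record the security intent for the next reader: `# Password auth is refused both when 2FA is set up and when the instance or a group mandates it past the grace period; such users must present a personal access token.` The enclosing method begins outside the hunk.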
@@ -9,6 +9,10 @@ module Gitlab
 @current_user = current_user
 end

+ def two_factor_authentication_enforced?
+ two_factor_authentication_required? && two_factor_grace_period_expired?
+ end
+
 def two_factor_authentication_required?
 Gitlab::CurrentSettings.require_two_factor_authentication? ||
 current_user&.require_two_factor_authentication_from_group?
diff --git a/lib/gitlab/import_export/group/import_export.yml b/lib/gitlab/import_export/group/import_export.yml
index 630f918a78b..f7ab1677001 100644
--- a/lib/gitlab/import_export/group/import_export.yml
+++ b/lib/gitlab/import_export/group/import_export.yml
@@ -37,6 +37,7 @@ excluded_attributes:
 - :trial_ends_on
 - :shared_runners_minute_limit
 - :extra_shared_runners_minutes_limit
+ - :repository_size_limit
 epics:
 - :state_id
diff --git a/lib/gitlab/import_export/project/import_export.yml b/lib/gitlab/import_export/project/import_export.yml
index fe0974d27a6..8046fedc4f3 100644
--- a/lib/gitlab/import_export/project/import_export.yml
+++ b/lib/gitlab/import_export/project/import_export.yml
@@ -88,7 +88,6 @@ tree:
 - :external_pull_request
 - :merge_request
 - :auto_devops
- - :triggers
 - :pipeline_schedules
 - :container_expiration_policy
 - protected_branches:
@@ -211,6 +210,7 @@ excluded_attributes:
 - :show_default_award_emojis
 - :services
 - :exported_protected_branches
+ - :repository_size_limit
 namespaces:
 - :runners_token
 - :runners_token_encrypted
diff --git a/lib/gitlab/legacy_github_import/client.rb b/lib/gitlab/legacy_github_import/client.rb
index 4482610523e..48a8e0ce6d7 100644
--- a/lib/gitlab/legacy_github_import/client.rb
+++ b/lib/gitlab/legacy_github_import/client.rb
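Review bot: `two_factor_authentication_enforced?` has no doc comment, and its meaning hinges on `two_factor_grace_period_expired?`, which is defined outside the hunk; a comment lets callers in `Gitlab::Auth` use it without reading both predicates, e.g. `# 2FA is mandated (instance-wide or by a group) and the grace period for setting it up has run out, so the user may no longer defer enrolment.` The "grace period for setting it up" reading is inferred from the predicate's name and should be confirmed against that method before the comment lands. Note that the `&.` in `two_factor_authentication_required?` means a `nil` `current_user` still reports the instance-wide setting; whether `two_factor_grace_period_expired?` tolerates `nil` the same way is not visible here and is worth a word in the comment.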
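Review bot: `:repository_size_limit` joins the excluded attributes with no comment saying why, both here and in the matching project hunk at `@@ -211,6 +210,7 @@`; an import archive is input the instance does not control, so the reason a field is stripped on import is exactly what the next maintainer must not have to guess. A YAML comment on the added line would keep the list self-explanatory, e.g. `# never read from the import file: this limit must not be settable by whoever produced the export` (wording to be confirmed against who is allowed to set the limit).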
@@ -8,9 +8,10 @@ module Gitlab
 attr_reader :access_token, :host, :api_version, :wait_for_rate_limit_reset

- def initialize(access_token, host: nil, api_version: 'v3', wait_for_rate_limit_reset: true)
+ def initialize(access_token, host: nil, api_version: 'v3', wait_for_rate_limit_reset: true, hostname: nil)
 @access_token = access_token
 @host = host.to_s.sub(%r{/+\z}, '')
+ @hostname = hostname
 @api_version = api_version
 @users = {}
 @wait_for_rate_limit_reset = wait_for_rate_limit_reset
@@ -28,7 +29,8 @@ module Gitlab
 # If there is no config, we're connecting to github.com and we
 # should verify ssl.
 connection_options: {
- ssl: { verify: config ? config['verify_ssl'] : true }
+ ssl: { verify: config ? config['verify_ssl'] : true },
+ headers: { host: @hostname }.compact
 }
 )
 end
--
cgit v1.2.3
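Review bot: The new `hostname:` keyword is stored raw (`@hostname = hostname`) while `host` on the line above is normalised with `to_s.sub(%r{/+\z}, '')`, and `:hostname` is not added to the `attr_reader` list, so the two values are treated asymmetrically for no stated reason. Document the parameter above `initialize`, e.g. `# @param hostname [String, nil] value sent in the HTTP Host header; pass it when `host` is an address that differs from the name the server expects`, and consider adding `:hostname` to the `attr_reader` line alongside `:host`. That `host` is now expected to be an address rather than a name is inferred from the Host-header use in the next hunk and should be confirmed with the caller. The `Client` class continues outside the hunk.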
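Review bot: Overriding the `Host` header via `headers: { host: @hostname }.compact` does not change what TLS verifies: with `verify: true` the certificate is still matched against the `host` the connection is opened to, and SNI is derived from that value too, so if `host` is an address rather than the name in the header, verification may fail, and a `verify_ssl: false` config would skip the name check entirely rather than fall back to `hostname`. Worth a comment on the added line, e.g. `# Sets the Host header only; TLS name verification still uses `host`, so keep verify_ssl enabled when hostname differs from host`, and a spec exercising an `https` `host` together with `hostname`. The `.compact` correctly drops the header when `hostname` is nil, so existing callers keep their headers unchanged. The call whose argument hash this hunk edits opens outside the hunk.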