authorNaman Jagdish Gala <ngala@gitlab.com>2022-12-28 21:20:26 +0300
committerNaman Jagdish Gala <ngala@gitlab.com>2022-12-28 21:20:26 +0300
commit31f65f5f6dec198d2aeb083d1013cff266437122 (patch)
tree2966919b9457491c4b262013430e9efc5152bcba
parent973d93daeaa0e31f0cec2e09db8838cf38c67dc5 (diff)
parent97b2c4be41e426af4e43d10df23147347252e075 (diff)
Merge branch 'master' into 'security-arbitrary-protocol-redirection'
# Conflicts: # internal/auth/auth_test.go
-rw-r--r--.gitlab/issue_templates/release.md45
-rw-r--r--.gitlab/merge_request_templates/Security Release.md5
-rw-r--r--.ruby-version1
-rw-r--r--.tool-versions3
-rw-r--r--CHANGELOG.md34
-rw-r--r--PROCESS.md55
-rw-r--r--VERSION2
-rw-r--r--doc/dependency_decisions.yml126
-rw-r--r--docs/README.md3
-rw-r--r--internal/auth/auth.go13
-rw-r--r--internal/auth/auth_test.go21
11 files changed, 101 insertions, 207 deletions
diff --git a/.gitlab/issue_templates/release.md b/.gitlab/issue_templates/release.md
deleted file mode 100644
index 7b985184..00000000
--- a/.gitlab/issue_templates/release.md
+++ /dev/null
@@ -1,45 +0,0 @@
-- [ ] Set the milestone on this issue
-- Decide on the version number by reference to
- the [Versioning](https://gitlab.com/gitlab-org/gitlab-pages/blob/master/PROCESS.md#versioning)
- * Typically if you want to release code from current `master` branch you will update `MINOR` version, e.g. `1.12.0` -> `1.13.0`. In that case you **don't** need to create stable branch
- * If you want to backport some bug fix or security fix you will need to create a stable branch `X-Y-stable` on the [security project](https://gitlab.com/gitlab-org/security/gitlab-pages). You will need maintainer access to create the stable branch.
-- [ ] Create an MR for [gitlab-pages project](https://gitlab.com/gitlab-org/gitlab-pages).
- You can use [this MR](https://gitlab.com/gitlab-org/gitlab-pages/-/merge_requests/711) as an example.
- - [ ] Update `VERSION`, and push your branch
- - [ ] Update `CHANGELOG` by running `GITLAB_PRIVATE_TOKEN= make changelog`, note that you need to create a personal access token
- - [ ] Assign to reviewer
-- [ ] Once `gitlab-pages` is merged create a signed+annotated tag pointing to the **merge commit** on the **stable branch**
- In case of `master` branch:
- ```shell
- git fetch origin master
- git fetch dev master
- git tag -a -s -m "Release v1.0.0" v1.0.0 origin/master
- ```
- In case of `stable` branch:
- ```shell
- git fetch origin 1-0-stable
- git fetch dev 1-0-stable
- git tag -a -s -m "Release v1.0.0" v1.0.0 origin/1-0-stable
- ```
-- [ ] Verify that you created tag properly:
- ```shell
- git show v1.0.0
- ```
- it should include something like:
- * ```(tag: v1.0.0, origin/master, dev/master, master)``` for `master`
- * ```(tag: v1.0.1, origin/1-0-stable, dev/1-0-stable, 1-0-stable)``` for `stable` branch
-- [ ] Push this tag to origin(**Skip this for security release!**)
- ```shell
- git push origin v1.0.0
- ```
-- [ ] Wait for tag to be mirrored to `dev` or push it:
- ```shell
- git push dev v1.0.0
- ```
-- [ ] Create an MR for [gitlab project](https://gitlab.com/gitlab-org/gitlab).
- You can use [this MR](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/82901) as an example.
- - [ ] Update `GITLAB_PAGES_VERSION`
- - [ ] Added `Changelog: added` footer to your commit
- - [ ] Assign to a reviewer
-
-/label ~backend ~"Category:Pages" ~"section::dev" ~"devops::create" ~"group::editor" ~"type::maintenance"
diff --git a/.gitlab/merge_request_templates/Security Release.md b/.gitlab/merge_request_templates/Security Release.md
index 2f7b41d7..7f115f16 100644
--- a/.gitlab/merge_request_templates/Security Release.md
+++ b/.gitlab/merge_request_templates/Security Release.md
@@ -26,9 +26,8 @@ When submitting a merge request for gitlab-pages, CE and EE merge requests for u
## Reviewer checklist
-- [ ] Correct milestone is applied and the title is matching across all backports
-- [ ] Merge this merge request
-- [ ] Create corresponding tag and push it to https://gitlab.com/gitlab-org/security/gitlab-pages
+- [ ] Correct milestone is applied and the title is matching across all backports.
+- [ ] Approve the MR. Do not merge it, release managers will assist with merging at the time of release.
[CHANGELOG entry]: https://docs.gitlab.com/ee/development/changelog.html#overview
diff --git a/.ruby-version b/.ruby-version
new file mode 100644
index 00000000..eca690e7
--- /dev/null
+++ b/.ruby-version
@@ -0,0 +1 @@
+3.0.5
diff --git a/.tool-versions b/.tool-versions
index ce61bc0e..7c1b88d1 100644
--- a/.tool-versions
+++ b/.tool-versions
@@ -1,2 +1,3 @@
golang 1.18.7
-ruby 3.0.4
+golangci-lint 1.46.2
+ruby 3.0.5
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6ded69c4..10508e71 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,37 @@
+## 15.7.0 (2022-12-21)
+
+No changes. Same content of 1.64.0.
+
+## 15.6.3 (2022-12-21)
+
+No changes.
+
+## 15.6.2 (2022-12-15)
+
+No changes. Same content of 1.63.0.
+
+## 15.5.6 (2022-12-15)
+
+No changes. Same content of 1.62.0.
+
+## 15.4.6 (2022-12-15)
+
+No changes. Same content of 1.62.0.
+
+## 1.64.0 (2022-12-01)
+
+No changes.
+
+## 1.63.0 (2022-11-10)
+
+### Security (1 change)
+
+- [Fix CVE-2022-32149 in golang.org/x/text](gitlab-org/gitlab-pages@7e01bfda3f59a5bcb78af4f4d3001dfa7fe1078a) ([merge request](gitlab-org/gitlab-pages!832))
+
+### Other (1 change)
+
+- [Add note about docs](gitlab-org/gitlab-pages@b6b2bf5a25558a1c9173b2ca55063528bc6c6c7f) ([merge request](gitlab-org/gitlab-pages!835))
+
## 1.62.0 (2022-07-28)
### Fixed (2 changes)
diff --git a/PROCESS.md b/PROCESS.md
index 37708dd8..f32731c6 100644
--- a/PROCESS.md
+++ b/PROCESS.md
@@ -16,41 +16,42 @@ rewritten. Tags should never be deleted.
## Releasing
-Pages is tightly coupled to GitLab itself. To align with GitLab's
-[development month](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/PROCESS.md),
-new versions of GitLab Pages are released before the 7th of each month (assuming
-any changes have been made).
-To do so create [release issue](https://gitlab.com/gitlab-org/gitlab-pages/issues/new?issuable_template=release) and follow the instructions.
+[GitLab Pages] releases are tagged automatically by [Release Tools] when a Release Manager
+tags a GitLab version.
+
+The version of GitLab Pages used will depend on the `GITLAB_PAGES_VERSION` file in
+the [`gitlab-org/gitlab`](https://gitlab.com/gitlab-org/gitlab) repository. This file
+is managed manually, so when changes to GitLab Pages are ready to be released with GitLab, the
+target commit SHA from the GitLab Pages default branch should be committed to the
+`GITLAB_PAGES_VERSION` file on the `gitlab-org/gitlab` default branch. When GitLab.com
+is deployed, the new version of GitLab Pages will be used. When GitLab is tagged for a monthly release,
+the version of GitLab Pages from the selected deployment of GitLab will be used for tagging
+GitLab Pages.
## Stable releases
-Typically, release tags point to a specific commit on the **master** branch. As
-the Pages repository experiences a low rate of change, this allows most releases
-to happen in conformance with semver, without the overhead of multiple
-[stable branches](https://docs.gitlab.com/ee/workflow/gitlab_flow.html).
+Each month, when GitLab is released, a new stable branch will be created in alignment
+with the version of GitLab being released. For example, release of version 15.2.0
+will result in a branch named `15-2-stable` being created on [GitLab Pages].
-A bug fix may required in a particular version after the **master** branch has
-moved on. This may happen between the 7th and 22nd of a release month, relating
-to the **previous** release, or at any time for a security fix.
+To backport a change:
-GitLab may backport security fixes for up to three releases, which may
-correspond to three separate minor versions of GitLab Pages - and so three new
-versions to release. See [Security releases](#Security releases) for the details.
-
-In either case, the fix should first be developed against the master branch.
-Once ready, the fix should be merged to master, where it will be
-included in the next major or minor release as usual.
-
-The fix may be cherry-picked into each relevant stable branch, and a new patch
-release made in the same way as defined above.
-
-When updating `GITLAB_PAGES_VERSION` in the [GitLab](https://gitlab.com/gitlab-org/gitlab)
-repository, you should target the relevant `X-Y-stable` branches there. In
-general, these branches should only ever have the patch version of GitLab pages
-incremented.
+1. Develop an MR to fix the bug against the master branch.
+1. Once ready, the MR should be merged to master, where it will be included in the next major or minor release as usual.
+1. Create a merge request for `gitlab-org/gitlab` that updates `GITLAB_PAGES_VERSION` with the
+merge commit SHA from the GitLab Pages default branch to deploy the changes.
+1. To create a backport MR for a given stable version:
+ 1. Create a new branch off of the stable branch for the targeted version.
+ 1. Cherry-pick the commit onto the new branch.
+ 1. Open an MR targeting the relevant stable branch.
+ 1. Have the MR reviewed and merged. Note: security backports should not be merged, see [security releases](#Security releases) for more details.
+1. When release managers tag a patch or security release, the stable branch will be tagged automatically.
## Security releases
+This process is currently [under discussion](https://gitlab.com/gitlab-com/gl-infra/delivery/-/issues/2746). Please consult with release managers
+about any process changes in the interim.
+
Pages security releases are built on top of the [GitLab Security Release process]. Engineers follow
the same steps stated on the [Security Developer] guidelines with some adjustments:
diff --git a/VERSION b/VERSION
index 76d05362..94057304 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.62.0
+1.64.0
diff --git a/doc/dependency_decisions.yml b/doc/dependency_decisions.yml
deleted file mode 100644
index 69231c06..00000000
--- a/doc/dependency_decisions.yml
+++ /dev/null
@@ -1,126 +0,0 @@
----
-- - :license
- - github.com/beorn7/perks/quantile
- - MIT
- - :who:
- :why:
- :versions: []
- :when: 2019-04-03 13:58:37.693164000 Z
-- - :license
- - github.com/matttproud/golang_protobuf_extensions/pbutil
- - Apache 2.0
- - :who:
- :why:
- :versions: []
- :when: 2019-04-03 15:08:10.359320000 Z
-- - :license
- - github.com/karrick/godirwalk
- - BSD-2-Clause
- - :who:
- :why:
- :versions: []
- :when: 2019-04-03 15:09:35.519709000 Z
-- - :license
- - github.com/pkg/errors
- - BSD-2-Clause
- - :who:
- :why:
- :versions: []
- :when: 2019-04-03 15:10:49.901903000 Z
-- - :license
- - github.com/prometheus/client_golang/prometheus
- - Apache-2.0
- - :who:
- :why:
- :versions: []
- :when: 2019-04-03 15:11:57.417366000 Z
-- - :license
- - github.com/prometheus/client_model/go
- - Apache-2.0
- - :who:
- :why:
- :versions: []
- :when: 2019-04-03 15:14:16.841551000 Z
-- - :license
- - gitlab.com/gitlab-org/gitaly/auth
- - MIT
- - :who:
- :why:
- :versions: []
- :when: 2019-04-03 15:15:26.240245000 Z
-- - :license
- - gitlab.com/gitlab-org/gitlab-pages-proto/go
- - MIT
- - :who:
- :why:
- :versions: []
- :when: 2019-04-03 15:16:18.620931000 Z
-- - :license
- - google.golang.org/genproto/googleapis/rpc/status
- - Apache-2.0
- - :who:
- :why:
- :versions: []
- :when: 2019-04-03 15:19:19.394529000 Z
-- - :license
- - golang.org/x/crypto/ssh/terminal
- - BSD-3-clause
- - :who:
- :why:
- :versions: []
- :when: 2019-04-05 10:26:09.636346000 Z
-- - :ignore
- - github.com/certifi/gocertifi
- - :who:
- :why:
- :versions: []
- :when: 2019-07-10 17:01:35.894437233 Z
-- - :license
- - github.com/go-logfmt/logfmt
- - MIT
- - :who:
- :why:
- :versions: []
- :when: 2019-09-10 14:57:15.905705202 Z
-- - :license
- - github.com/pmezard/go-difflib
- - BSD-3-Clause
- - :who:
- :why:
- :versions: []
- :when: 2019-09-10 14:59:14.300178506 Z
-- - :license
- - github.com/gogo/protobuf
- - BSD-3-clause
- - :who: Ben Kochie
- :why: https://github.com/gogo/protobuf/blob/master/LICENSE
- :versions: []
- :when: 2019-09-11 12:57:17.184823077 Z
-- - :license
- - github.com/modern-go/concurrent
- - Apache-2.0
- - :who: Ben Kochie
- :why: https://github.com/modern-go/concurrent/blob/master/LICENSE
- :versions: []
- :when: 2019-09-11 12:58:04.927007992 Z
-- - :license
- - github.com/modern-go/reflect2
- - Apache-2.0
- - :who: Ben Kochie
- :why: https://github.com/modern-go/reflect2/blob/master/LICENSE
- :versions: []
- :when: 2019-09-11 12:58:33.840590099 Z
-- - :license
- - gopkg.in/check.v1
- - BSD-2-Clause
- - :who: Krasimir Angelov
- :why: https://github.com/go-check/check/blob/e54ca221ea41951970e0249fb5163642c915dbb2/LICENSE
- :versions: []
- :when: 2019-10-08 02:12:00.000000000 Z
-- - :license
- - github.com/kr/pretty
- - MIT
- - :who: Krasimir Angelov
- :why: https://github.com/kr/pretty/blob/088c856450c08c03eb32f7a6c221e6eefaa10e6f/License
- :versions: []
- :when: 2019-10-08 02:12:00.000000000 Z
diff --git a/docs/README.md b/docs/README.md
new file mode 100644
index 00000000..805fcc8b
--- /dev/null
+++ b/docs/README.md
@@ -0,0 +1,3 @@
+# GitLab Pages Documentation
+
+The GitLab Pages documentation has moved to the [GitLab development documentation](https://docs.gitlab.com/ee/development/pages/).
diff --git a/internal/auth/auth.go b/internal/auth/auth.go
index 4f085e38..8df98178 100644
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -416,9 +416,14 @@ func (a *Auth) checkTokenExists(session *hostSession, w http.ResponseWriter, r *
if session.Values["access_token"] == nil {
logRequest(r).Debug("No access token exists, redirecting user to OAuth2 login")
- // Generate state hash and store requested address
- state := base64.URLEncoding.EncodeToString(securecookie.GenerateRandomKey(16))
- session.Values["state"] = state
+ // When the user tries to authenticate and reload the page concurrently,
+ // gitlab pages might receive a authentication request with the state already set.
+ // In these cases, we should re-use the state instead of creating a new one.
+ if session.Values["state"] == nil {
+ //Generate state hash and store requested address
+ session.Values["state"] = base64.URLEncoding.EncodeToString(securecookie.GenerateRandomKey(16))
+ }
+
session.Values["uri"] = getRequestAddress(r)
// Clear possible proxying
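Review bot: The single-value assertion `session.Values["state"].(string)` in the next hunk (the `http.Redirect` line) panics the handler if the stored state is ever not a string, and the `== nil` guard added here still lets an empty-string state through to the OAuth redirect, which would make the state check on the callback side meaningless for that session. Reading the value once with the two-value form and regenerating when it is missing, not a string, or empty covers both cases and also removes the repeated map lookup in the redirect; whether a non-string can actually reach the store depends on the session backend, which is outside the hunk. The enclosing checkTokenExists starts before this hunk and ends in the following one.

```go
	if session.Values["access_token"] == nil {
		logRequest(r).Debug("No access token exists, redirecting user to OAuth2 login")

		// Reuse a state a concurrent request already stored, but only when it
		// is a usable string; otherwise generate a fresh one.
		state, ok := session.Values["state"].(string)
		if !ok || state == "" {
			state = base64.URLEncoding.EncodeToString(securecookie.GenerateRandomKey(16))
			session.Values["state"] = state
		}

		session.Values["uri"] = getRequestAddress(r)
		// … unchanged: proxy clearing and session save …
		http.Redirect(w, r, a.getProxyAddress(r, state), http.StatusFound)
```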
@@ -435,7 +440,7 @@ func (a *Auth) checkTokenExists(session *hostSession, w http.ResponseWriter, r *
// Because the pages domain might be in public suffix list, we have to
// redirect to pages domain to trigger authorization flow
- http.Redirect(w, r, a.getProxyAddress(r, state), http.StatusFound)
+ http.Redirect(w, r, a.getProxyAddress(r, session.Values["state"].(string)), http.StatusFound)
return true
}
diff --git a/internal/auth/auth_test.go b/internal/auth/auth_test.go
index c2b25635..9226f847 100644
--- a/internal/auth/auth_test.go
+++ b/internal/auth/auth_test.go
@@ -173,6 +173,27 @@ func TestTryAuthenticateWithDomainAndState(t *testing.T) {
require.Equal(t, "/public-gitlab.example.com/oauth/authorize?client_id=id&redirect_uri=http://pages.gitlab-example.com/auth&response_type=code&state=state&scope=scope", redirect.String())
}
+func TestCheckAuthenticationWhenStateIsAlreadySet(t *testing.T) {
+ auth := createTestAuth(t, "", "")
+
+ result := httptest.NewRecorder()
+
+ r, err := http.NewRequest("Get", "https://example.com/", nil)
+ require.NoError(t, err)
+
+ // pre-set an state
+ setSessionValues(t, r, auth, map[interface{}]interface{}{
+ "state": "given_state",
+ })
+
+ contentServed := auth.CheckAuthentication(result, r, &domainMock{projectID: 1000})
+ require.True(t, contentServed)
+
+ // check if the state was re-used instead of re-created
+ session, _ := auth.getSessionFromStore(r)
+ require.Equal(t, "given_state", session.Values["state"], "did not reuse the pre-set state")
+}
+
func TestTryAuthenticateWithNonHttpDomainAndState(t *testing.T) {
auth := createTestAuth(t, "", "")