Update upstream source from tag 'upstream/11.10.8+dfsg'

Update to upstream version '11.10.8+dfsg'
with Debian dir 890e9ebfea

.gitlab-ci.yml

@@ -1,4 +1,4 @@
-image: "dev.gitlab.org:5005/gitlab/gitlab-build-images:ruby-2.5.3-golang-1.11-git-2.18-chrome-71.0-node-10.x-yarn-1.12-postgresql-9.6-graphicsmagick-1.3.29"
+image: "dev.gitlab.org:5005/gitlab/gitlab-build-images:ruby-2.5.3-golang-1.11-git-2.18-chrome-73.0-node-10.x-yarn-1.12-postgresql-9.6-graphicsmagick-1.3.29"
 
 include:
   - local: /lib/gitlab/ci/templates/Code-Quality.gitlab-ci.yml
@@ -655,7 +655,7 @@ gitlab:setup-mysql:
 # Frontend-related jobs
 gitlab:assets:compile:
   <<: *dedicated-no-docs-pull-cache-job
-  image: dev.gitlab.org:5005/gitlab/gitlab-build-images:ruby-2.5.3-git-2.18-chrome-71.0-node-8.x-yarn-1.12-graphicsmagick-1.3.29-docker-18.06.1
+  image: dev.gitlab.org:5005/gitlab/gitlab-build-images:ruby-2.5.3-git-2.18-chrome-73.0-node-8.x-yarn-1.12-graphicsmagick-1.3.29-docker-18.06.1
   dependencies:
     - setup-test-env
   services:

CHANGELOG.md

@@ -2,6 +2,53 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 11.10.8 (2019-06-27)
+
+- No changes.
+### Security (10 changes)
+
+- Fix Denial of Service for comments when rendering issues/MR comments.
+- Gate MR head_pipeline behind read_pipeline ability.
+- Fix DoS vulnerability in color validation regex.
+- Expose merge requests count based on user access.
+- Persist tmp snippet uploads at users.
+- Add missing authorizations in GraphQL.
+- Disable Rails SQL query cache when applying service templates.
+- Prevent Billion Laughs attack.
+- Correctly check permissions when creating snippet notes.
+- Prevent the detection of merge request templates by unauthorized users.
+
+### Performance (1 change)
+
+- Add improvements to global search of issues and merge requests. !27817
+
+
+## 11.10.7 (2019-06-26)
+
+### Fixed (3 changes)
+
+- Remove a default git depth in Pipelines for merge requests. !28926
+- Fix label click scrolling to top. !29202
+- Fix scrolling to top on assignee change. !29500
+
+
+## 11.10.6 (2019-06-04)
+
+### Fixed (7 changes, 1 of them is from the community)
+
+- Allow a member to have an access level equal to parent group. !27913
+- Fix uploading of LFS tracked file through UI. !28052
+- Use 3-way merge for squashing commits. !28078
+- Use a path for the related merge requests endpoint. !28171
+- Fix project visibility level validation. !28305 (Peter Marko)
+- Fix Rugged get_tree_entries recursive flag not working. !28494
+- Use source ref in pipeline webhook. !28772
+
+### Other (1 change)
+
+- Fix input group height.
+
+
 ## 11.10.5 (2019-05-30)
 
 ### Security (12 changes, 1 of them is from the community)

GITALY_SERVER_VERSION

@@ -1 +1 @@
-1.34.1
+1.34.3

Gemfile

@@ -419,7 +419,7 @@ group :ed25519 do
 end
 
 # Gitaly GRPC client
-gem 'gitaly-proto', '~> 1.19.0', require: 'gitaly'
+gem 'gitaly-proto', '~> 1.22.1', require: 'gitaly'
 
 gem 'grpc', '~> 1.15.0'
 

Gemfile.lock

@@ -281,7 +281,7 @@ GEM
       gettext_i18n_rails (>= 0.7.1)
       po_to_json (>= 1.0.0)
       rails (>= 3.2.0)
-    gitaly-proto (1.19.0)
+    gitaly-proto (1.22.1)
       grpc (~> 1.0)
     github-markup (1.7.0)
     gitlab-default_value_for (3.1.1)
@@ -1020,7 +1020,7 @@ DEPENDENCIES
   gettext (~> 3.2.2)
   gettext_i18n_rails (~> 1.8.0)
   gettext_i18n_rails_js (~> 1.3)
-  gitaly-proto (~> 1.19.0)
+  gitaly-proto (~> 1.22.1)
   github-markup (~> 1.7.0)
   gitlab-default_value_for (~> 3.1.1)
   gitlab-markup (~> 1.7.0)

VERSION

@@ -1 +1 @@
-11.10.5
+11.10.8

app/assets/javascripts/diffs/workers/tree_worker.js

@@ -4,6 +4,11 @@ import { generateTreeList } from '../store/utils';
 // eslint-disable-next-line no-restricted-globals
 self.addEventListener('message', e => {
   const { data } = e;
+
+  if (data === undefined) {
+    return;
+  }
+
   const { treeEntries, tree } = generateTreeList(data);
 
   // eslint-disable-next-line no-restricted-globals

app/assets/javascripts/gl_dropdown.js

@@ -561,6 +561,11 @@ GitLabDropdown = (function() {
         !$target.data('isLink')
       ) {
         e.stopPropagation();
+
+        // This prevents automatic scrolling to the top
+        if ($target.closest('a').length) {
+          return false;
+        }
       }
 
       return true;

app/assets/stylesheets/framework/forms.scss

@@ -275,3 +275,7 @@ label {
   max-width: $input-lg-width;
   width: 100%;
 }
+
+.input-group-text {
+  max-height: $input-height;
+}

app/assets/stylesheets/framework/variables_overrides.scss

@@ -7,6 +7,7 @@ $secondary: $gray-light;
 $input-disabled-bg: $gray-light;
 $input-border-color: $gray-200;
 $input-color: $gl-text-color;
+$input-font-size: $gl-font-size;
 $font-family-sans-serif: $regular-font;
 $font-family-monospace: $monospace-font;
 $btn-line-height: 20px;

app/assets/stylesheets/pages/search.scss

@@ -75,6 +75,8 @@ input[type='checkbox']:hover {
   }
 
   .search-input-wrap {
+    width: 100%;
+
     .search-icon,
     .clear-icon {
       position: absolute;

app/controllers/concerns/issuable_collections.rb

@@ -41,7 +41,7 @@ module IssuableCollections
     return if pagination_disabled?
 
     @issuables          = @issuables.page(params[:page])
-    @issuable_meta_data = issuable_meta_data(@issuables, collection_type)
+    @issuable_meta_data = issuable_meta_data(@issuables, collection_type, current_user)
     @total_pages        = issuable_page_count
   end
   # rubocop:enable Gitlab/ModuleWithInstanceVariables

app/controllers/concerns/issuable_collections_action.rb

@@ -11,7 +11,7 @@ module IssuableCollectionsAction
               .non_archived
               .page(params[:page])
 
-    @issuable_meta_data = issuable_meta_data(@issues, collection_type)
+    @issuable_meta_data = issuable_meta_data(@issues, collection_type, current_user)
 
     respond_to do |format|
       format.html
@@ -22,7 +22,7 @@ module IssuableCollectionsAction
   def merge_requests
     @merge_requests = issuables_collection.page(params[:page])
 
-    @issuable_meta_data = issuable_meta_data(@merge_requests, collection_type)
+    @issuable_meta_data = issuable_meta_data(@merge_requests, collection_type, current_user)
   end
   # rubocop:enable Gitlab/ModuleWithInstanceVariables
 

app/controllers/concerns/notes_actions.rb

@@ -203,17 +203,17 @@ module NotesActions
 
       # These params are also sent by the client but we need to set these based on
       # target_type and target_id because we're checking permissions based on that
-      create_params[:noteable_type] = params[:target_type].classify
+      create_params[:noteable_type] = noteable.class.name
 
-      case params[:target_type]
+      case noteable
-      when 'commit'
+      when Commit
-        create_params[:commit_id] = params[:target_id]
+        create_params[:commit_id] = noteable.id
-      when 'merge_request'
+      when MergeRequest
-        create_params[:noteable_id] = params[:target_id]
+        create_params[:noteable_id] = noteable.id
         # Notes on MergeRequest can have an extra `commit_id` context
         create_params[:commit_id] = params.dig(:note, :commit_id)
       else
-        create_params[:noteable_id] = params[:target_id]
+        create_params[:noteable_id] = noteable.id
       end
     end
   end

app/controllers/projects/application_controller.rb

@@ -13,6 +13,11 @@ class Projects::ApplicationController < ApplicationController
 
   helper_method :repository, :can_collaborate_with_project?, :user_access
 
+  rescue_from Gitlab::Template::Finders::RepoTemplateFinder::FileNotFoundError do |exception|
+    log_exception(exception)
+    render_404
+  end
+
   private
 
   def project

app/controllers/projects/templates_controller.rb

@@ -1,7 +1,9 @@
 # frozen_string_literal: true
 
 class Projects::TemplatesController < Projects::ApplicationController
-  before_action :authenticate_user!, :get_template_class
+  before_action :authenticate_user!
+  before_action :authorize_can_read_issuable!
+  before_action :get_template_class
 
   def show
     template = @template_type.find(params[:key], project)
@@ -13,9 +15,20 @@ class Projects::TemplatesController < Projects::ApplicationController
 
   private
 
+  # User must have:
+  # - `read_merge_request` to see merge request templates, or
+  # - `read_issue` to see issue templates
+  #
+  # Note params[:template_type] has a route constraint to limit it to
+  # `merge_request` or `issue`
+  def authorize_can_read_issuable!
+    action = [:read_, params[:template_type]].join
+
+    authorize_action!(action)
+  end
+
   def get_template_class
     template_types = { issue: Gitlab::Template::IssueTemplate, merge_request: Gitlab::Template::MergeRequestTemplate }.with_indifferent_access
     @template_type = template_types[params[:template_type]]
-    render json: [], status: :not_found unless @template_type
   end
 end

app/controllers/projects_controller.rb

@@ -297,7 +297,7 @@ class ProjectsController < Projects::ApplicationController
       elsif @project.feature_available?(:issues, current_user)
         @issues = issuables_collection.page(params[:page])
         @collection_type = 'Issue'
-        @issuable_meta_data = issuable_meta_data(@issues, @collection_type)
+        @issuable_meta_data = issuable_meta_data(@issues, @collection_type, current_user)
       end
 
       render :show

app/controllers/snippets/notes_controller.rb

@@ -5,8 +5,8 @@ class Snippets::NotesController < ApplicationController
   include ToggleAwardEmoji
 
   skip_before_action :authenticate_user!, only: [:index]
-  before_action :snippet
+  before_action :authorize_read_snippet!, only: [:show, :index]
-  before_action :authorize_read_snippet!, only: [:show, :index, :create]
+  before_action :authorize_create_note!, only: [:create]
 
   private
 
@@ -33,4 +33,8 @@ class Snippets::NotesController < ApplicationController
   def authorize_read_snippet!
     return render_404 unless can?(current_user, :read_personal_snippet, snippet)
   end
+
+  def authorize_create_note!
+    access_denied! unless can?(current_user, :create_note, noteable)
+  end
 end

app/controllers/snippets_controller.rb

@@ -137,7 +137,7 @@ class SnippetsController < ApplicationController
 
   def move_temporary_files
     params[:files].each do |file|
-      FileMover.new(file, @snippet).execute
+      FileMover.new(file, from_model: current_user, to_model: @snippet).execute
     end
   end
 end

app/controllers/uploads_controller.rb

@@ -41,7 +41,11 @@ class UploadsController < ApplicationController
       when Note
         can?(current_user, :read_project, model.project)
       when User
-        true
+        # We validate the current user has enough (writing)
+        # access to itself when a secret is given.
+        # For instance, user avatars are readable by anyone,
+        # while temporary, user snippet uploads are not.
+        !secret? || can?(current_user, :update_user, model)
       when Appearance
         true
       else
@@ -56,8 +60,13 @@ class UploadsController < ApplicationController
   def authorize_create_access!
     return unless model
 
-    # for now we support only personal snippets comments
+    authorized =
-    authorized = can?(current_user, :comment_personal_snippet, model)
+      case model
+      when User
+        can?(current_user, :update_user, model)
+      else
+        can?(current_user, :comment_personal_snippet, model)
+      end
 
     render_unauthorized unless authorized
   end
@@ -74,6 +83,10 @@ class UploadsController < ApplicationController
     User === model || Appearance === model
   end
 
+  def secret?
+    params[:secret].present?
+  end
+
   def upload_model_class
     MODEL_CLASSES[params[:model]] || raise(UnknownUploadModelError)
   end

app/finders/issuable_finder.rb

@@ -29,6 +29,7 @@
 #     updated_after: datetime
 #     updated_before: datetime
 #     attempt_group_search_optimizations: boolean
+#     attempt_project_search_optimizations: boolean
 #
 class IssuableFinder
   prepend FinderWithCrossProjectAccess
@@ -184,7 +185,6 @@ class IssuableFinder
     @project = project
   end
 
-  # rubocop: disable CodeReuse/ActiveRecord
   def projects
     return @projects if defined?(@projects)
 
@@ -192,17 +192,25 @@ class IssuableFinder
 
     projects =
       if current_user && params[:authorized_only].presence && !current_user_related?
-        current_user.authorized_projects
+        current_user.authorized_projects(min_access_level)
       elsif group
-        finder_options = { include_subgroups: params[:include_subgroups], only_owned: true }
+        find_group_projects
-        GroupProjectsFinder.new(group: group, current_user: current_user, options: finder_options).execute # rubocop: disable CodeReuse/Finder
       else
-        ProjectsFinder.new(current_user: current_user).execute # rubocop: disable CodeReuse/Finder
+        Project.public_or_visible_to_user(current_user, min_access_level)
       end
 
-    @projects = projects.with_feature_available_for_user(klass, current_user).reorder(nil)
+    @projects = projects.with_feature_available_for_user(klass, current_user).reorder(nil) # rubocop: disable CodeReuse/ActiveRecord
+  end
+
+  def find_group_projects
+    return Project.none unless group
+
+    if params[:include_subgroups]
+      Project.where(namespace_id: group.self_and_descendants) # rubocop: disable CodeReuse/ActiveRecord
+    else
+      group.projects
+    end.public_or_visible_to_user(current_user, min_access_level)
   end
-  # rubocop: enable CodeReuse/ActiveRecord
 
   def search
     params[:search].presence
@@ -572,4 +580,8 @@ class IssuableFinder
     scope = params[:scope]
     scope == 'created_by_me' || scope == 'authored' || scope == 'assigned_to_me'
   end
+
+  def min_access_level
+    ProjectFeature.required_minimum_access_level(klass)
+  end
 end

app/finders/issues_finder.rb

@@ -48,9 +48,9 @@ class IssuesFinder < IssuableFinder
       OR (issues.confidential = TRUE
         AND (issues.author_id = :user_id
           OR EXISTS (SELECT TRUE FROM issue_assignees WHERE user_id = :user_id AND issue_id = issues.id)
-          OR issues.project_id IN(:project_ids)))',
+          OR EXISTS (:authorizations)))',
       user_id: current_user.id,
-      project_ids: current_user.authorized_projects(CONFIDENTIAL_ACCESS_LEVEL).select(:id))
+      authorizations: current_user.authorizations_for_projects(min_access_level: CONFIDENTIAL_ACCESS_LEVEL, related_project_column: "issues.project_id"))
   end
   # rubocop: enable CodeReuse/ActiveRecord
 

app/finders/projects_finder.rb

@@ -62,7 +62,7 @@ class ProjectsFinder < UnionFinder
     collection = by_personal(collection)
     collection = by_starred(collection)
     collection = by_trending(collection)
-    collection = by_visibilty_level(collection)
+    collection = by_visibility_level(collection)
     collection = by_tags(collection)
     collection = by_search(collection)
     collection = by_archived(collection)
@@ -71,12 +71,11 @@ class ProjectsFinder < UnionFinder
     collection
   end
 
-  # rubocop: disable CodeReuse/ActiveRecord
   def collection_with_user
     if owned_projects?
       current_user.owned_projects
     elsif min_access_level?
-      current_user.authorized_projects.where('project_authorizations.access_level >= ?', params[:min_access_level])
+      current_user.authorized_projects(params[:min_access_level])
     else
       if private_only?
         current_user.authorized_projects
@@ -85,7 +84,6 @@ class ProjectsFinder < UnionFinder
       end
     end
   end
-  # rubocop: enable CodeReuse/ActiveRecord
 
   # Builds a collection for an anonymous user.
   def collection_without_user
@@ -131,7 +129,7 @@ class ProjectsFinder < UnionFinder
   end
 
   # rubocop: disable CodeReuse/ActiveRecord
-  def by_visibilty_level(items)
+  def by_visibility_level(items)
     params[:visibility_level].present? ? items.where(visibility_level: params[:visibility_level]) : items
   end
   # rubocop: enable CodeReuse/ActiveRecord

app/graphql/types/label_type.rb

@@ -4,6 +4,8 @@ module Types
   class LabelType < BaseObject
     graphql_name 'Label'
 
+    authorize :read_label
+
     field :description, GraphQL::STRING_TYPE, null: true
     field :title, GraphQL::STRING_TYPE, null: false
     field :color, GraphQL::STRING_TYPE, null: false

app/graphql/types/metadata_type.rb

@@ -4,6 +4,8 @@ module Types
   class MetadataType < ::Types::BaseObject
     graphql_name 'Metadata'
 
+    authorize :read_instance_metadata
+
     field :version, GraphQL::STRING_TYPE, null: false
     field :revision, GraphQL::STRING_TYPE, null: false
   end

app/graphql/types/query_type.rb

@@ -12,10 +12,7 @@ module Types
     field :metadata, Types::MetadataType,
           null: true,
           resolver: Resolvers::MetadataResolver,
-          description: 'Metadata about GitLab' do |*args|
+          description: 'Metadata about GitLab'
-
-      authorize :read_instance_metadata
-    end
 
     field :echo, GraphQL::STRING_TYPE, null: false, function: Functions::Echo.new
   end

app/helpers/issuables_helper.rb

@@ -277,7 +277,7 @@ module IssuablesHelper
       initialTaskStatus: issuable.task_status
     }
 
-    data[:hasClosingMergeRequest] = issuable.merge_requests_count != 0 if issuable.is_a?(Issue)
+    data[:hasClosingMergeRequest] = issuable.merge_requests_count(current_user) != 0 if issuable.is_a?(Issue)
 
     if parent.is_a?(Group)
       data[:groupPath] = parent.path

app/helpers/snippets_helper.rb

@@ -1,6 +1,16 @@
 # frozen_string_literal: true
 
 module SnippetsHelper
+  def snippets_upload_path(snippet, user)
+    return unless user
+
+    if snippet&.persisted?
+      upload_path('personal_snippet', id: snippet.id)
+    else
+      upload_path('user', id: user.id)
+    end
+  end
+
   def reliable_snippet_path(snippet, opts = nil)
     if snippet.project_id?
       project_snippet_path(snippet.project, snippet, opts)

app/models/concerns/issuable.rb

@@ -29,7 +29,11 @@ module Issuable
   # This object is used to gather issuable meta data for displaying
   # upvotes, downvotes, notes and closing merge requests count for issues and merge requests
   # lists avoiding n+1 queries and improving performance.
-  IssuableMeta = Struct.new(:upvotes, :downvotes, :user_notes_count, :merge_requests_count)
+  IssuableMeta = Struct.new(:upvotes, :downvotes, :user_notes_count, :mrs_count) do
+    def merge_requests_count(user = nil)
+      mrs_count
+    end
+  end
 
   included do
     cache_markdown_field :title, pipeline: :single_line

app/models/issue.rb

@@ -270,8 +270,8 @@ class Issue < ApplicationRecord
   end
   # rubocop: enable CodeReuse/ServiceClass
 
-  def merge_requests_count
+  def merge_requests_count(user = nil)
-    merge_requests_closing_issues.count
+    ::MergeRequestsClosingIssues.count_for_issue(self.id, user)
   end
 
   private

app/models/member.rb

@@ -446,10 +446,10 @@ class Member < ApplicationRecord
   end
 
   def higher_access_level_than_group
-    if highest_group_member && highest_group_member.access_level >= access_level
+    if highest_group_member && highest_group_member.access_level > access_level
       error_parameters = { access: highest_group_member.human_access, group_name: highest_group_member.group.name }
 
-      errors.add(:access_level, s_("should be higher than %{access} inherited membership from group %{group_name}") % error_parameters)
+      errors.add(:access_level, s_("should be greater than or equal to %{access} inherited membership from group %{group_name}") % error_parameters)
     end
   end
 end

app/models/merge_requests_closing_issues.rb

@@ -7,11 +7,38 @@ class MergeRequestsClosingIssues < ApplicationRecord
   validates :merge_request_id, uniqueness: { scope: :issue_id }, presence: true
   validates :issue_id, presence: true
 
+  scope :with_issues, ->(ids) { where(issue_id: ids) }
+  scope :with_merge_requests_enabled, -> do
+    joins(:merge_request)
+      .joins('INNER JOIN project_features ON merge_requests.target_project_id = project_features.project_id')
+      .where('project_features.merge_requests_access_level >= :access', access: ProjectFeature::ENABLED)
+  end
+
+  scope :accessible_by, ->(user) do
+    joins(:merge_request)
+      .joins('INNER JOIN project_features ON merge_requests.target_project_id = project_features.project_id')
+      .where('project_features.merge_requests_access_level >= :access OR EXISTS(:authorizations)',
+             access: ProjectFeature::ENABLED,
+             authorizations: user.authorizations_for_projects(min_access_level: Gitlab::Access::REPORTER, related_project_column: "merge_requests.target_project_id")
+            )
+  end
+
   class << self
-    def count_for_collection(ids)
+    def count_for_collection(ids, current_user)
-      group(:issue_id)
+      closing_merge_requests(ids, current_user).group(:issue_id).pluck('issue_id', 'COUNT(*) as count')
-        .where(issue_id: ids)
+    end
-        .pluck('issue_id', 'COUNT(*) as count')
+
+    def count_for_issue(id, current_user)
+      closing_merge_requests(id, current_user).count
+    end
+
+    private
+
+    def closing_merge_requests(ids, current_user)
+      return with_issues(ids) if current_user&.admin?
+      return with_issues(ids).with_merge_requests_enabled if current_user.blank?
+
+      with_issues(ids).accessible_by(current_user)
     end
   end
 end

app/models/project.rb

@@ -461,10 +461,12 @@ class Project < ApplicationRecord
 
   # Returns a collection of projects that is either public or visible to the
   # logged in user.
-  def self.public_or_visible_to_user(user = nil)
+  def self.public_or_visible_to_user(user = nil, min_access_level = nil)
+    min_access_level = nil if user&.admin?
+
     if user
       where('EXISTS (?) OR projects.visibility_level IN (?)',
-            user.authorizations_for_projects,
+            user.authorizations_for_projects(min_access_level: min_access_level),
             Gitlab::VisibilityLevel.levels_for_user(user))
     else
       public_to_user
@@ -474,30 +476,32 @@ class Project < ApplicationRecord
   # project features may be "disabled", "internal", "enabled" or "public". If "internal",
   # they are only available to team members. This scope returns projects where
   # the feature is either public, enabled, or internal with permission for the user.
+  # Note: this scope doesn't enforce that the user has access to the projects, it just checks
+  # that the user has access to the feature. It's important to use this scope with others
+  # that checks project authorizations first.
   #
   # This method uses an optimised version of `with_feature_access_level` for
   # logged in users to more efficiently get private projects with the given
   # feature.
   def self.with_feature_available_for_user(feature, user)
     visible = [ProjectFeature::ENABLED, ProjectFeature::PUBLIC]
-    min_access_level = ProjectFeature.required_minimum_access_level(feature)
 
     if user&.admin?
       with_feature_enabled(feature)
     elsif user
+      min_access_level = ProjectFeature.required_minimum_access_level(feature)
       column = ProjectFeature.quoted_access_level_column(feature)
 
       with_project_feature
-        .where(
+      .where("#{column} IS NULL OR #{column} IN (:public_visible) OR (#{column} = :private_visible AND EXISTS (:authorizations))",
-          "(projects.visibility_level > :private AND (#{column} IS NULL OR #{column} >= (:public_visible) OR (#{column} = :private_visible AND EXISTS(:authorizations))))"\
-          " OR (projects.visibility_level = :private AND (#{column} IS NULL OR #{column} >= :private_visible) AND EXISTS(:authorizations))",
             {
-            private: Gitlab::VisibilityLevel::PRIVATE,
+              public_visible: visible,
-            public_visible: ProjectFeature::ENABLED,
               private_visible: ProjectFeature::PRIVATE,
               authorizations: user.authorizations_for_projects(min_access_level: min_access_level)
             })
     else
+      # This has to be added to include features whose value is nil in the db
+      visible << nil
       with_feature_access_level(feature, visible)
     end
   end

app/models/user.rb

@@ -761,11 +761,15 @@ class User < ApplicationRecord
 
   # Typically used in conjunction with projects table to get projects
   # a user has been given access to.
+  # The param `related_project_column` is the column to compare to the
+  # project_authorizations. By default is projects.id
   #
   # Example use:
   # `Project.where('EXISTS(?)', user.authorizations_for_projects)`
-  def authorizations_for_projects(min_access_level: nil)
+  def authorizations_for_projects(min_access_level: nil, related_project_column: 'projects.id')
-    authorizations = project_authorizations.select(1).where('project_authorizations.project_id = projects.id')
+    authorizations = project_authorizations
+                      .select(1)
+                      .where("project_authorizations.project_id = #{related_project_column}")
 
     return authorizations unless min_access_level.present?
 

app/policies/repository_policy.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class RepositoryPolicy < BasePolicy
+  delegate { @subject.project }
+end

app/presenters/ci/build_runner_presenter.rb

@@ -4,7 +4,6 @@ module Ci
   class BuildRunnerPresenter < SimpleDelegator
     include Gitlab::Utils::StrongMemoize
 
-    DEFAULT_GIT_DEPTH_MERGE_REQUEST = 10
     RUNNER_REMOTE_TAG_PREFIX = 'refs/tags/'.freeze
     RUNNER_REMOTE_BRANCH_PREFIX = 'refs/remotes/origin/'.freeze
 
@@ -28,7 +27,6 @@ module Ci
     def git_depth
       strong_memoize(:git_depth) do
         git_depth = variables&.find { |variable| variable[:key] == 'GIT_DEPTH' }&.dig(:value)
-        git_depth ||= DEFAULT_GIT_DEPTH_MERGE_REQUEST if merge_request_ref?
         git_depth.to_i
       end
     end
@@ -39,12 +37,13 @@ module Ci
       if git_depth > 0
         specs << refspec_for_branch(ref) if branch? || legacy_detached_merge_request_pipeline?
         specs << refspec_for_tag(ref) if tag?
-        specs << refspec_for_merge_request_ref if merge_request_ref?
       else
         specs << refspec_for_branch
         specs << refspec_for_tag
       end
 
+      specs << refspec_for_merge_request_ref if merge_request_ref?
+
       specs
     end
 

app/services/lfs/file_transformer.rb

@@ -24,7 +24,7 @@ module Lfs
 
     def new_file(file_path, file_content, encoding: nil)
       if project.lfs_enabled? && lfs_file?(file_path)
-        file_content = Base64.decode64(file_content) if encoding == 'base64'
+        file_content = parse_file_content(file_content, encoding: encoding)
         lfs_pointer_file = Gitlab::Git::LfsPointerFile.new(file_content)
         lfs_object = create_lfs_object!(lfs_pointer_file, file_content)
 
@@ -66,5 +66,12 @@ module Lfs
     def link_lfs_object!(lfs_object)
       project.lfs_objects << lfs_object
     end
+
+    def parse_file_content(file_content, encoding: nil)
+      return file_content.read if file_content.respond_to?(:read)
+      return Base64.decode64(file_content) if encoding == 'base64'
+
+      file_content
+    end
   end
 end

app/services/projects/after_import_service.rb

@@ -9,7 +9,7 @@ module Projects
     end
 
     def execute
-      Projects::HousekeepingService.new(@project, :gc).execute do
+      Projects::HousekeepingService.new(@project).execute do
         repository.delete_all_refs_except(RESERVED_REF_PREFIXES)
       end
     rescue Projects::HousekeepingService::LeaseTaken => e

app/services/projects/propagate_service_template.rb

@@ -24,7 +24,7 @@ module Projects
 
     def propagate_projects_with_template
       loop do
-        batch = project_ids_batch
+        batch = Project.uncached { project_ids_batch }
 
         bulk_create_from_template(batch) unless batch.empty?
 

app/uploaders/file_mover.rb

@@ -1,22 +1,29 @@
 # frozen_string_literal: true
 
 class FileMover
-  attr_reader :secret, :file_name, :model, :update_field
+  include Gitlab::Utils::StrongMemoize
 
-  def initialize(file_path, model, update_field = :description)
+  attr_reader :secret, :file_name, :from_model, :to_model, :update_field
+
+  def initialize(file_path, update_field = :description, from_model:, to_model:)
     @secret = File.split(File.dirname(file_path)).last
     @file_name = File.basename(file_path)
-    @model = model
+    @from_model = from_model
+    @to_model = to_model
     @update_field = update_field
   end
 
   def execute
+    temp_file_uploader.retrieve_from_store!(file_name)
+
     return unless valid?
 
+    uploader.retrieve_from_store!(file_name)
+
     move
 
     if update_markdown
-      uploader.record_upload
+      update_upload_model
       uploader.schedule_background_upload
     end
   end
@@ -24,52 +31,77 @@ class FileMover
   private
 
   def valid?
+    if temp_file_uploader.file_storage?
       Pathname.new(temp_file_path).realpath.to_path.start_with?(
         (Pathname(temp_file_uploader.root) + temp_file_uploader.base_dir).to_path
       )
+    else
+      temp_file_uploader.exists?
+    end
   end
 
   def move
+    if temp_file_uploader.file_storage?
       FileUtils.mkdir_p(File.dirname(file_path))
       FileUtils.move(temp_file_path, file_path)
+    else
+      uploader.copy_file(temp_file_uploader.file)
+      temp_file_uploader.upload.destroy!
+    end
   end
 
   def update_markdown
-    updated_text = model.read_attribute(update_field)
+    updated_text = to_model.read_attribute(update_field)
                            .gsub(temp_file_uploader.markdown_link, uploader.markdown_link)
-    model.update_attribute(update_field, updated_text)
+    to_model.update_attribute(update_field, updated_text)
   rescue
     revert
     false
   end
 
+  def update_upload_model
+    return unless upload = temp_file_uploader.upload
+    return if upload.destroyed?
+
+    upload.update!(model: to_model)
+  end
+
   def temp_file_path
-    return @temp_file_path if @temp_file_path
+    strong_memoize(:temp_file_path) do
-
+      temp_file_uploader.file.path
-    temp_file_uploader.retrieve_from_store!(file_name)
+    end
-
-    @temp_file_path = temp_file_uploader.file.path
   end
 
   def file_path
-    return @file_path if @file_path
+    strong_memoize(:file_path) do
-
+      uploader.file.path
-    uploader.retrieve_from_store!(file_name)
+    end
-
-    @file_path = uploader.file.path
   end
 
   def uploader
-    @uploader ||= PersonalFileUploader.new(model, secret: secret)
+    @uploader ||=
+      begin
+        uploader = PersonalFileUploader.new(to_model, secret: secret)
+
+        # Enforcing a REMOTE object storage given FileUploader#retrieve_from_store! won't do it
+        # (there's no upload at the target yet).
+        if uploader.class.object_store_enabled?
+          uploader.object_store = ::ObjectStorage::Store::REMOTE
+        end
+
+        uploader
+      end
   end
 
   def temp_file_uploader
-    @temp_file_uploader ||= PersonalFileUploader.new(nil, secret: secret)
+    @temp_file_uploader ||= PersonalFileUploader.new(from_model, secret: secret)
   end
 
   def revert
-    Rails.logger.warn("Markdown not updated, file move reverted for #{model}")
+    Rails.logger.warn("Markdown not updated, file move reverted for #{to_model}")
 
+    if temp_file_uploader.file_storage?
       FileUtils.move(file_path, temp_file_path)
     end
+  end
 end

app/validators/color_validator.rb

@@ -12,7 +12,7 @@
 #   end
 #
 class ColorValidator < ActiveModel::EachValidator
-  PATTERN = /\A\#[0-9A-Fa-f]{3}{1,2}+\Z/.freeze
+  PATTERN = /\A\#(?:[0-9A-Fa-f]{3}){1,2}\Z/.freeze
 
   def validate_each(record, attribute, value)
     unless value =~ PATTERN

app/views/layouts/snippets.html.haml

@@ -1,9 +1,10 @@
 - header_title _("Snippets"), snippets_path
+- snippets_upload_path = snippets_upload_path(@snippet, current_user)
 
 - content_for :page_specific_javascripts do
-  - if @snippet && current_user
+  - if snippets_upload_path
     -# haml-lint:disable InlineJavaScript
     :javascript
-      window.uploads_path = "#{upload_path('personal_snippet', id: @snippet.id)}";
+      window.uploads_path = "#{snippets_upload_path}";
 
 = render template: "layouts/application"

app/views/projects/issues/show.html.haml

@@ -77,7 +77,7 @@
 
       = edited_time_ago_with_tooltip(@issue, placement: 'bottom', html_class: 'issue-edited-ago js-issue-edited-ago')
 
-    #js-related-merge-requests{ data: { endpoint: expose_url(api_v4_projects_issues_related_merge_requests_path(id: @project.id, issue_iid: @issue.iid)), project_namespace: @project.namespace.path, project_path: @project.path } }
+    #js-related-merge-requests{ data: { endpoint: expose_path(api_v4_projects_issues_related_merge_requests_path(id: @project.id, issue_iid: @issue.iid)), project_namespace: @project.namespace.path, project_path: @project.path } }
 
     - if can?(current_user, :download_code, @project)
       #related-branches{ data: { url: related_branches_project_issue_path(@project, @issue) } }

app/views/shared/_issuable_meta_data.html.haml

@@ -2,7 +2,7 @@
 - issue_votes        = @issuable_meta_data[issuable.id]
 - upvotes, downvotes = issue_votes.upvotes, issue_votes.downvotes
 - issuable_url       = @collection_type == "Issue" ? issue_path(issuable, anchor: 'notes') : merge_request_path(issuable, anchor: 'notes')
-- issuable_mr        = @issuable_meta_data[issuable.id].merge_requests_count
+- issuable_mr        = @issuable_meta_data[issuable.id].merge_requests_count(current_user)
 
 - if issuable_mr > 0
   %li.issuable-mr.d-none.d-sm-block.has-tooltip{ title: _('Related merge requests') }

config/routes/project.rb

@@ -41,7 +41,10 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
       #
       # Templates
       #
-      get '/templates/:template_type/:key' => 'templates#show', as: :template, constraints: { key: %r{[^/]+} }
+      get '/templates/:template_type/:key' => 'templates#show',
+          as: :template,
+          defaults: { format: 'json' },
+          constraints: { key: %r{[^/]+}, template_type: /issue|merge_request/, format: 'json' }
 
       resource  :avatar, only: [:show, :destroy]
       resources :commit, only: [:show], constraints: { id: /\h{7,40}/ } do

config/routes/uploads.rb

@@ -7,7 +7,7 @@ scope path: :uploads do
   # show uploads for models, snippets (notes) available for now
   get '-/system/:model/:id/:secret/:filename',
     to: 'uploads#show',
-    constraints: { model: /personal_snippet/, id: /\d+/, filename: %r{[^/]+} }
+    constraints: { model: /personal_snippet|user/, id: /\d+/, filename: %r{[^/]+} }
 
   # show temporary uploads
   get '-/system/temp/:secret/:filename',
@@ -28,7 +28,7 @@ scope path: :uploads do
   # create uploads for models, snippets (notes) available for now
   post ':model',
     to: 'uploads#create',
-    constraints: { model: /personal_snippet/, id: /\d+/ },
+    constraints: { model: /personal_snippet|user/, id: /\d+/ },
     as: 'upload'
 end
 

lib/api/entities.rb

@@ -493,9 +493,9 @@ module API
       expose :state, :created_at, :updated_at
 
       # Avoids an N+1 query when metadata is included
-      def issuable_metadata(subject, options, method)
+      def issuable_metadata(subject, options, method, args = nil)
         cached_subject = options.dig(:issuable_metadata, subject.id)
-        (cached_subject || subject).public_send(method) # rubocop: disable GitlabSecurity/PublicSend
+        (cached_subject || subject).public_send(method, *args) # rubocop: disable GitlabSecurity/PublicSend
       end
     end
 
@@ -554,7 +554,7 @@ module API
       end
 
       expose(:user_notes_count)     { |issue, options| issuable_metadata(issue, options, :user_notes_count) }
-      expose(:merge_requests_count) { |issue, options| issuable_metadata(issue, options, :merge_requests_count) }
+      expose(:merge_requests_count) { |issue, options| issuable_metadata(issue, options, :merge_requests_count, options[:current_user]) }
       expose(:upvotes)              { |issue, options| issuable_metadata(issue, options, :upvotes) }
       expose(:downvotes)            { |issue, options| issuable_metadata(issue, options, :downvotes) }
       expose :due_date
@@ -731,7 +731,9 @@ module API
         merge_request.metrics&.pipeline
       end
 
-      expose :head_pipeline, using: 'API::Entities::Pipeline'
+      expose :head_pipeline, using: 'API::Entities::Pipeline', if: -> (_, options) do
+        Ability.allowed?(options[:current_user], :read_pipeline, options[:project])
+      end
 
       expose :diff_refs, using: Entities::DiffRefs
 

lib/api/helpers/related_resources_helpers.rb

@@ -13,6 +13,10 @@ module API
         available?(:merge_requests, project, options[:current_user])
       end
 
+      def expose_path(path)
+        Gitlab::Utils.append_path(Gitlab.config.gitlab.relative_url_root, path)
+      end
+
       def expose_url(path)
         url_options = Gitlab::Application.routes.default_url_options
         protocol, host, port, script_name = url_options.values_at(:protocol, :host, :port, :script_name)

lib/api/issues.rb

@@ -93,7 +93,7 @@ module API
         options = {
           with: Entities::IssueBasic,
           current_user: current_user,
-          issuable_metadata: issuable_meta_data(issues, 'Issue')
+          issuable_metadata: issuable_meta_data(issues, 'Issue', current_user)
         }
 
         present issues, options
@@ -120,7 +120,7 @@ module API
         options = {
           with: Entities::IssueBasic,
           current_user: current_user,
-          issuable_metadata: issuable_meta_data(issues, 'Issue')
+          issuable_metadata: issuable_meta_data(issues, 'Issue', current_user)
         }
 
         present issues, options
@@ -150,7 +150,7 @@ module API
           with: Entities::IssueBasic,
           current_user: current_user,
           project: user_project,
-          issuable_metadata: issuable_meta_data(issues, 'Issue')
+          issuable_metadata: issuable_meta_data(issues, 'Issue', current_user)
         }
 
         present issues, options

lib/api/merge_requests.rb

@@ -71,7 +71,7 @@ module API
         if params[:view] == 'simple'
           options[:with] = Entities::MergeRequestSimple
         else
-          options[:issuable_metadata] = issuable_meta_data(merge_requests, 'MergeRequest')
+          options[:issuable_metadata] = issuable_meta_data(merge_requests, 'MergeRequest', current_user)
         end
 
         options

lib/api/todos.rb

@@ -65,7 +65,7 @@ module API
             next unless collection
 
             targets = collection.map(&:target)
-            options[type] = { issuable_metadata: issuable_meta_data(targets, type) }
+            options[type] = { issuable_metadata: issuable_meta_data(targets, type, current_user) }
           end
         end
       end

lib/banzai/filter/relative_link_filter.rb

@@ -100,7 +100,7 @@ module Banzai
       end
 
       def relative_file_path(uri)
-        path = Addressable::URI.unescape(uri.path)
+        path = Addressable::URI.unescape(uri.path).delete("\0")
         request_path = Addressable::URI.unescape(context[:requested_path])
         nested_path = build_relative_path(path, request_path)
         file_exists?(nested_path) ? nested_path : path

lib/gitlab/ci/config.rb

@@ -15,6 +15,9 @@ module Gitlab
 
         @global = Entry::Global.new(@config)
         @global.compose!
+      rescue Gitlab::Config::Loader::Yaml::DataTooLargeError => e
+        Gitlab::Sentry.track_exception(e, extra: { user: user.inspect, project: project.inspect })
+        raise Config::ConfigError, e.message
       rescue Gitlab::Config::Loader::FormatError,
              Extendable::ExtensionError,
              External::Processor::IncludeError => e

lib/gitlab/config/loader/yaml.rb

@@ -4,6 +4,13 @@ module Gitlab
   module Config
     module Loader
       class Yaml
+        DataTooLargeError = Class.new(Loader::FormatError)
+
+        include Gitlab::Utils::StrongMemoize
+
+        MAX_YAML_SIZE = 1.megabyte
+        MAX_YAML_DEPTH = 100
+
         def initialize(config)
           @config = YAML.safe_load(config, [Symbol], [], true)
         rescue Psych::Exception => e
@@ -11,16 +18,35 @@ module Gitlab
         end
 
         def valid?
-          @config.is_a?(Hash)
+          hash? && !too_big?
         end
 
         def load!
-          unless valid?
+          raise DataTooLargeError, 'The parsed YAML is too big' if too_big?
-            raise Loader::FormatError, 'Invalid configuration format'
+          raise Loader::FormatError, 'Invalid configuration format' unless hash?
-          end
 
           @config.deep_symbolize_keys
         end
+
+        private
+
+        def hash?
+          @config.is_a?(Hash)
+        end
+
+        def too_big?
+          return false unless Feature.enabled?(:ci_yaml_limit_size, default_enabled: true)
+
+          !deep_size.valid?
+        end
+
+        def deep_size
+          strong_memoize(:deep_size) do
+            Gitlab::Utils::DeepSize.new(@config,
+              max_size: MAX_YAML_SIZE,
+              max_depth: MAX_YAML_DEPTH)
+          end
+        end
       end
     end
   end

lib/gitlab/data_builder/pipeline.rb

@@ -19,7 +19,7 @@ module Gitlab
       def hook_attrs(pipeline)
         {
           id: pipeline.id,
-          ref: pipeline.ref,
+          ref: pipeline.source_ref,
           tag: pipeline.tag,
           sha: pipeline.sha,
           before_sha: pipeline.before_sha,

lib/gitlab/database/migration_helpers.rb

@@ -905,6 +905,12 @@ module Gitlab
         end
       end
 
+      def remove_foreign_key_if_exists(*args)
+        if foreign_key_exists?(*args)
+          remove_foreign_key(*args)
+        end
+      end
+
       def remove_foreign_key_without_error(*args)
         remove_foreign_key(*args)
       rescue ArgumentError

lib/gitlab/git/repository.rb

@@ -303,6 +303,11 @@ module Gitlab
         (size.to_f / 1024).round(2)
       end
 
+      # Return git object directory size in bytes
+      def object_directory_size
+        gitaly_repository_client.get_object_directory_size.to_f * 1024
+      end
+
       # Build an array of commits.
       #
       # Usage.

lib/gitlab/git/rugged_impl/tree.rb

@@ -43,6 +43,8 @@ module Gitlab
                 ordered_entries.concat(tree_entries_from_rugged(repository, sha, entry.path, true))
               end
             end
+
+            ordered_entries
           end
 
           def rugged_populate_flat_path(repository, sha, path, entries)

lib/gitlab/gitaly_client/repository_service.rb

@@ -47,6 +47,13 @@ module Gitlab
         response.size
       end
 
+      def get_object_directory_size
+        request = Gitaly::GetObjectDirectorySizeRequest.new(repository: @gitaly_repo)
+        response = GitalyClient.call(@storage, :repository_service, :get_object_directory_size, request, timeout: GitalyClient.medium_timeout)
+
+        response.size
+      end
+
       def apply_gitattributes(revision)
         request = Gitaly::ApplyGitattributesRequest.new(repository: @gitaly_repo, revision: encode_binary(revision))
         GitalyClient.call(@storage, :repository_service, :apply_gitattributes, request, timeout: GitalyClient.fast_timeout)

lib/gitlab/graphql/authorize/authorize_field_service.rb

@@ -39,6 +39,8 @@ module Gitlab
             type = node_type_for_basic_connection(type)
           end
 
+          type = type.unwrap if type.kind.non_null?
+
           Array.wrap(type.metadata[:authorize])
         end
 

lib/gitlab/group_search_results.rb

@@ -2,6 +2,8 @@
 
 module Gitlab
   class GroupSearchResults < SearchResults
+    attr_reader :group
+
     def initialize(current_user, limit_projects, group, query, default_project_filter: false, per_page: 20)
       super(current_user, limit_projects, query, default_project_filter: default_project_filter, per_page: per_page)
 
@@ -26,5 +28,9 @@ module Gitlab
         .where(id: groups.select('members.user_id'))
     end
     # rubocop:enable CodeReuse/ActiveRecord
+
+    def issuable_params
+      super.merge(group_id: group.id)
+    end
   end
 end

lib/gitlab/issuable_metadata.rb

@@ -2,7 +2,7 @@
 
 module Gitlab
   module IssuableMetadata
-    def issuable_meta_data(issuable_collection, collection_type)
+    def issuable_meta_data(issuable_collection, collection_type, user = nil)
       # ActiveRecord uses Object#extend for null relations.
       if !(issuable_collection.singleton_class < ActiveRecord::NullRelation) &&
           issuable_collection.respond_to?(:limit_value) &&
@@ -23,7 +23,7 @@ module Gitlab
       issuable_votes_count = ::AwardEmoji.votes_for_collection(issuable_ids, collection_type)
       issuable_merge_requests_count =
         if collection_type == 'Issue'
-          ::MergeRequestsClosingIssues.count_for_collection(issuable_ids)
+          ::MergeRequestsClosingIssues.count_for_collection(issuable_ids, user)
         else
           []
         end

lib/gitlab/project_search_results.rb

@@ -151,5 +151,9 @@ module Gitlab
     def repository_wiki_ref
       @repository_wiki_ref ||= repository_ref || project.wiki.default_branch
     end
+
+    def issuable_params
+      super.merge(project_id: project.id)
+    end
   end
 end

lib/gitlab/search_results.rb

@@ -2,6 +2,8 @@
 
 module Gitlab
   class SearchResults
+    COUNT_LIMIT = 1001
+
     attr_reader :current_user, :query, :per_page
 
     # Limit search results by passed projects
@@ -25,29 +27,26 @@ module Gitlab
     def objects(scope, page = nil, without_count = true)
       collection = case scope
                    when 'projects'
-                     projects.page(page).per(per_page)
+                     projects
                    when 'issues'
-                     issues.page(page).per(per_page)
+                     issues
                    when 'merge_requests'
-                     merge_requests.page(page).per(per_page)
+                     merge_requests
                    when 'milestones'
-                     milestones.page(page).per(per_page)
+                     milestones
                    when 'users'
-                     users.page(page).per(per_page)
+                     users
                    else
-                     Kaminari.paginate_array([]).page(page).per(per_page)
+                     Kaminari.paginate_array([])
-                   end
+                   end.page(page).per(per_page)
 
       without_count ? collection.without_count : collection
     end
 
-    # rubocop: disable CodeReuse/ActiveRecord
     def limited_projects_count
-      @limited_projects_count ||= projects.limit(count_limit).count
+      @limited_projects_count ||= limited_count(projects)
     end
-    # rubocop: enable CodeReuse/ActiveRecord
 
-    # rubocop: disable CodeReuse/ActiveRecord
     def limited_issues_count
       return @limited_issues_count if @limited_issues_count
 
@@ -56,35 +55,28 @@ module Gitlab
       # and confidential issues user has access to, is too complex.
       # It's faster to try to fetch all public issues first, then only
       # if necessary try to fetch all issues.
-      sum = issues(public_only: true).limit(count_limit).count
+      sum = limited_count(issues(public_only: true))
-      @limited_issues_count = sum < count_limit ? issues.limit(count_limit).count : sum
+      @limited_issues_count = sum < count_limit ? limited_count(issues) : sum
     end
-    # rubocop: enable CodeReuse/ActiveRecord
 
-    # rubocop: disable CodeReuse/ActiveRecord
     def limited_merge_requests_count
-      @limited_merge_requests_count ||= merge_requests.limit(count_limit).count
+      @limited_merge_requests_count ||= limited_count(merge_requests)
     end
-    # rubocop: enable CodeReuse/ActiveRecord
 
-    # rubocop: disable CodeReuse/ActiveRecord
     def limited_milestones_count
-      @limited_milestones_count ||= milestones.limit(count_limit).count
+      @limited_milestones_count ||= limited_count(milestones)
     end
-    # rubocop: enable CodeReuse/ActiveRecord
 
-    # rubocop:disable CodeReuse/ActiveRecord
     def limited_users_count
-      @limited_users_count ||= users.limit(count_limit).count
+      @limited_users_count ||= limited_count(users)
     end
-    # rubocop:enable CodeReuse/ActiveRecord
 
     def single_commit_result?
       false
     end
 
     def count_limit
-      1001
+      COUNT_LIMIT
     end
 
     def users
@@ -99,24 +91,16 @@ module Gitlab
       limit_projects.search(query)
     end
 
-    # rubocop: disable CodeReuse/ActiveRecord
     def issues(finder_params = {})
-      issues = IssuesFinder.new(current_user, finder_params).execute
+      issues = IssuesFinder.new(current_user, issuable_params.merge(finder_params)).execute
+
       unless default_project_filter
-        issues = issues.where(project_id: project_ids_relation)
+        issues = issues.where(project_id: project_ids_relation) # rubocop: disable CodeReuse/ActiveRecord
       end
 
-      issues =
+      issues
-        if query =~ /#(\d+)\z/
-          issues.where(iid: $1)
-        else
-          issues.full_search(query)
     end
 
-      issues.reorder('updated_at DESC')
-    end
-    # rubocop: enable CodeReuse/ActiveRecord
-
     # rubocop: disable CodeReuse/ActiveRecord
     def milestones
       milestones = Milestone.search(query)
@@ -127,24 +111,16 @@ module Gitlab
     end
     # rubocop: enable CodeReuse/ActiveRecord
 
-    # rubocop: disable CodeReuse/ActiveRecord
     def merge_requests
-      merge_requests = MergeRequestsFinder.new(current_user).execute
+      merge_requests = MergeRequestsFinder.new(current_user, issuable_params).execute
+
       unless default_project_filter
         merge_requests = merge_requests.in_projects(project_ids_relation)
       end
 
-      merge_requests =
+      merge_requests
-        if query =~ /[#!](\d+)\z/
-          merge_requests.where(iid: $1)
-        else
-          merge_requests.full_search(query)
     end
 
-      merge_requests.reorder('updated_at DESC')
-    end
-    # rubocop: enable CodeReuse/ActiveRecord
-
     def default_scope
       'projects'
     end
@@ -174,5 +150,23 @@ module Gitlab
       limit_projects.select(:id).reorder(nil)
     end
     # rubocop: enable CodeReuse/ActiveRecord
+
+    def issuable_params
+      {}.tap do |params|
+        params[:sort] = 'updated_desc'
+
+        if query =~ /#(\d+)\z/
+          params[:iids] = $1
+        else
+          params[:search] = query
+        end
+      end
+    end
+
+    # rubocop: disable CodeReuse/ActiveRecord
+    def limited_count(relation)
+      relation.reorder(nil).limit(count_limit).size
+    end
+    # rubocop: enable CodeReuse/ActiveRecord
   end
 end

lib/gitlab/utils/deep_size.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+require 'objspace'
+
+module Gitlab
+  module Utils
+    class DeepSize
+      Error = Class.new(StandardError)
+      TooMuchDataError = Class.new(Error)
+
+      DEFAULT_MAX_SIZE = 1.megabyte
+      DEFAULT_MAX_DEPTH = 100
+
+      def initialize(root, max_size: DEFAULT_MAX_SIZE, max_depth: DEFAULT_MAX_DEPTH)
+        @root = root
+        @max_size = max_size
+        @max_depth = max_depth
+        @size = 0
+        @depth = 0
+
+        evaluate
+      end
+
+      def valid?
+        !too_big? && !too_deep?
+      end
+
+      private
+
+      def evaluate
+        add_object(@root)
+      rescue Error
+        # NOOP
+      end
+
+      def too_big?
+        @size > @max_size
+      end
+
+      def too_deep?
+        @depth > @max_depth
+      end
+
+      def add_object(object)
+        @size += ObjectSpace.memsize_of(object)
+        raise TooMuchDataError if @size > @max_size
+
+        add_array(object) if object.is_a?(Array)
+        add_hash(object) if object.is_a?(Hash)
+      end
+
+      def add_array(object)
+        with_nesting do
+          object.each do |n|
+            add_object(n)
+          end
+        end
+      end
+
+      def add_hash(object)
+        with_nesting do
+          object.each do |key, value|
+            add_object(key)
+            add_object(value)
+          end
+        end
+      end
+
+      def with_nesting
+        @depth += 1
+        raise TooMuchDataError if too_deep?
+
+        yield
+
+        @depth -= 1
+      end
+    end
+  end
+end

locale/gitlab.pot

@@ -10281,7 +10281,7 @@ msgstr[1] ""
 msgid "score"
 msgstr ""
 
-msgid "should be higher than %{access} inherited membership from group %{group_name}"
+msgid "should be greater than or equal to %{access} inherited membership from group %{group_name}"
 msgstr ""
 
 msgid "show less"

spec/controllers/projects/notes_controller_spec.rb

@@ -250,7 +250,7 @@ describe Projects::NotesController do
       before do
         service_params = ActionController::Parameters.new({
           note: 'some note',
-          noteable_id: merge_request.id.to_s,
+          noteable_id: merge_request.id,
           noteable_type: 'MergeRequest',
           commit_id: nil,
           merge_request_diff_head_sha: 'sha'

spec/controllers/projects/templates_controller_spec.rb

@@ -1,49 +1,101 @@
 require 'spec_helper'
 
 describe Projects::TemplatesController do
-  let(:project) { create(:project, :repository) }
+  let(:project) { create(:project, :repository, :private) }
   let(:user) { create(:user) }
-  let(:user2) { create(:user) }
+  let(:file_path_1) { '.gitlab/issue_templates/issue_template.md' }
-  let(:file_path_1) { '.gitlab/issue_templates/bug.md' }
+  let(:file_path_2) { '.gitlab/merge_request_templates/merge_request_template.md' }
   let(:body) { JSON.parse(response.body) }
+  let!(:file_1) { project.repository.create_file(user, file_path_1, 'issue content', message: 'message', branch_name: 'master') }
+  let!(:file_2) { project.repository.create_file(user, file_path_2, 'merge request content', message: 'message', branch_name: 'master') }
 
+  describe '#show' do
+    shared_examples 'renders issue templates as json' do
+      it do
+        get(:show, params: { namespace_id: project.namespace, template_type: 'issue', key: 'issue_template', project_id: project }, format: :json)
+
+        expect(response.status).to eq(200)
+        expect(body['name']).to eq('issue_template')
+        expect(body['content']).to eq('issue content')
+      end
+    end
+
+    shared_examples 'renders merge request templates as json' do
+      it do
+        get(:show, params: { namespace_id: project.namespace, template_type: 'merge_request', key: 'merge_request_template', project_id: project }, format: :json)
+
+        expect(response.status).to eq(200)
+        expect(body['name']).to eq('merge_request_template')
+        expect(body['content']).to eq('merge request content')
+      end
+    end
+
+    shared_examples 'renders 404 when requesting an issue template' do
+      it do
+        get(:show, params: { namespace_id: project.namespace, template_type: 'issue', key: 'issue_template', project_id: project }, format: :json)
+
+        expect(response.status).to eq(404)
+      end
+    end
+
+    shared_examples 'renders 404 when requesting a merge request template' do
+      it do
+        get(:show, params: { namespace_id: project.namespace, template_type: 'merge_request', key: 'merge_request_template', project_id: project }, format: :json)
+
+        expect(response.status).to eq(404)
+      end
+    end
+
+    shared_examples 'renders 404 when params are invalid' do
+      it 'does not route when the template type is invalid' do
+        expect do
+          get(:show, params: { namespace_id: project.namespace, template_type: 'invalid_type', key: 'issue_template', project_id: project }, format: :json)
+        end.to raise_error(ActionController::UrlGenerationError)
+      end
+
+      it 'renders 404 when the format type is invalid' do
+        get(:show, params: { namespace_id: project.namespace, template_type: 'issue', key: 'issue_template', project_id: project }, format: :html)
+
+        expect(response.status).to eq(404)
+      end
+
+      it 'renders 404 when the key is unknown' do
+        get(:show, params: { namespace_id: project.namespace, template_type: 'issue', key: 'unknown_template', project_id: project }, format: :json)
+
+        expect(response.status).to eq(404)
+      end
+    end
+
+    context 'when the user is not a member of the project' do
+      before do
+        sign_in(user)
+      end
+
+      include_examples 'renders 404 when requesting an issue template'
+      include_examples 'renders 404 when requesting a merge request template'
+      include_examples 'renders 404 when params are invalid'
+    end
+
+    context 'when user is a member of the project' do
       before do
         project.add_developer(user)
         sign_in(user)
       end
 
+      include_examples 'renders issue templates as json'
+      include_examples 'renders merge request templates as json'
+      include_examples 'renders 404 when params are invalid'
+    end
+
+    context 'when user is a guest of the project' do
       before do
-    project.add_user(user, Gitlab::Access::MAINTAINER)
+        project.add_guest(user)
-    project.repository.create_file(user, file_path_1, 'something valid',
-      message: 'test 3', branch_name: 'master')
-  end
-
-  describe '#show' do
-    it 'renders template name and content as json' do
-      get(:show, params: { namespace_id: project.namespace.to_param, template_type: "issue", key: "bug", project_id: project }, format: :json)
-
-      expect(response.status).to eq(200)
-      expect(body["name"]).to eq("bug")
-      expect(body["content"]).to eq("something valid")
-    end
-
-    it 'renders 404 when unauthorized' do
-      sign_in(user2)
-      get(:show, params: { namespace_id: project.namespace.to_param, template_type: "issue", key: "bug", project_id: project }, format: :json)
-
-      expect(response.status).to eq(404)
-    end
-
-    it 'renders 404 when template type is not found' do
         sign_in(user)
-      get(:show, params: { namespace_id: project.namespace.to_param, template_type: "dont_exist", key: "bug", project_id: project }, format: :json)
-
-      expect(response.status).to eq(404)
       end
 
-    it 'renders 404 without errors' do
+      include_examples 'renders issue templates as json'
-      sign_in(user)
+      include_examples 'renders 404 when requesting a merge request template'
-      expect { get(:show, params: { namespace_id: project.namespace.to_param, template_type: "dont_exist", key: "bug", project_id: project }, format: :json) }.not_to raise_error
+      include_examples 'renders 404 when params are invalid'
     end
   end
 end

spec/controllers/snippets/notes_controller_spec.rb

@@ -117,6 +117,119 @@ describe Snippets::NotesController do
     end
   end
 
+  describe 'POST create' do
+    context 'when a snippet is public' do
+      let(:request_params) do
+        {
+          note: attributes_for(:note_on_personal_snippet, noteable: public_snippet),
+          snippet_id: public_snippet.id
+        }
+      end
+
+      before do
+        sign_in user
+      end
+
+      it 'returns status 302' do
+        post :create, params: request_params
+
+        expect(response).to have_gitlab_http_status(302)
+      end
+
+      it 'creates the note' do
+        expect { post :create, params: request_params }.to change { Note.count }.by(1)
+      end
+    end
+
+    context 'when a snippet is internal' do
+      let(:request_params) do
+        {
+          note: attributes_for(:note_on_personal_snippet, noteable: internal_snippet),
+          snippet_id: internal_snippet.id
+        }
+      end
+
+      before do
+        sign_in user
+      end
+
+      it 'returns status 302' do
+        post :create, params: request_params
+
+        expect(response).to have_gitlab_http_status(302)
+      end
+
+      it 'creates the note' do
+        expect { post :create, params: request_params }.to change { Note.count }.by(1)
+      end
+    end
+
+    context 'when a snippet is private' do
+      let(:request_params) do
+        {
+          note: attributes_for(:note_on_personal_snippet, noteable: private_snippet),
+          snippet_id: private_snippet.id
+        }
+      end
+
+      before do
+        sign_in user
+      end
+
+      context 'when user is not the author' do
+        before do
+          sign_in(user)
+        end
+
+        it 'returns status 404' do
+          post :create, params: request_params
+
+          expect(response).to have_gitlab_http_status(404)
+        end
+
+        it 'does not create the note' do
+          expect { post :create, params: request_params }.not_to change { Note.count }
+        end
+
+        context 'when user sends a snippet_id for a public snippet' do
+          let(:request_params) do
+            {
+              note: attributes_for(:note_on_personal_snippet, noteable: private_snippet),
+              snippet_id: public_snippet.id
+            }
+          end
+
+          it 'returns status 302' do
+            post :create, params: request_params
+
+            expect(response).to have_gitlab_http_status(302)
+          end
+
+          it 'creates the note on the public snippet' do
+            expect { post :create, params: request_params }.to change { Note.count }.by(1)
+            expect(Note.last.noteable).to eq public_snippet
+          end
+        end
+      end
+
+      context 'when user is the author' do
+        before do
+          sign_in(private_snippet.author)
+        end
+
+        it 'returns status 302' do
+          post :create, params: request_params
+
+          expect(response).to have_gitlab_http_status(302)
+        end
+
+        it 'creates the note' do
+          expect { post :create, params: request_params }.to change { Note.count }.by(1)
+        end
+      end
+    end
+  end
+
   describe 'DELETE destroy' do
     let(:request_params) do
       {

spec/controllers/snippets_controller_spec.rb

@@ -207,8 +207,8 @@ describe SnippetsController do
     context 'when the snippet description contains a file' do
       include FileMoverHelpers
 
-      let(:picture_file) { '/-/system/temp/secret56/picture.jpg' }
+      let(:picture_file) { "/-/system/user/#{user.id}/secret56/picture.jpg" }
-      let(:text_file) { '/-/system/temp/secret78/text.txt' }
+      let(:text_file) { "/-/system/user/#{user.id}/secret78/text.txt" }
       let(:description) do
         "Description with picture: ![picture](/uploads#{picture_file}) and "\
         "text: [text.txt](/uploads#{text_file})"

spec/controllers/uploads_controller_spec.rb

@@ -22,11 +22,13 @@ describe UploadsController do
   let!(:user) { create(:user, avatar: fixture_file_upload("spec/fixtures/dk.png", "image/png")) }
 
   describe 'POST create' do
-    let(:model)   { 'personal_snippet' }
-    let(:snippet) { create(:personal_snippet, :public) }
     let(:jpg)     { fixture_file_upload('spec/fixtures/rails_sample.jpg', 'image/jpg') }
     let(:txt)     { fixture_file_upload('spec/fixtures/doc_sample.txt', 'text/plain') }
 
+    context 'snippet uploads' do
+      let(:model)   { 'personal_snippet' }
+      let(:snippet) { create(:personal_snippet, :public) }
+
       context 'when a user does not have permissions to upload a file' do
         it "returns 401 when the user is not logged in" do
           post :create, params: { model: model, id: snippet.id }, format: :json
@@ -105,38 +107,75 @@ describe UploadsController do
             end
           end
         end
+      end
+    end
+
+    context 'user uploads' do
+      let(:model) { 'user' }
+
+      it 'returns 401 when the user has no access' do
+        post :create, params: { model: 'user', id: user.id }, format: :json
+
+        expect(response).to have_gitlab_http_status(401)
+      end
+
+      context 'when user is logged in' do
+        before do
+          sign_in(user)
+        end
 
-      context 'temporal with valid image' do
         subject do
-          post :create, params: { model: 'personal_snippet', file: jpg }, format: :json
+          post :create, params: { model: model, id: user.id, file: jpg }, format: :json
         end
 
         it 'returns a content with original filename, new link, and correct type.' do
           subject
 
           expect(response.body).to match '\"alt\":\"rails_sample\"'
-          expect(response.body).to match "\"url\":\"/uploads/-/system/temp"
+          expect(response.body).to match "\"url\":\"/uploads/-/system/user/#{user.id}/"
         end
 
-        it 'does not create an Upload record' do
+        it 'creates a corresponding Upload record' do
-          expect { subject }.not_to change { Upload.count }
+          expect { subject }.to change { Upload.count }
+
+          upload = Upload.last
+
+          aggregate_failures do
+            expect(upload).to exist
+            expect(upload.model).to eq user
           end
         end
 
-      context 'temporal with valid non-image file' do
+        context 'with valid non-image file' do
           subject do
-          post :create, params: { model: 'personal_snippet', file: txt }, format: :json
+            post :create, params: { model: model, id: user.id, file: txt }, format: :json
           end
 
           it 'returns a content with original filename, new link, and correct type.' do
             subject
 
             expect(response.body).to match '\"alt\":\"doc_sample.txt\"'
-          expect(response.body).to match "\"url\":\"/uploads/-/system/temp"
+            expect(response.body).to match "\"url\":\"/uploads/-/system/user/#{user.id}/"
           end
 
-        it 'does not create an Upload record' do
+          it 'creates a corresponding Upload record' do
-          expect { subject }.not_to change { Upload.count }
+            expect { subject }.to change { Upload.count }
+
+            upload = Upload.last
+
+            aggregate_failures do
+              expect(upload).to exist
+              expect(upload.model).to eq user
+            end
+          end
+        end
+
+        it 'returns 404 when given user is not the logged in one' do
+          another_user = create(:user)
+
+          post :create, params: { model: model, id: another_user.id, file: txt }, format: :json
+
+          expect(response).to have_gitlab_http_status(404)
         end
       end
     end

spec/factories/projects.rb

@@ -260,6 +260,7 @@ FactoryBot.define do
     trait(:merge_requests_enabled)  { merge_requests_access_level ProjectFeature::ENABLED }
     trait(:merge_requests_disabled) { merge_requests_access_level ProjectFeature::DISABLED }
     trait(:merge_requests_private)  { merge_requests_access_level ProjectFeature::PRIVATE }
+    trait(:merge_requests_public)   { merge_requests_access_level ProjectFeature::PUBLIC }
     trait(:repository_enabled)      { repository_access_level ProjectFeature::ENABLED }
     trait(:repository_disabled)     { repository_access_level ProjectFeature::DISABLED }
     trait(:repository_private)      { repository_access_level ProjectFeature::PRIVATE }

spec/features/snippets/user_creates_snippet_spec.rb

@@ -41,7 +41,7 @@ describe 'User creates snippet', :js do
       expect(page).to have_content('My Snippet')
 
       link = find('a.no-attachment-icon img[alt="banana_sample"]')['src']
-      expect(link).to match(%r{/uploads/-/system/temp/\h{32}/banana_sample\.gif\z})
+      expect(link).to match(%r{/uploads/-/system/user/#{user.id}/\h{32}/banana_sample\.gif\z})
 
       reqs = inspect_requests { visit(link) }
       expect(reqs.first.status_code).to eq(200)

spec/finders/issues_finder_spec.rb

@@ -669,9 +669,7 @@ describe IssuesFinder do
         end
 
         it 'filters by confidentiality' do
-          expect(Issue).to receive(:where).with(a_string_matching('confidential'), anything)
+          expect(subject.to_sql).to match("issues.confidential")
-
-          subject
         end
       end
 
@@ -688,9 +686,7 @@ describe IssuesFinder do
         end
 
         it 'filters by confidentiality' do
-          expect(Issue).to receive(:where).with(a_string_matching('confidential'), anything)
+          expect(subject.to_sql).to match("issues.confidential")
-
-          subject
         end
       end
 

spec/finders/merge_requests_finder_spec.rb

@@ -31,7 +31,7 @@ describe MergeRequestsFinder do
       end
 
       context 'filtering by group' do
-        it 'includes all merge requests when user has access exceluding merge requests from projects the user does not have access to' do
+        it 'includes all merge requests when user has access excluding merge requests from projects the user does not have access to' do
           private_project = allow_gitaly_n_plus_1 { create(:project, :private, group: group) }
           private_project.add_guest(user)
           create(:merge_request, :simple, author: user, source_project: private_project, target_project: private_project)

spec/graphql/types/label_type_spec.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+require 'spec_helper'
+
+describe GitlabSchema.types['Label'] do
+  it { is_expected.to require_graphql_authorizations(:read_label) }
+end

spec/graphql/types/metadata_type_spec.rb

@@ -2,4 +2,5 @@ require 'spec_helper'
 
 describe GitlabSchema.types['Metadata'] do
   it { expect(described_class.graphql_name).to eq('Metadata') }
+  it { is_expected.to require_graphql_authorizations(:read_instance_metadata) }
 end

spec/graphql/types/query_type_spec.rb

@@ -24,9 +24,5 @@ describe GitlabSchema.types['Query'] do
       is_expected.to have_graphql_type(Types::MetadataType)
       is_expected.to have_graphql_resolver(Resolvers::MetadataResolver)
     end
-
-    it 'authorizes with read_instance_metadata' do
-      is_expected.to require_graphql_authorizations(:read_instance_metadata)
-    end
   end
 end

spec/lib/api/helpers/related_resources_helpers_spec.rb

@@ -5,6 +5,40 @@ describe API::Helpers::RelatedResourcesHelpers do
     Class.new.include(described_class).new
   end
 
+  describe '#expose_path' do
+    let(:path) { '/api/v4/awesome_endpoint' }
+
+    context 'empty relative URL root' do
+      before do
+        stub_config_setting(relative_url_root: '')
+      end
+
+      it 'returns the existing path' do
+        expect(helpers.expose_path(path)).to eq(path)
+      end
+    end
+
+    context 'slash relative URL root' do
+      before do
+        stub_config_setting(relative_url_root: '/')
+      end
+
+      it 'returns the existing path' do
+        expect(helpers.expose_path(path)).to eq(path)
+      end
+    end
+
+    context 'with relative URL root' do
+      before do
+        stub_config_setting(relative_url_root: '/gitlab/root')
+      end
+
+      it 'returns the existing path' do
+        expect(helpers.expose_path(path)).to eq("/gitlab/root" + path)
+      end
+    end
+  end
+
   describe '#expose_url' do
     let(:path) { '/api/v4/awesome_endpoint' }
     subject(:url) { helpers.expose_url(path) }

spec/lib/banzai/filter/relative_link_filter_spec.rb

@@ -83,6 +83,11 @@ describe Banzai::Filter::RelativeLinkFilter do
     expect { filter(act) }.not_to raise_error
   end
 
+  it 'does not explode with an escaped null byte' do
+    act = link("/%00")
+    expect { filter(act) }.not_to raise_error
+  end
+
   it 'does not raise an exception with a space in the path' do
     act = link("/uploads/d18213acd3732630991986120e167e3d/Landscape_8.jpg  \nBut here's some more unexpected text :smile:)")
     expect { filter(act) }.not_to raise_error

spec/lib/gitlab/ci/config_spec.rb

@@ -90,6 +90,27 @@ describe Gitlab::Ci::Config do
       end
     end
 
+    context 'when yml is too big' do
+      let(:yml) do
+        <<~YAML
+          --- &1
+          - hi
+          - *1
+        YAML
+      end
+
+      describe '.new' do
+        it 'raises error' do
+          expect(Gitlab::Sentry).to receive(:track_exception)
+
+          expect { config }.to raise_error(
+            described_class::ConfigError,
+            /The parsed YAML is too big/
+          )
+        end
+      end
+    end
+
     context 'when config logic is incorrect' do
       let(:yml) { 'before_script: "ls"' }
 

spec/lib/gitlab/config/loader/yaml_spec.rb

@@ -8,7 +8,7 @@ describe Gitlab::Config::Loader::Yaml do
 
     describe '#valid?' do
       it 'returns true' do
-        expect(loader.valid?).to be true
+        expect(loader).to be_valid
       end
     end
 
@@ -24,7 +24,7 @@ describe Gitlab::Config::Loader::Yaml do
 
     describe '#valid?' do
       it 'returns false' do
-        expect(loader.valid?).to be false
+        expect(loader).not_to be_valid
       end
     end
 
@@ -43,7 +43,10 @@ describe Gitlab::Config::Loader::Yaml do
 
     describe '#initialize' do
       it 'raises FormatError' do
-        expect { loader }.to raise_error(Gitlab::Config::Loader::FormatError, 'Unknown alias: bad_alias')
+        expect { loader }.to raise_error(
+          Gitlab::Config::Loader::FormatError,
+          'Unknown alias: bad_alias'
+        )
       end
     end
   end
@@ -53,7 +56,68 @@ describe Gitlab::Config::Loader::Yaml do
 
     describe '#valid?' do
       it 'returns false' do
-        expect(loader.valid?).to be false
+        expect(loader).not_to be_valid
+      end
+    end
+  end
+
+  # Prevent Billion Laughs attack: https://gitlab.com/gitlab-org/gitlab-ce/issues/56018
+  context 'when yaml size is too large' do
+    let(:yml) do
+      <<~YAML
+        a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
+        b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
+        c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
+        d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
+        e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]
+        f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]
+        g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
+        h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
+        i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
+      YAML
+    end
+
+    describe '#valid?' do
+      it 'returns false' do
+        expect(loader).not_to be_valid
+      end
+
+      it 'returns true if "ci_yaml_limit_size" feature flag is disabled' do
+        stub_feature_flags(ci_yaml_limit_size: false)
+
+        expect(loader).to be_valid
+      end
+    end
+
+    describe '#load!' do
+      it 'raises FormatError' do
+        expect { loader.load! }.to raise_error(
+          Gitlab::Config::Loader::FormatError,
+          'The parsed YAML is too big'
+        )
+      end
+    end
+  end
+
+  # Prevent Billion Laughs attack: https://gitlab.com/gitlab-org/gitlab-ce/issues/56018
+  context 'when yaml has cyclic data structure' do
+    let(:yml) do
+      <<~YAML
+        --- &1
+        - hi
+        - *1
+      YAML
+    end
+
+    describe '#valid?' do
+      it 'returns false' do
+        expect(loader.valid?).to be(false)
+      end
+    end
+
+    describe '#load!' do
+      it 'raises FormatError' do
+        expect { loader.load! }.to raise_error(Gitlab::Config::Loader::FormatError, 'The parsed YAML is too big')
       end
     end
   end

spec/lib/gitlab/data_builder/pipeline_spec.rb

@@ -50,5 +50,14 @@ describe Gitlab::DataBuilder::Pipeline do
       it { expect(attributes[:variables]).to be_a(Array) }
       it { expect(attributes[:variables]).to contain_exactly({ key: 'TRIGGER_KEY_1', value: 'TRIGGER_VALUE_1' }) }
     end
+
+    context 'when pipeline is a detached merge request pipeline' do
+      let(:merge_request) { create(:merge_request, :with_detached_merge_request_pipeline) }
+      let(:pipeline) { merge_request.all_pipelines.first }
+
+      it 'returns a source ref' do
+        expect(attributes[:ref]).to eq(merge_request.source_branch)
+      end
+    end
   end
 end

spec/lib/gitlab/git/repository_spec.rb

@@ -215,6 +215,18 @@ describe Gitlab::Git::Repository, :seed_helper do
     it { is_expected.to be < 2 }
   end
 
+  describe '#object_directory_size' do
+    before do
+      allow(repository.gitaly_repository_client)
+        .to receive(:get_object_directory_size)
+        .and_return(2)
+    end
+
+    subject { repository.object_directory_size }
+
+    it { is_expected.to eq 2048 }
+  end
+
   describe '#empty?' do
     it { expect(repository).not_to be_empty }
   end

spec/lib/gitlab/git/tree_spec.rb

@@ -19,7 +19,9 @@ describe Gitlab::Git::Tree, :seed_helper do
     it 'returns a list of tree objects' do
       entries = described_class.where(repository, SeedRepo::Commit::ID, 'files', true)
 
-      expect(entries.count).to be >= 5
+      expect(entries.map(&:path)).to include('files/html',
+                                             'files/markdown/ruby-style-guide.md')
+      expect(entries.count).to be >= 10
       expect(entries).to all(be_a(Gitlab::Git::Tree))
     end
 

spec/lib/gitlab/gitaly_client/repository_service_spec.rb

@@ -73,6 +73,17 @@ describe Gitlab::GitalyClient::RepositoryService do
     end
   end
 
+  describe '#get_object_directory_size' do
+    it 'sends a get_object_directory_size message' do
+      expect_any_instance_of(Gitaly::RepositoryService::Stub)
+        .to receive(:get_object_directory_size)
+        .with(gitaly_request_with_path(storage_name, relative_path), kind_of(Hash))
+        .and_return(size: 0)
+
+      client.get_object_directory_size
+    end
+  end
+
   describe '#apply_gitattributes' do
     let(:revision) { 'master' }
 

spec/lib/gitlab/graphql/authorize/authorize_field_service_spec.rb

@@ -7,35 +7,39 @@ require 'spec_helper'
 describe Gitlab::Graphql::Authorize::AuthorizeFieldService do
   def type(type_authorizations = [])
     Class.new(Types::BaseObject) do
-      graphql_name "TestType"
+      graphql_name 'TestType'
 
       authorize type_authorizations
     end
   end
 
-  def type_with_field(field_type, field_authorizations = [], resolved_value = "Resolved value")
+  def type_with_field(field_type, field_authorizations = [], resolved_value = 'Resolved value', **options)
     Class.new(Types::BaseObject) do
-      graphql_name "TestTypeWithField"
+      graphql_name 'TestTypeWithField'
-      field :test_field, field_type, null: true, authorize: field_authorizations, resolve: -> (_, _, _) { resolved_value}
+      options.reverse_merge!(null: true)
+      field :test_field, field_type,
+            authorize: field_authorizations,
+            resolve: -> (_, _, _) { resolved_value },
+            **options
     end
   end
 
   let(:current_user) { double(:current_user) }
   subject(:service) { described_class.new(field) }
 
-  describe "#authorized_resolve" do
+  describe '#authorized_resolve' do
-    let(:presented_object) { double("presented object") }
+    let(:presented_object) { double('presented object') }
-    let(:presented_type) { double("parent type", object: presented_object) }
+    let(:presented_type) { double('parent type', object: presented_object) }
     subject(:resolved) { service.authorized_resolve.call(presented_type, {}, { current_user: current_user }) }
 
-    context "scalar types" do
+    context 'scalar types' do
-      shared_examples "checking permissions on the presented object" do
+      shared_examples 'checking permissions on the presented object' do
-        it "checks the abilities on the object being presented and returns the value" do
+        it 'checks the abilities on the object being presented and returns the value' do
           expected_permissions.each do |permission|
             spy_ability_check_for(permission, presented_object, passed: true)
           end
 
-          expect(resolved).to eq("Resolved value")
+          expect(resolved).to eq('Resolved value')
         end
 
         it "returns nil if the value wasn't authorized" do
@@ -45,47 +49,57 @@ describe Gitlab::Graphql::Authorize::AuthorizeFieldService do
         end
       end
 
-      context "when the field is a scalar type" do
+      context 'when the field is a built-in scalar type' do
-        let(:field) { type_with_field(GraphQL::STRING_TYPE, :read_field).fields["testField"].to_graphql }
+        let(:field) { type_with_field(GraphQL::STRING_TYPE, :read_field).fields['testField'].to_graphql }
         let(:expected_permissions) { [:read_field] }
 
-        it_behaves_like "checking permissions on the presented object"
+        it_behaves_like 'checking permissions on the presented object'
       end
 
-      context "when the field is a list of scalar types" do
+      context 'when the field is a list of scalar types' do
-        let(:field) { type_with_field([GraphQL::STRING_TYPE], :read_field).fields["testField"].to_graphql }
+        let(:field) { type_with_field([GraphQL::STRING_TYPE], :read_field).fields['testField'].to_graphql }
         let(:expected_permissions) { [:read_field] }
 
-        it_behaves_like "checking permissions on the presented object"
+        it_behaves_like 'checking permissions on the presented object'
       end
     end
 
-    context "when the field is a specific type" do
+    context 'when the field is a specific type' do
       let(:custom_type) { type(:read_type) }
-      let(:object_in_field) { double("presented in field") }
+      let(:object_in_field) { double('presented in field') }
-      let(:field) { type_with_field(custom_type, :read_field, object_in_field).fields["testField"].to_graphql }
+      let(:field) { type_with_field(custom_type, :read_field, object_in_field).fields['testField'].to_graphql }
 
-      it "checks both field & type permissions" do
+      it 'checks both field & type permissions' do
         spy_ability_check_for(:read_field, object_in_field, passed: true)
         spy_ability_check_for(:read_type, object_in_field, passed: true)
 
         expect(resolved).to eq(object_in_field)
       end
 
-      it "returns nil if viewing was not allowed" do
+      it 'returns nil if viewing was not allowed' do
         spy_ability_check_for(:read_field, object_in_field, passed: false)
         spy_ability_check_for(:read_type, object_in_field, passed: true)
 
         expect(resolved).to be_nil
       end
 
-      context "when the field is a list" do
+      context 'when the field is not nullable' do
-        let(:object_1) { double("presented in field 1") }
+        let(:field) { type_with_field(custom_type, [], object_in_field, null: false).fields['testField'].to_graphql }
-        let(:object_2) { double("presented in field 2") }
-        let(:presented_types) { [double(object: object_1), double(object: object_2)] }
-        let(:field) { type_with_field([custom_type], :read_field, presented_types).fields["testField"].to_graphql }
 
-        it "checks all permissions" do
+        it 'returns nil when viewing is not allowed' do
+          spy_ability_check_for(:read_type, object_in_field, passed: false)
+
+          expect(resolved).to be_nil
+        end
+      end
+
+      context 'when the field is a list' do
+        let(:object_1) { double('presented in field 1') }
+        let(:object_2) { double('presented in field 2') }
+        let(:presented_types) { [double(object: object_1), double(object: object_2)] }
+        let(:field) { type_with_field([custom_type], :read_field, presented_types).fields['testField'].to_graphql }
+
+        it 'checks all permissions' do
           allow(Ability).to receive(:allowed?) { true }
 
           spy_ability_check_for(:read_field, object_1, passed: true)
@@ -96,7 +110,7 @@ describe Gitlab::Graphql::Authorize::AuthorizeFieldService do
           expect(resolved).to eq(presented_types)
         end
 
-        it "filters out objects that the user cannot see" do
+        it 'filters out objects that the user cannot see' do
           allow(Ability).to receive(:allowed?) { true }
 
           spy_ability_check_for(:read_type, object_1, passed: false)

spec/lib/gitlab/issuable_metadata_spec.rb

@@ -7,11 +7,11 @@ describe Gitlab::IssuableMetadata do
   subject { Class.new { include Gitlab::IssuableMetadata }.new }
 
   it 'returns an empty Hash if an empty collection is provided' do
-    expect(subject.issuable_meta_data(Issue.none, 'Issue')).to eq({})
+    expect(subject.issuable_meta_data(Issue.none, 'Issue', user)).to eq({})
   end
 
   it 'raises an error when given a collection with no limit' do
-    expect { subject.issuable_meta_data(Issue.all, 'Issue') }.to raise_error(/must have a limit/)
+    expect { subject.issuable_meta_data(Issue.all, 'Issue', user) }.to raise_error(/must have a limit/)
   end
 
   context 'issues' do
@@ -23,7 +23,7 @@ describe Gitlab::IssuableMetadata do
     let!(:closing_issues) { create(:merge_requests_closing_issues, issue: issue, merge_request: merge_request) }
 
     it 'aggregates stats on issues' do
-      data = subject.issuable_meta_data(Issue.all.limit(10), 'Issue')
+      data = subject.issuable_meta_data(Issue.all.limit(10), 'Issue', user)
 
       expect(data.count).to eq(2)
       expect(data[issue.id].upvotes).to eq(1)
@@ -46,7 +46,7 @@ describe Gitlab::IssuableMetadata do
     let!(:note) { create(:note_on_merge_request, author: user, project: project, noteable: merge_request, note: "a comment on a MR") }
 
     it 'aggregates stats on merge requests' do
-      data = subject.issuable_meta_data(MergeRequest.all.limit(10), 'MergeRequest')
+      data = subject.issuable_meta_data(MergeRequest.all.limit(10), 'MergeRequest', user)
 
       expect(data.count).to eq(2)
       expect(data[merge_request.id].upvotes).to eq(1)

spec/lib/gitlab/utils/deep_size_spec.rb

@@ -0,0 +1,43 @@
+require 'spec_helper'
+
+describe Gitlab::Utils::DeepSize do
+  let(:data) do
+    {
+      a: [1, 2, 3],
+      b: {
+        c: [4, 5],
+        d: [
+          { e: [[6], [7]] }
+        ]
+      }
+    }
+  end
+
+  let(:max_size) { 1.kilobyte }
+  let(:max_depth) { 10 }
+  let(:deep_size) { described_class.new(data, max_size: max_size, max_depth: max_depth) }
+
+  describe '#evaluate' do
+    context 'when data within size and depth limits' do
+      it 'returns true' do
+        expect(deep_size).to be_valid
+      end
+    end
+
+    context 'when data not within size limit' do
+      let(:max_size) { 200.bytes }
+
+      it 'returns false' do
+        expect(deep_size).not_to be_valid
+      end
+    end
+
+    context 'when data not within depth limit' do
+      let(:max_depth) { 2 }
+
+      it 'returns false' do
+        expect(deep_size).not_to be_valid
+      end
+    end
+  end
+end

spec/models/member_spec.rb

@@ -70,6 +70,16 @@ describe Member do
         expect(child_member).not_to be_valid
       end
 
+      # Membership in a subgroup confers certain access rights, such as being
+      # able to merge or push code to protected branches.
+      it "is valid with an equal level" do
+        child_member.access_level = GroupMember::DEVELOPER
+
+        child_member.validate
+
+        expect(child_member).to be_valid
+      end
+
       it "is valid with a higher level" do
         child_member.access_level = GroupMember::MAINTAINER
 

spec/models/project_spec.rb

@@ -3188,63 +3188,107 @@ describe Project do
   end
 
   describe '.with_feature_available_for_user' do
-    let!(:user) { create(:user) }
+    let(:user) { create(:user) }
-    let!(:feature) { MergeRequest }
+    let(:feature) { MergeRequest }
-    let!(:project) { create(:project, :public, :merge_requests_enabled) }
 
     subject { described_class.with_feature_available_for_user(feature, user) }
 
-    context 'when user has access to project' do
+    shared_examples 'feature disabled' do
-      subject { described_class.with_feature_available_for_user(feature, user) }
+      let(:project) { create(:project, :public, :merge_requests_disabled) }
 
+      it 'does not return projects with the project feature disabled' do
+        is_expected.not_to include(project)
+      end
+    end
+
+    shared_examples 'feature public' do
+      let(:project) { create(:project, :public, :merge_requests_public) }
+
+      it 'returns projects with the project feature public' do
+        is_expected.to include(project)
+      end
+    end
+
+    shared_examples 'feature enabled' do
+      let(:project) { create(:project, :public, :merge_requests_enabled) }
+
+      it 'returns projects with the project feature enabled' do
+        is_expected.to include(project)
+      end
+    end
+
+    shared_examples 'feature access level is nil' do
+      let(:project) { create(:project, :public) }
+
+      it 'returns projects with the project feature access level nil' do
+        project.project_feature.update(merge_requests_access_level: nil)
+
+        is_expected.to include(project)
+      end
+    end
+
+    context 'with user' do
       before do
         project.add_guest(user)
       end
 
-      context 'when public project' do
+      it_behaves_like 'feature disabled'
-        context 'when feature is public' do
+      it_behaves_like 'feature public'
-          it 'returns project' do
+      it_behaves_like 'feature enabled'
-            is_expected.to include(project)
+      it_behaves_like 'feature access level is nil'
-          end
-        end
 
       context 'when feature is private' do
-          let!(:project) { create(:project, :public, :merge_requests_private) }
+        let(:project) { create(:project, :public, :merge_requests_private) }
 
-          it 'returns project when user has access to the feature' do
+        context 'when user does not has access to the feature' do
-            project.add_maintainer(user)
+          it 'does not return projects with the project feature private' do
+            is_expected.not_to include(project)
+          end
+        end
+
+        context 'when user has access to the feature' do
+          it 'returns projects with the project feature private' do
+            project.add_reporter(user)
 
             is_expected.to include(project)
           end
-
-          it 'does not return project when user does not have the minimum access level required' do
-            is_expected.not_to include(project)
         end
       end
     end
 
-      context 'when private project' do
+    context 'user is an admin' do
-        let!(:project) { create(:project) }
+      let(:user) { create(:user, :admin) }
 
-        it 'returns project when user has access to the feature' do
+      it_behaves_like 'feature disabled'
-          project.add_maintainer(user)
+      it_behaves_like 'feature public'
+      it_behaves_like 'feature enabled'
+      it_behaves_like 'feature access level is nil'
 
+      context 'when feature is private' do
+        let(:project) { create(:project, :public, :merge_requests_private) }
+
+        it 'returns projects with the project feature private' do
           is_expected.to include(project)
         end
+      end
+    end
 
-        it 'does not return project when user does not have the minimum access level required' do
+    context 'without user' do
+      let(:user) { nil }
+
+      it_behaves_like 'feature disabled'
+      it_behaves_like 'feature public'
+      it_behaves_like 'feature enabled'
+      it_behaves_like 'feature access level is nil'
+
+      context 'when feature is private' do
+        let(:project) { create(:project, :public, :merge_requests_private) }
+
+        it 'does not return projects with the project feature private' do
           is_expected.not_to include(project)
         end
       end
     end
-
-    context 'when user does not have access to project' do
-      let!(:project) { create(:project) }
-
-      it 'does not return project when user cant access project' do
-        is_expected.not_to include(project)
-      end
-    end
   end
 
   describe '#pages_available?' do

spec/presenters/ci/build_runner_presenter_spec.rb

@@ -136,24 +136,6 @@ describe Ci::BuildRunnerPresenter do
         is_expected.to eq(1)
       end
     end
-
-    context 'when pipeline is detached merge request pipeline' do
-      let(:merge_request) { create(:merge_request, :with_detached_merge_request_pipeline) }
-      let(:pipeline) { merge_request.all_pipelines.first }
-      let(:build) { create(:ci_build, ref: pipeline.ref, pipeline: pipeline) }
-
-      it 'returns the default git depth for pipelines for merge requests' do
-        is_expected.to eq(described_class::DEFAULT_GIT_DEPTH_MERGE_REQUEST)
-      end
-
-      context 'when pipeline is legacy detached merge request pipeline' do
-        let(:merge_request) { create(:merge_request, :with_legacy_detached_merge_request_pipeline) }
-
-        it 'behaves as branch pipeline' do
-          is_expected.to eq(0)
-        end
-      end
-    end
   end
 
   describe '#refspecs' do
@@ -191,7 +173,9 @@ describe Ci::BuildRunnerPresenter do
 
       it 'returns the correct refspecs' do
         is_expected
-          .to contain_exactly('+refs/merge-requests/1/head:refs/merge-requests/1/head')
+          .to contain_exactly('+refs/heads/*:refs/remotes/origin/*',
+                              '+refs/tags/*:refs/tags/*',
+                              '+refs/merge-requests/1/head:refs/merge-requests/1/head')
       end
 
       context 'when pipeline is legacy detached merge request pipeline' do

spec/requests/api/members_spec.rb

@@ -236,7 +236,7 @@ describe API::Members do
                params: { user_id: stranger.id, access_level: Member::REPORTER }
 
           expect(response).to have_gitlab_http_status(400)
-          expect(json_response['message']['access_level']).to eq(["should be higher than Developer inherited membership from group #{parent.name}"])
+          expect(json_response['message']['access_level']).to eq(["should be greater than or equal to Developer inherited membership from group #{parent.name}"])
         end
 
         it 'creates the member if group level is lower', :nested_groups do

spec/requests/api/merge_requests_spec.rb

@@ -830,6 +830,31 @@ describe API::MergeRequests do
       end
     end
 
+    context 'head_pipeline' do
+      before do
+        merge_request.update(head_pipeline: create(:ci_pipeline))
+        merge_request.project.project_feature.update(builds_access_level: 10)
+      end
+
+      context 'when user can read the pipeline' do
+        it 'exposes pipeline information' do
+          get api("/projects/#{project.id}/merge_requests/#{merge_request.iid}", user)
+
+          expect(json_response).to include('head_pipeline')
+        end
+      end
+
+      context 'when user can not read the pipeline' do
+        let(:guest) { create(:user) }
+
+        it 'does not expose pipeline information' do
+          get api("/projects/#{project.id}/merge_requests/#{merge_request.iid}", guest)
+
+          expect(json_response).not_to include('head_pipeline')
+        end
+      end
+    end
+
     it 'returns the commits behind the target branch when include_diverged_commits_count is present' do
       allow_any_instance_of(merge_request.class).to receive(:diverged_commits_count).and_return(1)
 

spec/requests/api/projects_spec.rb

@@ -504,8 +504,9 @@ describe API::Projects do
           project4.add_reporter(user2)
         end
 
-        it 'returns an array of groups the user has at least developer access' do
+        it 'returns an array of projects the user has at least developer access' do
           get api('/projects', user2), params: { min_access_level: 30 }
+
           expect(response).to have_gitlab_http_status(200)
           expect(response).to include_pagination_headers
           expect(json_response).to be_an Array

spec/routing/project_routing_spec.rb

@@ -661,4 +661,24 @@ describe 'project routing' do
       end
     end
   end
+
+  describe Projects::TemplatesController, 'routing' do
+    describe '#show' do
+      def show_with_template_type(template_type)
+        "/gitlab/gitlabhq/templates/#{template_type}/template_name"
+      end
+
+      it 'routes when :template_type is `merge_request`' do
+        expect(get(show_with_template_type('merge_request'))).to route_to('projects/templates#show', namespace_id: 'gitlab', project_id: 'gitlabhq', template_type: 'merge_request', key: 'template_name', format: 'json')
+      end
+
+      it 'routes when :template_type is `issue`' do
+        expect(get(show_with_template_type('issue'))).to route_to('projects/templates#show', namespace_id: 'gitlab', project_id: 'gitlabhq', template_type: 'issue', key: 'template_name', format: 'json')
+      end
+
+      it 'routes to application#route_not_found when :template_type is unknown' do
+        expect(get(show_with_template_type('invalid'))).to route_to('application#route_not_found', unmatched_route: 'gitlab/gitlabhq/templates/invalid/template_name')
+      end
+    end
+  end
 end

spec/routing/uploads_routing_spec.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'Uploads', 'routing' do
+  it 'allows creating uploads for personal snippets' do
+    expect(post('/uploads/personal_snippet?id=1')).to route_to(
+      controller: 'uploads',
+      action: 'create',
+      model: 'personal_snippet',
+      id: '1'
+    )
+  end
+
+  it 'allows creating uploads for users' do
+    expect(post('/uploads/user?id=1')).to route_to(
+      controller: 'uploads',
+      action: 'create',
+      model: 'user',
+      id: '1'
+    )
+  end
+
+  it 'does not allow creating uploads for other models' do
+    unroutable_models = UploadsController::MODEL_CLASSES.keys.compact - %w(personal_snippet user)
+
+    unroutable_models.each do |model|
+      expect(post("/uploads/#{model}?id=1")).not_to be_routable
+    end
+  end
+end

spec/services/lfs/file_transformer_spec.rb

@@ -62,6 +62,25 @@ describe Lfs::FileTransformer do
         expect(result.encoding).to eq('text')
       end
 
+      context 'when an actual file is passed' do
+        let(:file) { Tempfile.new(file_path) }
+
+        before do
+          file.write(file_content)
+          file.rewind
+        end
+
+        after do
+          file.unlink
+        end
+
+        it "creates an LfsObject with the file's content" do
+          subject.new_file(file_path, file)
+
+          expect(LfsObject.last.file.read).to eq file_content
+        end
+      end
+
       context "when doesn't use LFS" do
         let(:file_path) { 'other.filetype' }
 

spec/services/projects/after_import_service_spec.rb

@@ -13,7 +13,7 @@ describe Projects::AfterImportService do
   describe '#execute' do
     before do
       allow(Projects::HousekeepingService)
-        .to receive(:new).with(project, :gc).and_return(housekeeping_service)
+        .to receive(:new).with(project).and_return(housekeeping_service)
 
       allow(housekeeping_service)
         .to receive(:execute).and_yield

spec/services/projects/propagate_service_template_spec.rb

@@ -70,7 +70,7 @@ describe Projects::PropagateServiceTemplate do
       expect(project.pushover_service.properties).to eq(service_template.properties)
     end
 
-    describe 'bulk update' do
+    describe 'bulk update', :use_sql_query_cache do
       let(:project_total) { 5 }
 
       before do