Diffstat (limited to 'lib')
-rw-r--r--lib/bulk_imports/common/pipelines/wiki_pipeline.rb2
-rw-r--r--lib/bulk_imports/projects/pipelines/repository_pipeline.rb2
-rw-r--r--lib/bulk_imports/projects/pipelines/snippets_repository_pipeline.rb4
-rw-r--r--lib/error_tracking/sentry_client.rb11
-rw-r--r--lib/error_tracking/sentry_client/event.rb2
-rw-r--r--lib/error_tracking/sentry_client/issue.rb12
-rw-r--r--lib/gitlab/checks/tag_check.rb13
-rw-r--r--lib/gitlab/ci/ansi2json/line.rb3
-rw-r--r--lib/gitlab/gfm/uploads_rewriter.rb49
-rw-r--r--lib/gitlab/hook_data/group_member_builder.rb2
-rw-r--r--lib/gitlab/json_cache.rb4
11 files changed, 72 insertions, 32 deletions
diff --git a/lib/bulk_imports/common/pipelines/wiki_pipeline.rb b/lib/bulk_imports/common/pipelines/wiki_pipeline.rb
index 6900835b14d..0f92c1f1210 100644
--- a/lib/bulk_imports/common/pipelines/wiki_pipeline.rb
+++ b/lib/bulk_imports/common/pipelines/wiki_pipeline.rb
@@ -22,7 +22,7 @@ module BulkImports
wiki = context.portable.wiki
url = data[:url].sub("://", "://oauth2:#{context.configuration.access_token}@")
- Gitlab::UrlBlocker.validate!(url, allow_local_network: allow_local_requests?, allow_localhost: allow_local_requests?)
+ Gitlab::UrlBlocker.validate!(url, schemes: %w[http https], allow_local_network: allow_local_requests?, allow_localhost: allow_local_requests?)
wiki.ensure_repository
wiki.repository.fetch_as_mirror(url)
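Review bot: The access token is spliced into `url` on the line above before `Gitlab::UrlBlocker.validate!` runs, so if validation rejects the URL the exception (and whatever logs it) may carry the credential; I cannot see from here whether the blocker's messages include the URL, so please confirm, or validate first and add the credential only after it passes: `Gitlab::UrlBlocker.validate!(data[:url], schemes: %w[http https], allow_local_network: allow_local_requests?, allow_localhost: allow_local_requests?)` followed by `url = data[:url].sub("://", "://oauth2:#{context.configuration.access_token}@")`. The same ordering appears in repository_pipeline.rb in this diff. The enclosing method starts outside the hunk.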
diff --git a/lib/bulk_imports/projects/pipelines/repository_pipeline.rb b/lib/bulk_imports/projects/pipelines/repository_pipeline.rb
index f5ccc1dd922..a2b1f8c5176 100644
--- a/lib/bulk_imports/projects/pipelines/repository_pipeline.rb
+++ b/lib/bulk_imports/projects/pipelines/repository_pipeline.rb
@@ -21,7 +21,7 @@ module BulkImports
url = url.sub("://", "://oauth2:#{context.configuration.access_token}@")
project = context.portable
- Gitlab::UrlBlocker.validate!(url, allow_local_network: allow_local_requests?, allow_localhost: allow_local_requests?)
+ Gitlab::UrlBlocker.validate!(url, schemes: %w[http https], allow_local_network: allow_local_requests?, allow_localhost: allow_local_requests?)
project.ensure_repository
project.repository.fetch_as_mirror(url)
diff --git a/lib/bulk_imports/projects/pipelines/snippets_repository_pipeline.rb b/lib/bulk_imports/projects/pipelines/snippets_repository_pipeline.rb
index 6d423717a51..e29601927be 100644
--- a/lib/bulk_imports/projects/pipelines/snippets_repository_pipeline.rb
+++ b/lib/bulk_imports/projects/pipelines/snippets_repository_pipeline.rb
@@ -55,7 +55,9 @@ module BulkImports
Gitlab::UrlBlocker.validate!(
url,
allow_local_network: allow_local_requests?,
- allow_localhost: allow_local_requests?)
+ allow_localhost: allow_local_requests?,
+ schemes: %w[http https]
+ )
end
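Review bot: `schemes:` is the last keyword here but the first in the two sibling pipelines changed by this diff; keeping one argument order across the three call sites makes it easier to keep them in sync when the next option is added. The `url` under validation is built outside the hunk, so whether a credential is already embedded at this point cannot be checked from here.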
def cleanup_snippet_repository(snippet)
diff --git a/lib/error_tracking/sentry_client.rb b/lib/error_tracking/sentry_client.rb
index 6a341ddbe86..67c57a07988 100644
--- a/lib/error_tracking/sentry_client.rb
+++ b/lib/error_tracking/sentry_client.rb
@@ -10,6 +10,7 @@ module ErrorTracking
Error = Class.new(StandardError)
MissingKeysError = Class.new(StandardError)
+ InvalidFieldValueError = Class.new(StandardError)
attr_accessor :url, :token
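Review bot: `InvalidFieldValueError` inherits from `StandardError` directly, so existing callers that `rescue SentryClient::Error` will not catch the new exception; `MissingKeysError` is declared the same way, so this may be deliberate, but if the new error is meant to reach the same handlers it should be `InvalidFieldValueError = Class.new(Error)`.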
@@ -92,5 +93,15 @@ module ErrorTracking
def raise_error(message)
raise SentryClient::Error, message
end
+
+ def ensure_numeric!(field, value)
+ return value if /\A\d+\z/.match?(value)
+
+ raise_invalid_field_value!(field, "#{value.inspect} is not numeric")
+ end
+
+ def raise_invalid_field_value!(field, message)
+ raise InvalidFieldValueError, %(Sentry API response contains invalid value for field "#{field}": #{message})
+ end
end
end
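Review bot: `/\A\d+\z/.match?(value)` raises `TypeError` when `value` is an `Integer`, which is what a JSON-decoded numeric id would be, so a numeric `id`/`groupID` would surface as a TypeError instead of passing or raising `InvalidFieldValueError` (`nil` returns false and is reported as intended). Matching on the string form accepts both representations: `return value if /\A\d+\z/.match?(value.to_s)`. The message also interpolates `value.inspect` unbounded, and the field comes from an external API response, so consider bounding it before it lands in logs, e.g. `value.inspect[0, 100]`. A doc line would help too: `# Returns value when it is a string of ASCII digits; raises InvalidFieldValueError otherwise.`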
diff --git a/lib/error_tracking/sentry_client/event.rb b/lib/error_tracking/sentry_client/event.rb
index 1db31abeeb2..d8ae81f5411 100644
--- a/lib/error_tracking/sentry_client/event.rb
+++ b/lib/error_tracking/sentry_client/event.rb
@@ -16,7 +16,7 @@ module ErrorTracking
Gitlab::ErrorTracking::ErrorEvent.new(
project_id: event['projectID'],
- issue_id: event['groupID'],
+ issue_id: ensure_numeric!('issue_id', event['groupID']),
date_received: event['dateReceived'],
stack_trace_entries: stack_trace
)
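Review bot: `event['groupID']` now goes through `ensure_numeric!`, so an event with the field absent raises `InvalidFieldValueError` where it previously produced an `ErrorEvent` with `issue_id: nil`; if Sentry can omit `groupID`, the callers of this path need to handle the new exception. `project_id: event['projectID']` on the line above is still passed through unvalidated; if the check exists because the id is later interpolated into a URL or query, the same treatment probably applies there. The enclosing method starts outside the hunk.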
diff --git a/lib/error_tracking/sentry_client/issue.rb b/lib/error_tracking/sentry_client/issue.rb
index d0e6bd783f3..18a686df4f2 100644
--- a/lib/error_tracking/sentry_client/issue.rb
+++ b/lib/error_tracking/sentry_client/issue.rb
@@ -120,8 +120,10 @@ module ErrorTracking
end
def map_to_error(issue)
+ id = ensure_numeric!('id', issue.fetch('id'))
+
Gitlab::ErrorTracking::Error.new(
- id: issue.fetch('id'),
+ id: id,
first_seen: issue.fetch('firstSeen', nil),
last_seen: issue.fetch('lastSeen', nil),
title: issue.fetch('title', nil),
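Review bot: `map_to_error` and `map_to_detailed_error` (the hunk further down in this file) now both open with `id = ensure_numeric!('id', issue.fetch('id'))` and build near-identical keyword lists; extracting the shared validation and common attributes into one private helper would keep the check in a single place so the next validated field is not added to one method and missed in the other. Both methods continue outside their hunks.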
@@ -130,7 +132,7 @@ module ErrorTracking
count: issue.fetch('count', nil),
message: issue.dig('metadata', 'value'),
culprit: issue.fetch('culprit', nil),
- external_url: issue_url(issue.fetch('id')),
+ external_url: issue_url(id),
short_id: issue.fetch('shortId', nil),
status: issue.fetch('status', nil),
frequency: issue.dig('stats', '24h'),
@@ -141,8 +143,10 @@ module ErrorTracking
end
def map_to_detailed_error(issue)
+ id = ensure_numeric!('id', issue.fetch('id'))
+
Gitlab::ErrorTracking::DetailedError.new(
- id: issue.fetch('id'),
+ id: id,
first_seen: issue.fetch('firstSeen', nil),
last_seen: issue.fetch('lastSeen', nil),
tags: extract_tags(issue),
@@ -152,7 +156,7 @@ module ErrorTracking
count: issue.fetch('count', nil),
message: issue.dig('metadata', 'value'),
culprit: issue.fetch('culprit', nil),
- external_url: issue_url(issue.fetch('id')),
+ external_url: issue_url(id),
external_base_url: project_url,
short_id: issue.fetch('shortId', nil),
status: issue.fetch('status', nil),
diff --git a/lib/gitlab/checks/tag_check.rb b/lib/gitlab/checks/tag_check.rb
index 5dd7720b67d..007a775eaf5 100644
--- a/lib/gitlab/checks/tag_check.rb
+++ b/lib/gitlab/checks/tag_check.rb
@@ -9,11 +9,13 @@ module Gitlab
delete_protected_tag: 'You are not allowed to delete protected tags from this project. '\
'Only a project maintainer or owner can delete a protected tag.',
delete_protected_tag_non_web: 'You can only delete protected tags using the web interface.',
- create_protected_tag: 'You are not allowed to create this tag as it is protected.'
+ create_protected_tag: 'You are not allowed to create this tag as it is protected.',
+ default_branch_collision: 'You cannot use default branch name to create a tag'
}.freeze
LOG_MESSAGES = {
tag_checks: "Checking if you are allowed to change existing tags...",
+ default_branch_collision_check: "Checking if you are providing a valid tag name...",
protected_tag_checks: "Checking if you are creating, updating or deleting a protected tag..."
}.freeze
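Review bot: The new user-facing message `'You cannot use default branch name to create a tag'` is missing an article and, unlike the other entries in the hash, has no terminating period; `'You cannot use the default branch name to create a tag.'` reads better and matches the existing style.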
@@ -26,6 +28,7 @@ module Gitlab
end
end
+ default_branch_collision_check
protected_tag_checks
end
@@ -52,6 +55,14 @@ module Gitlab
end
end
end
+
+ def default_branch_collision_check
+ logger.log_timed(LOG_MESSAGES[:default_branch_collision_check]) do
+ if creation? && tag_name == project.default_branch
+ raise GitAccess::ForbiddenError, ERROR_MESSAGES[:default_branch_collision]
+ end
+ end
+ end
end
end
end
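Review bot: `default_branch_collision_check` only fires when `creation?` is true, so the same ambiguity can still be produced from the other direction — changing the project's default branch to the name of an existing tag — which this check cannot see; please confirm that path is guarded elsewhere. A nil `project.default_branch` (empty project) falls through safely because `tag_name == nil` is false. A one-line comment on the method would record the intent: `# Reject creating a tag named like the default branch: refs/tags/NAME and refs/heads/NAME would make the bare name ambiguous.`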
diff --git a/lib/gitlab/ci/ansi2json/line.rb b/lib/gitlab/ci/ansi2json/line.rb
index e48080993ab..abe2f272ca7 100644
--- a/lib/gitlab/ci/ansi2json/line.rb
+++ b/lib/gitlab/ci/ansi2json/line.rb
@@ -80,7 +80,8 @@ module Gitlab
end
def set_section_duration(duration_in_seconds)
- duration = ActiveSupport::Duration.build(duration_in_seconds.to_i)
+ normalized_duration_in_seconds = duration_in_seconds.to_i.clamp(0, 1.year)
+ duration = ActiveSupport::Duration.build(normalized_duration_in_seconds)
hours = duration.in_hours.floor
hours = hours > 0 ? "%02d" % hours : nil
minutes = "%02d" % duration.parts[:minutes].to_i
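Review bot: `1.year` is an unexplained magic bound: the clamp silently caps any section duration at one year and floors negatives to 0, and nothing says why those limits were chosen. Since the value is presumably parsed from job log content, I assume the cap protects the formatting below from absurd inputs; a named constant with that reason, `MAX_SECTION_DURATION = 1.year` plus a comment such as `# Durations come from the log being parsed; cap them so bogus values cannot produce absurd output`, would make the intent clear to the next reader. The method continues outside the hunk.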
diff --git a/lib/gitlab/gfm/uploads_rewriter.rb b/lib/gitlab/gfm/uploads_rewriter.rb
index b0bf68f4204..58b46a85aae 100644
--- a/lib/gitlab/gfm/uploads_rewriter.rb
+++ b/lib/gitlab/gfm/uploads_rewriter.rb
@@ -23,33 +23,24 @@ module Gitlab
def rewrite(target_parent)
return @text unless needs_rewrite?
- @text.gsub!(@pattern) do |markdown|
- file = find_file($~[:secret], $~[:file])
- # No file will be returned for a path traversal
- next if file.nil?
+ @target_parent = target_parent
- break markdown unless file.try(:exists?)
-
- klass = target_parent.is_a?(Namespace) ? NamespaceFileUploader : FileUploader
- moved = klass.copy_to(file, target_parent)
-
- moved_markdown = moved.markdown_link
-
- # Prevents rewrite of plain links as embedded
- if was_embedded?(markdown)
- moved_markdown
- else
- moved_markdown.delete_prefix('!')
- end
+ rewritten_text = Gitlab::StringRegexMarker.new(@text).mark(@pattern) do |markdown, left:, right:, mode:|
+ transform_markdown(markdown)
end
+
+ # MarkdownContentRewriterService relies on the text being changed _in place_.
+ @text.gsub!(@text, rewritten_text)
end
def needs_rewrite?
strong_memoize(:needs_rewrite) do
- FileUploader::MARKDOWN_PATTERN.match?(@text)
+ @pattern.match?(@text)
end
end
+ private
+
def was_embedded?(markdown)
markdown.starts_with?("!")
end
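Review bot: `@text.gsub!(@text, rewritten_text)` hands the rewritten markdown to `gsub!` as a replacement string, and Ruby expands `\0`, `\&` and `\\` inside replacement strings: user text containing a literal `\\` would lose a backslash, and a `\0` or `\&` would be expanded into a copy of the whole match, which here is the entire `@text`. The in-place update the comment asks for is `@text.replace(rewritten_text)`, which copies the string verbatim. Separately, the block parameters `left:, right:, mode:` are never used in the block, so naming them `_left:, _right:, _mode:` would make that explicit.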
@@ -57,6 +48,28 @@ module Gitlab
def find_file(secret, file_name)
UploaderFinder.new(@source_project, secret, file_name).execute
end
+
+ def transform_markdown(markdown)
+ match = @pattern.match(markdown)
+ file = find_file(match[:secret], match[:file])
+
+ # No file will be returned for a path traversal
+ return '' if file.nil?
+
+ return markdown unless file.try(:exists?)
+
+ klass = @target_parent.is_a?(Namespace) ? NamespaceFileUploader : FileUploader
+ moved = klass.copy_to(file, @target_parent)
+
+ moved_markdown = moved.markdown_link
+
+ # Prevents rewrite of plain links as embedded
+ if was_embedded?(markdown)
+ moved_markdown
+ else
+ moved_markdown.delete_prefix('!')
+ end
+ end
end
end
end
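Review bot: `transform_markdown` reads `@target_parent`, which `rewrite` assigns just before calling it, so the helper is only correct when reached through `rewrite` and a later `rewrite` call on the same instance silently overwrites the previous parent; passing it explicitly, `def transform_markdown(markdown, target_parent)`, removes the hidden ordering dependency. A short doc comment would also help: `# Returns the replacement for one upload link: '' for a path-traversal match, the original markdown when the upload no longer exists, otherwise the link to the copied upload.`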
diff --git a/lib/gitlab/hook_data/group_member_builder.rb b/lib/gitlab/hook_data/group_member_builder.rb
index 2998550a4b5..d70885018e9 100644
--- a/lib/gitlab/hook_data/group_member_builder.rb
+++ b/lib/gitlab/hook_data/group_member_builder.rb
@@ -39,7 +39,7 @@ module Gitlab
group_id: group_member.group.id,
user_username: group_member.user.username,
user_name: group_member.user.name,
- user_email: group_member.user.email,
+ user_email: group_member.user.webhook_email,
user_id: group_member.user.id,
group_access: group_member.human_access,
expires_at: group_member.expires_at&.xmlschema
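Review bot: Only the group member payload switches to `webhook_email`; if the project member hook builder (not in this diff) still emits `user.email`, the two webhook payloads would expose different addresses for the same user, so please confirm it gets the same change. A one-line comment on the changed line, e.g. `# Hook payloads must not expose the account's primary email; webhook_email is the address the user has chosen to expose`, would stop a future edit from reverting this — adjust the wording if `webhook_email` is defined differently, as its definition is not visible here.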
diff --git a/lib/gitlab/json_cache.rb b/lib/gitlab/json_cache.rb
index d5c018cfc68..d2916a01809 100644
--- a/lib/gitlab/json_cache.rb
+++ b/lib/gitlab/json_cache.rb
@@ -43,9 +43,7 @@ module Gitlab
end
def write(key, value, options = nil)
- # As we use json as the serialization format, return everything from
- # ActiveModel objects included encrypted values.
- backend.write(cache_key(key), value.to_json(unsafe_serialization_hash: true), options)
+ backend.write(cache_key(key), value.to_json, options)
end
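Review bot: The write side no longer serializes with `unsafe_serialization_hash: true`, but entries written by the previous code stay in the backend until they expire, so readers may keep receiving the old payloads; if the aim is to keep encrypted attributes out of the cache, bumping the cache key version or namespace would evict them immediately — `cache_key` is outside the hunk, so I cannot see whether it already carries a version. The removed comment explained the old option; replacing it with one explaining the new contract, e.g. `# Plain to_json only: encrypted attributes must never be written to the cache backend.`, keeps the reason on record (hedged, since the rationale is inferred from the removed comment).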
def fetch(key, options = {}, &block)