Forbid scripting for wiki files

Wiki files (not pages - files in the repo) are just sent to the browser
with whatever content-type the mime_types gem assigns to them based on
their extension. As this is from the same domain as the GitLab
application, this is an XSS vulnerability.

Set a CSP forbidding all sources for scripting, CSS, XHR, etc. on these
files.

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/17298.

See merge request !1969

Remove 'unscoped' from project builds selection

This is a fix for this security bug: https://gitlab.com/gitlab-org/gitlab-ce/issues/18188

/cc @kamil @grzegorz @stanhu

See merge request !1968

[ci skip]

Prevent privilege escalation via notes API

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15577

See merge request !1964

Prevent information disclosure via new merge request page

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15591.

See merge request !1963
Signed-off-by: Rémy Coutable <remy@rymai.me>

Fix vulnerability that leaks private labels and milestones

This fixes vulnerability that leaks information about private labels and milestones because of  insecure direct object reference in issueable create service.
This affects merge requests and issues.

See https://gitlab.com/gitlab-org/gitlab-ce/issues/15439

This MR introduces additional check that rejects labels and milestone that does not belong to the same project issue/merg request does.

`IssuableBaseService` may benefit from encapsulating filters in separate class/module, which then may improve coherency in this class.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15439

See merge request !1954
Signed-off-by: Rémy Coutable <remy@rymai.me>

Prevent information disclosure via snippet API

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15580

See merge request !1958
Signed-off-by: Rémy Coutable <remy@rymai.me>

Prevent users from deleting Webhooks via API they do not own

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15576

See merge request !1959
Signed-off-by: Rémy Coutable <remy@rymai.me>

Prevent privilege escalation via "impersonate" feature

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15548

See merge request !1956

Fixes window.opener bug

Adds `noreferrer` value to rel attribute for external links

REF: https://gitlab.com/gitlab-org/gitlab-ce/issues/15331

See merge request !1953

Bump Git version requirement to 2.7.4 (for 8.2)

[ci skip]

See merge request !3285

Fix note polling

Closes #4032

See merge request !2084

[ci skip]

Enable Devise paranoid mode and ensure the returned message is the same
every time. This will prevent user enumeration (low impact). 

Prior to this change a user could type an email in the password reset
field and if the email didn't exist it returned an error. If the email
was valid it returned a message saying the forgot password link had been
emailed. After this change the user will receive a message that if the
email is in our database the reset link will be emailed. 

I also changed the throttle mechanism so it still works the same but
now returns the exact same message as above. Previously it would say
'You've already sent a request. Wait a few minutes'. This also allows
user enumeration, although it requires a double-check.

Related to https://dev.gitlab.org/gitlab/gitlabhq/issues/2624

See merge request !2044

Use YAML.safe_load

See merge request !1941

Fix 500 error when creating a merge request that removes a submodule

Fixes #3476

See merge request !1989

[ci skip]

Fix problems with award-emoji-only comment

This fixes a conflict between note with only a single emoji in content
and award-emojis mechanisms.

Closes #3734 

cc @vsizov

See merge request !1936

Add added, modified and removed properties to commit object in webhook

https://gitlab.com/gitlab-org/gitlab-ee/issues/20

See merge request !1988

Fix Error 500 when creating global milestones with Unicode characters

Two issues:

1. The constraints in the resources were incorrect. Here's what it was before:

```
group_milestone  GET /groups/:group_id/milestones/:id(.:format)  groups/milestones#show {:id=>/[a-zA-Z.0-9_\-]+(?<!\.atom)/, :group_id=>/[a-zA-Z.0-9_\-]+(?<!\.atom)/}
```

In this case, id is actually the title of the milestone, which can be anything at the moment.

After:
```
group_milestone  GET /groups/:group_id/milestones/:id(.:format)  groups/milestones#show {:id=>/[^\/]+/, :group_id=>/[a-zA-Z.0-9_\-]+(?<!\.atom)/}
```

2. `parameterize` would strip all Unicode characters, leaving a blank string. Rails would report something like:

```
ActionView::Template::Error (No route matches {:action=>"show", :controller=>"groups/milestones", :group_id=>#<Group id: 48, name: "ops-dev", path: "ops-dev", owner_id: nil, created_at: "2015-11-15 08:55:30", updated_at: "2015-12-02 06:23:26", type: "Group", description: "", avatar: "sha1.c71e73d51af1865c1bbbf6208e10044d46c9bb93.png", public: false>, :id=>"", :title=>"肯定不是中文的问题"} missing required keys: [:id]):
```

This change uses the babosa library to create a better slug, which surprisingly
isn't actually used by the global milestone controllers. Instead, they use the
title passed as a query string for some reason.

Closes https://github.com/gitlabhq/gitlabhq/issues/9881

See merge request !1983

fixed the documentation of the Guest role in permission.md

This MR fixes the documentation of the Guest role.

closes gitlab-org/gitlab-ce#3777

[ci skip]

See merge request !1952

Fix application settings cache not expiring after changes

cache_key is an instance method that relies on updated_at. When changes
were made, the time-dependent key was being used instead of X.application_setting.last.

Closes #3609

See merge request !1972

Show Gmail actions links only on expected set of emails



See merge request !1901

Install gitlab-shell 2.6.8 in installations from source

[ci skip]

See merge request !1932

Fire update hook from GitLab

https://gitlab.com/gitlab-org/gitlab-ce/issues/3069

See merge request !1882

[ci skip]

See merge request !1916

Fix Error 500 when viewing user's personal projects from admin page

This is a regression introduced in 4d7f00fd.

Closes #3680

Closes https://github.com/gitlabhq/gitlabhq/issues/9861

Closes gitlab-org/gitlab-ee#90

See merge request !1909