Forbid scripting for wiki files

Wiki files (not pages - files in the repo) are just sent to the browser
with whatever content-type the mime_types gem assigns to them based on
their extension. As this is from the same domain as the GitLab
application, this is an XSS vulnerability.

Set a CSP forbidding all sources for scripting, CSS, XHR, etc. on these
files.

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/17298.

See merge request !1969

Remove 'unscoped' from project builds selection

This is a fix for this security bug: https://gitlab.com/gitlab-org/gitlab-ce/issues/18188

/cc @kamil @grzegorz @stanhu

See merge request !1968

[ci skip]

Prevent privilege escalation via notes API

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15577

See merge request !1964

This reverts commit 550f9a74.

[ci skip]
Signed-off-by: Rémy Coutable <remy@rymai.me>

Prevent users from deleting Webhooks via API they do not own

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15576

See merge request !1959
Signed-off-by: Rémy Coutable <remy@rymai.me>

Prevent XSS via custom issue tracker URL

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/15437

See merge request !1955
Signed-off-by: Rémy Coutable <remy@rymai.me>

Prevent information disclosure via milestone API

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15579

See merge request !1961

Prevent information disclosure via new merge request page

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15591.

See merge request !1963

Prevent privilege escalation via "impersonate" feature

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15548

See merge request !1956

Prevent information disclosure via snippet API

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15580

See merge request !1958

Fix vulnerability that leaks private labels and milestones

This fixes vulnerability that leaks information about private labels and milestones because of  insecure direct object reference in issueable create service.
This affects merge requests and issues.

See https://gitlab.com/gitlab-org/gitlab-ce/issues/15439

This MR introduces additional check that rejects labels and milestone that does not belong to the same project issue/merg request does.

`IssuableBaseService` may benefit from encapsulating filters in separate class/module, which then may improve coherency in this class.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15439

See merge request !1954

Fixes XSS injection

REF: https://gitlab.com/gitlab-org/gitlab-ce/issues/15434

**Without the fix**

![xss1](/uploads/0a7b0b15fb87066965a7c73f1dbaa815/xss1.gif)


**With the fix**

![xss2](/uploads/473cfa0aa80656f24c58aebf1fd97fff/xss2.gif)


See merge request !1952

Fixes window.opener bug

Adds `noreferrer` value to rel attribute for external links

REF: https://gitlab.com/gitlab-org/gitlab-ce/issues/15331

See merge request !1953

Remove persistent XSS vulnerability in `commit_person_link` helper

Because we were incorrectly supplying the tooltip title as
`data-original-title` (which Bootstrap's Tooltip JS automatically
applies based on the `title` attribute; we should never be setting it
directly), the value was being passed through as-is.

Instead, we should be supplying the normal `title` attribute and letting
Rails escape the value, which also negates the need for us to call
`sanitize` on it.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15126

See merge request !1948
Signed-off-by: Rémy Coutable <remy@rymai.me>

[ci skip]
Signed-off-by: Rémy Coutable <remy@rymai.me>

Fix 2FA authentication spoofing

This is security fix for vulnerability described at
https://gitlab.com/gitlab-org/gitlab-ce/issues/14900.

Attacker was able to bypass password authentication of users that have 2FA enabled, and consequently sign is as a different user, without knowing his password, if he managed to guess 2FA One Time Password for that user.

It was also possible to enumerate users and check if they have 2FA enabled, because GitLab responded with different error for each case.

This MR attempts to change default user search scope if `otp_user_id` session variable has been set. If it is present, it means that user has 2FA enabled, and has already been verified with login and password. In this case we should look for user with `otp_user_id` first, before picking it up by `login`.

Both, 2FA authentication spoofing and 2FA discovery have been covered by specs.

Current 2FA code is a bit tricky, so it probably needs some refactoring.
Signed-off-by: Rémy Coutable <remy@rymai.me>

Don't fetch any tags from a forked repo

Closes #13957

See merge request !3504
Signed-off-by: Rémy Coutable <remy@rymai.me>

Bump Git version requirement to 2.7.4 (for 8.5)

[ci skip]

See merge request !3286

Install Git 2.7.3, not 2.4.3



See merge request !3248

Bump Git version requirement to 2.7.3

[ci skip]

See merge request !3240

[ci skip]

Use leases for LDAP checks in 8.5

Back-port of https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/3143

See merge request !3181