Automatic merge of gitlab-org/gitlab master

.gitlab/ci/frontend.gitlab-ci.yml

@@ -121,7 +121,7 @@ rspec frontend_fixture as-if-foss:
 rspec-ee frontend_fixture:
   extends:
     - .frontend-fixtures-base
-    - .frontend:rules:default-frontend-jobs
+    - .frontend:rules:default-frontend-jobs-ee
   parallel: 2
 
 graphql-schema-dump:
@@ -169,8 +169,10 @@ karma:
   extends:
     - .karma-base
     - .frontend:rules:default-frontend-jobs
-  # Don't use `needs` since `rspec-ee frontend_fixture` doesn't exist in `gitlab-foss` pipelines.
-  dependencies: ["rspec frontend_fixture", "rspec-ee frontend_fixture"]
+  needs:
+    - job: "rspec frontend_fixture"
+    - job: "rspec-ee frontend_fixture"
+      optional: true
   coverage: '/^Statements *: (\d+\.\d+%)/'
   artifacts:
     name: coverage-javascript
@@ -201,8 +203,10 @@ jest:
   extends:
     - .jest-base
     - .frontend:rules:default-frontend-jobs
-  # Don't use `needs` since `rspec-ee frontend_fixture` doesn't exist in `gitlab-foss` pipelines.
-  dependencies: ["rspec frontend_fixture", "rspec-ee frontend_fixture"]
+  needs:
+    - job: "rspec frontend_fixture"
+    - job: "rspec-ee frontend_fixture"
+      optional: true
   artifacts:
     name: coverage-frontend
     expire_in: 31d
@@ -222,8 +226,11 @@ jest-integration:
   script:
     - *yarn-install
     - run_timed_command "yarn jest:integration --ci"
-  # Don't use `needs` since `rspec-ee frontend_fixture` doesn't exist in `gitlab-foss` pipelines.
-  dependencies: ["rspec frontend_fixture", "rspec-ee frontend_fixture", "graphql-schema-dump"]
+  needs:
+    - job: "rspec frontend_fixture"
+    - job: "rspec-ee frontend_fixture"
+      optional: true
+    - job: "graphql-schema-dump"
 
 jest-as-if-foss:
   extends:

.gitlab/ci/pages.gitlab-ci.yml

@@ -3,7 +3,7 @@ pages:
     - .default-retry
     - .pages:rules
   stage: pages
-  dependencies:
+  needs:
     - rspec:coverage
     - coverage-frontend
     - karma

.gitlab/ci/review.gitlab-ci.yml

@@ -35,9 +35,6 @@ review-build-cng:
       artifacts: false
   script:
     - BUILD_TRIGGER_TOKEN=$REVIEW_APPS_BUILD_TRIGGER_TOKEN ./scripts/trigger-build cng
-    # When the job is manual, review-deploy is also manual and we don't want people
-    # to have to manually start the jobs in sequence, so we do it for them.
-    - '[ -z $CI_JOB_MANUAL ] || scripts/api/play_job.rb --job-name "review-deploy"'
 
 .review-workflow-base:
   extends:
@@ -59,7 +56,7 @@ review-deploy:
     - .review-workflow-base
     - .review:rules:review-deploy
   stage: review
-  dependencies: []
+  needs: ["review-build-cng"]
   resource_group: "review/${CI_COMMIT_REF_NAME}"
   before_script:
     - export GITLAB_SHELL_VERSION=$(<GITLAB_SHELL_VERSION)
@@ -75,10 +72,6 @@ review-deploy:
     - date
     - deploy || (display_deployment_debug && exit 1)
     - disable_sign_ups || (delete_release && exit 1)
-    # When the job is manual, review-qa-smoke is also manual and we don't want people
-    # to have to manually start the jobs in sequence, so we do it for them.
-    - '[ -z $CI_JOB_MANUAL ] || scripts/api/play_job.rb --job-name "review-qa-smoke"'
-    - '[ -z $CI_JOB_MANUAL ] || scripts/api/play_job.rb --job-name "review-performance"'
   after_script:
     # Run seed-dast-test-data.sh only when DAST_RUN is set to true. This is to pupulate review app with data for DAST scan.
     # Set DAST_RUN to true when jobs are manually scheduled.
@@ -123,9 +116,7 @@ review-stop:
     - .use-docker-in-docker
   image: registry.gitlab.com/gitlab-org/gitlab-build-images:gitlab-qa-alpine-ruby-2.7
   stage: qa
-  # This is needed so that manual jobs with needs don't block the pipeline.
-  # See https://gitlab.com/gitlab-org/gitlab/-/issues/199979.
-  dependencies: ["review-deploy"]
+  needs: ["review-deploy"]
   variables:
     QA_ARTIFACTS_DIR: "${CI_PROJECT_DIR}/qa"
     QA_CAN_TEST_GIT_PROTOCOL_V2: "false"
@@ -175,9 +166,7 @@ review-performance:
     name: sitespeedio/sitespeed.io
     entrypoint: [""]
   stage: qa
-  # This is needed so that manual jobs with needs don't block the pipeline.
-  # See https://gitlab.com/gitlab-org/gitlab/-/issues/199979.
-  dependencies: ["review-deploy"]
+  needs: ["review-deploy"]
   before_script:
     - export CI_ENVIRONMENT_URL="$(cat environment_url.txt)"
     - echo "${CI_ENVIRONMENT_URL}"
@@ -200,7 +189,7 @@ parallel-spec-reports:
     - .review:rules:review-qa-all
   image: ${GITLAB_DEPENDENCY_PROXY}ruby:2.7-alpine
   stage: post-qa
-  dependencies: ["review-qa-all"]
+  needs: ["review-qa-all"]
   variables:
     NEW_PARALLEL_SPECS_REPORT: qa/report-new.html
     BASE_ARTIFACT_URL: "${CI_PROJECT_URL}/-/jobs/${CI_JOB_ID}/artifacts/file/qa/"

.gitlab/ci/rules.gitlab-ci.yml

@@ -424,6 +424,13 @@
     - <<: *if-default-refs
       changes: *code-backstage-patterns
 
+.frontend:rules:default-frontend-jobs-ee:
+  rules:
+    - <<: *if-not-ee
+      when: never
+    - <<: *if-default-refs
+      changes: *code-backstage-patterns
+
 .frontend:rules:default-frontend-jobs-as-if-foss:
   rules:
     - <<: *if-not-ee
@@ -1069,7 +1076,6 @@
       allow_failure: true
     - <<: *if-dot-com-gitlab-org-merge-request
       changes: *code-patterns
-      when: manual
       allow_failure: true
     - <<: *if-dot-com-gitlab-org-merge-request
       changes: *qa-patterns
@@ -1090,7 +1096,6 @@
       allow_failure: true
     - <<: *if-dot-com-gitlab-org-merge-request
       changes: *code-qa-patterns
-      when: manual
       allow_failure: true
     - <<: *if-dot-com-gitlab-org-schedule
       allow_failure: true
@@ -1113,7 +1118,6 @@
       allow_failure: true
     - <<: *if-dot-com-gitlab-org-merge-request
       changes: *code-qa-patterns
-      when: manual
       allow_failure: true
 
 .review:rules:review-qa-all:

app/assets/javascripts/repository/components/upload_blob_modal.vue

@@ -93,7 +93,7 @@ export default {
         text: PRIMARY_OPTIONS_TEXT,
         attributes: [
           {
-            variant: 'success',
+            variant: 'confirm',
             loading: this.loading,
             disabled: !this.formCompleted || this.loading,
           },

changelogs/unreleased/remove-success-variant-upload-blob.yml

+---
+title: Remove success variant for primary button in upload file modal
+merge_request:
+author: Yogi (@yo)
+type: changed

lib/gitlab/import_export/command_line_util.rb

@@ -30,6 +30,8 @@ module Gitlab
       end
 
       def download(url, upload_path)
+        validate_url!(url)
+
         File.open(upload_path, 'w') do |file|
           # Download (stream) file from the uploader's location
           IO.copy_stream(URI.parse(url).open, file)
@@ -63,6 +65,19 @@ module Gitlab
         FileUtils.copy_entry(source, destination)
         true
       end
+
+      def validate_url!(url)
+        ::Gitlab::UrlBlocker.validate!(
+          url,
+          allow_localhost: allow_local_requests?,
+          allow_local_network: allow_local_requests?,
+          schemes: %w(http https)
+        )
+      end
+
+      def allow_local_requests?
+        ::Gitlab::CurrentSettings.allow_local_requests_from_web_hooks_and_services?
+      end
     end
   end
 end

spec/lib/gitlab/import_export/command_line_util_spec.rb

@@ -16,6 +16,10 @@ RSpec.describe Gitlab::ImportExport::CommandLineUtil do
       def initialize
         @shared = Gitlab::ImportExport::Shared.new(nil)
       end
+
+      def execute_download(url)
+        download(url, 'path')
+      end
     end.new
   end
 
@@ -35,4 +39,29 @@ RSpec.describe Gitlab::ImportExport::CommandLineUtil do
   it 'has the right mask for uploads' do
     expect(file_permissions("#{path}/uploads")).to eq(0755) # originally 555
   end
+
+  context 'validates the URL before executing the download' do
+    before do
+      stub_application_setting(allow_local_requests_from_web_hooks_and_services: false)
+    end
+
+    it 'raises error when the given URL is blocked' do
+      expect { subject.execute_download('http://localhost:3000/file') }
+        .to raise_error(Gitlab::UrlBlocker::BlockedUrlError, 'Requests to localhost are not allowed')
+    end
+
+    it 'executes the download when the URL is allowed' do
+      expect_next_instance_of(URI::HTTP) do |uri|
+        expect(uri)
+          .to receive(:open)
+          .and_return('file content')
+      end
+
+      expect(IO)
+        .to receive(:copy_stream)
+        .with('file content', instance_of(File))
+
+      subject.execute_download('http://some.url.remote/file')
+    end
+  end
 end