Merge branch 'ce-to-ee-2018-08-29' into 'master'

CE upstream - 2018-08-29 20:05 UTC

Closes #2695 and gitlab-com/migration#766

See merge request gitlab-org/gitlab-ee!7053

CHANGELOG.md

@@ -276,6 +276,7 @@ entry.
 ## 11.1.5 (2018-08-27)
 
 - No changes.
+
 ### Security (3 changes)
 
 - Fixed persistent XSS rendering/escaping of diff location lines.

app/assets/javascripts/performance_bar/index.js

 import Vue from 'vue';
-import Flash from '../flash';
 import PerformanceBarService from './services/performance_bar_service';
 import PerformanceBarStore from './stores/performance_bar_store';
 
@@ -46,7 +45,8 @@ export default ({ container }) =>
             this.store.addRequestDetails(requestId, res.data.data);
           })
           .catch(() =>
-            Flash(`Error getting performance bar results for ${requestId}`),
+            // eslint-disable-next-line no-console
+            console.warn(`Error getting performance bar results for ${requestId}`),
           );
       },
     },

app/assets/javascripts/performance_bar/services/performance_bar_service.js

@@ -11,13 +11,10 @@ export default class PerformanceBarService {
 
   static registerInterceptor(peekUrl, callback) {
     const interceptor = response => {
-      const requestId = response.headers['x-request-id'];
-      // Get the request URL from response.config for Axios, and response for
-      // Vue Resource.
-      const requestUrl = (response.config || response).url;
-      const cachedResponse = response.headers['x-gitlab-from-cache'] === 'true';
+      const [fireCallback, requestId, requestUrl] =
+        PerformanceBarService.callbackParams(response, peekUrl);
 
-      if (requestUrl !== peekUrl && requestId && !cachedResponse) {
+      if (fireCallback) {
         callback(requestId, requestUrl);
       }
 
@@ -38,4 +35,16 @@ export default class PerformanceBarService {
       vueResourceInterceptor,
     );
   }
+
+  static callbackParams(response, peekUrl) {
+    const requestId = response.headers && response.headers['x-request-id'];
+    // Get the request URL from response.config for Axios, and response for
+    // Vue Resource.
+    const requestUrl = (response.config || response).url;
+    const apiRequest = requestUrl && requestUrl.match(/^\/api\//);
+    const cachedResponse = response.headers && response.headers['x-gitlab-from-cache'] === 'true';
+    const fireCallback = requestUrl !== peekUrl && requestId && !apiRequest && !cachedResponse;
+
+    return [fireCallback, requestId, requestUrl];
+  }
 }

app/assets/javascripts/pipelines/components/graph/dropdown_job_component.vue

 <script>
 import $ from 'jquery';
-import _ from 'underscore';
 import JobNameComponent from './job_name_component.vue';
 import JobComponent from './job_component.vue';
 import tooltip from '../../../vue_shared/directives/tooltip';
@@ -47,7 +46,7 @@ export default {
 
   computed: {
     tooltipText() {
-      return _.escape(`${this.job.name} - ${this.job.status.label}`);
+      return `${this.job.name} - ${this.job.status.label}`;
     },
   },
 

app/assets/javascripts/pipelines/components/graph/job_component.vue

 <script>
-import _ from 'underscore';
 import ActionComponent from './action_component.vue';
 import JobNameComponent from './job_name_component.vue';
 import tooltip from '../../../vue_shared/directives/tooltip';
@@ -62,7 +61,7 @@ export default {
       const textBuilder = [];
 
       if (this.job.name) {
-        textBuilder.push(_.escape(this.job.name));
+        textBuilder.push(this.job.name);
       }
 
       if (this.job.name && this.status.tooltip) {
@@ -106,7 +105,6 @@ export default {
       :class="cssClassJobName"
       :data-boundary="tooltipBoundary"
       data-container="body"
-      data-html="true"
       class="js-pipeline-graph-job-link"
     >
 
@@ -122,7 +120,6 @@ export default {
       :title="tooltipText"
       :class="cssClassJobName"
       class="js-job-component-tooltip non-details-job-component"
-      data-html="true"
       data-container="body"
     >
 

app/views/ci/status/_dropdown_graph_badge.html.haml

@@ -6,12 +6,12 @@
 - tooltip = "#{subject.name} - #{status.status_tooltip}"
 
 - if status.has_details?
-  = link_to status.details_path, class: 'mini-pipeline-graph-dropdown-item', data: { toggle: 'tooltip', title: tooltip, html: 'true', container: 'body' }  do
+  = link_to status.details_path, class: 'mini-pipeline-graph-dropdown-item', data: { toggle: 'tooltip', title: tooltip, container: 'body' }  do
     %span{ class: klass }= sprite_icon(status.icon)
     %span.ci-build-text= subject.name
 
 - else
-  .menu-item.mini-pipeline-graph-dropdown-item{ data: { toggle: 'tooltip', html: 'true', title: tooltip, container: 'body' } }
+  .menu-item.mini-pipeline-graph-dropdown-item{ data: { toggle: 'tooltip', title: tooltip, container: 'body' } }
     %span{ class: klass }= sprite_icon(status.icon)
     %span.ci-build-text= subject.name
 

app/views/projects/diffs/_line.html.haml

@@ -32,9 +32,9 @@
         %a{ href: "##{line_code}", data: { linenumber: link_text } }
     %td.line_content.noteable_line{ class: type }<
       - if email
-        %pre= line.text
+        %pre= line.rich_text
       - else
-        = diff_line_content(line.text)
+        = diff_line_content(line.rich_text)
 
 - if line_discussions&.any?
   - discussion_expanded = local_assigns.fetch(:discussion_expanded, line_discussions.any?(&:expanded?))

app/views/projects/diffs/_parallel_view.html.haml

@@ -24,7 +24,7 @@
               - discussion_left = discussions_left.try(:first)
               - if discussion_left && discussion_left.resolvable?
                 %diff-note-avatars{ "discussion-id" => discussion_left.id }
-            %td.line_content.parallel.noteable_line.left-side{ id: left_line_code, class: left.type }= diff_line_content(left.text)
+            %td.line_content.parallel.noteable_line.left-side{ id: left_line_code, class: left.type }= diff_line_content(left.rich_text)
         - else
           %td.old_line.diff-line-num.empty-cell
           %td.line_content.parallel.left-side
@@ -45,7 +45,7 @@
               - discussion_right = discussions_right.try(:first)
               - if discussion_right && discussion_right.resolvable?
                 %diff-note-avatars{ "discussion-id" => discussion_right.id }
-            %td.line_content.parallel.noteable_line.right-side{ id: right_line_code, class: right.type }= diff_line_content(right.text)
+            %td.line_content.parallel.noteable_line.right-side{ id: right_line_code, class: right.type }= diff_line_content(right.rich_text)
         - else
           %td.old_line.diff-line-num.empty-cell
           %td.line_content.parallel.right-side

app/views/projects/jobs/_sidebar.html.haml

@@ -82,7 +82,7 @@
         - builds.select{|build| build.status == build_status}.each do |build|
           .build-job{ class: sidebar_build_class(build, @build), data: { stage: build.stage } }
             - tooltip = sanitize(build.tooltip_message.dup)
-            = link_to(project_job_path(@project, build), data: { toggle: 'tooltip', html: 'true', title: tooltip, container: 'body' }) do
+            = link_to(project_job_path(@project, build), data: { toggle: 'tooltip', title: tooltip, container: 'body' }) do
               = sprite_icon('arrow-right', size:16, css_class: 'icon-arrow-right')
               %span{ class: "ci-status-icon-#{build.status}" }
                 = ci_icon_for_status(build.status)

changelogs/unreleased/50801-error-getting-performance-bar-results-for-uuid.yml

+---
+title: Don't show flash messages for performance bar errors
+merge_request: 21411
+author:
+type: other

changelogs/unreleased/rails5-silence-stream.yml

+---
+title: 'Rails 5: replace removed silence_stream'
+merge_request: 21387
+author: Jasper Maes
+type: other

changelogs/unreleased/security-49085-persistent-xss-rendering.yml

+---
+title: Fixed persistent XSS rendering/escaping of diff location lines
+merge_request:
+author:
+type: security

changelogs/unreleased/sh-block-link-local-master.yml

+---
+title: Block link-local addresses in URLBlocker
+merge_request:
+author:
+type: security

doc/install/kubernetes/gitlab_chart.md

@@ -30,7 +30,7 @@ The `gitlab` chart includes all required dependencies, and takes a few minutes
 to deploy.
 
 TIP: **Tip:**
-For large scale deployments, we strongly recommend using the
+For production deployments, we strongly recommend using the
 [detailed installation instructions](https://gitlab.com/charts/gitlab/blob/master/doc/installation/README.md)
 utilizing [external Postgres, Redis, and object storage](https://gitlab.com/charts/gitlab/tree/master/doc/advanced) services.
 

lib/gitlab/ci/status/build/failed.rb

@@ -34,7 +34,7 @@ module Gitlab
           end
 
           def description
-            "<br> (#{failure_reason_message})"
+            "- (#{failure_reason_message})"
           end
 
           def failure_reason_message

lib/gitlab/diff/highlight.rb

@@ -37,7 +37,7 @@ module Gitlab
             end
           end
 
-          diff_line.text = rich_line
+          diff_line.rich_text = rich_line
 
           diff_line
         end

lib/gitlab/diff/line.rb

 module Gitlab
   module Diff
     class Line
-      SERIALIZE_KEYS = %i(line_code text type index old_pos new_pos).freeze
+      SERIALIZE_KEYS = %i(line_code rich_text text type index old_pos new_pos).freeze
 
       attr_reader :line_code, :type, :index, :old_pos, :new_pos
       attr_writer :rich_text
       attr_accessor :text
 
-      def initialize(text, type, index, old_pos, new_pos, parent_file: nil, line_code: nil)
+      def initialize(text, type, index, old_pos, new_pos, parent_file: nil, line_code: nil, rich_text: nil)
         @text, @type, @index = text, type, index
         @old_pos, @new_pos = old_pos, new_pos
         @parent_file = parent_file
+        @rich_text = rich_text
 
         # When line code is not provided from cache store we build it
         # using the parent_file(Diff::File or Conflict::File).
@@ -18,7 +19,7 @@ module Gitlab
       end
 
       def self.init_from_hash(hash)
-        new(hash[:text], hash[:type], hash[:index], hash[:old_pos], hash[:new_pos], line_code: hash[:line_code])
+        new(hash[:text], hash[:type], hash[:index], hash[:old_pos], hash[:new_pos], line_code: hash[:line_code], rich_text: hash[:rich_text])
       end
 
       def to_hash
@@ -85,7 +86,7 @@ module Gitlab
           old_line: old_line,
           new_line: new_line,
           text: text,
-          rich_text: rich_text || text,
+          rich_text: rich_text || CGI.escapeHTML(text),
           meta_data: meta_positions
         }
       end

lib/gitlab/import_export/uploads_manager.rb

@@ -13,13 +13,11 @@ module Gitlab
       end
 
       def save
-        copy_files(@from, uploads_export_path) if File.directory?(@from)
-
         if File.file?(@from) && @relative_export_path == 'avatar'
           copy_files(@from, File.join(uploads_export_path, @project.avatar.filename))
         end
 
-        copy_from_object_storage
+        copy_project_uploads
 
         true
       rescue => e
@@ -48,14 +46,19 @@ module Gitlab
         UploadService.new(@project, File.open(upload, 'r'), FileUploader, uploader_context).execute
       end
 
-      def copy_from_object_storage
-        return unless Gitlab::ImportExport.object_storage?
-
+      def copy_project_uploads
         each_uploader do |uploader|
           next unless uploader.file
-          next if uploader.upload.local? # Already copied, using  the old  method
 
-          download_and_copy(uploader)
+          if uploader.upload.local?
+            next unless uploader.upload.exist?
+
+            copy_files(uploader.absolute_path, File.join(uploads_export_path, uploader.upload.path))
+          else
+            next unless Gitlab::ImportExport.object_storage?
+
+            download_and_copy(uploader)
+          end
         end
       end
 

lib/gitlab/url_blocker.rb

@@ -31,6 +31,7 @@ module Gitlab
 
         validate_localhost!(addrs_info) unless allow_localhost
         validate_local_network!(addrs_info) unless allow_local_network
+        validate_link_local!(addrs_info) unless allow_local_network
 
         true
       end
@@ -89,6 +90,13 @@ module Gitlab
         raise BlockedUrlError, "Requests to the local network are not allowed"
       end
 
+      def validate_link_local!(addrs_info)
+        netmask = IPAddr.new('169.254.0.0/16')
+        return unless addrs_info.any? { |addr| addr.ipv6_linklocal? || netmask.include?(addr.ip_address) }
+
+        raise BlockedUrlError, "Requests to the link local network are not allowed"
+      end
+
       def internal?(uri)
         internal_web?(uri) || internal_shell?(uri)
       end

lib/tasks/gettext.rake

@@ -82,7 +82,7 @@ namespace :gettext do
 
     # `gettext:find` writes touches to temp files to `stderr` which would cause
     # `static-analysis` to report failures. We can ignore these.
-    silence_stream($stderr) do
+    silence_sdterr do
       Rake::Task['gettext:find'].invoke
     end
 
@@ -118,4 +118,15 @@ namespace :gettext do
       end
     end
   end
+
+  def silence_sdterr(&block)
+    old_stderr = $stderr.dup
+    $stderr.reopen(File::NULL)
+    $stderr.sync = true
+
+    yield
+  ensure
+    $stderr.reopen(old_stderr)
+    old_stderr.close
+  end
 end

qa/qa/specs/features/browser_ui/3_create/repository/create_edit_delete_file_via_web_spec.rb

 # frozen_string_literal: true
 
 module QA
-  context :create do
+  context :create, :core do
     describe 'Files management' do
       it 'user creates, edits and deletes a file via the Web' do
         Runtime::Browser.visit(:gitlab, Page::Main::Login)

qa/qa/specs/features/browser_ui/4_verify/pipeline/create_and_process_pipeline_spec.rb

 # frozen_string_literal: true
 
 module QA
-  context :verify, :docker do
+  context :verify, :orchestrated, :docker do
     describe 'Pipeline creation and processing' do
       let(:executor) { "qa-runner-#{Time.now.to_i}" }
 

qa/qa/specs/features/browser_ui/6_release/deploy_key/clone_using_deploy_key_spec.rb

@@ -62,20 +62,20 @@ module QA
           end
 
           gitlab_ci = <<~YAML
-            cat-config:
-              script:
-                - mkdir -p ~/.ssh
-                - ssh-keyscan -p #{@repository_location.port} #{@repository_location.host} >> ~/.ssh/known_hosts
-                - eval $(ssh-agent -s)
-                - ssh-add -D
-                - echo "$#{deploy_key_name}" | ssh-add -
-                - git clone #{@repository_location.git_uri}
-                - cd #{@project.name}
-                - git checkout #{deploy_key_name}
-                - sha1sum .gitlab-ci.yml
-              tags:
-                - qa
-                - docker
+          cat-config:
+            script:
+              - mkdir -p ~/.ssh
+              - ssh-keyscan -p #{@repository_location.port} #{@repository_location.host} >> ~/.ssh/known_hosts
+              - eval $(ssh-agent -s)
+              - ssh-add -D
+              - echo "$#{deploy_key_name}" | ssh-add -
+              - git clone #{@repository_location.git_uri}
+              - cd #{@project.name}
+              - git checkout #{deploy_key_name}
+              - sha1sum .gitlab-ci.yml
+            tags:
+              - qa
+              - docker
           YAML
 
           Factory::Repository::ProjectPush.fabricate! do |resource|

spec/features/merge_request/user_sees_diff_spec.rb

@@ -2,6 +2,7 @@ require 'rails_helper'
 
 describe 'Merge request > User sees diff', :js do
   include ProjectForksHelper
+  include RepoHelpers
 
   let(:project) { create(:project, :public, :repository) }
   let(:merge_request) { create(:merge_request, source_project: project) }
@@ -81,5 +82,58 @@ describe 'Merge request > User sees diff', :js do
         expect(page).to have_selector('.js-cancel-fork-suggestion-button', count: 1)
       end
     end
+
+    context 'when file contains html' do
+      let(:current_user) { project.owner }
+      let(:branch_name) {"test_branch"}
+
+      def create_file(branch_name, file_name, content)
+        Files::CreateService.new(
+          project,
+          current_user,
+          start_branch: branch_name,
+          branch_name: branch_name,
+          commit_message: "Create file",
+          file_path: file_name,
+          file_content: content
+        ).execute
+
+        project.commit(branch_name)
+      end
+
+      it 'escapes any HTML special characters in the diff chunk header' do
+        file_content =
+          <<~CONTENT
+          function foo<input> {
+            let a = 1;
+            let b = 2;
+            let c = 3;
+            let d = 3;
+          }
+        CONTENT
+
+        new_file_content =
+          <<~CONTENT
+          function foo<input> {
+            let a = 1;
+            let b = 2;
+            let c = 3;
+            let x = 3;
+          }
+        CONTENT
+
+        file_name = 'xss_file.txt'
+
+        create_file('master', file_name, file_content)
+        merge_request = create(:merge_request, source_project: project)
+        create_file(merge_request.source_branch, file_name, new_file_content)
+
+        project.commit(merge_request.source_branch)
+
+        visit diffs_project_merge_request_path(project, merge_request)
+
+        expect(page).to have_text("function foo<input> {")
+      end
+    end
   end
 end

spec/features/projects/jobs/user_browses_job_spec.rb

@@ -40,7 +40,7 @@ describe 'User browses a job', :js do
     it 'displays the failure reason' do
       within('.builds-container') do
         build_link = first('.build-job > a')
-        expect(build_link['data-title']).to eq('test - failed <br> (unknown failure)')
+        expect(build_link['data-title']).to eq('test - failed - (unknown failure)')
       end
     end
   end
@@ -51,7 +51,7 @@ describe 'User browses a job', :js do
     it 'displays the failure reason and retried label' do
       within('.builds-container') do
         build_link = first('.build-job > a')
-        expect(build_link['data-title']).to eq('test - failed <br> (unknown failure) (retried)')
+        expect(build_link['data-title']).to eq('test - failed - (unknown failure) (retried)')
       end
     end
   end

spec/features/projects/jobs/user_browses_jobs_spec.rb

@@ -36,7 +36,7 @@ describe 'User browses jobs' do
     it 'displays a tooltip with the failure reason' do
       page.within('.ci-table') do
         failed_job_link = page.find('.ci-failed')
-        expect(failed_job_link[:title]).to eq('Failed <br> (unknown failure)')
+        expect(failed_job_link[:title]).to eq('Failed - (unknown failure)')
       end
     end
   end

spec/features/projects/pipelines/pipeline_spec.rb

@@ -126,7 +126,7 @@ describe 'Pipeline', :js do
         it 'should include the failure reason' do
           page.within('#ci-badge-test') do
             build_link = page.find('.js-pipeline-graph-job-link')
-            expect(build_link['data-original-title']).to eq('test - failed <br> (unknown failure)')
+            expect(build_link['data-original-title']).to eq('test - failed - (unknown failure)')
           end
         end
       end
@@ -319,7 +319,7 @@ describe 'Pipeline', :js do
       it 'displays a tooltip with the failure reason' do
         page.within('.ci-table') do
           failed_job_link = page.find('.ci-failed')
-          expect(failed_job_link[:title]).to eq('Failed <br> (unknown failure)')
+          expect(failed_job_link[:title]).to eq('Failed - (unknown failure)')
         end
       end
     end

spec/features/projects/pipelines/pipelines_spec.rb

@@ -406,7 +406,7 @@ describe 'Pipelines', :js do
 
             within('.js-builds-dropdown-list') do
               build_element = page.find('.mini-pipeline-graph-dropdown-item')
-              expect(build_element['data-original-title']).to eq('build - failed <br> (unknown failure)')
+              expect(build_element['data-original-title']).to eq('build - failed - (unknown failure)')
             end
           end
         end

spec/javascripts/performance_bar/services/performance_bar_service_spec.js

+import PerformanceBarService from '~/performance_bar/services/performance_bar_service';
+
+describe('PerformanceBarService', () => {
+  describe('callbackParams', () => {
+    describe('fireCallback', () => {
+      function fireCallback(response, peekUrl) {
+        return PerformanceBarService.callbackParams(response, peekUrl)[0];
+      }
+
+      it('returns false when the request URL is the peek URL', () => {
+        expect(fireCallback({ headers: { 'x-request-id': '123' }, url: '/peek' }, '/peek'))
+          .toBeFalsy();
+      });
+
+      it('returns false when there is no request ID', () => {
+        expect(fireCallback({ headers: {}, url: '/request' }, '/peek'))
+          .toBeFalsy();
+      });
+
+      it('returns false when the request is an API request', () => {
+        expect(fireCallback({ headers: { 'x-request-id': '123' }, url: '/api/' }, '/peek'))
+          .toBeFalsy();
+      });
+
+      it('returns false when the response is from the cache', () => {
+        expect(fireCallback({ headers: { 'x-request-id': '123', 'x-gitlab-from-cache': 'true' }, url: '/request' }, '/peek'))
+          .toBeFalsy();
+      });
+
+      it('returns true when all conditions are met', () => {
+        expect(fireCallback({ headers: { 'x-request-id': '123' }, url: '/request' }, '/peek'))
+          .toBeTruthy();
+      });
+    });
+
+    describe('requestId', () => {
+      function requestId(response, peekUrl) {
+        return PerformanceBarService.callbackParams(response, peekUrl)[1];
+      }
+
+      it('gets the request ID from the headers', () => {
+        expect(requestId({ headers: { 'x-request-id': '123' } }, '/peek'))
+          .toEqual('123');
+      });
+    });
+
+    describe('requestUrl', () => {
+      function requestUrl(response, peekUrl) {
+        return PerformanceBarService.callbackParams(response, peekUrl)[2];
+      }
+
+      it('gets the request URL from the response object', () => {
+        expect(requestUrl({ headers: {}, url: '/request' }, '/peek'))
+          .toEqual('/request');
+      });
+
+      it('gets the request URL from response.config if present', () => {
+        expect(requestUrl({ headers: {}, config: { url: '/config-url' }, url: '/request' }, '/peek'))
+          .toEqual('/config-url');
+      });
+    });
+  });
+});

spec/javascripts/pipelines/graph/dropdown_job_component_spec.js

@@ -82,12 +82,4 @@ describe('dropdown job component', () => {
   it('renders dropdown with jobs', () => {
     expect(vm.$el.querySelectorAll('.scrollable-menu>ul>li').length).toEqual(mock.jobs.length);
   });
-
-  it('escapes tooltip title', () => {
-    expect(
-      vm.$el.querySelector('.js-pipeline-graph-job-link').getAttribute('data-original-title'),
-    ).toEqual(
-      '<img src=x onerror=alert(document.domain)> - passed',
-    );
-  });
 });

spec/javascripts/pipelines/graph/job_component_spec.js

@@ -161,24 +161,4 @@ describe('pipeline graph job component', () => {
       expect(component.$el.querySelector(tooltipBoundary)).toBeNull();
     });
   });
-
-  describe('tooltipText', () => {
-    it('escapes job name', () => {
-      component = mountComponent(JobComponent, {
-        job: {
-          id: 4259,
-          name: '<img src=x onerror=alert(document.domain)>',
-          status: {
-            icon: 'status_success',
-            label: 'success',
-            tooltip: 'failed',
-          },
-        },
-      });
-
-      expect(
-        component.$el.querySelector('.js-job-component-tooltip').getAttribute('data-original-title'),
-      ).toEqual('&lt;img src=x onerror=alert(document.domain)&gt; - failed');
-    });
-  });
 });

spec/lib/gitlab/ci/status/build/factory_spec.rb

@@ -88,7 +88,7 @@ describe Gitlab::Ci::Status::Build::Factory do
         expect(status.icon).to eq 'status_failed'
         expect(status.favicon).to eq 'favicon_status_failed'
         expect(status.label).to eq 'failed'
-        expect(status.status_tooltip).to eq 'failed <br> (unknown failure)'
+        expect(status.status_tooltip).to eq 'failed - (unknown failure)'
         expect(status).to have_details
         expect(status).to have_action
       end

spec/lib/gitlab/ci/status/build/failed_allowed_spec.rb

@@ -76,7 +76,7 @@ describe Gitlab::Ci::Status::Build::FailedAllowed do
     let(:status) { described_class.new(build_status) }
 
     it 'does override badge_tooltip' do
-      expect(status.badge_tooltip).to eq('failed <br> (unknown failure)')
+      expect(status.badge_tooltip).to eq('failed - (unknown failure)')
     end
   end
 
@@ -87,7 +87,7 @@ describe Gitlab::Ci::Status::Build::FailedAllowed do
     let(:status) { described_class.new(build_status) }
 
     it 'does override status_tooltip' do
-      expect(status.status_tooltip).to eq 'failed <br> (unknown failure) (allowed to fail)'
+      expect(status.status_tooltip).to eq 'failed - (unknown failure) (allowed to fail)'
     end
   end
 

spec/lib/gitlab/ci/status/build/failed_spec.rb

@@ -52,7 +52,7 @@ describe Gitlab::Ci::Status::Build::Failed do
     let(:status) { Gitlab::Ci::Status::Failed.new(build, user) }
 
     it 'does override badge_tooltip' do
-      expect(subject.badge_tooltip).to eq 'failed <br> (script failure)'
+      expect(subject.badge_tooltip).to eq 'failed - (script failure)'
     end
   end
 
@@ -61,7 +61,7 @@ describe Gitlab::Ci::Status::Build::Failed do
     let(:status) { Gitlab::Ci::Status::Failed.new(build, user) }
 
     it 'does override status_tooltip' do
-      expect(subject.status_tooltip).to eq 'failed <br> (script failure)'
+      expect(subject.status_tooltip).to eq 'failed - (script failure)'
     end
   end
 

spec/lib/gitlab/ci/status/build/retried_spec.rb

@@ -66,7 +66,7 @@ describe Gitlab::Ci::Status::Build::Retried do
       let(:status) { Gitlab::Ci::Status::Build::Failed.new(failed_status) }
 
       it 'does override status_tooltip' do
-        expect(subject.status_tooltip).to eq 'failed <br> (unknown failure) (retried)'
+        expect(subject.status_tooltip).to eq 'failed - (unknown failure) (retried)'
       end
     end
 

spec/lib/gitlab/conflict/file_spec.rb

@@ -69,10 +69,6 @@ describe Gitlab::Conflict::File do
       CGI.unescapeHTML(ActionView::Base.full_sanitizer.sanitize(html)).delete("\n")
     end
 
-    it 'modifies the existing lines' do
-      expect { conflict_file.highlight_lines! }.to change { conflict_file.lines.map(&:instance_variables) }
-    end
-
     it 'is called implicitly when rich_text is accessed on a line' do
       expect(conflict_file).to receive(:highlight_lines!).once.and_call_original
 

spec/lib/gitlab/diff/highlight_spec.rb

@@ -24,19 +24,19 @@ describe Gitlab::Diff::Highlight do
       it 'highlights and marks unchanged lines' do
         code = %Q{ <span id="LC7" class="line" lang="ruby">  <span class="k">def</span> <span class="nf">popen</span><span class="p">(</span><span class="n">cmd</span><span class="p">,</span> <span class="n">path</span><span class="o">=</span><span class="kp">nil</span><span class="p">)</span></span>\n}
 
-        expect(subject[2].text).to eq(code)
+        expect(subject[2].rich_text).to eq(code)
       end
 
       it 'highlights and marks removed lines' do
         code = %Q{-<span id="LC9" class="line" lang="ruby">      <span class="k">raise</span> <span class="s2">"System commands must be given as an array of strings"</span></span>\n}
 
-        expect(subject[4].text).to eq(code)
+        expect(subject[4].rich_text).to eq(code)
       end
 
       it 'highlights and marks added lines' do
         code = %Q{+<span id="LC9" class="line" lang="ruby">      <span class="k">raise</span> <span class="no"><span class="idiff left">RuntimeError</span></span><span class="p"><span class="idiff">,</span></span><span class="idiff right"> </span><span class="s2">"System commands must be given as an array of strings"</span></span>\n}
 
-        expect(subject[5].text).to eq(code)
+        expect(subject[5].rich_text).to eq(code)
       end
     end
 
@@ -69,8 +69,8 @@ describe Gitlab::Diff::Highlight do
       it 'marks added lines' do
         code = %q{+      raise <span class="idiff left right">RuntimeError, </span>&quot;System commands must be given as an array of strings&quot;}
 
-        expect(subject[5].text).to eq(code)
-        expect(subject[5].text).to be_html_safe
+        expect(subject[5].rich_text).to eq(code)
+        expect(subject[5].rich_text).to be_html_safe
       end
 
       context 'when the inline diff marker has an invalid range' do

spec/lib/gitlab/diff/line_spec.rb

+describe Gitlab::Diff::Line do
+  describe '.init_from_hash' do
+    it 'round-trips correctly with to_hash' do
+      line = described_class.new('<input>', 'match', 0, 0, 1,
+                                 parent_file: double(:file),
+                                 line_code: double(:line_code),
+                                 rich_text: '&lt;input&gt;')
+
+      expect(described_class.init_from_hash(line.to_hash).to_hash)
+        .to eq(line.to_hash)
+    end
+  end
+
+  context "when setting rich text" do
+    it 'escapes any HTML special characters in the diff chunk header' do
+      subject = described_class.new("<input>", "", 0, 0, 0)
+      line = subject.as_json
+
+      expect(line[:rich_text]).to eq("&lt;input&gt;")
+    end
+  end
+end

spec/lib/gitlab/import_export/uploads_manager_spec.rb

@@ -36,6 +36,38 @@ describe Gitlab::ImportExport::UploadsManager do
 
         expect(File).to exist(exported_file_path)
       end
+
+      context 'with orphaned project upload files' do
+        let(:orphan_path) { File.join(FileUploader.absolute_base_dir(project), 'f93f088ddf492ffd950cf059002cbbb6', 'orphan.jpg') }
+        let(:exported_orphan_path) { "#{shared.export_path}/uploads/f93f088ddf492ffd950cf059002cbbb6/orphan.jpg" }
+
+        before do
+          FileUtils.mkdir_p(File.dirname(orphan_path))
+          FileUtils.touch(orphan_path)
+        end
+
+        after do
+          File.delete(orphan_path) if File.exist?(orphan_path)
+        end
+
+        it 'excludes orphaned upload files' do
+          manager.save
+
+          expect(File).not_to exist(exported_orphan_path)
+        end
+      end
+
+      context 'with an upload missing its file' do
+        before do
+          File.delete(upload.absolute_path)
+        end
+
+        it 'does not cause errors' do
+          manager.save
+
+          expect(shared.errors).to be_empty
+        end
+      end
     end
 
     context 'using object storage' do

spec/lib/gitlab/url_blocker_spec.rb

+# coding: utf-8
 require 'spec_helper'
 
 describe Gitlab::UrlBlocker do
@@ -82,6 +83,17 @@ describe Gitlab::UrlBlocker do
             expect(described_class).not_to be_blocked_url("http://#{ip}")
           end
         end
+
+        it 'allows IPv4 link-local endpoints' do
+          expect(described_class).not_to be_blocked_url('http://169.254.169.254')
+          expect(described_class).not_to be_blocked_url('http://169.254.168.100')
+        end
+
+        # This is blocked due to the hostname check: https://gitlab.com/gitlab-org/gitlab-ce/issues/50227
+        it 'blocks IPv6 link-local endpoints' do
+          expect(described_class).to be_blocked_url('http://[::ffff:169.254.169.254]')
+          expect(described_class).to be_blocked_url('http://[::ffff:169.254.168.100]')
+        end
       end
 
       context 'false' do
@@ -96,10 +108,21 @@ describe Gitlab::UrlBlocker do
             expect(described_class).to be_blocked_url("http://#{ip}", allow_local_network: false)
           end
         end
+
+        it 'blocks IPv4 link-local endpoints' do
+          expect(described_class).to be_blocked_url('http://169.254.169.254', allow_local_network: false)
+          expect(described_class).to be_blocked_url('http://169.254.168.100', allow_local_network: false)
+        end
+
+        it 'blocks IPv6 link-local endpoints' do
+          expect(described_class).to be_blocked_url('http://[::ffff:169.254.169.254]', allow_local_network: false)
+          expect(described_class).to be_blocked_url('http://[::ffff:169.254.168.100]', allow_local_network: false)
+          expect(described_class).to be_blocked_url('http://[FE80::C800:EFF:FE74:8]', allow_local_network: false)
+        end
       end
 
       def stub_domain_resolv(domain, ip)
-        allow(Addrinfo).to receive(:getaddrinfo).with(domain, any_args).and_return([double(ip_address: ip, ipv4_private?: true)])
+        allow(Addrinfo).to receive(:getaddrinfo).with(domain, any_args).and_return([double(ip_address: ip, ipv4_private?: true, ipv6_link_local?: false)])
       end
 
       def unstub_domain_resolv

spec/presenters/ci/build_presenter_spec.rb

@@ -78,7 +78,7 @@ describe Ci::BuildPresenter do
       it 'returns the reason of failure' do
         status_title = presenter.status_title
 
-        expect(status_title).to eq('Failed <br> (unknown failure)')
+        expect(status_title).to eq('Failed - (unknown failure)')
       end
     end
 
@@ -89,7 +89,7 @@ describe Ci::BuildPresenter do
         status_title = presenter.status_title
 
         expect(status_title).not_to include('(retried)')
-        expect(status_title).to eq('Failed <br> (unknown failure)')
+        expect(status_title).to eq('Failed - (unknown failure)')
       end
     end
 
@@ -99,7 +99,7 @@ describe Ci::BuildPresenter do
       it 'returns the reason of failure' do
         status_title = presenter.status_title
 
-        expect(status_title).to eq('Failed <br> (unknown failure)')
+        expect(status_title).to eq('Failed - (unknown failure)')
       end
     end
 
@@ -173,7 +173,7 @@ describe Ci::BuildPresenter do
       it 'returns the reason of failure' do
         tooltip = subject.tooltip_message
 
-        expect(tooltip).to eq("#{build.name} - failed <br> (script failure)")
+        expect(tooltip).to eq("#{build.name} - failed - (script failure)")
       end
     end
 
@@ -183,7 +183,7 @@ describe Ci::BuildPresenter do
       it 'should include the reason of failure and the retried title' do
         tooltip = subject.tooltip_message
 
-        expect(tooltip).to eq("#{build.name} - failed <br> (script failure) (retried)")
+        expect(tooltip).to eq("#{build.name} - failed - (script failure) (retried)")
       end
     end
 
@@ -193,7 +193,7 @@ describe Ci::BuildPresenter do
       it 'should include the reason of failure' do
         tooltip = subject.tooltip_message
 
-        expect(tooltip).to eq("#{build.name} - failed <br> (script failure) (allowed to fail)")
+        expect(tooltip).to eq("#{build.name} - failed - (script failure) (allowed to fail)")
       end
     end
 

spec/serializers/build_serializer_spec.rb

@@ -37,7 +37,7 @@ describe BuildSerializer do
       it 'serializes only status' do
         expect(subject[:text]).to eq(status.text)
         expect(subject[:label]).to eq('failed')
-        expect(subject[:tooltip]).to eq('failed <br> (unknown failure)')
+        expect(subject[:tooltip]).to eq('failed - (unknown failure)')
         expect(subject[:icon]).to eq(status.icon)
         expect(subject[:favicon]).to match_asset_path("/assets/ci_favicons/#{status.favicon}.png")
       end

spec/serializers/job_entity_spec.rb

@@ -142,7 +142,7 @@ describe JobEntity do
     end
 
     it 'should indicate the failure reason on tooltip' do
-      expect(subject[:status][:tooltip]).to eq('failed <br> (API failure)')
+      expect(subject[:status][:tooltip]).to eq('failed - (API failure)')
     end
 
     it 'should include a callout message with a verbose output' do
@@ -166,7 +166,7 @@ describe JobEntity do
     end
 
     it 'should indicate the failure reason on tooltip' do
-      expect(subject[:status][:tooltip]).to eq('failed <br> (API failure) (allowed to fail)')
+      expect(subject[:status][:tooltip]).to eq('failed - (API failure) (allowed to fail)')
     end
 
     it 'should include a callout message with a verbose output' do