Hide private members in project member autocomplete

See merge request gitlab/gitlabhq!3212

Nested GraphQL query with circular relationship can cause Denial of Service

See merge request gitlab/gitlabhq!3360

Improper access control allows the attacker to comment in internal commit after they are no longer admin

See merge request gitlab/gitlabhq!3372

Improper access control allows the attacker to comment in internal commit after they are no longer admin

Labels visible despite no access to issues & repositories

See merge request gitlab/gitlabhq!3409

Project path reveals labels from Private project if the issue is moved to public project

See merge request gitlab/gitlabhq!3419

Require Maintainer permission on group where project is transferred to

See merge request gitlab/gitlabhq!3420

Sanitize search text to prevent XSS

See merge request gitlab/gitlabhq!3453

Private/internal repository enumeration via bruteforce on a vulnerable URL

See merge request gitlab/gitlabhq!3454

Only assign merge params when allowed

See merge request gitlab/gitlabhq!3458

Pass all wiki markup formats through our Banzai pipeline filters

See merge request gitlab/gitlabhq!3461

Mask sentry auth token

See merge request gitlab/gitlabhq!3462

Use the '\A' and '\z' regex anchors in `InternalRedirect` to mitigate an Open Redirect issue.

Closes #2934

See merge request gitlab/gitlabhq!3466

Filter out search results based on permissions to avoid bugs leaking data

See merge request gitlab/gitlabhq!3493

Return 404 on LFS request if project doesn't exist

See merge request gitlab/gitlabhq!3505

[ci skip]