Reject parameters that override upload fields

See merge request gitlab-org/security/gitlab-workhorse!3

When Workhorse intercepts file uploads, we store the files and send the
information about the temporary file in new multipart form values called
`file.path`, `file.size` etc.

Since we're also copying all other multipart form values from the
original client request, it was possible to override the values we
set in Workhorse, causing Rails to e.g. load the uploaded file from
an injected `file.path` parameter.

To avoid this, we check if client parameters have the same name as any
of our own added fields and reject the request.

The `path` and `remote_*` fields are not always set in Workhorse
depending on the storage type, but still picked up in Rails.

To avoid injecting any client params with the same name, we just set
these fields to empty strings.

Resolve "PyPi - Object storage upload route for package files"

See merge request gitlab-org/gitlab-workhorse!474

Release v8.27.0

See merge request gitlab-org/gitlab-workhorse!476

Remove Set-Cookie header from archive and raw blob responses

See merge request gitlab-org/gitlab-workhorse!475

CDNs don't cache responses with Set-Cookie header as they assume they
contain some sort of state or user-specific data, which is not the case for
raw blobs and repository archives.

This change allows GitLab installations that sit behind a CDN to benefit from its
caching feature seamlessly.

Related to https://gitlab.com/gitlab-com/gl-infra/infrastructure/issues/6829
and https://gitlab.com/gitlab-com/gl-infra/scalability/-/issues/4

Release Workhorse v8.26.0

See merge request gitlab-org/gitlab-workhorse!472

Add route for project imports direct upload via UI

See merge request gitlab-org/gitlab-workhorse!470

Release v8.25.0

See merge request gitlab-org/gitlab-workhorse!471

Add route for project imports direct upload

See merge request gitlab-org/gitlab-workhorse!459

Prepare 8.24.0 release with Continuous Profiling

See merge request gitlab-org/gitlab-workhorse!469

Simple version bump to support
https://gitlab.com/gitlab-org/gitlab-workhorse/-/merge_requests/461.

Add Stackdriver Profiler through Labkit

See merge request gitlab-org/gitlab-workhorse!461

This updates the labkit library and adds minimal changes
to the `monitoring.Serve` initialization, given the profiler
can be initialized without requiring Prometheus.

Add Alessio to the maintainers' list

See merge request gitlab-org/gitlab-workhorse!468

Test against go 1.12 - 1.14

See merge request gitlab-org/gitlab-workhorse!467

Add table explaining interaction between authBackend and authSocket

See merge request gitlab-org/gitlab-workhorse!463

Release v8.23.0

See merge request gitlab-org/gitlab-workhorse!465

Ignore toml files in project root

See merge request gitlab-org/gitlab-workhorse!464

Don't set Cache-Control header for git archives

See merge request gitlab-org/gitlab-workhorse!462

Rails already sets Cache-Control according to the project visibility.
Always setting the header value to `private` prevents us from doing
proper caching (e.g. at CDN level) for public projects.

Related to https://gitlab.com/gitlab-com/gl-infra/infrastructure/issues/6829

Add CI jobs for dependency scanning and static analysis

See merge request gitlab-org/gitlab-workhorse!458

Prepare 8.22.0 release

See merge request gitlab-org/gitlab-workhorse!460