Fixes XSS injection

REF: https://gitlab.com/gitlab-org/gitlab-ce/issues/15434

**Without the fix**

![xss1](/uploads/0a7b0b15fb87066965a7c73f1dbaa815/xss1.gif)


**With the fix**

![xss2](/uploads/473cfa0aa80656f24c58aebf1fd97fff/xss2.gif)


See merge request !1952

Fixes window.opener bug

Adds `noreferrer` value to rel attribute for external links

REF: https://gitlab.com/gitlab-org/gitlab-ce/issues/15331

See merge request !1953

Remove persistent XSS vulnerability in `commit_person_link` helper

Because we were incorrectly supplying the tooltip title as
`data-original-title` (which Bootstrap's Tooltip JS automatically
applies based on the `title` attribute; we should never be setting it
directly), the value was being passed through as-is.

Instead, we should be supplying the normal `title` attribute and letting
Rails escape the value, which also negates the need for us to call
`sanitize` on it.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15126

See merge request !1948
Signed-off-by: Rémy Coutable <remy@rymai.me>

[ci skip]
Signed-off-by: Rémy Coutable <remy@rymai.me>

Check permissions when sharing project with group

## Summary

Unprivileged user was able to share project with group he didn't have access to, and therefore gain partial access to that group, which opened possibilities for further actions like listing private projects in that group.

See https://gitlab.com/gitlab-org/gitlab-ce/issues/15330

## Fix

This change introduces additional check for group read access.

## Further work

We can think about preventing such problems in the future (this is quite common problem) by moving permissions checks to another layer of abstraction (TBD).

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15330

See merge request !1949
Signed-off-by: Rémy Coutable <remy@rymai.me>

[ci skip]
Signed-off-by: Rémy Coutable <remy@rymai.me>

Fix revoking of authorized OAuth applications

Users were not able to revoke access to authorized OAuth applications. Clicking the "Revoke" button would result in a 404 page, and the application would still be authorized.

Added a spec and also found that the `gon` variables were not being set for this view.

Closes #14370

See merge request !3690
Signed-off-by: Rémy Coutable <remy@rymai.me>

Expire the exists cache before deletion to ensure project dir actually exists

See merge request !3413
Signed-off-by: Rémy Coutable <remy@rymai.me>

Fix #14753: Check if head is born before trying to detect main language

This MR makes sure that head exists before trying to detect the main language.
This prevents errors on repo's without a master branch.

Closes #14753

See merge request !3654

Unblocks user when active_directory is disabled and it can be found

We implemented a specific block state to handle user blocking that originates from LDAP filtering rules / directory state in !2242.

That introduced a regression in LDAP authentication when Active Directory support was disabled. You could have a scenario where the user would not be temporarily found (like a filtering rule), that would mark the user as `ldap_blocked`, but will never unblock it automatically when that state changed.

Fixes #14253, #13179, #13259, #13959

See merge request !3550

Update language after doing all other operations

See merge request !3533
Signed-off-by: Rémy Coutable <remy@rymai.me>

Fix 2FA authentication spoofing

## Summary

This is security fix for vulnerability described at
https://gitlab.com/gitlab-org/gitlab-ce/issues/14900.

Attacker was able to bypass password authentication of users that have 2FA enabled, and consequently sign is as a different user, without knowing his password, if he managed to guess 2FA One Time Password for that user.

It was also possible to enumerate users and check if they have 2FA enabled, because GitLab responded with different error for each case.

## Fix

This MR attempts to change default user search scope if `otp_user_id` session variable has been set. If it is present, it means that user has 2FA enabled, and has already been verified with login and password. In this case we should look for user with `otp_user_id` first, before picking it up by `login`.

Both, 2FA authentication spoofing and 2FA discovery have been covered by specs.

## Further work

Current 2FA code is a bit tricky, so it probably needs some refactoring.

See merge request !1947
Signed-off-by: Rémy Coutable <remy@rymai.me>

Return status code 303 after a branch DELETE operation to avoid project deletion

Closes #14994

See merge request !3583
Signed-off-by: Rémy Coutable <remy@rymai.me>

Only update main language if it is not already set

Related to gitlab-org/gitlab-ce#14937 (but does not fully fix) This is a temporary fix so performance isn't affected so much.

cc @yorickpeterse @ayufan how does this look?

See merge request !3556
Signed-off-by: Rémy Coutable <remy@rymai.me>

Check permissions when importing project members

Closes #14899

See merge request !3535
Signed-off-by: Rémy Coutable <remy@rymai.me>

Fix Importing repos from GHE doesn't work

See merge request !3529
Signed-off-by: Rémy Coutable <remy@rymai.me>

Don't fetch any tags from a forked repo

Closes #13957

See merge request !3504
Signed-off-by: Rémy Coutable <remy@rymai.me>

[ci skip]
Signed-off-by: Rémy Coutable <remy@rymai.me>

Update gitlab-shell version and doc to 2.6.12



See merge request !280

[ci skip]
Signed-off-by: Rémy Coutable <remy@rymai.me>

Allow temp-oauth-email as notification email

Closes #14559

/cc @dblessing @rymai

See merge request !3477
Signed-off-by: Rémy Coutable <remy@rymai.me>

Ensuring Merge Request API returns boolean values for work_in_progress

Fixes #14692.

See merge request !3432
Signed-off-by: Rémy Coutable <remy@rymai.me>

Fixes issue with dropdowns not selecting values

Fixes issue with dropdowns not selecting when navigating between tabs

Closes #14813

See merge request !3478
Signed-off-by: Rémy Coutable <remy@rymai.me>

Merge branch 'snippets-with-comments-cause-a-500-when-they-show-up-in-search-results-14764' into 'master'

Fix Error 500 when searching for a comment in a project snippet

Closes #14764. /cc @stanhu, and thank you for the spec! ;)

See merge request !3468
Signed-off-by: Rémy Coutable <remy@rymai.me>

Mentions on confidential issues doesn't create todos for non-members

Closes #14569

See merge request !3374
Signed-off-by: Rémy Coutable <remy@rymai.me>

Rewrite uploads when moving issue to another project

Closes #14531

See merge request !3382
Signed-off-by: Rémy Coutable <remy@rymai.me>

Fix commit comment alignment

Closes #14780

See merge request !3466
Signed-off-by: Rémy Coutable <remy@rymai.me>

Fix Raw / Rendered diff producing different results on merge requests

The raw diff endpoint (`merge_requests/####.diff`) produces a diff based on `target_branch` instead of the original branching point. Same is valid for `merge_requests/####.patch`.

Fixes #14680, #3017

See merge request !3450
Signed-off-by: Rémy Coutable <remy@rymai.me>

Destroy related todos when an Issue/MR is deleted

Closes #14550 

Closes #14598

See merge request !3376

Signed-off-by: Rémy Coutable <remy@rymai.me>

Fixed issue with notification settings not saving

Closes #14736

See merge request !3452
Signed-off-by: Rémy Coutable <remy@rymai.me>

Gracefully handle notes on deleted commits in merge requests

Closes #3250

See merge request !3402
Signed-off-by: Rémy Coutable <remy@rymai.me>