- May 07, 2024
-
-
GitLab Release Tools Bot authored
[merge-train skip]
-
GitLab Release Tools Bot authored
[ci skip]
-
GitLab Release Tools Bot authored
[ci skip]
-
GitLab Release Tools Bot authored
Update GITHUB_MEDIA_CDN to avoid SSRF when importing from Github
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4013
Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Aaron Huntsman <ahuntsman@gitlab.com>
Co-authored-by: Ivane Gkomarteli <igkomarteli@gitlab.com>
-
Ivane Gkomarteli authored
Merge branch 'security-github-media-cdn-ssrf-16-9' into '16-9-stable-ee'
See merge request gitlab-org/security/gitlab!4013
Changelog: security
-
GitLab Release Tools Bot authored
Merge branch 'security-fix-namespace-banned-user-sees-proj-confidential-issue-updates-16-9' into '16-9-stable-ee'
Prevent namespace banned users from reading project todos
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3941
Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Mario Celi <mcelicalderon@gitlab.com>
Co-authored-by: Eugie Limpin <elimpin@gitlab.com>
-
Eugie Limpin authored
Merge branch 'security-fix-namespace-banned-user-sees-proj-confidential-issue-updates-16-9' into '16-9-stable-ee'
See merge request gitlab-org/security/gitlab!3941
Changelog: security
-
GitLab Release Tools Bot authored
Merge branch 'security-unauthenticated-redos-in-gitrefsfinder-when-using-wildcards-in-branch-search-16-9' into '16-9-stable-ee'
ReDoS in GitRefsFinder when using wildcards in branch search
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3997
Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Sashi Kumar Kumaresan <skumar@gitlab.com>
Co-authored-by: Javiera Tapia <jtapia@gitlab.com>
-
Javiera Tapia authored
Merge branch 'security-unauthenticated-redos-in-gitrefsfinder-when-using-wildcards-in-branch-search-16-9' into '16-9-stable-ee'
See merge request gitlab-org/security/gitlab!3997
Changelog: security
-
GitLab Release Tools Bot authored
ReDos in escape and commit reference filters
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3974
Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Allison Browne <abrowne@gitlab.com>
Co-authored-by: Brett Walker <bwalker@gitlab.com>
-
Brett Walker authored
Merge branch 'security-fix-escape-filters-16-9' into '16-9-stable-ee'
See merge request gitlab-org/security/gitlab!3974
Changelog: security
-
GitLab Release Tools Bot authored
Validate request origin before MR approval
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4009
Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Drew Blessing <drew@gitlab.com>
Co-authored-by: Sam Figueroa <sfigueroa@gitlab.com>
-
Sam Figueroa authored
Merge branch 'security-sec-1060-gitlab-438686_16-9-ee-backport' into '16-9-stable-ee'
See merge request gitlab-org/security/gitlab!4009
Changelog: security
-
GitLab Release Tools Bot authored
Check request size before updating user pins
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4016
Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Mario Celi <mcelicalderon@gitlab.com>
Co-authored-by: Thomas Hutterer <thutterer@gitlab.com>
-
Thomas Hutterer authored
Merge branch 'security-pins-max-size-16-9' into '16-9-stable-ee'
See merge request gitlab-org/security/gitlab!4016
Changelog: security
-
GitLab Release Tools Bot authored
Enforce per_page validation for Branches/TagsFinders
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4000
Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Hunter Stewart <hustewart@gitlab.com>
Co-authored-by: Vasilii Iakliushin <viakliushin@gitlab.com>
-
Vasilii Iakliushin authored
Merge branch 'security-enforce-max_page-validation-16-10-16-9' into '16-9-stable-ee'
See merge request gitlab-org/security/gitlab!4000
Changelog: security
-
GitLab Release Tools Bot authored
Update Integrations::Discord::ATTACHMENT_REGEX regex
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3986
Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Luke Duncalfe <lduncalfe@gitlab.com>
Co-authored-by: George Koltsov <gkoltsov@gitlab.com>
-
George Koltsov authored
Merge branch 'security-discord-integration-regex-16-9' into '16-9-stable-ee'
See merge request gitlab-org/security/gitlab!3986
Changelog: security
-
GitLab Release Tools Bot authored
Update BaseMessage::RELATIVE_LINK_REGEX regex
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3994
Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Robert May <rmay@gitlab.com>
Co-authored-by: George Koltsov <gkoltsov@gitlab.com>
-
George Koltsov authored
Merge branch 'security-google-chat-integration-regex-16-9' into '16-9-stable-ee'
See merge request gitlab-org/security/gitlab!3994
Changelog: security
-
GitLab Release Tools Bot authored
Require confirmation before linking JWT identity
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3992
Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Bogdan Denkovych <bdenkovych@gitlab.com>
Co-authored-by: Drew Blessing <drew@gitlab.com>
-
Drew Blessing authored
Merge branch 'security-dblessing_jwt_confirm_id_link-16-9' into '16-9-stable-ee'
See merge request gitlab-org/security/gitlab!3992
Changelog: security
-
GitLab Release Tools Bot authored
Fix confidentiality check optimization
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4004
Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Stan Hu <stanhu@gmail.com>
Co-authored-by: Heinrich Lee Yu <heinrich@gitlab.com>
-
Heinrich Lee Yu authored
Merge branch 'security-1079-fix-confidentiality-check-optimization-16-9' into '16-9-stable-ee'
See merge request gitlab-org/security/gitlab!4004
Changelog: security
-
- May 03, 2024
-
-
Mayra Cabrera authored
Cherry-pick MR 151750 into '16-9-stable-ee'
See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/151908
Merged-by: Mayra Cabrera <mcabrera@gitlab.com>
Approved-by: Mayra Cabrera <mcabrera@gitlab.com>
Co-authored-by: Dat Tang <dattang@gitlab.com>
-
Dat Tang authored
Fix passing down variables to release_environments pipeline
See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/151750
Merged-by: Dat Tang <dattang@gitlab.com>
Approved-by: Rémy Coutable <remy@rymai.me>
(cherry picked from commit cc2a6cbf)
ec48511c Fix passing down variables to release_environments pipeline
Co-authored-by: Dat Tang <dattang@gitlab.com>
-
- May 02, 2024
-
-
Mayra Cabrera authored
Changed the email validation for only encoded chars
See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/151530
Merged-by: Mayra Cabrera <mcabrera@gitlab.com>
Approved-by: Bogdan Denkovych <bdenkovych@gitlab.com>
Approved-by: Mayra Cabrera <mcabrera@gitlab.com>
Co-authored-by: smriti <sgarg@gitlab.com>
-
- Apr 30, 2024
-
-
Mayra Cabrera authored
Merge branch 'release-environment-notification' into 'master'
See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/151539
Merged-by: Mayra Cabrera <mcabrera@gitlab.com>
Approved-by: Mayra Cabrera <mcabrera@gitlab.com>
Co-authored-by: Dat Tang <dattang@gitlab.com>
-
Dat Tang authored
Add release environment notification
See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/149268
Merged-by: Dat Tang <dattang@gitlab.com>
Approved-by: David Dieulivol <ddieulivol@gitlab.com>
Reviewed-by: Mayra Cabrera <mcabrera@gitlab.com>
Reviewed-by: David Dieulivol <ddieulivol@gitlab.com>
(cherry picked from commit b0cf85c4)
a44f6097 Add release environment notification
0f664361 Change stage names to be start and finish to be more extendable
00055bdf Improve release environment pipeline
fd76aeec Write spec for release environment notification
1b3e181d Add delivery as feature_category to the spec
c8ed2307 Update from feedback
4c1d75c8 Update from feedback
94086cbe Fix rspec after removing checking CI_PIPELINE_ID
5ad5ad9f Add notification when QA fails
5fee001a Rename environment variables
a47f7799 Remove feature branch when calling pipeline
aa3c4ccf Update rspec for release_environment
15b63838 Fix code coverage
c427c30c Small refactors from MR review feedback
2c67b70d Fix passing VERSION variable to jobs correctly
c3d89451 Speed up downloading gitlab repo in CI jobs
8c7ddfe1 Add rspec for initialize method
43774757 Update GIT_DEPTH to 20
Co-authored-by: Dat Tang <dattang@gitlab.com>
-
smriti authored
Email validation was added earlier to stop user from entering encoded email format. Regexp introduced earlier caused existing email ids in system to throw errors while logging in. With this change we are limiting the regex to only check for encoded emails.
Changelog: fixed
MR: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/151484/
-
- Apr 25, 2024
-
-
Mayra Cabrera authored
Return or display Gitlab version if GITLAB_KAS_VERSION is a SHA
See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/150605
Merged-by: Mayra Cabrera <mcabrera@gitlab.com>
Approved-by: Anna Vovchenko <avovchenko@gitlab.com>
Approved-by: Hunter Stewart <hustewart@gitlab.com>
Co-authored-by: Pam Artiaga <partiaga@gitlab.com>
-
- Apr 24, 2024
-
-
GitLab Release Tools Bot authored
-
GitLab Release Tools Bot authored
[merge-train skip]
-
GitLab Release Tools Bot authored
[ci skip]
-
GitLab Release Tools Bot authored
[ci skip]
-
Pam Artiaga authored
Gitlab::Kas.version and Gitlab::Kas.version_info are called when the API or ~frontend needs to display the KAS semantic version. Both Gitlab::Kas.version and Gitlab::Kas.version_info base the version on the contents of the GITLAB_KAS_VERSION file.
We want to handle the possibility that the content of the GITLAB_KAS_VERSION file is a SHA. In this situation, Gitlab::Kas.version and Gitlab::Kas.version_info will be based on the Gitlab version, with the SHA as the suffix.
Changelog: changed
-
- Apr 23, 2024
-
-
GitLab Release Tools Bot authored
Validation for encoded formatting characters
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3951
Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Aboobacker MK <akarakath@gitlab.com>
Co-authored-by: smriti <sgarg@gitlab.com>
-
Smriti Garg authored
Merge branch 'security-extend-email-verification-regex-16-9' into '16-9-stable-ee'
See merge request gitlab-org/security/gitlab!3951
Changelog: security
-
GitLab Release Tools Bot authored
Forbid untrusted sign-ins to GitLab with Bitbucket and fix related uid
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3985
Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Gregory Havenga <11164960-ghavenga@users.noreply.gitlab.com>
Approved-by: Drew Blessing <drew@gitlab.com>
Co-authored-by: Bogdan Denkovych <bdenkovych@gitlab.com>
-