Add latest changes from gitlab-org/gitlab@master

app/assets/javascripts/feature_flags/components/feature_flags.vue

@@ -161,7 +161,7 @@ export default {
         <gl-button
           v-if="canUserConfigure"
           v-gl-modal="'configure-feature-flags'"
-          variant="info"
+          variant="confirm"
           category="secondary"
           data-qa-selector="configure_feature_flags_button"
           data-testid="ff-configure-button"
@@ -197,7 +197,7 @@ export default {
             :href="userListPath"
             variant="confirm"
             category="tertiary"
-            class="gl-mb-0 gl-mr-4"
+            class="gl-mb-0 gl-mr-3"
             data-testid="ff-user-list-button"
           >
             {{ s__('FeatureFlags|View user lists') }}
@@ -205,11 +205,11 @@ export default {
           <gl-button
             v-if="canUserConfigure"
             v-gl-modal="'configure-feature-flags'"
-            variant="info"
+            variant="confirm"
             category="secondary"
             data-qa-selector="configure_feature_flags_button"
             data-testid="ff-configure-button"
-            class="gl-mb-0 gl-mr-4"
+            class="gl-mb-0 gl-mr-3"
           >
             {{ s__('FeatureFlags|Configure') }}
           </gl-button>

db/migrate/20220530103023_add_created_at_and_id_index_to_deployment_approvals.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class AddCreatedAtAndIdIndexToDeploymentApprovals < Gitlab::Database::Migration[2.0]
+  disable_ddl_transaction!
+
+  INDEX_NAME = 'index_deployment_approvals_on_created_at_and_id'
+
+  def up
+    add_concurrent_index :deployment_approvals, %i[created_at id], name: INDEX_NAME
+  end
+
+  def down
+    remove_concurrent_index :deployment_approvals, %i[created_at id], name: INDEX_NAME
+  end
+end

db/post_migrate/20220530074027_add_project_id_index_to_job_artifacts.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class AddProjectIdIndexToJobArtifacts < Gitlab::Database::Migration[2.0]
+  INDEX_NAME = 'index_ci_job_artifacts_on_project_id_and_id'
+
+  disable_ddl_transaction!
+
+  def up
+    add_concurrent_index :ci_job_artifacts, [:project_id, :id], name: INDEX_NAME
+  end
+
+  def down
+    remove_concurrent_index_by_name :ci_job_artifacts, INDEX_NAME
+  end
+end

db/schema_migrations/20220530074027

@@ -0,0 +1 @@
+3cef4a4f50ebe3d8e23e9c014a57e4c98f8fd27a9f071725a882c5a1a4d228cc

db/schema_migrations/20220530103023

@@ -0,0 +1 @@
+8ad5a7cb60abd381850569ddf5ab274d66cf1960d11073825a283f902171b343

db/structure.sql

@@ -27327,6 +27327,8 @@ CREATE UNIQUE INDEX index_ci_job_artifacts_on_job_id_and_file_type ON ci_job_art
 
 CREATE INDEX index_ci_job_artifacts_on_project_id ON ci_job_artifacts USING btree (project_id);
 
+CREATE INDEX index_ci_job_artifacts_on_project_id_and_id ON ci_job_artifacts USING btree (project_id, id);
+
 CREATE INDEX index_ci_job_artifacts_on_project_id_for_security_reports ON ci_job_artifacts USING btree (project_id) WHERE (file_type = ANY (ARRAY[5, 6, 7, 8]));
 
 CREATE INDEX index_ci_job_token_project_scope_links_on_added_by_id ON ci_job_token_project_scope_links USING btree (added_by_id);
@@ -27719,6 +27721,8 @@ CREATE UNIQUE INDEX index_deploy_tokens_on_token_encrypted ON deploy_tokens USIN
 
 CREATE INDEX index_deployment_approvals_on_approval_rule_id ON deployment_approvals USING btree (approval_rule_id);
 
+CREATE INDEX index_deployment_approvals_on_created_at_and_id ON deployment_approvals USING btree (created_at, id);
+
 CREATE UNIQUE INDEX index_deployment_approvals_on_deployment_id_and_user_id ON deployment_approvals USING btree (deployment_id, user_id);
 
 CREATE INDEX index_deployment_approvals_on_user_id ON deployment_approvals USING btree (user_id);

doc/administration/instance_limits.md

@@ -164,6 +164,14 @@ This setting limits global search requests.
 | Authenticated user      | 30 |
 | Unauthenticated user    | 10 |
 
+### Pipeline creation rate limit
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/362475) in GitLab 15.0.
+
+This setting limits the request rate to the pipeline creation endpoints.
+
+Read more about [pipeline creation rate limits](../user/admin_area/settings/rate_limit_on_pipelines_creation.md).
+
 ## Gitaly concurrency limit
 
 Clone traffic can put a large strain on your Gitaly service. To prevent such workloads from overwhelming your Gitaly server, you can set concurrency limits in Gitaly's configuration file.

doc/security/rate_limits.md

@@ -32,8 +32,8 @@ similarly mitigated by a rate limit.
 You can set these rate limits in the Admin Area of your instance:
 
 - [Import/Export rate limits](../user/admin_area/settings/import_export_rate_limits.md)
-- [Issues rate limits](../user/admin_area/settings/rate_limit_on_issues_creation.md)
-- [Notes rate limits](../user/admin_area/settings/rate_limit_on_notes_creation.md)
+- [Issue rate limits](../user/admin_area/settings/rate_limit_on_issues_creation.md)
+- [Note rate limits](../user/admin_area/settings/rate_limit_on_notes_creation.md)
 - [Protected paths](../user/admin_area/settings/protected_paths.md)
 - [Raw endpoints rate limits](../user/admin_area/settings/rate_limits_on_raw_endpoints.md)
 - [User and IP rate limits](../user/admin_area/settings/user_and_ip_rate_limits.md)
@@ -42,6 +42,7 @@ You can set these rate limits in the Admin Area of your instance:
 - [Files API rate limits](../user/admin_area/settings/files_api_rate_limits.md)
 - [Deprecated API rate limits](../user/admin_area/settings/deprecated_api_rate_limits.md)
 - [GitLab Pages rate limits](../administration/pages/index.md#rate-limits)
+- [Pipeline rate limits](../user/admin_area/settings/rate_limit_on_pipelines_creation.md)
 
 You can set these rate limits using the Rails console:
 

doc/user/application_security/dast/checks/1004.1.md

@@ -10,7 +10,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 
 The {cookie_name} cookie was transmitted in a `Set-Cookie` header without the `HttpOnly` attribute set.
 To prevent JavaScript being able to access the cookie value - usually via `document.cookies` - all
-cookies that are used for authorization or contain sensitive information should have the `HttpOnly` attribute
+cookies that are used for authorization should have the `HttpOnly` attribute
 set.
 
 ## Remediation

doc/user/application_security/dast/checks/16.3.md

@@ -32,4 +32,4 @@ information from the `X-Powered-By` header.
 ## Links
 
 - [CWE](https://cwe.mitre.org/data/definitions/16.html)
-- [PHP `expose_php`](https://www.php.net/manual/en/ini.core.php#ini.expose-php)
+- [PHP expose_php](https://www.php.net/manual/en/ini.core.php#ini.expose-php)

doc/user/application_security/dast/checks/16.5.md

@@ -8,7 +8,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 
 ## Description
 
-The target website returns AspNet headers and version information of this website. By
+The target website returns AspNet header(s) and version information of this website. By
 exposing these values attackers may attempt to identify if the target software is vulnerable to known
 vulnerabilities, or catalog known sites running particular versions to exploit in the future when a
 vulnerability is identified in the particular version.

doc/user/application_security/dast/checks/16.6.md

@@ -8,7 +8,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 
 ## Description
 
-The target website returns AspNet headers along with version information of this website. By
+The target website returns AspNet header(s) along with version information of this website. By
 exposing these values attackers may attempt to identify if the target software is vulnerable to known
 vulnerabilities. Or catalog known sites running particular versions to exploit in the future when a
 vulnerability is identified in the particular version.

doc/user/application_security/dast/checks/16.7.md

@@ -0,0 +1,42 @@
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+---
+
+# Strict-Transport-Security header missing or invalid
+
+## Description
+
+The `Strict-Transport-Security` header was found to be missing or invalid. The `Strict-Transport-Security`
+header allows web site operators to force communications to occur over a TLS connection. By enabling this
+header, websites can protect their users from various forms of network eavesdropping or interception attacks.
+While most browsers prevent mixed-content (loading resources from HTTP when navigating from an HTTPS site),
+this header also ensures that all resource requests are only ever initiated over a secure transport.
+
+## Remediation
+
+Only three directives are applicable for the `Strict-Transport-Security` header.
+
+1. `max-age`: This required directive specifies how long (in seconds) after receiving the response it should communicate only over a secure transport.
+1. `includeSubDomains`: This optional, valueless directive signals that the policy applies to this host as well as any subdomains found under this host's domain.
+1. `preload`: While not part of the specification, setting this optional value allows major browser organizations to add this site into the browser's preloaded set of HTTPS sites. This requires further action on behalf of the website operator to submit their domain to the browser's HSTS preload list. See [hstspreload.org](https://hstspreload.org/) for more information.
+
+Note that invalid directives, or the `Strict-Transport-Security` header appearing more than once (if the values are
+different) is considered invalid.
+
+Prior to adding to this security configuration to your website, it is recommended you review the hstspreload.org [Deployment
+Recommendations](https://hstspreload.org/#deployment-recommendations).
+
+## Details
+
+| ID | Aggregated | CWE | Type | Risk |
+|:---|:--------|:--------|:--------|:--------|
+| 16.7 | true | 16 | Passive | Low |
+
+## Links
+
+- [CWE](https://cwe.mitre.org/data/definitions/16.html)
+- [Deployment Recommendations](https://hstspreload.org/#deployment-recommendations)
+- [OWASP](https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html)
+- [RFC](https://datatracker.ietf.org/doc/html/rfc6797)

doc/user/application_security/dast/checks/200.1.md

@@ -8,7 +8,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 
 ## Description
 
-A private RFC 1918 was identified in the target application. Public facing websites should not be issuing
+A private RFC 1918/RFC 4193 address was identified in the target application. Public facing websites should not be issuing
 requests to private IP Addresses. Attackers attempting to execute subsequent attacks, such as Server-Side
 Request Forgery (SSRF), may be able to use this information to identify additional internal targets.
 
@@ -27,3 +27,4 @@ facing version, or remove the reference from the target application.
 
 - [CWE](https://cwe.mitre.org/data/definitions/200.html)
 - [RFC](https://datatracker.ietf.org/doc/html/rfc1918)
+- [RFC](https://datatracker.ietf.org/doc/html/rfc4193)

doc/user/application_security/dast/checks/352.1.md

@@ -0,0 +1,41 @@
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+---
+
+# Absence of anti-CSRF tokens
+
+## Description
+
+The application failed to protect against Cross-Site Request Forgery (CSRF) by using
+secure application tokens or `SameSite` cookie directives.
+
+The vulnerability can be exploited by an attacker creating a link or form on a third
+party site and tricking an authenticated victim to access them.
+
+## Remediation
+
+Consider setting all session cookies to have the `SameSite=Strict` attribute. However,
+it should be noted that this may impact usability when sharing links across other mediums.
+It is recommended that a two cookie based approach is taken, as outlined in the
+[Top level navigations](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-08#section-8.8.2) section
+of the RFC.
+
+If the application is using a common framework, there is a chance that Anti-CSRF protection
+is built in but needs to be enabled. Consult your application framework documentation for
+details.
+
+If neither of the above are applicable, it is **strongly** recommended that a third party library is used.
+Implementing a secure Anti-CSRF system is a significant investment and difficult to do correctly.
+
+## Details
+
+| ID | Aggregated | CWE | Type | Risk |
+|:---|:--------|:--------|:--------|:--------|
+| 352.1 | true | 352 | Passive | Medium |
+
+## Links
+
+- [OWASP](https://owasp.org/www-community/attacks/csrf)
+- [CWE](https://cwe.mitre.org/data/definitions/352.html)

doc/user/application_security/dast/checks/548.1.md

@@ -39,7 +39,7 @@ indexing.
 
 ## Links
 
-- [CWE](https://cwe.mitre.org/data/definitions/598.html)
+- [CWE](https://cwe.mitre.org/data/definitions/548.html)
 - [Apache Options](https://httpd.apache.org/docs/2.4/mod/core.html#options)
 - [NGINX autoindex](https://nginx.org/en/docs/http/ngx_http_autoindex_module.html)
 - [IIS directoryBrowse element](https://docs.microsoft.com/en-us/iis/configuration/system.webserver/directorybrowse)

doc/user/application_security/dast/checks/598.2.md

@@ -16,7 +16,7 @@ be able to gain access to the target account.
 ## Remediation
 
 Passwords should never be sent in GET requests. When authenticating users or requesting users
-reset their passwords, always use POST requests to transmit sensitive data.
+reset their passwords, always use `POST` requests to transmit sensitive data.
 
 ## Details
 

doc/user/application_security/dast/checks/598.3.md

@@ -17,7 +17,7 @@ target account.
 ## Remediation
 
 Authorization header details should never be sent in GET requests. When transmitting sensitive information
-such as JWT tokens, always use POST requests or headers to transmit the sensitive data.
+such as JWT tokens, always use `POST` requests or headers to transmit the sensitive data.
 
 ## Details
 

doc/user/application_security/dast/checks/index.md

@@ -17,7 +17,9 @@ The [DAST browser-based crawler](../browser_based.md) provides a number of vulne
 | [16.4](16.4.md) | X-Backend-Server header exposes server information | Info | Passive |
 | [16.5](16.5.md) | AspNet header exposes version information | Low | Passive |
 | [16.6](16.6.md) | AspNetMvc header exposes version information | Low | Passive |
+| [16.7](16.7.md) | Strict-Transport-Security header missing or invalid | Low | Passive |
 | [200.1](200.1.md) | Exposure of sensitive information to an unauthorized actor (private IP address) | Low | Passive |
+| [352.1](352.1.md) | Absence of anti-CSRF tokens | Medium | Passive |
 | [359.1](359.1.md) | Exposure of Private Personal Information (PII) to an unauthorized actor (credit card) | Medium | Passive |
 | [359.2](359.2.md) | Exposure of Private Personal Information (PII) to an unauthorized actor (United States social security number) | Medium | Passive |
 | [548.1](548.1.md) | Exposure of information through directory listing | Low | Passive |