Add latest changes from gitlab-org/security/gitlab@12-9-stable-ee

app/controllers/oauth/authorized_applications_controller.rb

@@ -5,6 +5,13 @@ class Oauth::AuthorizedApplicationsController < Doorkeeper::AuthorizedApplicatio
 
   layout 'profile'
 
+  def index
+    respond_to do |format|
+      format.html { render "errors/not_found", layout: "errors", status: :not_found }
+      format.json { render json: "", status: :not_found }
+    end
+  end
+
   def destroy
     if params[:token_id].present?
       current_resource_owner.oauth_authorized_tokens.find(params[:token_id]).revoke

changelogs/unreleased/security-file-template-project-12-9.yml

+---
+title: Do not return private project ID without permission
+merge_request:
+author:
+type: security

changelogs/unreleased/security-fix-CVE-2020-10187.yml

+---
+title: Fix doorkeeper CVE-2020-10187
+merge_request:
+author:
+type: security

changelogs/unreleased/security-fix-es-credentials-leak.yml

+---
+title: Prevent ES credentials leak
+merge_request:
+author:
+type: security

config/application.rb

@@ -130,6 +130,7 @@ module Gitlab
       encrypted_key
       hook
       import_url
+      elasticsearch_url
       otp_attempt
       sentry_dsn
       trace

spec/controllers/oauth/authorized_applications_controller_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Oauth::AuthorizedApplicationsController do
+  let(:user) { create(:user) }
+  let(:guest) { create(:user) }
+  let(:application) { create(:oauth_application, owner: guest) }
+
+  before do
+    sign_in(user)
+  end
+
+  describe 'GET #index' do
+    it 'responds with 404' do
+      get :index
+
+      expect(response).to have_gitlab_http_status(:not_found)
+    end
+  end
+end