Fix permissions check in `RelativeLinkFilter`

See merge request gitlab-org/gitlab-ce!32448

Add helpers to exactly undo cleanup_concurrent_column_rename

See merge request gitlab-org/gitlab-ce!32183

(cherry picked from commit fc08d48c)

9b592a59 Add helper to exactly undo cleanup_concurrent_column_rename
61777843 Add spec for undo_rename_column_concurrently
d28ad870 Add spec for when default is false

Fix N+1 Gitaly calls in /api/v4/projects/:id/issues

See merge request gitlab-org/gitlab-ce!32171

(cherry picked from commit bbd39021)

44063501 Fix N+1 Gitaly calls in /api/v4/projects/:id/issues

When post-processing relative links to absolute links
RelativeLinkFilter didn't take into consideration that
internal repository data could be exposed for users
that do not have repository access to the project.

This commit solves that by checking whether the user
can `download_code` at this repository, avoiding any
processing of this filter if the user can't.

Additionally, if we're processing for a group (
no project was given), we check if the user can
read it in order to expand the href as an extra.
That doesn't seem necessarily a breach now,
but an extra check doesn't hurt as after all
the user needs to be able to `read_group`.

Add Gitlab::VisibilityLevelChecker that verifies
selected project visibility level (or overridden param)
is not restricted when creating or importing a project

Fix Gitaly N+1 calls with listing issues/MRs via API

Closes #66202

See merge request gitlab-org/gitlab-ce!31938

(cherry picked from commit 57ec78d5)

ba7c501f Fix Gitaly N+1 calls with listing issues/MRs via API

When we un-escape HTML text to find references in it, we should then
re-escape the whole text again, not only found matches.

Because we replace matches with milestone/label links (which contain
HTML tags we don't want to escape again), we re-escape HTML text
with placeholders instead of these links and then replace placeholders
in the escaped text.

Limiting the size of issuable description and comments to 1_000_000,
which is close to ~1MB of ASCII characters, which represents 99.9% of
all descriptions and comments we have in DB at the moment. This should
help prevent DoS attacks when comments contain refference strings.

Also this change updates regexp matching the namespaces paths by
limiting the namespaces paths to Namespace::NUMBER_OF_ANCESTORS_ALLOWED,
as we allow 20 levels deep groups.

see https://gitlab.com/gitlab-org/gitlab-ce/issues/61974#note_191274234

Add method to store session ids by ip

Add new specs for storing session ids

Add cleaning up records after login

Add retrieving anonymous sessions

Add login recaptcha setting

Add new setting to sessions controller

Add conditions for showing captcha

Add sessions controller specs

Add admin settings specs for login protection

Add new settings to api

Add stub to devise spec

Add new translation key

Add cr remarks

Rename class call

Add cr remarks

Change if-clause for consistency

Add cr remarks

Add code review remarks

Refactor AnonymousSession class

Add changelog entry

Move AnonymousSession class to lib

Move store unauthenticated sessions to sessions controller

Move link to recaptcha info

Regenerate text file

Improve copy on the spam page

Change action filter for storing anonymous sessions

Fix rubocop offences

Add code review remarks

This is a port from EE changes where
we introduce a new limit for Plan model.

https://dev.gitlab.org/gitlab/gitlab-ee/merge_requests/1182

User images and videos will get proxied through
the Camo server in order to keep malicious
sites from collecting the IP address of users.

Uses Gitlab::HTTP for JIRA requests instead of Net::Http.
Gitlab::Http comes with some built in SSRF protections.

Fix pipelines not always being created after a push

Closes #66196

See merge request gitlab-org/gitlab-ce!31927

(cherry picked from commit c7d12e60)

b46b9d5e Fix pipelines not always being created after a push

https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/31741 introduced
a regression where not all the right parameters would be passed into
`Ci::CreatePipelineService`. We fix this by breaking out the pipeline
parameters and reusing a method from `Gitlab::DataBuilder::Push`.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/66196

Previously `ProjectCacheWorker` would be scheduled once per ref, which
would generate unnecessary I/O and load on Sidekiq, especially if many
tags or branches were pushed at once. `ProjectCacheWorker` would expire
three items:

1. Repository size: This only needs to be updated once per push.
2. Commit count: This only needs to be updated if the default branch
   is updated.
3. Project method caches: This only needs to be updated if the default
   branch changes, but only if certain files change (e.g. README,
   CHANGELOG, etc.).

Because the third item requires looking at the actual changes in the
commit deltas, we schedule one `ProjectCacheWorker` to handle the first
two cases, and schedule a separate `ProjectCacheWorker` for the third
case if it is needed. As a result, this brings down the number of
`ProjectCacheWorker` jobs from N to 2.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/52046

This removes the group_overview_security_dashboard feature flag

- move uploads created by AttachmentUploader
- handle also files created for legacy_diff_notes

https://gitlab.com/gitlab-org/gitlab-ce/issues/62971

Adds support for embedding specific charts from the
metrics dashboard. Expected parameters are dashboard,
title, group, and y_label.

As per https://gitlab.com/gitlab-org/gitlab-ce/issues/46043, project
templates should be squashed before updating, so that repositories
created from these templates don't include the full history of the
backing repository.

This will avoid Danger to suggest a database review for files inside
db/fixtures

- Adds UI to configure in group and project settings
- Removes notification configuration for users when
disabled at group or project level

Previously, the API to retrieve discussions from merge requests often
generated hundreds of Gitaly calls to determine whether a system note
should be shown to the user. It did this by:

1. Rendering the Markdown
2. Extracting cross-references from the Markdown
3. For cross-references that were commits, a Gitaly FindCommit RPC
   would be issued to validate that the commit exists.

The last step is unnecessary because we don't need to display a commit
if the user doesn't have access to the project in the first place.

`RendersNotes#prepare_notes_for_rendering` is already used in
`MergeRequestsController`, which is why we don't see N+1 Gitaly calls
there. We use it here to optimize the note redaction process.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/65957

This was added in
https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/31789

CE-specific changes for:
https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/15129Co-Authored-By: NAlex Kalderimis <akalderimis@gitlab.com>
Co-Authored-By: NLuke Duncalfe <lduncalfe@eml.cc>

- refactor Knative and Prometheus

This introduces several changes, but these are all just ported from the
EE project.

This change adds a new counter 'cycle_analytics_views' to the usage data
metrics to count the page views for cycle analytics show page.

We don't use phase restarts, as we use `preload_app`:
https://github.com/puma/puma/blob/master/README.md#clustered-mode
`:puma_phase` values will always be zero.

This makes to limit `needs:` to 5 by default.
Allow to increase the limit to 50 with disable of FF.

Source Code Usage Ping for Create SMAU

This makes us to expand variables only when needed,
instead of requesting all variables each time.

This specifically helps in situation when explicit name
of `environment: production` is used.

Previously each tag in a push would invoke the Gitaly `FindAllTags` RPC
since the tag cache would be invalidated with every tag.

We can eliminate those extraneous calls by expiring the tag cache once
in `PostReceive` and taking advantage of the cached tags.

Relates to https://gitlab.com/gitlab-org/gitlab-ce/issues/65795

This changes the `needs:` logic to require
that all jobs to be present. Instead of skipping
do fail the pipeline creation if `needs:` dependency
is not found.

Since we are unsure what would be the behavior of `stage:`
when we work on DAG. Let's make `stage:` to be required
today with `needs:`.

This commit reduces I/O load and memory utilization during PostReceive
for the common case when no project hooks or services are set up.

We saw a Gitaly N+1 issue in `CommitDelta` when many tags or branches
are pushed. We can reduce this overhead in the common case because we
observe that most new projects do not have any Web hooks or services,
especially when they are first created. Previously, `BaseHooksService`
unconditionally iterated through the last 20 commits of each ref to
build the `push_data` structure. The `push_data` structured was used in
numerous places:

1. Building the push payload in `EventCreateService`
2. Creating a CI pipeline
3. Executing project Web or system hooks
4. Executing project services
5. As the return value of `BaseHooksService#execute`
6. `BranchHooksService#invalidated_file_types`

We only need to generate the full `push_data` for items 3, 4, and 6.

Item 1: `EventCreateService` only needs the last commit and doesn't
actually need the commit deltas.

Item 2: In addition, `Ci::CreatePipelineService` only needed a subset of
the parameters.

Item 5: The return value of `BaseHooksService#execute` also wasn't being
used anywhere.

Item 6: This is only used when pushing to the default branch, so if
many tags are pushed we can save significant I/O here.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/65878

Fic