This project is mirrored from https://gitlab.com/gitlab-org/gitlab.git.
- Apr 22, 2024
-
-
Authored by Roy Liu
-
- Apr 19, 2024
-
-
Add defense-in-depth against mass assignment in authn/z controllers
See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/149029
Merged-by: Douglas Barbosa Alexandre <dbalexandre@gmail.com>
Approved-by: Douglas Barbosa Alexandre <dbalexandre@gmail.com>
Approved-by: Smriti Garg <sgarg@gitlab.com>
Reviewed-by: Nick Malcolm <nmalcolm@gitlab.com>
Co-authored-by: Nick Malcolm <nmalcolm@gitlab.com>
-
Authored by Nick Malcolm
In the future, we might make a change to how we handle user request parameters in a way that has unexpected and undesired consequences; specifically mass assignment vulnerabilities. (There are currently none known). These additional unit tests and/or explicit type-casts are intended to defend against that future scenario.

For example: attempting to brute force a password by sending many passwords in a single request for a single user should never work. Nor should sending multiple OTP codes.

The reason they _might_ inadvertently work is because Ruby / Rails often doesn't mind if you send a string or an array of strings. For example:

```ruby
# POST /vulnerable?email=fake@attacker.com
> User.find_by(email: params[:email])
# User Load (3.4ms) SELECT "users".* FROM "users" WHERE "users"."email" = 'fake@attacker.com' LIMIT 1
=> nil

# We expect email to be a string, but what if it's not?
# POST /vulnerable?email[]=fake@attacker.com&email[]=admin@example.com
> User.find_by(email: params[:email])
# User Load (1.6ms) SELECT "users".* FROM "users" WHERE "users"."email" IN ('fake@attacker.com', 'admin@example.com')
=> #<User id:1 @root>
```

This work resolves https://gitlab.com/gitlab-org/gitlab/-/issues/442831+

The methodology was to look at authentication & authorization-related controllers, and down into any Helpers/Services/etc that are called or included.
-
Authored by David Fernandez
Show import container registry vars only on gitlab.com
See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/149168
Merged-by: David Fernandez <dfernandez@gitlab.com>
Approved-by: Adie (she/her) <avpfestin@gitlab.com>
Approved-by: David Fernandez <dfernandez@gitlab.com>
Reviewed-by: David Fernandez <dfernandez@gitlab.com>
Co-authored-by: Kevin-Damian Gosa <mail@kevingosa.de>
-
Authored by Kevin-Damian Gosa
-
Authored by Terri Chu
Add missing path traversal check
See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/149717
Merged-by: Terri Chu <tchu@gitlab.com>
Approved-by: Terri Chu <tchu@gitlab.com>
Co-authored-by: Tiger <twatson@gitlab.com>
Co-authored-by: Joern Schneeweisz <jschneeweisz@gitlab.com>
-
Authored by Joern Schneeweisz
-
Authored by Ashraf Khamis
Simplifying feature flag guidance
See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/149602
Merged-by: Ashraf Khamis <akhamis@gitlab.com>
Approved-by: Ashraf Khamis <akhamis@gitlab.com>
Co-authored-by: Suzanne Selhorn <sselhorn@gitlab.com>
-
Authored by Suzanne Selhorn
Co-authored-by: Ashraf Khamis <akhamis@gitlab.com>
-
Authored by Gavin Hinfey
Filter dependencies by project membership
See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/146522
Merged-by: Gavin Hinfey <ghinfey@gitlab.com>
Approved-by: Alex Buijs <abuijs@gitlab.com>
Approved-by: Tiger Watson <twatson@gitlab.com>
Approved-by: Gavin Hinfey <ghinfey@gitlab.com>
Reviewed-by: Michał Zając <mzajac@gitlab.com>
Reviewed-by: Alex Buijs <abuijs@gitlab.com>
Reviewed-by: Gavin Hinfey <ghinfey@gitlab.com>
Reviewed-by: mo khan <mo@mokhan.ca>
Co-authored-by: mo khan <mo@mokhan.ca>
-
Authored by mo khan
-
Authored by Lysanne Pinto
Fix minor grammatical issue
See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/150035
Merged-by: Lysanne Pinto <lpinto@gitlab.com>
Approved-by: Lysanne Pinto <lpinto@gitlab.com>
Co-authored-by: Kerri Miller <kerrizor@kerrizor.com>
-
Authored by Halil Coban
Fix LFS token check & add test for specific case
See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/149474
Merged-by: Halil Coban <hcoban@gitlab.com>
Approved-by: Raimund Hook <rhook@gitlab.com>
Approved-by: Drew Blessing <drew@gitlab.com>
Approved-by: Halil Coban <hcoban@gitlab.com>
Reviewed-by: Drew Blessing <drew@gitlab.com>
Co-authored-by: Kevin-Damian Gosa <mail@kevingosa.de>
-
Authored by Prabakaran Murugesan
User mapping - Placeholder User Type
See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/147488
Merged-by: Prabakaran Murugesan <pmurugesan@gitlab.com>
Approved-by: James Nutt <jnutt@gitlab.com>
Approved-by: Prabakaran Murugesan <pmurugesan@gitlab.com>
Reviewed-by: Rodrigo Tomonari <rtomonari@gitlab.com>
Reviewed-by: Prabakaran Murugesan <pmurugesan@gitlab.com>
Reviewed-by: James Nutt <jnutt@gitlab.com>
Co-authored-by: Sam Word <sword@gitlab.com>
Co-authored-by: James Nutt <jnutt@gitlab.com>
-
Authored by Sam Word
Added new placeholder user_type, added Imports::SourceUser, and service to create them from imported user attributes.
-
Authored by Lin Jen-Shin
Add Tailwind CSS Dangerfile
See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/149188
Merged-by: Lin Jen-Shin <jen-shin@gitlab.com>
Approved-by: Lin Jen-Shin <jen-shin@gitlab.com>
Reviewed-by: Paul Gascou-Vaillancourt <pgascouvaillancourt@gitlab.com>
Reviewed-by: Lin Jen-Shin <jen-shin@gitlab.com>
Co-authored-by: Paul Gascou-Vaillancourt <paul.gascvail@gmail.com>
-
Authored by Paul Gascou-Vaillancourt
This adds a new Dangerfile to do some Tailwind-related reporting. Currently, we check whether the diff potentially contains interpolated CSS utils. We might extend this rule to report additional info about CSS utils usages.
-
Authored by Vasilii Iakliushin
Add missing handler for protected branches Deploy key
See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/149863
Merged-by: Vasilii Iakliushin <viakliushin@gitlab.com>
Approved-by: Paulina Sedlak-Jakubowska <psedlak-jakubowska@gitlab.com>
-
Authored by Suzanne Selhorn
Custom role description character length must not exceed 255 characters
See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/149849
Merged-by: Suzanne Selhorn <sselhorn@gitlab.com>
Reviewed-by: Julius Kvedaras <jkvedaras@gitlab.com>
Co-authored-by: Julius Kvedaras <jkvedaras@gitlab.com>
-
Authored by Julius Kvedaras
-
Authored by Kerri Miller
-
Authored by Felipe Artur
Clean up duo_pro_trials_for_free_plans feature flag
See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/149743
Merged-by: Felipe Artur <fcardozo@gitlab.com>
Approved-by: Minahil Nichols <minahilnichols@gitlab.com>
Approved-by: Felipe Artur <fcardozo@gitlab.com>
Co-authored-by: Serhii Yarynovskyi <syarynovskyi@gitlab.com>
-
Authored by Michael Kozono
Remove legacy replication details routes redirection
See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/149330
Merged-by: Michael Kozono <mkozono@gitlab.com>
Approved-by: Ian Baum <ibaum@gitlab.com>
Approved-by: Michael Kozono <mkozono@gitlab.com>
Co-authored-by: Douglas Barbosa Alexandre <dbalexandre@gmail.com>
-
Authored by Vladimir Shushlin
Refactor Pages Deployment Update
See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/149763
Merged-by: Vladimir Shushlin <vshushlin@gitlab.com>
Approved-by: Vladimir Shushlin <vshushlin@gitlab.com>
Reviewed-by: Vladimir Shushlin <vshushlin@gitlab.com>
Co-authored-by: Kassio Borges <kassioborgesm@gmail.com>
Co-authored-by: Kassio Borges <kborges@gitlab.com>
-
Authored by Kassio Borges
- Rename `Gitlab::Pages::DeploymentUpdate` to `Gitlab::Pages::DeploymentValidations`
- Use `with_option` to avoid duplication
- Remove some rubocop Todos
- Refactor specs for clarity
-
Authored by Suzanne Selhorn
Remove extra line from AI Network docs
See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/149980
Merged-by: Suzanne Selhorn <sselhorn@gitlab.com>
Co-authored-by: David O'Regan <doregan@gitlab.com>
-
Authored by David O'Regan
-
Authored by Mikołaj Wawrzyniak
Update product analytics onboarding test to match new behaviour
See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/149715
Merged-by: Mikołaj Wawrzyniak <mwawrzyniak@gitlab.com>
Approved-by: Briley Sandlin <bsandlin@gitlab.com>
Approved-by: Radamanthus Batnag <rbatnag@gitlab.com>
Approved-by: Andrejs Cunskis <acunskis@gitlab.com>
Approved-by: Mikołaj Wawrzyniak <mwawrzyniak@gitlab.com>
Reviewed-by: Nivetha Prabakaran <nprabakaran@gitlab.com>
Co-authored-by: ichernikov <ichernikov@gitlab.com>
-
Authored by Stan Hu
Add create service for push mirrors
See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/149700
Merged-by: Stan Hu <stanhu@gmail.com>
Approved-by: Javiera Tapia <jtapia@gitlab.com>
Approved-by: Stan Hu <stanhu@gmail.com>
Reviewed-by: Vasilii Iakliushin <viakliushin@gitlab.com>
Reviewed-by: Javiera Tapia <jtapia@gitlab.com>
Co-authored-by: Vasilii Iakliushin <viakliushin@gitlab.com>
-
- Apr 18, 2024
-
-
Authored by Suzanne Selhorn
Update DuoChat docs for GA
See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/146628
Merged-by: Suzanne Selhorn <sselhorn@gitlab.com>
Approved-by: Tiffany Chen <tichen@gitlab.com>
Reviewed-by: Jannik Lehmann <jlehmann@gitlab.com>
Reviewed-by: Hillary Benson <hbenson@gitlab.com>
Reviewed-by: Torsten Linz <tlinz@gitlab.com>
-
Authored by Jannik Lehmann
-
Authored by Payton Burdette
Add font families to Tailwind config
See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/149883
Merged-by: Payton Burdette <pburdette@gitlab.com>
Approved-by: Payton Burdette <pburdette@gitlab.com>
Reviewed-by: Paul Gascou-Vaillancourt <pgascouvaillancourt@gitlab.com>
Co-authored-by: Paul Gascou-Vaillancourt <paul.gascvail@gmail.com>
-
Authored by Paul Gascou-Vaillancourt
The monospace font needs to be defined via a plugin so that we can disable ligatures. This in turn requires that we slightly adjust the CSS-in-Js generator so that it takes this plugin into account when creating and purging the config.
-
Authored by Bob Van Landuyt
Record time in suggestions api
See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/148733
Merged-by: Bob Van Landuyt <bob@gitlab.com>
Approved-by: Jan Provaznik <jprovaznik@gitlab.com>
Reviewed-by: Bob Van Landuyt <bob@gitlab.com>
Reviewed-by: Jan Provaznik <jprovaznik@gitlab.com>
Co-authored-by: tgao3701908 <tgao@gitlab.com>
-
Authored by Tian Gao
-
Authored by Vasilii Iakliushin
Contributes to https://gitlab.com/gitlab-org/gitlab/-/issues/452117

**Problem**

We don't provide an ID of the modified deploy key. Because of that backend tries to create a deploy key, but fails due to uniqueness check.

**Solution**

Return id for deploy key elements

Changelog: fixed
-
Authored by George Koltsov
Add importer design link to development guidelines
See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/149966
Merged-by: George Koltsov <gkoltsov@gitlab.com>
Approved-by: George Koltsov <gkoltsov@gitlab.com>
Co-authored-by: James Nutt <jnutt@gitlab.com>
-
Authored by Huzaifa Iftikhar
Create and delete apis for group event type filters
See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/149691
Merged-by: Huzaifa Iftikhar <hiftikhar@gitlab.com>
Approved-by: Sam Figueroa <sfigueroa@gitlab.com>
Approved-by: Huzaifa Iftikhar <hiftikhar@gitlab.com>
Reviewed-by: Huzaifa Iftikhar <hiftikhar@gitlab.com>
Co-authored-by: Hitesh Raghuvanshi <hraghuvanshi@gitlab.com>
-
Authored by Hitesh Raghuvanshi
-
Authored by Vitali Tatarintev
Remove OpenAI workhorse and API key references
See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/149727
Merged-by: Vitali Tatarintev <vtatarintev@gitlab.com>
Approved-by: Aishwarya Subramanian <asubramanian@gitlab.com>
Approved-by: Vitali Tatarintev <vtatarintev@gitlab.com>
Co-authored-by: Michael Thomas <micthomas@gitlab.com>
-