Add latest changes from gitlab-org/gitlab@master

app/assets/javascripts/lib/utils/confirm_via_gl_modal/confirm_modal.vue

@@ -39,7 +39,13 @@ export default {
   },
   computed: {
     primaryAction() {
-      return { text: this.primaryText, attributes: { variant: this.primaryVariant } };
+      return {
+        text: this.primaryText,
+        attributes: {
+          variant: this.primaryVariant,
+          'data-qa-selector': 'confirm_ok_button',
+        },
+      };
     },
     cancelAction() {
       return this.hideCancel ? null : this.$options.cancelAction;

data/deprecations/14-8-ci-build-variables.yml

@@ -1,12 +1,12 @@
 - name: "`CI_BUILD_*` predefined variables"
   announcement_milestone: "14.8"
   announcement_date: "2021-02-22"
-  removal_milestone: "15.0"
-  removal_date: "2022-05-22"
+  removal_milestone: "16.0"
+  removal_date: "2023-04-22"
   breaking_change: true
   reporter: dhershkovitch
   body: |
-    The predefined CI/CD variables that start with `CI_BUILD_*` were deprecated in GitLab 9.0, and will be removed in GitLab 15.0. If you still use these variables, be sure to change to the replacement [predefined variables](https://docs.gitlab.com/ee/ci/variables/predefined_variables.html) which are functionally identical:
+    The predefined CI/CD variables that start with `CI_BUILD_*` were deprecated in GitLab 9.0, and will be removed in GitLab 16.0. If you still use these variables, be sure to change to the replacement [predefined variables](https://docs.gitlab.com/ee/ci/variables/predefined_variables.html) which are functionally identical:
 
     | Removed variable      | Replacement variable    |
     | --------------------- |------------------------ |

doc/api/graphql/reference/index.md

@@ -4305,7 +4305,7 @@ Input type: `SavedReplyUpdateInput`
 
 ### `Mutation.scanExecutionPolicyCommit`
 
-Commits the `policy_yaml` content to the assigned security policy project for the given project(`project_path`).
+Commits the `policy_yaml` content to the assigned security policy project for the given project (`full_path`).
 
 Input type: `ScanExecutionPolicyCommitInput`
 
@@ -4314,10 +4314,11 @@ Input type: `ScanExecutionPolicyCommitInput`
 | Name | Type | Description |
 | ---- | ---- | ----------- |
 | <a id="mutationscanexecutionpolicycommitclientmutationid"></a>`clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
+| <a id="mutationscanexecutionpolicycommitfullpath"></a>`fullPath` | [`String`](#string) | Full path of the project. |
 | <a id="mutationscanexecutionpolicycommitname"></a>`name` | [`String`](#string) | Name of the policy. If the name is null, the `name` field from `policy_yaml` is used. |
 | <a id="mutationscanexecutionpolicycommitoperationmode"></a>`operationMode` | [`MutationOperationMode!`](#mutationoperationmode) | Changes the operation mode. |
 | <a id="mutationscanexecutionpolicycommitpolicyyaml"></a>`policyYaml` | [`String!`](#string) | YAML snippet of the policy. |
-| <a id="mutationscanexecutionpolicycommitprojectpath"></a>`projectPath` | [`ID!`](#id) | Full path of the project. |
+| <a id="mutationscanexecutionpolicycommitprojectpath"></a>`projectPath` **{warning-solid}** | [`ID`](#id) | **Deprecated:** Use `fullPath`. Deprecated in 14.10. |
 
 #### Fields
 

doc/update/deprecations.md

@@ -779,12 +779,12 @@ The new security approvals feature is similar to vulnerability check. For exampl
 ### `CI_BUILD_*` predefined variables
 
 WARNING:
-This feature will be changed or removed in 15.0
+This feature will be changed or removed in 16.0
 as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
 Before updating GitLab, review the details carefully to determine if you need to make any
 changes to your code, settings, or workflow.
 
-The predefined CI/CD variables that start with `CI_BUILD_*` were deprecated in GitLab 9.0, and will be removed in GitLab 15.0. If you still use these variables, be sure to change to the replacement [predefined variables](https://docs.gitlab.com/ee/ci/variables/predefined_variables.html) which are functionally identical:
+The predefined CI/CD variables that start with `CI_BUILD_*` were deprecated in GitLab 9.0, and will be removed in GitLab 16.0. If you still use these variables, be sure to change to the replacement [predefined variables](https://docs.gitlab.com/ee/ci/variables/predefined_variables.html) which are functionally identical:
 
 | Removed variable      | Replacement variable    |
 | --------------------- |------------------------ |
@@ -801,7 +801,7 @@ The predefined CI/CD variables that start with `CI_BUILD_*` were deprecated in G
 | `CI_BUILD_TOKEN`      | `CI_JOB_TOKEN`          |
 | `CI_BUILD_TRIGGERED`  | `CI_PIPELINE_TRIGGERED` |
 
-**Planned removal milestone: 15.0 (2022-05-22)**
+**Planned removal milestone: 16.0 (2023-04-22)**
 
 ### `fixup!` commit messages setting draft status of associated Merge Request
 

doc/user/application_security/dast/checks/598.2.md

@@ -0,0 +1,30 @@
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+---
+
+# Use of GET request method with sensitive query strings (password)
+
+## Description
+
+The user's password was identified in the request URL. Passwords should never be sent in GET
+requests as they maybe captured by proxy systems, stored in browser history, or stored in
+log files. If an attacker were to get access to these logs or logging systems, they would
+be able to gain access to the target account.
+
+## Remediation
+
+Passwords should never be sent in GET requests. When authenticating users or requesting users
+reset their passwords, always use POST requests to transmit sensitive data.
+
+## Details
+
+| ID | Aggregated | CWE | Type | Risk |
+|:---|:--------|:--------|:--------|:--------|
+| 598.2 | false | 598 | Passive | Medium |
+
+## Links
+
+- [OWASP](https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url)
+- [CWE](https://cwe.mitre.org/data/definitions/598.html)

doc/user/application_security/dast/checks/index.md

@@ -20,5 +20,6 @@ The [DAST browser-based crawler](../browser_based.md) provides a number of vulne
 | [200.1](200.1.md) | Exposure of sensitive information to an unauthorized actor (private IP address) | Low | Passive |
 | [548.1](548.1.md) | Exposure of information through directory listing | Low | Passive |
 | [598.1](598.1.md) | Use of GET request method with sensitive query strings (session ID) | Medium | Passive |
+| [598.2](598.2.md) | Use of GET request method with sensitive query strings (password) | Medium | Passive |
 | [614.1](614.1.md) | Sensitive cookie without Secure attribute | Low | Passive |
 | [693.1](693.1.md) | Missing X-Content-Type-Options: nosniff | Low | Passive |

qa/qa/page/component/confirm_modal.rb

@@ -8,10 +8,14 @@ module QA
 
         def self.included(base)
           super
+
+          base.view 'app/assets/javascripts/lib/utils/confirm_via_gl_modal/confirm_modal.vue' do
+            element :confirm_ok_button
+          end
         end
 
         def fill_confirmation_text(text)
-          fill_element :confirm_input, text
+          fill_element(:confirm_input, text)
         end
 
         def wait_for_confirm_button_enabled
@@ -22,7 +26,11 @@ module QA
 
         def confirm_transfer
           wait_for_confirm_button_enabled
-          click_element :confirm_button
+          click_element(:confirm_button)
+        end
+
+        def click_confirmation_ok_button
+          click_element(:confirm_ok_button)
         end
       end
     end