Resolve "Avatar Content type does not match file extension"

What does this MR do?

Replace file type check with content whitelist. E.g old "file type" check asks if dog.jpg is really a jpeg.

This MR removes that from avatar and favicon uploaders and replaces with a content whitelist. E.g. regardless of filename, we're only letting through jpeg's.

Created a ContentTypeWhitelist to bring forward the whitelist feature available in Carrierwave 2 but not in the current 1.3.1 version.

DesignV432x230Uploader assumed we were running with CarrierWave 2 behavior. Specs added to confirm patch improvements function as assumed.

Screenshots

Does this MR meet the acceptance criteria?

Conformity

• Changelog entry
• Documentation (if required)
• Code review guidelines
• Merge request performance guidelines
• Style guides
• Database guides
• Separation of EE specific content

Availability and Testing

• Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
• Tested in all supported browsers
• Informed Infrastructure department of a default or new setting change, if applicable per definition of done

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

• Label as security and @ mention @gitlab-com/gl-security/appsec
• The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
• Security reports checked/validated by a reviewer from the AppSec team

Closes #200107 (closed)

changed milestone to %12.9

added devopscreate label

Setting ~"group::editor" based on @alexpooley's group.

added groupeditor [DEPRECATED] label

added 1 commit

• c17984df - Replace file type check with content whitelist

Compare with previous version

added 1 commit

• 06f2e770 - Replace file type check with content whitelist

Compare with previous version

assigned to @alexpooley

added backstage [DEPRECATED] label

added 178 commits

• 06f2e770...e078065e - 177 commits from branch master
• d4a001ff - Replace file type check with content whitelist

Compare with previous version

added 568 commits

• 30afc522 - Separate service entities into own class files
• 27e004c8 - Refactor Apollo cache updates to be immutable in Design Management
• 0ad10d5d - Exclude merge commit from multi-line commit selection in Danger
• 429780c1 - Rename `spammable` to `target`
• 3bc8fb7d - Automatically detect Gitaly feature flags
• 2e971ad0 - Geo: Fix GeoNode name in geo:update_primary_node_url rake task
• ed9b3a45 - Add view tests for no-project messages
• dd32eddf - Remove deprecated Rebase RPC
• a503cbe4 - Fix URL params breaking flow recognition
• 6ceb5294 - Correct licenses with invalid spdx identifier
• e583608e - Add changelog entry
• b6568b32 - Add clusters_regex to metric urls file
• 88e97563 - Use 'rules' in '.gitlab/ci/releases.gitlab-ci.yml'
• 22b5d187 - Re-add template column to services table
• c6c1b659 - Quarantine a flaky end-to-end test
• e933861f - Update cache key to properly build the 'pg' gem
• 82f4f00d - Added missing links for version upgrade steps
• b995218b - Updated the link versions
• 06d24fc4 - Replace set with let_it_be in spec/models
• f6f79adb - Add more accurate way of counting background migrations
• 63f70443 - Check user permissions correctly
• 15c16229 - Set SSL certificates path env when calling ES indexer
• b7b58b6c - Escape ref part of ide_edit_path
• 9edf4698 - Switch viewer switcher to v-model
• 872e404a - Use 'rules' in '.gitlab/ci/setup.gitlab-ci.yml'
• e63fb7a2 - Use 'rules' in '.gitlab/ci/test-metadata.gitlab-ci.yml'
• 0a385199 - Silence rack-timeout INFO messages
• 91027573 - Code Nav PoC: Extend LSIF API with definition urls
• 726ac301 - Improve performance of the Container Registry delete tags API
• 03ed8f03 - Move the Generic Alerts endpoint to the Core
• f4c36339 - Migrate repository charts
• a0fcbf2d - Use 'rules' in '.gitlab/ci/review.gitlab-ci.yml'
• 47cd1cb5 - RA: Increase memory and CPU request/limits for Unicorn & Sidekiq
• 665672ec - Update proofreader.md
• 2fa11ebb - Update parallelization for pg10 jobs accordingly to pg9 jobs
• 0220e5cc - Fix an ID-dependent test
• 5cda6798 - Attribute ProjectExportWorker to group::import
• 0ef848ea - Update feature category yml
• 731da105 - Add test to transfer avatar with mount_point=nil
• 2cec6b29 - Ensure valid mount_point is used by AvatarUploader
• 2d141615 - Fix bug rendering BlobType markdown data
• 9868282a - Add Selective Sync Shards to Geo Node Form in Vue
• 761b98c2 - Remove destroy_user_associations_in_batches flag
• ebc3e940 - Add changelog to MR
• d09c2d1f - Quarantine project template spec
• 956551a1 - Swap Repository#merged_branch_names to hash cache
• b29924f2 - Enhance QueryRecorder to support finding queries by source + memoizing of read only attributes
• 19eb5b49 - Enable merged branch names flag by default
• e77f2bd1 - Add changelog entry
• bef89db2 - Create a table in Pod logs full-text search doc
• b639c938 - Update Feature percentage rollout strategy
• 20f6f73d - BulkInsertSafe mixin guards against bulk-unsafe calls
• 6bd22c33 - Remove smoke meta from create basic mr spec
• 7f9bd795 - Update package file size in the after_save callback
• 8cbf2fd9 - Fix UI on Project Audit Events when the feature not available
• 1c0dcbb0 - Use CTE search optimization for board issues
• c0e08cba - Chore: replace underscore with lodash for in /app/assets/javascripts/helpers
• ac3f1cba - Add label entities into own class files
• c2471cd5 - Separate entities into own class and module files
• e7254274 - Separate job entities into own class files
• 7a6b658f - Always return the existing files when loading batched diffs
• 0bc86d1c - Fix backup restoration whith pre-existing wiki
• 559f8731 - Add token, template entities into own class files
• 42c931dd - Update handlebars to fix security issue
• f4729478 - Add percentile support to single stat panel types
• 68f32843 - Seed Vulnerability and IssueLink in development
• 27ff6250 - Set related fields when setting different states
• 512297f9 - Use FactoryBot to create objects
• 2ca20f0e - Load EE factories when seeding Vulnerabilities
• 8505cb68 - Change find_sec_bugs sequence on Scanner factory
• 06c2e748 - Handle PrometheusService update in UpdateService
• b9413cda - Document access request for the Review Apps cluster
• 4399d14d - Added note per issue #205160 (closed)
• ad789135 - Codeblock language updates
• 38745ade - Wordsmithing for Secure intro
• 91ad474b - Call .dup in test to fix broken master
• d747c089 - Updated cluster-applications to v0.7.0
• 3f61cff3 - Added docs for JupyterHub CI installation
• 4675613a - Remove leftover from earlier iteration
• 197ae66a - Removed unneccesary symbols
• 7da6c76e - Add documentation for Compliance Dashboard
• 366eced4 - Fix broken master by updating expected params
• 84e9c5e2 - Update ci links
• a40ca575 - Link to tooling.md from Heading
• f2fae481 - Quarantine failing test while investigating
• d59aa3c3 - Add version in which events are made available
• 0bd8ce49 - Badged single-level Epics as PREMIUM
• 6e1a878d - Moved environments_folder_view_spec to jest test
• f770c9d1 - Cleanup duplicate mock_data variables
• e7ea88d8 - Trial select form to remember posted form fields
• 3d39d014 - Add introduced line for parent/child pipelines
• 4f2c0a5e - Add Board Lists to Group Export
• c6943ec9 - Fixup operations feature flag scope validation specs
• 33aa5370 - Adjust sign up page design
• 1d08a9b9 - Remove some dead code
• c4e75547 - Fix k8s logs alert display state
• 3664dc6a - Fix avatar rendering in projects and groups navigation
• 2c28f6a5 - Refactoring package installation instructions
• 6622bc12 - Request test_reports.json on demand
• 2af33c6c - Add negative lookahead to avoid matching incorrect commands
• ed38d2ff - Add bug changelog entry
• 375fe0f1 - Migrate merge request spinners
• 3a952323 - Remove error flash message from code navigation
• 7e4d8ca8 - Use 0.15s transition duration for flash close
• 35f46b28 - Update AWS diagram and remove second Gitaly
• ada11fde - Remove feature flag :stage_all_by_default
• 9ccf093c - Replace an end-to-end test by an API test
• 041fa253 - Add content to details and list page
• 8fe2a8ab - Moved package tags component inside div
• d00738be - Update Docs increasing unicorn memory limit after 12.7
• 1f7bc6e5 - Fix code example for GraphQL usage outside of Vue
• 79203bed - Move reliable tag to specific test
• 1d3cbba4 - [UPDATE] Replace underscore.first with lodash.head
• 21ee974b - Limit length of wiki file/directory names
• 3411fdfc - Split PodLogsService per backend
• 7509eb83 - Fix merge request child pipelines
• b23fd639 - Reverted immer changes
• e65afe0d - Refactor deprecated named slots in Vue
• 39d2d9a9 - Recreate feature flags for merge trains
• fbb6d000 - Adds regex to match alerts endpoint
• 963df553 - Add snippet repository model
• 96bdf395 - Add runner, release and tag entities into own class files
• 0bbca902 - Use 'rules' for '.gitlab/ci/reports.gitlab-ci.yml' jobs
• d7680eae - Create SelfMonitoringDashboardService and add specs
• da4c3b57 - Display y-axis range matching data
• 392ec912 - Migrate fa-spinner to spinner in views dashboard.
• 64eea5bc - Pass logs url from backend to frontend
• d386620d - Add rubocop cop for .keys.first and .values.first
• d34d1caa - Remove EBS from instance storage
• 6232ba59 - Render today indicator in timeline cell
• a1d6dcc3 - Add list, board, broadcast message, contributor and compare into own class files
• a82643f7 - Improve UX of snippets form
• bdacb86b - Add collapsible description to Snippet form
• 113a301e - Update content_class for snippets form pages
• a2d4e398 - Fix autocomplete limitation bug
• fb8826a1 - Fix hot module reload for error tracking pages
• df371cd9 - Introduce new service to block user
• c5009e6d - ContainerExpirationPolicies run without user
• 5e0a31e7 - Allow Boards::ListService to find a single board
• 4b81ae0e - Speed up expanding/collapsing diff files
• 962a866d - Un-skip web terminal spec
• bd041ed0 - Stop caching WebIDE terminal pipeline status
• 4ec36620 - Add changelog for MR 24443
• 676ff497 - Refactor Ci::PipelineEnums for readability
• 8bc4fb49 - Hide duplicate company/individual question
• 5b5321f7 - Refactor CiBadgeLink and project show page
• e524fc7c - Update naming validation for Conan recipes
• a93c2d73 - Add documentation for logs times ranges
• 5b87b67e - Added section about targeting elements in FE tests
• f43dd706 - Treat registry as SSOT for LFS
• b4f70ad9 - Add break clause to log cursor event processing
• 64e25531 - Separate access classes into own class files
• 7b6a6ecd - Separate JobRequest entities into own class files
• 0fe39120 - Separate page domain entities into own class files
• f7262e5d - Separate environment entities in class files
• e317c5db - Revert "Merge branch 'leipert-fix-user-label-bug' into 'master'"
• f33b4020 - Separate badge entities into own class files
• 463e4271 - Separate cluster entities into own class files
• d0bf3403 - Refactor WebIDE error message to use GlAlert
• a85d45d6 - Only show Progress Bar for new users
• 2d652a43 - Load 10mb of a diff instead of 100kb
• 05958278 - Replace underscore with lodash for ./app/assets/javascripts/serverless
• f1333462 - Fix ProjectAuthorization calculation for shared groups
• 7708b7e8 - Add mention of closing issues after error resolve
• a9f4e74c - Refactor merge requests api requests specs
• 78eaca98 - Update CHANGELOG-EE.md for 12.6.7-ee
• e5e43388 - Update CHANGELOG.md for 12.6.7
• 2f422638 - Replace underscore with lodash in app/assets/javascripts/pipeline
• 741a8fda - Avoid double encoding of import url credentials
• 802c876a - Add tooltip when dates are too long
• 6ac72e26 - API: Support list repository commits with order
• 8734cc83 - Add spec for order parameter
• ab1707cc - Quarantine create snippet test
• 1c207725 - Clear host memoization for feature test
• 70c64996 - Better rendering of version text
• 07d2c3b8 - Fix: [Geo]Replicating objects in object storage schedules removal
• 537943c7 - Adding a basic fix and a resulting spec
• c65eaeb7 - Making the spec look for the correct case instead
• 578b880a - Updating the string methods used
• 1de33a02 - Adding a changelog that I forgot
• 98b3a61a - Compare diff against HEAD if diff_head is passed
• 1bba8938 - Create operations_strategies and operations_scopes tables
• 08a6fb31 - Add feature gate filters for users
• 84a00784 - Add docs on the self-service framework
• a5562855 - Add environment auto stop worker
• a845ac39 - Store mentions in after_save callback
• 60b8f29e - Add migration and spec
• 9cb431cc - Update broken links to Cloud Run for Anthos documentation
• 2594ee48 - Increase paid signup experimentation ratio
• 55f3338b - Fix broken note block
• 52562080 - docs/ci: fix typesetting of "Node.js"
• cd692178 - Change flag to docker-services
• c4727bf5 - Switched Auto-DevOps Test from only/except to rules
• 0029f8f3 - Fix typos in AutoDevOps Docs
• 51597587 - Fix typo in Migrating from Jenkins docs
• 8e072378 - Fix typos in Contributor and Development Docs
• 40ebd97e - Fix typos in Web Application Firewall Docs
• 119ca499 - Remove unnecessary milestone join tables
• 91fdb6f8 - Add group identification headers to epic emails
• 1902e208 - Fix a typo
• 146369cf - Record audit event when user is created
• 5f1c0a7a - Remove design management spec from quarantine
• d53a6a69 - Docs update note for external id and kube-ctl
• c74aa0c6 - Add vuln projs widget to instance sec dashboard
• 732785ff - Use new spinner in admin/application_settings
• 9584b049 - Fix vertical alignment of spinner inside buttons
• bb2f6a7e - Updated file for jest testing
• 391be8d4 - Cleanup mock_data file after rebase with master
• 7768f148 - Migrate underscore in the contributors folder
• 7e6e018a - Update ajax_variable_list.js to use lodash escape
• 743c6aec - Capture design note movements from design_overlay
• 624aff55 - [UPDATE] updated underscore to lodash in spec/javascripts/badges
• a9d30a1c - Update dependency @gitlab/ui to ^9.8.0
• 042ed1ad - Update Jest snapshots
• c2dbddb8 - Change description of minutes quota
• c8ae83bd - Show Kubernetes namespace on job show page
• bb315a7a - Allow config of sidekiq-cluster with query
• b03ea7cb - Get sidekiq-cluster queue selectors working in specs
• d01fe73c - Add integration test for --queue-query-syntax
• 25a4afc1 - Fix and document --queue-query-syntax
• 842c7f55 - Allow querying queues by name
• 642c0c16 - Rename queue-query-syntax to queue-selector
• ffa9a3e8 - Rework queue selector operators
• 31fa55bb - Rename queue-selector to experimental-queue-selector
• ca785221 - Separate platform provider and post receive entities into own class files
• 080dd0be - Fix autocomplete limitation bug
• 117b6ae2 - Moves the standalone vulnerabilities
• b6570e94 - Migrate fa-spinner to spinner in milestones directory
• ae68eecb - Display target branch in rules of project settings
• 2d45380c - Add delete identity API endpoint to users API
• 702531b0 - Add GET endpoint to LDAP group link API
• 9df902bb - [UPDATE] Migrating `fa-spinner` from `app/views/shared/notifications`
• 834fbcb8 - Add subepics license check to services
• 745bb353 - Increase pipeline email notification from 10 to 30 lines
• 548982ea - Implement allowing empty needs for DAG pipeline jobs
• b0f0d62b - Bump graphql to 1.9.12
• dd3b9129 - Avoid autolinking YouTrack issue numbers followed by letters
• 02e7df67 - Add a changelog entry for avoiding autolinking YouTrack issues
• 8c9e2f2a - Enabling nuget_package_registry feature flag by default
• abb0ce3f - Add package dependencies cleanup migration
• 08bd3fc4 - Danger: Remove single code base analysis
• 475ce626 - Add migration and feature in licence
• 7c2b5195 - Add settings form
• 1ea2be43 - Add new methods to project and specs
• edca28e9 - Add policies and specs
• 3f15212c - Add disabling checkboxes
• 7e32ee79 - Update policies regarding of setting
• 4ac5a5d5 - Update form in view
• 73fafdae - Add setting filtering to api endpoint
• 9d4c54c0 - Add cr remarks
• 2b83dfcb - Swap metrics_dashboard to use metric_id and env_id
• 62a955a3 - Add more group attrs to list of excluded attributes for Group Import
• ab7e5ece - Code Nav Poc: Extend LSIF info with hover data
• ad05ed01 - Separate application and blob entities into own class files
• 8a345185 - Add QA test of fork creation after storage change
• d5105f63 - Add a Go code format guideline
• df251bda - When a namespace GitLab Subscription expires, disable SSO
• 9fede6b3 - Remove self monitoring feature flag
• 2e647419 - Separate user agent, custom attribute and page domain cert into own entities file
• 36a2ede5 - Use closest visibility level for groups creation on Group Import
• bbd463bf - Replace method to ignore array result order
• 853f3f38 - Show Web IDE button even if MRs are not available
• 99d42430 - Request gql user permissions in IDE
• 487f7e8c - Fix IDE when MRs are not available
• 89644424 - Rename ide-radio-label to ide-option-label
• 3eff5ccd - Added documentation for Enable Review Apps
• 36c4268d - Include EnvironmentsHelper into MetricsDashboard
• 2e6da531 - Forward the `approvals_required` method
• 7417aa0d - Apply suggestion to...
• eab2fa5b - Added a query to fetch blob content for a snippet
• 0ba4f1ed - Pass logs api URL to frontend
• 6b4607a8 - Add badge tooltips for hidden approvers
• 5ca51bc7 - Prepare epics in premium for FE integration
• 36f9d453 - Hide EEU features for Epics in EEP
• 44e1db85 - Add changelog entry
• aa777bfa - Allow users on premium to delete subepics
• ee5cac1b - Move insights charts to echarts
• 4872e243 - Migrate fa-spinner in cycle analytics
• 98ecb2e9 - Add changelog for loading in cycle analytics
• 7b3f106c - Don't log wait_for_requests use of wait_until
• 4d8e322f - Reset line numbers and file lines to a base-linked height
• 01f941c1 - Add change log
• 37cc160e - Update cluster-applications to v0.8.0
• dacf43c1 - Prevent DAG builds to run after skipped need build
• 4ab987a1 - Update spec description with new scoped routing
• 3118a170 - Convert empty strings to nil in ImportExport::BaseObjectBuilder
• 531921dc - Enable cop CodeReuse/Worker
• 4fab9644 - Show View logs in embed
• 6767eca4 - Toggle analytics navbar feature flags default on
• f6567c98 - Fix PostgreSQL images failing to start in CI
• bc1a2643 - Update y axis range documentation
• 2b221586 - Backfill LfsObjectsProject records of forks
• 7914ea10 - Reorganize releases/** code in preparation for "show" page
• 4a90f3af - Load js app data in controller
• 9b8c7727 - add avatar_url in job webhook, and email in pipeline webhook
• 4155919c - Limit size of params array in JSON logs to 10 KiB
• 38f87352 - Revert "Merge branch 'akismet-spammable-rename' into 'master'"
• c94e4325 - Upgrade omniauth-github gem to 1.4
• e433a224 - Move body of /post_receive handler into service
• 4159eafd - Add API call to confirm vulnerability
• fa52f65c - Top labels endpoint for type of work chart
• 98889c24 - Fix gl-dropdown components caret alignment
• 27388d12 - Add changelog for dropdown caret fix
• 5c88d94b - Render a solution in a standalone vulnerability
• 4c17c0b6 - Fix flaky spec stop_environments_service_spec
• a950c5f3 - Add the rails runner command as a known runtime
• fd5c858c - Separate token into own class files
• 1d4f9216 - Update section on NPM dist tags
• 612a4e89 - Separate entities into own class files
• 347e9d12 - Add changelog
• 2c3f7223 - Implement Policy tab for License Compliance
• 8a4ac54e - Add "Prohibit outer forks" setting for Group SAML
• 8d8337ae - Make follow up fixes for enable error tracking api
• feae26f1 - Move Operations->ErrorTracking->Incidents to CE
• 1bac42bf - Add dark theme support in Web IDE
• f623a2c0 - Follow up changes to adding cluster Reg-ex
• 2b044051 - Move Operations->ErrorTracking->Incidents to CE
• e3ad47e1 - Revert "Merge branch 'drop-bridge-on-any-pipeline-errors' into 'master'"
• 1ee37dba - Revert "Merge branch 'fix-upstream-bridge-stuck-when-non-pending-pipelines' into 'master'"
• bb7de9bd - Revert "Merge branch 'mc/bug/fail-upstream-on-invalid-yaml' into 'master'"
• 3925768b - Dequarantine previously failing pipeline spec
• c26fe00f - Fix blobs search API degradation
• 626a5a69 - Revert "Merge branch '14061-license-app-data' into 'master'"
• 9d766d4d - Pin Auto DevOps dind version to fix pull timeout
• 00a1d620 - Auto-require all cops
• 23c57bc0 - Add docs subheading for unarchiving projects
• 942c4f3b - Document deploymentApiVersion for 1.16+ clusters
• a6c70308 - Omit previous error from Sidekiq JSON logs
• 7456657e - Replace set to let_it_be in spec/controllers
• 2509c10f - Replace set to let_it_be in spec/presenters
• 0aed1db3 - Replace set to let_it_be in spec/services
• a97dfab4 - Replace set to let_it_be in spec/finders
• 1761087a - Add yarn integrity check to vendor DLL
• eb576b7d - Make yarn integrity check plugin a devDependency
• 6a7b72e1 - Resurrect the ending newline of package.json
• cabd3d2b - Remove usage of underscore; replace with native JS
• cd7f2cc1 - Migrate fa-spinner to spinner in single file diff js.
• dcd58b2e - Tie stage events height to stage nav height
• 8a62e33a - Corrected layout of admonitions
• 821f60cf - Revert "Merge branch 'license-compliance-policy-tab' into 'master'"
• c2cf3c84 - Switch key to snake_case
• b1824148 - Add changelog file
• 7dd1be11 - Add keyboard shortcuts item from help menu
• cc78fe4f - Added has_valid_deployment? to Ci::Build
• 00575c85 - Delete description change history - Frontend
• 10b11b4a - Delete description change history
• 6eac7b57 - Delete description diff in notes
• 911e7c38 - Delete description diff in notes
• b3ebb3a1 - Migrate fa-spinner to spinner in search filter dropdown js.
• 639d5dd7 - Correctly render mermaid diagrams in details
• 34d05cd6 - Disable LinkLfsObjects background migration
• 605f3a29 - Update app/assets/javascripts/blob/pdf/index.js
• 46182876 - Update app/assets/javascripts/blob/pdf/index.js
• e96404ff - updated icon span with GlLoadingIcon component
• 585adb4a - updated
• b17a933a - Update index.js
• b8b447ba - updated loading icon
• aa189a8e - updated loading icon
• b9e7504b - Count users in nested projects on Gitlab.com
• 98b98302 - Use new endpoint test counter badge
• 8db6af23 - Include resource type in `KubernetesClient#raw_resource_names`
• dc738382 - Mark xUnit test errors as errors, not failures
• 9527f366 - Format test report mock data
• 249c9680 - Make test reports frontend handle separated errors
• 02af4110 - Add errored test case cases to test comparer specs
• 13e48b4a - Updated new/edit wiki page to equal ui elements
• 2f059d37 - Fix `blocked` status for board issues
• 14a661fd - Create repository when snippet is created
• e564cfb3 - Remove ElasticIndexerWorker changed_fields
• f47045d3 - Add updateImageDiffNote mutation
• f21a2d60 - Verify no audit event is logged when not licensed
• e475d0b8 - Pin PostgreSQL CI images to the latest versions
• c0eeb088 - Remove expiration_policy feature flag
• a4ccb319 - Updated custom stage form specs
• 4dfa637f - Correctly display form field errors
• 104a08d1 - Replace callback tests with promises
• 3d8457f7 - Display form errors on relevant fields
• 7b12a2a8 - Added missing createCustomStage action specs
• 49e1e31f - Minor review feedback
• ed41d458 - Replace hardcoded status codes
• 2abf8e65 - Fix wrong MR link in pipeline failure email
• d83e1d0e - Add ref path from the api for issuables list
• c307b045 - Add the nuget search service
• c3c78131 - Document Container Scanning Remediation
• 34905b77 - Add license_scanning feature
• 7e4f61e6 - Add ability to move design note pin
• 33163a46 - Move productivity analytics to the group level
• 9c52bd65 - Add project entity into own class file
• 1d58d4ad - Add changelog
• b0fb9dda - Delete entities.rb and move prepend to respective entities
• 33dc79d7 - Count threads all that run in multithreaded env
• 080dcfda - Allow custom bot types
• fa37d6c3 - Set container_expiration_policy for project first
• 55ed2772 - Replace set with let_it_be in spec/requests
• f3d2df32 - Make 'review-deploy' depend on 'review-build-cng' with 'needs'
• 3cea7950 - Update pipelines documentation
• a5e3f732 - Remove Name & Path from excluded params on Group Import
• 07e19fa5 - Add specs for components
• cdc4a1e6 - Internationalize messages for group audit events
• 2ec1f70a - Documentation: external_url and internal_api_url configuration
• 25c3acec - Update icons documentation
• 84d5592b - Migrate queues names to avoid skipped jobs
• b294b79d - Add frontend code for suggesting a pipeline widget
• a7f809cc - fix(right-sidebar-css): update main javascript file to only apply right...
• 592d6a97 - Assert user domain restrictions not vulnerable
• 38d9b2a7 - Updated file for jest testing
• c2e23dcc - Destroy the OAuth application when secondary becomes a primary
• 163576d7 - Resolve "Migrate '.fa-spinner' to '.spinner' for 'app/assets/javascripts/gfm_auto_complete.js'"
• c6974f2b - Remove reliable tag from test
• 0f443dcb - Predicate methods should return booleans, not strings
• 9350634b - Ensure diff notes on designs are coherent
• 3a68cb7d - Pass diff_refs through from design
• e98cf756 - Update filebeat config to parse modsec logs as JSON
• 219ad3c1 - Bump auto-deploy-image to 0.9.3
• e70538c9 - Add http status cop to subfolders of api specs
• dd62664b - Fix encrypted application settings not working with pending migrations
• a277175a - Fix usage ping timeouts with batch counters
• f729883a - Fix rspec_profiling not working
• 288fb3bf - Replace underscore with lodash for ./app/assets/javascripts/error_tracking
• c38ad9a9 - Remove FE :issue_link_types feature flag code
• 3131cc0f - Fixes the default branch link under pipeline subscriptions in CI/CD settings
• 5aae035d - Do not remove spaces from project name
• 12bd63f9 - Prioritize full project name instead of the path
• 885e2bb9 - Add spec for project name with spaces
• c0b15de4 - Change prefix for js-incident-management-settings
• d1c4e39b - Replace underscore with lodash for ./app/assets/javascripts/mirrors
• 8d35ace7 - Refactor sprintf to gl-sprints
• 51ab0062 - Restyle file tree:
• 42c87291 - Prevent creation of popovers for group mentions
• 7ae1129d - Removed epic_new_issue feature flag references
• ef511611 - Fixed rspec to account for new split button
• 0fe72021 - Alter if condition when create API is called
• 3ad2fee5 - Fix invalid DB checks
• 6c5821c0 - Add path to edit custom metrics
• 56b5a2b8 - Fix bug snippet creation
• 649194fd - Documentation for auto stop environments
• 38393348 - Fix orphaned promoted issues
• 1d97b44e - Apply license to selected group
• d434e48f - Add object storage for Mattermost details
• e8268909 - Enable diff batch loading feature flag by default
• 389c3785 - Remove stale updated_at field
• 174d0e88 - Adds elastic stack ci docs
• 7cbfa984 - Create serverless domains controller
• c893a391 - Update #database-lab docs
• 98ecb108 - API: List repository commits in order with default
• c82b7529 - Add blocking issues feature documentation
• 80014baf - Address missing colors on the monitoring dashboards
• 59e6585d - Add a link to the variable priority override section.
• 165c398a - Remove extra '--request GET' from cURL examples
• 9a891627 - Specify '--request PUT' in cURL call example
• cb41e16d - Fix Geo::Fdw::GeoNode#job_artifacts guard clause
• e1b3ae81 - Fix GeoNode#job_artifacts guard clause
• 2505e114 - Add CHANGELOG entry
• ff42ad18 - Use reload on let_it_be and remove unused after callbacks
• 8ff4667a - Make create_environment method idempotent
• a7c284a8 - Update sample webhook URL
• be94777d - Upgrade doorkeeper to 5.0.2
• dba8f8f8 - Remove monkey patch for doorkeeper 4.x versions
• e483dfe1 - Skip admin authentication for user oauth apps
• 9f35baa9 - Add changelog for doorkeeper 5.0.2 update
• 471918f8 - Add scopes and expires_in_seconds to token info
• 611bf304 - Update the docs to include /oauth/token/info
• 4775409a - Add comment with reason for skipping admin auth
• 9224cf5e - Upgrade Gitaly to v1.87.0
• c82ae27d - Refactor conan api helpers
• 56dd0431 - Preload job artifacts archive in pipeline details
• eec628df - Fix spec to expect correct query count in FOSS only
• 4a6ea71e - Remove CI status from Projects Dashboard
• 2b1f9639 - Fixes nil error in cluster app feature specs
• 0e0b9b8f - Refactor constant activityBarViews to leftSidebarViews
• 4a86106a - Update new snippet elements
• 2363c5bc - Define counter for #truncated?
• d203014a - Document adding custom collapsible sections to job logs. For #31481 (closed)
• c500f648 - Apply suggestion to doc/ci/pipelines.md
• 19254b4a - Changes based on code review feedback.
• d8c4c39e - Additional detail on the collapsible section output markers.
• 588a2f12 - Apply suggestion to doc/ci/pipelines.md
• 6aa69d92 - Issue a gitlab-ctl stop before replicating DB
• 50a158ad - Add vulnerability management state dropdown
• 3c20beee - Allow to update issuable health status on GraphQL
• ba67716b - Time series extends axis options correctly
• 27494b34 - Adding directions on how to connect to gdk db with vscode
• a506ca3b - Add vue powered breadcrumb
• 88f56c4b - Update to eslint 6
• ad511633 - Describe resource_group can use env variables
• 2c7418db - Replace underscore with lodash in the jobs components
• 372dbcdb - Added recover hidden stages dropdown
• 546c5fa7 - Clarify usage for event tracking and instrumentation
• f7d51613 - Drop signatures in email replies
• 1c604d09 - Upgrade pages to 1.16.0
• f59d1cf3 - Fix approvals filtering
• 284a940b - Make merge_request_diff to return an empty MergeRequestDiff if nil
• 69f12729 - Improve reference pattern with word boundary
• 22192664 - Extract regex into a common method
• ce3e5825 - Wait for image to be lazy-loaded in tests
• db1ad6e6 - Store lsif ci artifact as gzip
• f57d9cc1 - Add epic changed status email missing specs
• e26503da - Fix a log schema inconsistency
• 9ccf0463 - Initial a11y scanning CI template
• 7cc3acc3 - File-specific exclusions for CI templates
• 8aad1656 - Specify that disabled templates are not valid in FOSS
• 3a77e343 - Fix links to gitlab-foss
• 2ec61d29 - Add license_scanning report key
• dd299d68 - Require a logged in user to accept or decline a term
• ef492e1a - Update GitLab version for duplicating dashboards
• b6567244 - Convert request specs into units for PostReceiveService
• 315abe02 - Add Secure Sidekiq namespace changelog
• 070e55b6 - Fixed list styles for notes
• fd6a50ae - Add limit-container-width class to registry
• 1087e3d2 - Migrate mentions for design notes to DB table
• 5d023f5d - Consolidate conditions and rules under .gitlab/ci/rules.gitlab-ci.yml
• fbd71da7 - Update the pipelines documentation with the latest changes
• 7c352162 - Drop etag cache on logs API
• f80962ee - Replace set with let_it_be in spec/graphql
• 5fbfdf02 - Replace set with let_it_be in spec/helpers
• 225bc2f3 - Replace set with let_it_be in spec/mailers
• 972cffd7 - Replace set with let_it_be in spec/policies
• 616b56bc - Add documentation for single stat percentile value support
• bfa0b0a5 - Revert "Merge branch '27142-divider-in-readme-is-overlaying-with-image' into 'master'"
• 419ec153 - Add pipeline architectures overview
• 882e873f - Version pin postgres service
• 49c15a0b - Ignore not found when deleting k8s resource by name
• 56d81ad7 - Pass group data to frontend subscriptions app
• 36570ddd - Allocate some unowned workers to categories
• 2912d182 - Doc update monitoring dashboard
• 1c9f4866 - Update code block style docs
• 1a00a65d - Remove pin comment from Auto DevOps templates
• ebb9de51 - Add Vuex store for ci variables
• d303a4b5 - Apply code review suggestions
• c63113b8 - Update server hooks documentation to current behavior
• 605f8d4b - Set width property to tokens container
• e1f68f32 - Define histogram for tracking blob size
• f4c7271c - Documentation for Pages configuration file
• 1755e313 - Simplify colors in the Web IDE
• 023b2568 - Automatically create DLL when it does not exist
• 141e228f - Add webpack vendor dlls to CI cache
• 21362ed8 - Ensure the build fails on DLL error
• 0f18d99a - Comment out migration helper include in migration template
• 3418b146 - Update GitLab Packages
• 48a344ea - Improve UX of SAML Settings
• 09a6e8b7 - Fix Release edit page
• 0c958bf9 - Adds sorting to group level package api
• 3ff7ab8b - Fix markdown layout of incident issues
• ae9f09a9 - Refactors metric embeds to ease adding embed types
• bf8cd5e3 - Connect BoardType into the group / project query
• 94bd82ec - Remove stub_const as it’s in master now
• 66a12bfe - Add request spec for Board gaphql query
• c827553c - Revert "Revert "Merge branch 'license-compliance-policy-tab' into 'master'""
• 35748d04 - Revert "Revert "Merge branch '14061-license-app-data' into 'master'""
• 3f2a7573 - Fix broken license policy page
• 9b493245 - Implement backend code review changes
• 9056b15b - Fix the link for pipeline yaml in arch docs
• b7bca43d - Add clarity for admin requirement and curl example
• 91a6d1e0 - Update rouge to v3.16.0
• a6fd024c - Add group specific email headers documentation
• 7f2a5753 - Add unicorn memory limit for 12.6 and older
• b06ea8b7 - Fix link typo
• 4db57c87 - Update OAuth2 token info API docs to be clearer
• 1a3a8754 - Refactor npm instructions
• 3a469b8a - Fix a log schema inconsistency
• 8a338934 - Replace underscore with lodash for ./app/assets/javascripts/badges
• 9bbb4083 - Add Sentry messages to the monitoring dashboard
• 83f8006c - Revert "Merge branch 'auto_devops_test_rules' into 'master'"
• da8cf02b - Remove use of hard-coded ID in spec
• bd351910 - Modified environments_app_spec for jest
• 8bee3fdf - Migrate '.fa-spinner' to '.spinner' for...
• 7b942088 - Add internal YARD doc for public interface
• be83cbe8 - Replace file type check with content whitelist

Compare with previous version

added database databasereview pending labels

added 1108 commits

• be83cbe8...447affba - 1107 commits from branch master
• e2df652d - Replace file type check with content whitelist

Compare with previous version

added 1 commit

• f1602bd6 - Replace file type check with content whitelist

Compare with previous version

added 1 commit

• 99a0fd04 - Replace file type check with content whitelist

Compare with previous version

added 1 commit

• d8b4287a - Replace file type check with content whitelist

Compare with previous version

added 478 commits

• d8b4287a...5694be23 - 477 commits from branch master
• e728960c - Replace file type check with content whitelist

Compare with previous version

added 3 commits

• e728960c...5f0c2438 - 2 commits from branch master
• e5bd9223 - Replace file type check with content whitelist

Compare with previous version

added 157 commits

• e5bd9223...a5606156 - 156 commits from branch master
• 98ddf9e1 - Replace file type check with content whitelist

Compare with previous version

added 1 commit

• 04cb5432 - Replace file type check with content whitelist

Compare with previous version

added 1 commit

• 176dee74 - Replace file type check with content whitelist

Compare with previous version

added 1 commit

• 2a4cb321 - Replace file type check with content whitelist

Compare with previous version

removed database databasereview pending labels

added 1 commit

• d5a5acdb - mend

Compare with previous version

added 1 commit

• db22863c - Replace file type check with content whitelist

Compare with previous version

added 1 commit

• 13533160 - Replace file type check with content whitelist

Compare with previous version

added 1 commit

• 9133db66 - Replace file type check with content whitelist

Compare with previous version

@lulalala Can you please review? :)

assigned to @lulalala

unmarked as a Work In Progress

mentioned in merge request !26055 (closed)

Hi @alexpooley I've got two questions. Thanks!

added 1 commit

• 1740a6ba - Replace file type check with content whitelist

Compare with previous version

added database databasereview pending labels

added 1 commit

• b61e22c5 - Replace file type check with content whitelist

Compare with previous version

added 1 commit

• efbff5f5 - Replace file type check with content whitelist

Compare with previous version

unassigned @lulalala

removed databasereview pending label

@mkozono Can you please perform final backend review? Please note that I think I rebased incorrectly previously (???) and GitLab made all kinds of incorrect suggestions. You will be final review on this MR :)

resolved all threads

@alexpooley Nice work! I agree 100% with the change in approach. I just have a few minor comments for you.

marked the checklist item Changelog entry as completed

marked the checklist item Documentation (if required) as completed

marked the checklist item Code review guidelines as completed

marked the checklist item Merge request performance guidelines as completed

marked the checklist item Style guides as completed

marked the checklist item Database guides as completed

marked the checklist item Separation of EE specific content as completed

marked the checklist item Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process. as completed

approved this merge request

added 1 commit

• 4a66acc0 - Apply suggestion to app/uploaders/content_type_whitelist.rb

Compare with previous version

added databasereview pending label

mentioned in issue #208852 (closed)

assigned to @mkozono and unassigned @alexpooley

resolved all threads

assigned to @alexpooley and unassigned @mkozono

added 1 commit

• 90843086 - Replace file type check with content whitelist

Compare with previous version

added 1247 commits

• 90843086...11cfef67 - 1246 commits from branch master
• bda9ee5d - Replace file type check with content whitelist

Compare with previous version

added 5 commits

• bda9ee5d...2e08c928 - 4 commits from branch master
• b00087d2 - Replace file type check with content whitelist

Compare with previous version

added 5 commits

• b00087d2...3d9aa2fd - 4 commits from branch master
• 5fe0cf7e - Replace file type check with content whitelist

Compare with previous version

Reviewer roulette

Changes that require review have been detected! A merge request is normally reviewed by both a reviewer and a maintainer in its primary category (e.g. frontend or backend), and by a maintainer in all other categories.

To spread load more evenly across eligible reviewers, Danger has randomly picked a candidate for each review slot. Feel free to override this selection if you think someone else would be better-suited, or the chosen person is unavailable.

To read more on how to use the reviewer roulette, please take a look at the Engineering workflow and code review guidelines.

Once you've decided who will review this merge request, mention them as you normally would! Danger does not (yet?) automatically notify them for you.

Category	Reviewer	Maintainer
backend	Kerri Miller (@kerrizor)	Mayra Cabrera (@mayra-cabrera)

Generated by Danger

mentioned in merge request !26427 (merged)

added 1 commit

• ec6358f9 - Replace file type check with content whitelist

Compare with previous version

added 513 commits

• ec6358f9...fb67968c - 512 commits from branch master
• e6cadf4d - Replace file type check with content whitelist

Compare with previous version

changed the description

added 222 commits

• e6cadf4d...34376c50 - 221 commits from branch master
• 75938d63 - Replace file type check with content whitelist

Compare with previous version

resolved all threads

@alexpooley Thanks! I added a few comments on the specs.

mentioned in issue #207740 (closed)

added 1 commit

• 3ce4257d - Replace file type check with content whitelist

Compare with previous version

@mkozono thanks again for the review, again. I've left some comments, and made some changes around what you have suggested.

assigned to @mkozono

mentioned in issue #200107 (closed)

resolved all threads

removed database databasereview pending labels

merged

mentioned in commit ac2e2c6a

Oops. I clicked Run a pipeline, went away, came back, clicked Overview, and clicked Merge before realizing it wasn't a MWPS button.

Anyway, thanks for the great work @alexpooley!

added workflowstaging label

added workflowcanary label and removed workflowstaging label

added workflowproduction label and removed workflowcanary label

mentioned in issue #212264 (closed)

1. At a glance, yes I believe we would be fine with your changes.

2. Yes, sure.

Thanks. It makes me wonder why job.log is detected as invalid/invalid. I guess MimeMagic really is confused because job.log contains all sorts of escape characters to mark timestamps etc.:

[13] pry(main)> File.open('/tmp/job.log') { |file| MimeMagic.by_magic(file).try(:type) }
=> nil

Yes I've found it not very reliable. It's really only useful if we can be assured of the headers going in. Images are a good example, and as far as I know the only place this code should run?

I'm still unsure how the log Content-Type would have been tagged incorrectly ...

mentioned in issue gitlab-com/www-gitlab-com#5061 (closed)