Introduce latest security changes to `master`
Picks:
- Server Side Request Forgery in Services and Web Hooks: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2337
- Gitlab Auth0 integration signs in the wrong user: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2354