diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-03-29 23:52:27 +0000 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-03-29 23:52:27 +0000 |
| commit | 52dd3cdae10174cc35af6698b280acd1431cc4f8 (patch) | |
| tree | 5dd5616b71029c5c4315961d8663b3a3c80714a5 | |
| parent | 38dadcee569adfbbb1c9dc99634bba4e9a9128bc (diff) | |
| download | gitlab-ce-52dd3cdae10174cc35af6698b280acd1431cc4f8.tar.gz | |
Add latest changes from gitlab-org/security/gitlab@15-9-stable-ee
| -rw-r--r-- | app/models/hooks/web_hook.rb | 18 | ||||
| -rw-r--r-- | app/policies/project_policy.rb | 1 | ||||
| -rw-r--r-- | glfm_specification/output_example_snapshots/snapshot_spec.html | 16 | ||||
| -rw-r--r-- | lib/api/repositories.rb | 4 | ||||
| -rw-r--r-- | lib/gitlab/unicode.rb | 6 | ||||
| -rw-r--r-- | lib/rouge/formatters/html_gitlab.rb | 9 | ||||
| -rw-r--r-- | spec/controllers/admin/hooks_controller_spec.rb | 3 | ||||
| -rw-r--r-- | spec/controllers/projects/clusters_controller_spec.rb | 23 | ||||
| -rw-r--r-- | spec/controllers/projects/environments/prometheus_api_controller_spec.rb | 23 | ||||
| -rw-r--r-- | spec/factories/project_hooks.rb | 2 | ||||
| -rw-r--r-- | spec/helpers/hooks_helper_spec.rb | 2 | ||||
| -rw-r--r-- | spec/lib/rouge/formatters/html_gitlab_spec.rb | 21 | ||||
| -rw-r--r-- | spec/models/hooks/web_hook_spec.rb | 28 | ||||
| -rw-r--r-- | spec/policies/project_policy_spec.rb | 46 | ||||
| -rw-r--r-- | spec/requests/api/repositories_spec.rb | 16 | ||||
| -rw-r--r-- | spec/services/web_hook_service_spec.rb | 4 |
16 files changed, 198 insertions, 24 deletions
diff --git a/app/models/hooks/web_hook.rb b/app/models/hooks/web_hook.rb index 819152a38c8..7202a530feb 100644 --- a/app/models/hooks/web_hook.rb +++ b/app/models/hooks/web_hook.rb @@ -41,7 +41,7 @@ class WebHook < ApplicationRecord after_initialize :initialize_url_variables before_validation :reset_token - before_validation :reset_url_variables, unless: ->(hook) { hook.is_a?(ServiceHook) } + before_validation :reset_url_variables, unless: ->(hook) { hook.is_a?(ServiceHook) }, on: :update before_validation :set_branch_filter_nil, if: :branch_filter_strategy_all_branches? validates :push_events_branch_filter, untrusted_regexp: true, if: :branch_filter_strategy_regex? validates :push_events_branch_filter, "web_hooks/wildcard_branch_filter": true, if: :branch_filter_strategy_wildcard? @@ -150,7 +150,7 @@ class WebHook < ApplicationRecord # See app/validators/json_schemas/web_hooks_url_variables.json VARIABLE_REFERENCE_RE = /\{([A-Za-z]+[0-9]*(?:[._-][A-Za-z0-9]+)*)\}/.freeze - def interpolated_url + def interpolated_url(url = self.url, url_variables = self.url_variables) return url unless url.include?('{') vars = url_variables @@ -176,7 +176,19 @@ class WebHook < ApplicationRecord end def reset_url_variables - self.url_variables = {} if url_changed? && !encrypted_url_variables_changed? + interpolated_url_was = interpolated_url(decrypt_url_was, url_variables_were) + + return if url_variables_were.empty? || interpolated_url_was == interpolated_url + + self.url_variables = {} if url_changed? && url_variables_were.to_a.intersection(url_variables.to_a).any? + end + + def decrypt_url_was + self.class.decrypt_url(encrypted_url_was, iv: Base64.decode64(encrypted_url_iv_was)) + end + + def url_variables_were + self.class.decrypt_url_variables(encrypted_url_variables_was, iv: encrypted_url_variables_iv_was) end def next_failure_count diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index 875520d24be..3d22002e828 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb @@ -412,7 +412,6 @@ class ProjectPolicy < BasePolicy end rule { can?(:metrics_dashboard) }.policy do - enable :read_prometheus enable :read_deployment end diff --git a/glfm_specification/output_example_snapshots/snapshot_spec.html b/glfm_specification/output_example_snapshots/snapshot_spec.html index 96131037648..e1ef404ed03 100644 --- a/glfm_specification/output_example_snapshots/snapshot_spec.html +++ b/glfm_specification/output_example_snapshots/snapshot_spec.html @@ -7028,7 +7028,7 @@ references and their corresponding code points.</p> <copy-code></copy-code> </div> <div class="gl-relative markdown-code-block js-markdown-code"> -<pre data-sourcepos="7591:1-7595:32" lang="plaintext" class="code highlight js-syntax-highlight language-plaintext" data-canonical-lang="" v-pre="true"><code><span id="LC1" class="line" lang="plaintext"><p> &amp; © Æ Ď</span> +<pre data-sourcepos="7591:1-7595:32" lang="plaintext" class="code highlight js-syntax-highlight language-plaintext" data-canonical-lang="" v-pre="true"><code><span id="LC1" class="line" lang="plaintext"><p> &amp; © Æ Ď</span> <span id="LC2" class="line" lang="plaintext">¾ ℋ ⅆ</span> <span id="LC3" class="line" lang="plaintext">∲ ≧̸</p></span></code></pre> <copy-code></copy-code> @@ -7344,11 +7344,11 @@ stripped in this way:</p> <div> <div><a href="#example-343">Example 343</a></div> <div class="gl-relative markdown-code-block js-markdown-code"> -<pre data-sourcepos="7960:1-7962:32" lang="plaintext" class="code highlight js-syntax-highlight language-plaintext" data-canonical-lang="example" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">` b `</span></code></pre> +<pre data-sourcepos="7960:1-7962:32" lang="plaintext" class="code highlight js-syntax-highlight language-plaintext" data-canonical-lang="example" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">` b `</span></code></pre> <copy-code></copy-code> </div> <div class="gl-relative markdown-code-block js-markdown-code"> -<pre data-sourcepos="7964:1-7966:32" lang="plaintext" class="code highlight js-syntax-highlight language-plaintext" data-canonical-lang="" v-pre="true"><code><span id="LC1" class="line" lang="plaintext"><p><code> b </code></p></span></code></pre> +<pre data-sourcepos="7964:1-7966:32" lang="plaintext" class="code highlight js-syntax-highlight language-plaintext" data-canonical-lang="" v-pre="true"><code><span id="LC1" class="line" lang="plaintext"><p><code> b </code></p></span></code></pre> <copy-code></copy-code> </div> </div> @@ -7356,12 +7356,12 @@ stripped in this way:</p> <div> <div><a href="#example-344">Example 344</a></div> <div class="gl-relative markdown-code-block js-markdown-code"> -<pre data-sourcepos="7974:1-7977:32" lang="plaintext" class="code highlight js-syntax-highlight language-plaintext" data-canonical-lang="example" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">` `</span> +<pre data-sourcepos="7974:1-7977:32" lang="plaintext" class="code highlight js-syntax-highlight language-plaintext" data-canonical-lang="example" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">` `</span> <span id="LC2" class="line" lang="plaintext">` `</span></code></pre> <copy-code></copy-code> </div> <div class="gl-relative markdown-code-block js-markdown-code"> -<pre data-sourcepos="7979:1-7982:32" lang="plaintext" class="code highlight js-syntax-highlight language-plaintext" data-canonical-lang="" v-pre="true"><code><span id="LC1" class="line" lang="plaintext"><p><code> </code></span> +<pre data-sourcepos="7979:1-7982:32" lang="plaintext" class="code highlight js-syntax-highlight language-plaintext" data-canonical-lang="" v-pre="true"><code><span id="LC1" class="line" lang="plaintext"><p><code> </code></span> <span id="LC2" class="line" lang="plaintext"><code> </code></p></span></code></pre> <copy-code></copy-code> </div> @@ -7832,11 +7832,11 @@ not part of a [left-flanking delimiter run]:</p> <div> <div><a href="#example-363">Example 363</a></div> <div class="gl-relative markdown-code-block js-markdown-code"> -<pre data-sourcepos="8485:1-8487:32" lang="plaintext" class="code highlight js-syntax-highlight language-plaintext" data-canonical-lang="example" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">* a *</span></code></pre> +<pre data-sourcepos="8485:1-8487:32" lang="plaintext" class="code highlight js-syntax-highlight language-plaintext" data-canonical-lang="example" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">* a *</span></code></pre> <copy-code></copy-code> </div> <div class="gl-relative markdown-code-block js-markdown-code"> -<pre data-sourcepos="8489:1-8491:32" lang="plaintext" class="code highlight js-syntax-highlight language-plaintext" data-canonical-lang="" v-pre="true"><code><span id="LC1" class="line" lang="plaintext"><p>* a *</p></span></code></pre> +<pre data-sourcepos="8489:1-8491:32" lang="plaintext" class="code highlight js-syntax-highlight language-plaintext" data-canonical-lang="" v-pre="true"><code><span id="LC1" class="line" lang="plaintext"><p>* a *</p></span></code></pre> <copy-code></copy-code> </div> </div> @@ -9790,7 +9790,7 @@ Other [Unicode whitespace] like non-breaking space doesn't work.</p> <div> <div><a href="#example-515">Example 515</a></div> <div class="gl-relative markdown-code-block js-markdown-code"> -<pre data-sourcepos="10823:1-10825:32" lang="plaintext" class="code highlight js-syntax-highlight language-plaintext" data-canonical-lang="example" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">[link](/url "title")</span></code></pre> +<pre data-sourcepos="10823:1-10825:32" lang="plaintext" class="code highlight js-syntax-highlight language-plaintext" data-canonical-lang="example" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">[link](/url "title")</span></code></pre> <copy-code></copy-code> </div> <div class="gl-relative markdown-code-block js-markdown-code"> diff --git a/lib/api/repositories.rb b/lib/api/repositories.rb index 70535496b12..6f8d34ea387 100644 --- a/lib/api/repositories.rb +++ b/lib/api/repositories.rb @@ -203,6 +203,10 @@ module API render_api_error!("Target project id:#{params[:from_project_id]} is not a fork of project id:#{params[:id]}", 400) end + unless can?(current_user, :read_code, target_project) + forbidden!("You don't have access to this fork's parent project") + end + cache_key = compare_cache_key(current_user, user_project, target_project, declared_params) cache_action(cache_key, expires_in: 1.minute) do diff --git a/lib/gitlab/unicode.rb b/lib/gitlab/unicode.rb index b49c5647dab..f291ea1b4ee 100644 --- a/lib/gitlab/unicode.rb +++ b/lib/gitlab/unicode.rb @@ -9,6 +9,12 @@ module Gitlab # https://idiosyncratic-ruby.com/41-proper-unicoding.html BIDI_REGEXP = /\p{Bidi Control}/.freeze + # Regular expression for identifying space characters + # + # In web browsers space characters can be confused with simple + # spaces which may be misleading + SPACE_REGEXP = /\p{Space_Separator}/.freeze + class << self # Warning message used to highlight bidi characters in the GUI def bidi_warning diff --git a/lib/rouge/formatters/html_gitlab.rb b/lib/rouge/formatters/html_gitlab.rb index 436739bed12..a7e95a96b8b 100644 --- a/lib/rouge/formatters/html_gitlab.rb +++ b/lib/rouge/formatters/html_gitlab.rb @@ -25,7 +25,10 @@ module Rouge yield %(<span id="LC#{@line_number}" class="line" lang="#{@tag}">) line.each do |token, value| - yield highlight_unicode_control_characters(span(token, value.chomp! || value)) + value = value.chomp! || value + value = replace_space_characters(value) + + yield highlight_unicode_control_characters(span(token, value)) end yield ellipsis if @ellipsis_indexes.include?(@line_number - 1) && @ellipsis_svg.present? @@ -42,6 +45,10 @@ module Rouge %(<span class="gl-px-2 gl-rounded-base gl-mx-2 gl-bg-gray-100 gl-cursor-help has-tooltip" title="Content has been trimmed">#{@ellipsis_svg}</span>) end + def replace_space_characters(text) + text.gsub(Gitlab::Unicode::SPACE_REGEXP, ' ') + end + def highlight_unicode_control_characters(text) text.gsub(Gitlab::Unicode::BIDI_REGEXP) do |char| %(<span class="unicode-bidi has-tooltip" data-toggle="tooltip" title="#{Gitlab::Unicode.bidi_warning}">#{char}</span>) diff --git a/spec/controllers/admin/hooks_controller_spec.rb b/spec/controllers/admin/hooks_controller_spec.rb index 4101bd7f658..4e68ffdda2a 100644 --- a/spec/controllers/admin/hooks_controller_spec.rb +++ b/spec/controllers/admin/hooks_controller_spec.rb @@ -59,6 +59,7 @@ RSpec.describe Admin::HooksController do enable_ssl_verification: false, url_variables: [ { key: 'token', value: 'some secret value' }, + { key: 'baz', value: 'qux' }, { key: 'foo', value: nil } ] } @@ -71,7 +72,7 @@ RSpec.describe Admin::HooksController do expect(flash[:notice]).to include('was updated') expect(hook).to have_attributes(hook_params.except(:url_variables)) expect(hook).to have_attributes( - url_variables: { 'token' => 'some secret value', 'baz' => 'woo' } + url_variables: { 'token' => 'some secret value', 'baz' => 'qux' } ) end end diff --git a/spec/controllers/projects/clusters_controller_spec.rb b/spec/controllers/projects/clusters_controller_spec.rb index a4f7c92f5cd..c7d2b1fa3af 100644 --- a/spec/controllers/projects/clusters_controller_spec.rb +++ b/spec/controllers/projects/clusters_controller_spec.rb @@ -7,7 +7,7 @@ RSpec.describe Projects::ClustersController, feature_category: :kubernetes_manag include GoogleApi::CloudPlatformHelpers include KubernetesHelpers - let_it_be(:project) { create(:project) } + let_it_be_with_reload(:project) { create(:project) } let(:user) { create(:user) } @@ -140,6 +140,27 @@ RSpec.describe Projects::ClustersController, feature_category: :kubernetes_manag expect(response).to redirect_to(new_user_session_path) end end + + context 'with a public project' do + before do + project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC) + project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::ENABLED) + end + + context 'with guest user' do + let(:prometheus_body) { nil } + + before do + project.add_guest(user) + end + + it 'returns 404' do + get :prometheus_proxy, params: prometheus_proxy_params + + expect(response).to have_gitlab_http_status(:not_found) + end + end + end end end diff --git a/spec/controllers/projects/environments/prometheus_api_controller_spec.rb b/spec/controllers/projects/environments/prometheus_api_controller_spec.rb index 68d50cf19f0..6b0c164e432 100644 --- a/spec/controllers/projects/environments/prometheus_api_controller_spec.rb +++ b/spec/controllers/projects/environments/prometheus_api_controller_spec.rb @@ -4,7 +4,7 @@ require 'spec_helper' RSpec.describe Projects::Environments::PrometheusApiController do let_it_be(:user) { create(:user) } - let_it_be(:project) { create(:project) } + let_it_be_with_reload(:project) { create(:project) } let_it_be(:proxyable) { create(:environment, project: project) } before do @@ -70,6 +70,27 @@ RSpec.describe Projects::Environments::PrometheusApiController do expect(response).to redirect_to(new_user_session_path) end end + + context 'with a public project' do + before do + project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC) + project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::ENABLED) + end + + context 'with guest user' do + let(:prometheus_body) { nil } + + before do + project.add_guest(user) + end + + it 'returns 404' do + get :prometheus_proxy, params: prometheus_proxy_params + + expect(response).to have_gitlab_http_status(:not_found) + end + end + end end end end diff --git a/spec/factories/project_hooks.rb b/spec/factories/project_hooks.rb index 946b3925ee9..d84e287d765 100644 --- a/spec/factories/project_hooks.rb +++ b/spec/factories/project_hooks.rb @@ -7,7 +7,7 @@ FactoryBot.define do project trait :url_variables do - url_variables { { 'abc' => 'supers3cret' } } + url_variables { { 'abc' => 'supers3cret', 'def' => 'foobar' } } end trait :token do diff --git a/spec/helpers/hooks_helper_spec.rb b/spec/helpers/hooks_helper_spec.rb index a6cfbfe86ca..d8fa64e099a 100644 --- a/spec/helpers/hooks_helper_spec.rb +++ b/spec/helpers/hooks_helper_spec.rb @@ -26,7 +26,7 @@ RSpec.describe HooksHelper do it 'returns proper data' do expect(subject).to match( url: project_hook.url, - url_variables: Gitlab::Json.dump([{ key: 'abc' }]) + url_variables: Gitlab::Json.dump([{ key: 'abc' }, { key: 'def' }]) ) end end diff --git a/spec/lib/rouge/formatters/html_gitlab_spec.rb b/spec/lib/rouge/formatters/html_gitlab_spec.rb index 79bfdb262c0..6fc1b395fc8 100644 --- a/spec/lib/rouge/formatters/html_gitlab_spec.rb +++ b/spec/lib/rouge/formatters/html_gitlab_spec.rb @@ -2,7 +2,7 @@ require 'spec_helper' -RSpec.describe Rouge::Formatters::HTMLGitlab do +RSpec.describe Rouge::Formatters::HTMLGitlab, feature_category: :source_code_management do describe '#format' do subject { described_class.format(tokens, **options) } @@ -67,5 +67,24 @@ RSpec.describe Rouge::Formatters::HTMLGitlab do is_expected.to include(%{<span class="unicode-bidi has-tooltip" data-toggle="tooltip" title="#{message}">}).exactly(4).times end end + + context 'when space characters and zero-width spaces are used' do + let(:lang) { 'ruby' } + let(:tokens) { lexer.lex(code, continue: false) } + + let(:code) do + <<~JS + def\u00a0\u1680\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007\u2008\u2009\u200a\u202f\u205f\u3000hello + JS + end + + it 'replaces the space characters with spaces' do + is_expected.to eq( + "<span id=\"LC1\" class=\"line\" lang=\"ruby\">" \ + "<span class=\"k\">def</span><span class=\"err\"> </span><span class=\"n\">hello</span>" \ + "</span>" + ) + end + end end end diff --git a/spec/models/hooks/web_hook_spec.rb b/spec/models/hooks/web_hook_spec.rb index 72958a54e10..ad5f01fe056 100644 --- a/spec/models/hooks/web_hook_spec.rb +++ b/spec/models/hooks/web_hook_spec.rb @@ -242,6 +242,22 @@ RSpec.describe WebHook, feature_category: :integrations do expect(hook.url_variables).to eq({}) end + it 'resets url variables if url is changed and url variables are appended' do + hook.url = 'http://suspicious.example.com/{abc}/{foo}' + hook.url_variables = hook.url_variables.merge('foo' => 'bar') + + expect(hook).not_to be_valid + expect(hook.url_variables).to eq({}) + end + + it 'resets url variables if url is changed and url variables are removed' do + hook.url = 'http://suspicious.example.com/{abc}' + hook.url_variables = hook.url_variables.except("def") + + expect(hook).not_to be_valid + expect(hook.url_variables).to eq({}) + end + it 'does not reset url variables if both url and url variables are changed' do hook.url = 'http://example.com/{one}/{two}' hook.url_variables = { 'one' => 'foo', 'two' => 'bar' } @@ -249,6 +265,18 @@ RSpec.describe WebHook, feature_category: :integrations do expect(hook).to be_valid expect(hook.url_variables).to eq({ 'one' => 'foo', 'two' => 'bar' }) end + + context 'without url variables' do + subject(:hook) { build_stubbed(:project_hook, project: project, url: 'http://example.com') } + + it 'does not reset url variables' do + hook.url = 'http://example.com/{one}/{two}' + hook.url_variables = { 'one' => 'foo', 'two' => 'bar' } + + expect(hook).to be_valid + expect(hook.url_variables).to eq({ 'one' => 'foo', 'two' => 'bar' }) + end + end end it "only consider these branch filter strategies are valid" do diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index c29446c1f38..0c359b80fb5 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -697,6 +697,39 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio end end + describe 'read_prometheus', feature_category: :metrics do + using RSpec::Parameterized::TableSyntax + + before do + project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::ENABLED) + end + + let(:policy) { :read_prometheus } + + where(:project_visibility, :role, :allowed) do + :public | :anonymous | false + :public | :guest | false + :public | :reporter | true + :internal | :anonymous | false + :internal | :guest | false + :internal | :reporter | true + :private | :anonymous | false + :private | :guest | false + :private | :reporter | true + end + + with_them do + let(:current_user) { public_send(role) } + let(:project) { public_send("#{project_visibility}_project") } + + if params[:allowed] + it { is_expected.to be_allowed(policy) } + else + it { is_expected.not_to be_allowed(policy) } + end + end + end + describe 'update_max_artifacts_size' do context 'when no user' do let(:current_user) { anonymous } @@ -972,7 +1005,7 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio let(:current_user) { guest } it { is_expected.to be_allowed(:metrics_dashboard) } - it { is_expected.to be_allowed(:read_prometheus) } + it { is_expected.to be_disallowed(:read_prometheus) } it { is_expected.to be_allowed(:read_deployment) } it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) } it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) } @@ -982,7 +1015,7 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio let(:current_user) { anonymous } it { is_expected.to be_allowed(:metrics_dashboard) } - it { is_expected.to be_allowed(:read_prometheus) } + it { is_expected.to be_disallowed(:read_prometheus) } it { is_expected.to be_allowed(:read_deployment) } it { is_expected.to be_disallowed(:read_metrics_user_starred_dashboard) } it { is_expected.to be_disallowed(:create_metrics_user_starred_dashboard) } @@ -1008,12 +1041,14 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio let(:current_user) { guest } it { is_expected.to be_disallowed(:metrics_dashboard) } + it { is_expected.to be_disallowed(:read_prometheus) } end context 'with anonymous' do let(:current_user) { anonymous } it { is_expected.to be_disallowed(:metrics_dashboard) } + it { is_expected.to be_disallowed(:read_prometheus) } end end @@ -1036,7 +1071,7 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio let(:current_user) { guest } it { is_expected.to be_allowed(:metrics_dashboard) } - it { is_expected.to be_allowed(:read_prometheus) } + it { is_expected.to be_disallowed(:read_prometheus) } it { is_expected.to be_allowed(:read_deployment) } it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) } it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) } @@ -1046,6 +1081,7 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio let(:current_user) { anonymous } it { is_expected.to be_disallowed(:metrics_dashboard) } + it { is_expected.to be_disallowed(:read_prometheus) } end end end @@ -1068,12 +1104,14 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio let(:current_user) { guest } it { is_expected.to be_disallowed(:metrics_dashboard) } + it { is_expected.to be_disallowed(:read_prometheus) } end context 'with anonymous' do let(:current_user) { anonymous } it { is_expected.to be_disallowed(:metrics_dashboard) } + it { is_expected.to be_disallowed(:read_prometheus) } end end @@ -1092,12 +1130,14 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio let(:current_user) { guest } it { is_expected.to be_disallowed(:metrics_dashboard) } + it { is_expected.to be_disallowed(:read_prometheus) } end context 'with anonymous' do let(:current_user) { anonymous } it { is_expected.to be_disallowed(:metrics_dashboard) } + it { is_expected.to be_disallowed(:read_prometheus) } end end end diff --git a/spec/requests/api/repositories_spec.rb b/spec/requests/api/repositories_spec.rb index 555ba2bc978..be26fe24061 100644 --- a/spec/requests/api/repositories_spec.rb +++ b/spec/requests/api/repositories_spec.rb @@ -573,6 +573,22 @@ RSpec.describe API::Repositories, feature_category: :source_code_management do context 'when authenticated', 'as a developer' do it_behaves_like 'repository compare' do let(:current_user) { user } + + context 'when user does not have read access to the parent project' do + let_it_be(:group) { create(:group) } + let(:forked_project) { fork_project(project, current_user, repository: true, namespace: group) } + + before do + forked_project.add_guest(current_user) + end + + it 'returns 403 error' do + get api(route, current_user), params: { from: 'improve/awesome', to: 'feature', from_project_id: forked_project.id } + + expect(response).to have_gitlab_http_status(:forbidden) + expect(json_response['message']).to eq("403 Forbidden - You don't have access to this fork's parent project") + end + end end end diff --git a/spec/services/web_hook_service_spec.rb b/spec/services/web_hook_service_spec.rb index 5736bf885be..b4250fcf04d 100644 --- a/spec/services/web_hook_service_spec.rb +++ b/spec/services/web_hook_service_spec.rb @@ -130,8 +130,8 @@ RSpec.describe WebHookService, :request_store, :clean_gitlab_redis_shared_state, context 'there is userinfo' do before do project_hook.update!( - url: 'http://{one}:{two}@example.com', - url_variables: { 'one' => 'a', 'two' => 'b' } + url: 'http://{foo}:{bar}@example.com', + url_variables: { 'foo' => 'a', 'bar' => 'b' } ) stub_full_request('http://example.com', method: :post) end |