Add latest changes from gitlab-org/gitlab@master

2 files changed, 172 insertions, 0 deletions

diff --git a/spec/controllers/concerns/page_limiter_spec.rb b/spec/controllers/concerns/page_limiter_spec.rb
new file mode 100644
index 00000000000..9ac94b7e740
--- /dev/null
+++ b/spec/controllers/concerns/page_limiter_spec.rb
@@ -0,0 +1,97 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+class PageLimiterSpecController < ApplicationController
+  include PageLimiter
+
+  before_action do
+    limit_pages 200
+  end
+
+  def index
+    head :ok
+  end
+end
+
+describe PageLimiter do
+  let(:controller_class) do
+    PageLimiterSpecController
+  end
+
+  let(:instance) do
+    controller_class.new
+  end
+
+  before do
+    allow(instance).to receive(:params) do
+      {
+        controller: "explore/projects",
+        action: "index"
+      }
+    end
+
+    allow(instance).to receive(:request) do
+      double(:request, user_agent: "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)")
+    end
+  end
+
+  describe "#limit_pages" do
+    using RSpec::Parameterized::TableSyntax
+
+    where(:max_page, :actual_page, :result) do
+      2   | 1 | nil
+      2   | 2 | nil
+      2   | 3 | PageLimiter::PageOutOfBoundsError
+      nil | 1 | PageLimiter::PageLimitNotANumberError
+      0   | 1 | PageLimiter::PageLimitNotSensibleError
+      -1  | 1 | PageLimiter::PageLimitNotSensibleError
+    end
+
+    with_them do
+      subject { instance.limit_pages(max_page) }
+
+      before do
+        allow(instance).to receive(:params) { { page: actual_page.to_s } }
+      end
+
+      it "returns the expected result" do
+        if result == PageLimiter::PageOutOfBoundsError
+          expect(instance).to receive(:record_page_limit_interception)
+          expect { subject }.to raise_error(result)
+        elsif result&.superclass == PageLimiter::PageLimiterError
+          expect { subject }.to raise_error(result)
+        else
+          expect(subject).to eq(result)
+        end
+      end
+    end
+  end
+
+  describe "#default_page_out_of_bounds_response" do
+    subject { instance.send(:default_page_out_of_bounds_response) }
+
+    after do
+      subject
+    end
+
+    it "returns a bad_request header" do
+      expect(instance).to receive(:head).with(:bad_request)
+    end
+  end
+
+  describe "#record_page_limit_interception" do
+    subject { instance.send(:record_page_limit_interception) }
+
+    it "records a metric counter" do
+      expect(Gitlab::Metrics).to receive(:counter).with(
+        :gitlab_page_out_of_bounds,
+        controller: "explore/projects",
+        action: "index",
+        bot: true
+      )
+
+      subject
+    end
+  end
+end
diff --git a/spec/controllers/explore/projects_controller_spec.rb b/spec/controllers/explore/projects_controller_spec.rb
index 6752d2b8ebd..6f68de52845 100644
--- a/spec/controllers/explore/projects_controller_spec.rb
+++ b/spec/controllers/explore/projects_controller_spec.rb
@@ -59,6 +59,79 @@ describe Explore::ProjectsController do
     end
   end
 
+  shared_examples "blocks high page numbers" do
+    let(:page_limit) { 200 }
+
+    context "page number is too high" do
+      [:index, :trending, :starred].each do |endpoint|
+        describe "GET #{endpoint}" do
+          render_views
+
+          before do
+            get endpoint, params: { page: page_limit + 1 }
+          end
+
+          it { is_expected.to respond_with(:bad_request) }
+          it { is_expected.to render_template("explore/projects/page_out_of_bounds") }
+
+          it "assigns the page number" do
+            expect(assigns[:max_page_number]).to eq(page_limit.to_s)
+          end
+        end
+
+        describe "GET #{endpoint}.json" do
+          render_views
+
+          before do
+            get endpoint, params: { page: page_limit + 1 }, format: :json
+          end
+
+          it { is_expected.to respond_with(:bad_request) }
+        end
+
+        describe "metrics recording" do
+          after do
+            get endpoint, params: { page: page_limit + 1 }
+          end
+
+          it "records the interception" do
+            expect(Gitlab::Metrics).to receive(:counter).with(
+              :gitlab_page_out_of_bounds,
+              controller: "explore/projects",
+              action: endpoint.to_s,
+              bot: false
+            )
+          end
+        end
+      end
+    end
+
+    context "page number is acceptable" do
+      [:index, :trending, :starred].each do |endpoint|
+        describe "GET #{endpoint}" do
+          render_views
+
+          before do
+            get endpoint, params: { page: page_limit }
+          end
+
+          it { is_expected.to respond_with(:success) }
+          it { is_expected.to render_template("explore/projects/#{endpoint}") }
+        end
+
+        describe "GET #{endpoint}.json" do
+          render_views
+
+          before do
+            get endpoint, params: { page: page_limit }, format: :json
+          end
+
+          it { is_expected.to respond_with(:success) }
+        end
+      end
+    end
+  end
+
   context 'when user is signed in' do
     let(:user) { create(:user) }
 
@@ -67,6 +140,7 @@ describe Explore::ProjectsController do
     end
 
     include_examples 'explore projects'
+    include_examples "blocks high page numbers"
 
     context 'user preference sorting' do
       let(:project) { create(:project) }
@@ -79,6 +153,7 @@ describe Explore::ProjectsController do
 
   context 'when user is not signed in' do
     include_examples 'explore projects'
+    include_examples "blocks high page numbers"
 
     context 'user preference sorting' do
       let(:project) { create(:project) }