authorOswaldo Ferreira <oswaldo@gitlab.com>2018-01-17 20:26:59 +0000
committerOswaldo Ferreira <oswaldo@gitlab.com>2018-01-17 20:26:59 +0000
commitf351cc28c2c878bf491bb0886be65bf35b58b261 (patch)
tree987d0a33d93dce35b4b25c401ae2c772760299d6 /spec/features
parent3b13159d9c83e8ce679663ce264854ea94bee8a2 (diff)
parentd1eb3ff594b42d6e9625724119f52d3356045870 (diff)
downloadgitlab-ce-f351cc28c2c878bf491bb0886be65bf35b58b261.tar.gz
Merge branch 'sh-backport-10-3-4-security-fixes' into 'master'
Backport 10.3.4 security fixes into master See merge request gitlab-org/gitlab-ce!16509
Diffstat (limited to 'spec/features')
-rw-r--r--spec/features/admin/admin_deploy_keys_spec.rb14
-rw-r--r--spec/features/cycle_analytics_spec.rb1
-rw-r--r--spec/features/issues/issue_sidebar_spec.rb9
-rw-r--r--spec/features/oauth_login_spec.rb3
-rw-r--r--spec/features/projects/import_export/import_file_spec.rb2
-rw-r--r--spec/features/projects/settings/repository_settings_spec.rb6
6 files changed, 24 insertions, 11 deletions
diff --git a/spec/features/admin/admin_deploy_keys_spec.rb b/spec/features/admin/admin_deploy_keys_spec.rb
index 241c7cbc34e..cb96830cb7c 100644
--- a/spec/features/admin/admin_deploy_keys_spec.rb
+++ b/spec/features/admin/admin_deploy_keys_spec.rb
@@ -17,6 +17,16 @@ RSpec.describe 'admin deploy keys' do
end
end
+ it 'shows all the projects the deploy key has write access' do
+ write_key = create(:deploy_keys_project, :write_access, deploy_key: deploy_key)
+
+ visit admin_deploy_keys_path
+
+ page.within(find('.deploy-keys-list', match: :first)) do
+ expect(page).to have_content(write_key.project.full_name)
+ end
+ end
+
describe 'create a new deploy key' do
let(:new_ssh_key) { attributes_for(:key)[:key] }
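Review bot: The new example 'shows all the projects the deploy key has write access' covers only the positive case, so it would still pass if the admin list showed every project the key is attached to, regardless of access level. If the column is meant to list write-access projects only, a second association without the trait would pin that: `read_key = create(:deploy_keys_project, deploy_key: deploy_key)` followed by `expect(page).not_to have_content(read_key.project.full_name)` inside the same `page.within` block. I am assuming the factory defaults to read-only when `:write_access` is omitted; the factory is not part of this diff.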
@@ -28,14 +38,12 @@ RSpec.describe 'admin deploy keys' do
it 'creates a new deploy key' do
fill_in 'deploy_key_title', with: 'laptop'
fill_in 'deploy_key_key', with: new_ssh_key
- check 'deploy_key_can_push'
click_button 'Create'
expect(current_path).to eq admin_deploy_keys_path
page.within(find('.deploy-keys-list', match: :first)) do
expect(page).to have_content('laptop')
- expect(page).to have_content('Yes')
end
end
end
@@ -48,14 +56,12 @@ RSpec.describe 'admin deploy keys' do
it 'updates an existing deploy key' do
fill_in 'deploy_key_title', with: 'new-title'
- check 'deploy_key_can_push'
click_button 'Save changes'
expect(current_path).to eq admin_deploy_keys_path
page.within(find('.deploy-keys-list', match: :first)) do
expect(page).to have_content('new-title')
- expect(page).to have_content('Yes')
end
end
end
diff --git a/spec/features/cycle_analytics_spec.rb b/spec/features/cycle_analytics_spec.rb
index d36954954b6..510677ecf56 100644
--- a/spec/features/cycle_analytics_spec.rb
+++ b/spec/features/cycle_analytics_spec.rb
@@ -113,6 +113,7 @@ feature 'Cycle Analytics', :js do
context "as a guest" do
before do
+ project.add_developer(user)
project.add_guest(guest)
allow_any_instance_of(Gitlab::ReferenceExtractor).to receive(:issues).and_return([issue])
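Review bot: In the "as a guest" setup, `project.add_developer(user)` is added without any indication of why a second, higher-privileged member is needed in a context that is about guest visibility. A short comment such as `# user authors the fixtures used below and needs developer access for that` would keep readers from treating it as part of the guest scenario. The reason is inferred from the surrounding backport and should be confirmed by the author. The `before` block continues outside the hunk.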
diff --git a/spec/features/issues/issue_sidebar_spec.rb b/spec/features/issues/issue_sidebar_spec.rb
index a5c9d0bde5d..64b4f9e7e67 100644
--- a/spec/features/issues/issue_sidebar_spec.rb
+++ b/spec/features/issues/issue_sidebar_spec.rb
@@ -8,6 +8,7 @@ feature 'Issue Sidebar' do
let(:issue) { create(:issue, project: project) }
let!(:user) { create(:user)}
let!(:label) { create(:label, project: project, title: 'bug') }
+ let!(:xss_label) { create(:label, project: project, title: '&lt;script&gt;alert("xss");&lt;&#x2F;script&gt;') }
before do
sign_in(user)
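Review bot: The `xss_label` fixture title is already HTML-entity-encoded and nothing on the line says why, which makes it easy to "fix" later into a raw string and silently change what the spec covers. A comment above it would help, for example `# Title is stored entity-encoded on purpose: the sidebar must render it as text, not decode it into markup`. That wording reflects my reading of the later expectation and should be checked against the model's title handling. Separately, `let!` creates this label for every example in the file; a plain `let` or a `before` in the one context that uses it would keep the other examples' label lists unchanged.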
@@ -99,6 +100,14 @@ feature 'Issue Sidebar' do
restore_window_size
open_issue_sidebar
end
+
+ it 'escapes XSS when viewing issue labels' do
+ page.within('.block.labels') do
+ find('.edit-link').click
+
+ expect(page).to have_content '<script>alert("xss");</script>'
+ end
+ end
end
context 'editing issue labels', :js do
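Review bot: The expectation in 'escapes XSS when viewing issue labels' checks visible text only, so it shows that the title is displayed literally but does not directly assert that no markup was created from it. Adding `expect(page).to have_no_css('script', visible: :all)` inside the same `page.within('.block.labels')` block would cover the absence of an injected element too, assuming the block carries no script tags of its own. The enclosing context starts outside the hunk, so I cannot confirm it runs with the `:js` driver. Without that driver, the dropdown rendering this spec targets would not execute.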
diff --git a/spec/features/oauth_login_spec.rb b/spec/features/oauth_login_spec.rb
index 49d8e52f861..a5e325ee2e3 100644
--- a/spec/features/oauth_login_spec.rb
+++ b/spec/features/oauth_login_spec.rb
@@ -10,8 +10,7 @@ feature 'OAuth Login', :js, :allow_forgery_protection do
def stub_omniauth_config(provider)
OmniAuth.config.add_mock(provider, OmniAuth::AuthHash.new(provider: provider.to_s, uid: "12345"))
- set_devise_mapping(context: Rails.application)
- Rails.application.env_config['omniauth.auth'] = OmniAuth.config.mock_auth[provider]
+ stub_omniauth_provider(provider)
end
providers = [:github, :twitter, :bitbucket, :gitlab, :google_oauth2,
diff --git a/spec/features/projects/import_export/import_file_spec.rb b/spec/features/projects/import_export/import_file_spec.rb
index af125e1b9d3..e8bb9c6a86c 100644
--- a/spec/features/projects/import_export/import_file_spec.rb
+++ b/spec/features/projects/import_export/import_file_spec.rb
@@ -32,7 +32,7 @@ feature 'Import/Export - project import integration test', :js do
expect(page).to have_content('Import an exported GitLab project')
expect(URI.parse(current_url).query).to eq("namespace_id=#{namespace.id}&path=#{project_path}")
- expect(Gitlab::ImportExport).to receive(:import_upload_path).with(filename: /\A\h{32}_test-project-path\h*\z/).and_call_original
+ expect(Gitlab::ImportExport).to receive(:import_upload_path).with(filename: /\A\h{32}\z/).and_call_original
attach_file('file', file)
click_on 'Import project'
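Review bot: The tightened matcher `/\A\h{32}\z/` is the only place in this spec that records that the upload filename must no longer contain the project path, and the line gives no reason for it. A comment above the expectation would protect it from being loosened again, for example `# filename must be a bare 32-hex token with no user-supplied path component`. That rationale is inferred from the commit being a security backport, since the implementation of `import_upload_path` is outside this path-limited diff. The scenario body continues outside the hunk.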
diff --git a/spec/features/projects/settings/repository_settings_spec.rb b/spec/features/projects/settings/repository_settings_spec.rb
index 81b282502fc..14670e91006 100644
--- a/spec/features/projects/settings/repository_settings_spec.rb
+++ b/spec/features/projects/settings/repository_settings_spec.rb
@@ -43,7 +43,7 @@ feature 'Repository settings' do
fill_in 'deploy_key_title', with: 'new_deploy_key'
fill_in 'deploy_key_key', with: new_ssh_key
- check 'deploy_key_can_push'
+ check 'deploy_key_deploy_keys_projects_attributes_0_can_push'
click_button 'Add key'
expect(page).to have_content('new_deploy_key')
@@ -57,7 +57,7 @@ feature 'Repository settings' do
find('li', text: private_deploy_key.title).click_link('Edit')
fill_in 'deploy_key_title', with: 'updated_deploy_key'
- check 'deploy_key_can_push'
+ check 'deploy_key_deploy_keys_projects_attributes_0_can_push'
click_button 'Save changes'
expect(page).to have_content('updated_deploy_key')
@@ -74,11 +74,9 @@ feature 'Repository settings' do
find('li', text: private_deploy_key.title).click_link('Edit')
fill_in 'deploy_key_title', with: 'updated_deploy_key'
- check 'deploy_key_can_push'
click_button 'Save changes'
expect(page).to have_content('updated_deploy_key')
- expect(page).to have_content('Write access allowed')
end
scenario 'remove an existing deploy key' do