author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-10-30 15:16:56 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-10-30 15:16:56 +0000 |
commit | fa2fec1d18330e4cd9803ff164db19e7367e3838 (patch) | |
tree | 91a9bf1c74eeff29690f33e3faf2b8ca87051af3 /spec/features | |
parent | 8ee0746f54c19fcb8fe81058594aa8d373c5b7d7 (diff) | |
Add latest changes from gitlab-org/security/gitlab@13-5-stable-ee
Diffstat (limited to 'spec/features')
-rw-r--r-- | spec/features/file_uploads/multipart_invalid_uploads_spec.rb | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/spec/features/file_uploads/multipart_invalid_uploads_spec.rb b/spec/features/file_uploads/multipart_invalid_uploads_spec.rb
new file mode 100644
index 00000000000..e9e24c12af1
--- /dev/null
+++ b/spec/features/file_uploads/multipart_invalid_uploads_spec.rb
@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'Invalid uploads that must be rejected', :api, :js do
+ include_context 'file upload requests helpers'
+
+ let_it_be(:project) { create(:project) }
+ let_it_be(:user) { create(:user, :admin) }
+ let_it_be(:personal_access_token) { create(:personal_access_token, user: user) }
+
+ context 'invalid upload key', :capybara_ignore_server_errors do
+ let(:api_path) { "/projects/#{project.id}/packages/nuget/" }
+ let(:url) { capybara_url(api(api_path)) }
+ let(:file) { fixture_file_upload('spec/fixtures/dk.png') }
+
+ subject do
+ HTTParty.put(
+ url,
+ basic_auth: { user: user.username, password: personal_access_token.token },
+ body: body
+ )
+ end
+
+ RSpec.shared_examples 'rejecting invalid keys' do |key_name:, message: nil|
+ context "with invalid key #{key_name}" do
+ let(:body) { { key_name => file, 'package[test][name]' => 'test' } }
+
+ it { expect { subject }.not_to change { Packages::Package.nuget.count } }
+
+ it { expect(subject.code).to eq(500) }
+
+ it { expect(subject.body).to include(message.presence || "invalid field: \"#{key_name}\"") }
+ end
+ end
+
+ RSpec.shared_examples 'by rejecting uploads with an invalid key' do
+ it_behaves_like 'rejecting invalid keys', key_name: 'package[test'
+ it_behaves_like 'rejecting invalid keys', key_name: '[]'
+ it_behaves_like 'rejecting invalid keys', key_name: '[package]test'
+ it_behaves_like 'rejecting invalid keys', key_name: 'package][test]]'
+ it_behaves_like 'rejecting invalid keys', key_name: 'package[test[nested]]'
+ end
+
+ # These keys are rejected directly by rack itself.
+ # The request will not be received by multipart.rb (can't use the 'handling file uploads' shared example)
+ it_behaves_like 'rejecting invalid keys', key_name: 'x' * 11000, message: 'Puma caught this error: exceeded available parameter key space (RangeError)'
+ it_behaves_like 'rejecting invalid keys', key_name: 'package[]test', message: 'Puma caught this error: expected Hash (got Array)'
+
+ it_behaves_like 'handling file uploads', 'by rejecting uploads with an invalid key'
+ end
+end |
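Review bot: The last two `it_behaves_like 'rejecting invalid keys'` calls pin the response body to Puma's own error text (`Puma caught this error: …`), which couples the spec to the application server and also enshrines, as expected behaviour, that the raw Ruby exception class is echoed back to the client. Since the other two expectations in the shared example (no new `Packages::Package.nuget` row, status 500) already prove the upload was rejected, consider passing a neutral `message:` or asserting only on status for these two cases so that a server swap or a tighter error page does not break the suite. The `'x' * 11000` key is also an unexplained magic number; a comment such as `# long enough to exceed Rack's parameter key space limit` would tell the next reader which limit the case targets — the exact limit involved is not visible here, so confirm the figure before naming it.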