author | Brett Walker <brett@digitalmoksha.com> | 2017-11-02 12:50:04 +0000 |
---|---|---|
committer | Nick Thomas <nick@gitlab.com> | 2017-11-02 12:50:04 +0000 |
commit | 2fd5cc2bff81ddcbce8381bb0c835d1d1717c0ed (patch) | |
tree | 3c96c95832a424316dd76d3fef36774d6fbe5b5a /spec/lib/gitlab/middleware | |
parent | 506a4e7530854ec4f4775b8df96a272509a553ba (diff) | |
download | gitlab-ce-2fd5cc2bff81ddcbce8381bb0c835d1d1717c0ed.tar.gz |
Geo route whitelisting is too optimistic
Diffstat (limited to 'spec/lib/gitlab/middleware')
-rw-r--r-- | spec/lib/gitlab/middleware/read_only_spec.rb | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/spec/lib/gitlab/middleware/read_only_spec.rb b/spec/lib/gitlab/middleware/read_only_spec.rb
index 742a792a1af..86be06ff595 100644
--- a/spec/lib/gitlab/middleware/read_only_spec.rb
+++ b/spec/lib/gitlab/middleware/read_only_spec.rb
@@ -83,6 +83,13 @@ describe Gitlab::Middleware::ReadOnly do
 expect(subject).to disallow_request
 end
+ it 'expects POST of new file that looks like an LFS batch url to be disallowed' do
+ response = request.post('/root/gitlab-ce/new/master/app/info/lfs/objects/batch')
+
+ expect(response).to be_a_redirect
+ expect(subject).to disallow_request
+ end
+
 context 'whitelisted requests' do
 it 'expects DELETE request to logout to be allowed' do
 response = request.delete('/users/sign_out')
@@ -104,6 +111,25 @@ describe Gitlab::Middleware::ReadOnly do
 expect(response).not_to be_a_redirect
 expect(subject).not_to disallow_request
 end
+
+ it 'expects a POST request to git-upload-pack URL to be allowed' do
+ response = request.post('/root/rouge.git/git-upload-pack')
+
+ expect(response).not_to be_a_redirect
+ expect(subject).not_to disallow_request
+ end
+
+ it 'expects requests to sidekiq admin to be allowed' do
+ response = request.post('/admin/sidekiq')
+
+ expect(response).not_to be_a_redirect
+ expect(subject).not_to disallow_request
+
+ response = request.get('/admin/sidekiq')
+
+ expect(response).not_to be_a_redirect
+ expect(subject).not_to disallow_request
+ end
 end
 end |
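Review bot: The only negative case added in the first hunk, `it 'expects POST of new file that looks like an LFS batch url to be disallowed'`, covers the LFS suffix alone, while the second hunk whitelists `git-upload-pack` and `/admin/sidekiq` with no matching lookalike check. If the middleware matches those routes the same way, a later loosening of either pattern would reopen write access on a read-only node without failing this spec. A sibling example would pin that, using a constructed path modelled on the one in this hunk: `response = request.post('/root/gitlab-ce/new/master/app/git-upload-pack')` followed by `expect(subject).to disallow_request`. A one-line comment above the example, such as `# a file-creation route must not be allowed just because its path ends like a whitelisted URL`, would record why the test exists. The enclosing `describe` and context blocks start outside the hunk.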
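Review bot: In the second hunk, `it 'expects requests to sidekiq admin to be allowed'` puts a POST and a GET in one example, and the GET half presumably never reaches the whitelist, since a read-only middleware normally blocks only write verbs. Only the POST assertions actually test the new route. Splitting it into two examples would stop a POST failure from hiding the GET result. If `disallow_request` reads state kept on the memoized `subject` (its definition is outside this hunk), the second `expect(subject).not_to disallow_request` may also reflect the first request, so a fresh example per request is safer. Both allowed-path examples hit only the exact URL; a sub-path case such as `request.post('/admin/sidekiq/queues')` (a constructed path) would show whether the whole mount or only its root is exempt.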