author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-05-31 11:42:18 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-05-31 11:42:44 +0000 |
commit | 15c040a6bd71894260b66a90685070c0babfee76 (patch) | |
tree | 27021108f64428697744973cddaede55930f4ef7 /spec/lib | |
parent | 6e4e4023b46c786a99e1cfe8832fa5eff2728e0d (diff) | |
download | gitlab-ce-15c040a6bd71894260b66a90685070c0babfee76.tar.gz |
Add latest changes from gitlab-org/security/gitlab@13-12-stable-ee
Diffstat (limited to 'spec/lib')
-rw-r--r-- | spec/lib/banzai/pipeline/post_process_pipeline_spec.rb | 7 | ||||
-rw-r--r-- | spec/lib/gitlab/auth/user_access_denied_reason_spec.rb | 8 | ||||
-rw-r--r-- | spec/lib/gitlab/git_access_spec.rb | 14 | ||||
-rw-r--r-- | spec/lib/gitlab/utils/nokogiri_spec.rb | 34 | ||||
-rw-r--r-- | spec/lib/gitlab/utils_spec.rb | 23 |
5 files changed, 84 insertions, 2 deletions
diff --git a/spec/lib/banzai/pipeline/post_process_pipeline_spec.rb b/spec/lib/banzai/pipeline/post_process_pipeline_spec.rb
index ebe1ca4d403..55038d58f22 100644
--- a/spec/lib/banzai/pipeline/post_process_pipeline_spec.rb
+++ b/spec/lib/banzai/pipeline/post_process_pipeline_spec.rb
@@ -36,9 +36,11 @@ RSpec.describe Banzai::Pipeline::PostProcessPipeline do
 end
 let(:doc) { HTML::Pipeline.parse(html) }
+ let(:non_related_xpath_calls) { 2 }
 it 'searches for attributes only once' do
- expect(doc).to receive(:search).once.and_call_original
+ expect(doc).to receive(:xpath).exactly(non_related_xpath_calls + 1).times
+ .and_call_original
 subject
 end
@@ -49,7 +51,8 @@ RSpec.describe Banzai::Pipeline::PostProcessPipeline do
 end
 it 'searches for attributes twice' do
- expect(doc).to receive(:search).twice.and_call_original
+ expect(doc).to receive(:xpath).exactly(non_related_xpath_calls + 2).times
+ .and_call_original
 subject
 end
diff --git a/spec/lib/gitlab/auth/user_access_denied_reason_spec.rb b/spec/lib/gitlab/auth/user_access_denied_reason_spec.rb
index d3c6cde5590..102d6fba97f 100644
--- a/spec/lib/gitlab/auth/user_access_denied_reason_spec.rb
+++ b/spec/lib/gitlab/auth/user_access_denied_reason_spec.rb
@@ -57,5 +57,13 @@ RSpec.describe Gitlab::Auth::UserAccessDeniedReason do
 it { is_expected.to eq('Your account is pending approval from your administrator and hence blocked.') }
 end
+
+ context 'when the user has expired password' do
+ before do
+ user.update!(password_expires_at: 2.days.ago)
+ end
+
+ it { is_expected.to eq('Your password expired. Please access GitLab from a web browser to update your password.') }
+ end
 end
 end
diff --git a/spec/lib/gitlab/git_access_spec.rb b/spec/lib/gitlab/git_access_spec.rb
index ae9c697e0b9..3d6c04fd484 100644
--- a/spec/lib/gitlab/git_access_spec.rb
+++ b/spec/lib/gitlab/git_access_spec.rb
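Review bot: `let(:non_related_xpath_calls) { 2 }` is an unexplained magic number: the example now asserts the total count of `xpath` calls on `doc`, so whoever next adds or removes an `xpath` call in another filter will see this example fail with no hint why, and the same offset is reused in the second hunk of this file (`@@ -49`). A comment on the `let` stating which code is responsible for the two extra calls, along the lines of `# xpath calls issued by other filters in the pipeline, not by the attribute lookup under test; adjust when those filters change`, would make the failure actionable — the hunk does not show which filters those are, so the comment should name them. If only the attribute lookup's call count matters, spying on the specific caller rather than on `doc` would also remove the coupling. The enclosing `describe` starts outside the hunk.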
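Review bot: The new context in user_access_denied_reason_spec.rb checks only that an expired `password_expires_at` yields the 'Your password expired.' reason; nothing in this spec pins that a `password_expires_at` in the future (or `nil`) does not, so an implementation that treats any set expiry as expired would still pass. A sibling context with `user.update!(password_expires_at: 2.days.from_now)` and an expectation that the reason is whatever the unexpired case returns (not visible here) would close that gap. The enclosing `describe` starts outside the hunk.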
@@ -433,6 +433,13 @@ RSpec.describe Gitlab::GitAccess do
 expect { pull_access_check }.to raise_forbidden("Your account has been deactivated by your administrator. Please log back in from a web browser to reactivate your account at #{Gitlab.config.gitlab.url}")
 end
+ it 'disallows users with expired password to pull' do
+ project.add_maintainer(user)
+ user.update!(password_expires_at: 2.minutes.ago)
+
+ expect { pull_access_check }.to raise_forbidden("Your password expired. Please access GitLab from a web browser to update your password.")
+ end
+
 context 'when the project repository does not exist' do
 before do
 project.add_guest(user)
@@ -969,6 +976,13 @@ RSpec.describe Gitlab::GitAccess do
 expect { push_access_check }.to raise_forbidden("Your account has been deactivated by your administrator. Please log back in from a web browser to reactivate your account at #{Gitlab.config.gitlab.url}")
 end
+ it 'disallows users with expired password to push' do
+ project.add_maintainer(user)
+ user.update!(password_expires_at: 2.minutes.ago)
+
+ expect { push_access_check }.to raise_forbidden("Your password expired. Please access GitLab from a web browser to update your password.")
+ end
+
 it 'cleans up the files' do
 expect(project.repository).to receive(:clean_stale_repository_files).and_call_original
 expect { push_access_check }.not_to raise_error
diff --git a/spec/lib/gitlab/utils/nokogiri_spec.rb b/spec/lib/gitlab/utils/nokogiri_spec.rb
new file mode 100644
index 00000000000..90f137f53c8
--- /dev/null
+++ b/spec/lib/gitlab/utils/nokogiri_spec.rb
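Review bot: The two new examples (`@@ -433` and `@@ -969`) cover only the denial path for a maintainer with an expired password; there is no case for a user whose expiry should not gate Git access — a `password_expires_at` in the future, or a user authenticating through an external identity provider if the access check exempts those (the hunk does not show whether it does) — so over-blocking by this new gate would go unnoticed here. One positive example per hunk, e.g. `user.update!(password_expires_at: 2.minutes.from_now)` followed by `expect { pull_access_check }.not_to raise_error`, would pin the boundary. The expired-password message is also written out verbatim in both examples and again in user_access_denied_reason_spec.rb; a `let(:expired_password_message)` or a reference to the application constant, if one exists, would keep the three copies from drifting. Both examples sit inside contexts that start outside the hunk.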
@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::Utils::Nokogiri do
+ describe '#css_to_xpath' do
+ using RSpec::Parameterized::TableSyntax
+
+ where(:css, :xpath) do
+ 'img' | "descendant-or-self::img"
+ 'a.gfm' | "descendant-or-self::a[contains(concat(' ',normalize-space(@class),' '),' gfm ')]"
+ 'a:not(.gfm)' | "descendant-or-self::a[not(contains(concat(' ',normalize-space(@class),' '),' gfm '))]"
+ 'video, audio' | "descendant-or-self::video|descendant-or-self::audio"
+ '[data-math-style]' | "descendant-or-self::*[@data-math-style]"
+ '[data-mermaid-style]' | "descendant-or-self::*[@data-mermaid-style]"
+ '.js-render-metrics' | "descendant-or-self::*[contains(concat(' ',normalize-space(@class),' '),' js-render-metrics ')]"
+ 'h1, h2, h3, h4, h5, h6' | "descendant-or-self::h1|descendant-or-self::h2|descendant-or-self::h3|descendant-or-self::h4|descendant-or-self::h5|descendant-or-self::h6"
+ 'pre.code.language-math' | "descendant-or-self::pre[contains(concat(' ',normalize-space(@class),' '),' code ') and contains(concat(' ',normalize-space(@class),' '),' language-math ')]"
+ 'pre > code[lang="plantuml"]' | "descendant-or-self::pre/code[@lang=\"plantuml\"]"
+ 'pre[lang="mermaid"] > code' | "descendant-or-self::pre[@lang=\"mermaid\"]/code"
+ 'pre.language-suggestion' | "descendant-or-self::pre[contains(concat(' ',normalize-space(@class),' '),' language-suggestion ')]"
+ 'pre.language-suggestion > code' | "descendant-or-self::pre[contains(concat(' ',normalize-space(@class),' '),' language-suggestion ')]/code"
+ 'a.gfm[data-reference-type="user"]' | "descendant-or-self::a[contains(concat(' ',normalize-space(@class),' '),' gfm ') and @data-reference-type=\"user\"]"
+ 'a:not(.gfm), img:not(.gfm), video:not(.gfm), audio:not(.gfm)' | "descendant-or-self::a[not(contains(concat(' ',normalize-space(@class),' '),' gfm '))]|descendant-or-self::img[not(contains(concat(' ',normalize-space(@class),' '),' gfm 
'))]|descendant-or-self::video[not(contains(concat(' ',normalize-space(@class),' '),' gfm '))]|descendant-or-self::audio[not(contains(concat(' ',normalize-space(@class),' '),' gfm '))]"
+ 'pre:not([data-math-style]):not([data-mermaid-style]):not([data-kroki-style]) > code' | "descendant-or-self::pre[not(@data-math-style) and not(@data-mermaid-style) and not(@data-kroki-style)]/code"
+ end
+
+ with_them do
+ it 'generates the xpath' do
+ expect(described_class.css_to_xpath(css)).to eq xpath
+ end
+ end
+ end
+end
diff --git a/spec/lib/gitlab/utils_spec.rb b/spec/lib/gitlab/utils_spec.rb
index 11dba610faf..a7ccce0aaab 100644
--- a/spec/lib/gitlab/utils_spec.rb
+++ b/spec/lib/gitlab/utils_spec.rb
@@ -417,6 +417,29 @@ RSpec.describe Gitlab::Utils do
 end
 end
+ describe '.removes_sensitive_data_from_url' do
+ it 'returns string object' do
+ expect(described_class.removes_sensitive_data_from_url('http://gitlab.com')).to be_instance_of(String)
+ end
+
+ it 'returns nil when URI cannot be parsed' do
+ expect(described_class.removes_sensitive_data_from_url('://gitlab.com')).to be nil
+ end
+
+ it 'returns nil with invalid parameter' do
+ expect(described_class.removes_sensitive_data_from_url(1)).to be nil
+ end
+
+ it 'returns string with filtered access_token param' do
+ expect(described_class.removes_sensitive_data_from_url('http://gitlab.com/auth.html#access_token=secret_token')).to eq('http://gitlab.com/auth.html#access_token=filtered')
+ end
+
+ it 'returns string with filtered access_token param but other params preserved' do
+ expect(described_class.removes_sensitive_data_from_url('http://gitlab.com/auth.html#access_token=secret_token&token_type=Bearer&state=test'))
+ .to include('&token_type=Bearer', '&state=test')
+ end
+ end
+
 describe 'multiple_key_invert' do
 it 'invert keys with array values' do
 hash = { |
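Review bot: Every row in the `where` table of nokogiri_spec.rb is a well-formed selector, so the spec never pins what `css_to_xpath` does with input it cannot translate — an empty string, or a selector the CSS parser rejects — whether that raises, returns `nil`, or returns a partial expression. One example for that path, such as `expect { described_class.css_to_xpath('') }.to raise_error(<error class>)` with whichever class the implementation actually raises (not visible here), would make the contract explicit for any caller that assembles selectors from something other than literals. Exact string comparison is the right assertion for the happy path, since the first file in this commit shows the result being handed straight to `doc.xpath`.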
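Review bot: In utils_spec.rb the 'other params preserved' example asserts only that `&token_type=Bearer` and `&state=test` survive and never checks that `access_token` was filtered in that multi-parameter input, so an implementation that scrubs the token only when it is the sole fragment parameter would pass; a second expectation on the same result, `expect(result).not_to include('secret_token')`, or `'access_token=filtered'` added to the `include` list, closes that. All examples place the token in the URL fragment (`#access_token=`); if the helper is also meant to scrub a token carried in the query string (`?access_token=`) or other secret-bearing parameters, nothing here pins it, and the name `removes_sensitive_data_from_url` suggests a broader contract than the single fragment key tested. The first example only asserts that `'http://gitlab.com'` comes back as a String; `eq('http://gitlab.com')` would additionally pin that a URL with nothing to filter is returned unchanged.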