Add latest changes from gitlab-org/gitlab@13-3-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2020-08-20 18:42:06 +0000
committer: GitLab Bot <gitlab-bot@gitlab.com> 2020-08-20 18:42:06 +0000
commit: 6e4e1050d9dba2b7b2523fdd1768823ab85feef4 (patch)
tree: 78be5963ec075d80116a932011d695dd33910b4e /spec/requests/api/files_spec.rb
parent: 1ce776de4ae122aba3f349c02c17cebeaa8ecf07 (diff)
download: gitlab-ce-6e4e1050d9dba2b7b2523fdd1768823ab85feef4.tar.gz
1 files changed, 50 insertions, 0 deletions
diff --git a/spec/requests/api/files_spec.rb b/spec/requests/api/files_spec.rb
index b50f63ed67c..d7571ad4bff 100644
--- a/spec/requests/api/files_spec.rb
+++ b/spec/requests/api/files_spec.rb
@@ -10,12 +10,14 @@ RSpec.describe API::Files do
   let(:guest) { create(:user) { |u| project.add_guest(u) } }
   let(:file_path) { "files%2Fruby%2Fpopen%2Erb" }
   let(:rouge_file_path) { "%2e%2e%2f" }
+  let(:absolute_path) { "%2Fetc%2Fpasswd.rb" }
   let(:invalid_file_message) { 'file_path should be a valid file path' }
   let(:params) do
     {
       ref: 'master'
     }
   end
+
   let(:author_email) { 'user@example.org' }
   let(:author_name) { 'John Doe' }
 
@@ -57,6 +59,18 @@ RSpec.describe API::Files do
     end
   end
 
+  shared_examples 'when path is absolute' do
+    it 'returns 400 when file path is absolute' do
+      subject
+
+      expect(response).to have_gitlab_http_status(:bad_request)
+
+      if response.body.present?
+        expect(json_response['error']).to eq(invalid_file_message)
+      end
+    end
+  end
+
   describe "HEAD /projects/:id/repository/files/:file_path" do
     shared_examples_for 'repository files' do
       it 'returns 400 when file path is invalid' do
@@ -65,6 +79,10 @@ RSpec.describe API::Files do
         expect(response).to have_gitlab_http_status(:bad_request)
       end
 
+      it_behaves_like 'when path is absolute' do
+        subject { head api(route(absolute_path), current_user), params: params }
+      end
+
       it 'returns file attributes in headers' do
         head api(route(file_path), current_user), params: params
 
@@ -165,6 +183,10 @@ RSpec.describe API::Files do
         expect(json_response['error']).to eq(invalid_file_message)
       end
 
+      it_behaves_like 'when path is absolute' do
+        subject { get api(route(absolute_path), api_user), params: params }
+      end
+
       it 'returns file attributes as json' do
         get api(route(file_path), api_user), params: params
 
@@ -350,6 +372,10 @@ RSpec.describe API::Files do
         expect(json_response['error']).to eq(invalid_file_message)
       end
 
+      it_behaves_like 'when path is absolute' do
+        subject { get api(route(absolute_path) + '/blame', current_user), params: params }
+      end
+
       it 'returns blame file attributes as json' do
         get api(route(file_path) + '/blame', current_user), params: params
 
@@ -473,6 +499,10 @@ RSpec.describe API::Files do
         expect(json_response['error']).to eq(invalid_file_message)
       end
 
+      it_behaves_like 'when path is absolute' do
+        subject { get api(route(absolute_path) + '/raw', current_user), params: params }
+      end
+
       it 'returns raw file info' do
         url = route(file_path) + "/raw"
         expect(Gitlab::Workhorse).to receive(:send_git_blob)
@@ -597,6 +627,10 @@ RSpec.describe API::Files do
       expect(json_response['error']).to eq(invalid_file_message)
     end
 
+    it_behaves_like 'when path is absolute' do
+      subject { post api(route(absolute_path), user), params: params }
+    end
+
     it "creates a new file in project repo" do
       post api(route(file_path), user), params: params
 
@@ -735,6 +769,17 @@ RSpec.describe API::Files do
       expect(json_response['error']).to eq(invalid_file_message)
     end
 
+    it_behaves_like 'when path is absolute' do
+      let(:last_commit) do
+        Gitlab::Git::Commit
+        .last_for_path(project.repository, 'master', URI.unescape(file_path))
+      end
+
+      let(:params_with_correct_id) { params.merge(last_commit_id: last_commit.id) }
+
+      subject { put api(route(absolute_path), user), params: params_with_correct_id }
+    end
+
     it "returns a 400 bad request if no params given" do
       put api(route(file_path), user)
 
@@ -770,6 +815,10 @@ RSpec.describe API::Files do
       expect(json_response['error']).to eq(invalid_file_message)
     end
 
+    it_behaves_like 'when path is absolute' do
+      subject { delete api(route(absolute_path), user), params: params }
+    end
+
     it "deletes existing file in project repo" do
       delete api(route(file_path), user), params: params
 
@@ -821,6 +870,7 @@ RSpec.describe API::Files do
         encoding: 'base64'
       }
     end
+
     let(:get_params) do
       {
         ref: 'master'
author	GitLab Bot <gitlab-bot@gitlab.com>	2020-08-20 18:42:06 +0000
committer	GitLab Bot <gitlab-bot@gitlab.com>	2020-08-20 18:42:06 +0000
commit	6e4e1050d9dba2b7b2523fdd1768823ab85feef4 (patch)
tree	78be5963ec075d80116a932011d695dd33910b4e /spec/requests/api/files_spec.rb
parent	1ce776de4ae122aba3f349c02c17cebeaa8ecf07 (diff)
download	gitlab-ce-6e4e1050d9dba2b7b2523fdd1768823ab85feef4.tar.gz