author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-03-26 18:08:03 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-03-26 18:08:03 +0000 |
commit | dc003cd08b4cb72fecbb03aa978ea0c53c03aeb4 (patch) | |
tree | 5e77ce228c33619201ac6706b9789d4a2eed2a3b /spec/requests/api | |
parent | e80e0dd64fbb04f60394cb1bb08e17dbcb22b8ce (diff) | |
download | gitlab-ce-dc003cd08b4cb72fecbb03aa978ea0c53c03aeb4.tar.gz |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'spec/requests/api')
-rw-r--r-- | spec/requests/api/deploy_tokens_spec.rb | 19 | ||||
-rw-r--r-- | spec/requests/api/groups_spec.rb | 28 | ||||
-rw-r--r-- | spec/requests/api/internal/base_spec.rb | 9 | ||||
-rw-r--r-- | spec/requests/api/project_snippets_spec.rb | 24 | ||||
-rw-r--r-- | spec/requests/api/repositories_spec.rb | 12 | ||||
-rw-r--r-- | spec/requests/api/snippets_spec.rb | 10 | ||||
-rw-r--r-- | spec/requests/api/triggers_spec.rb | 44 |
7 files changed, 129 insertions, 17 deletions
diff --git a/spec/requests/api/deploy_tokens_spec.rb b/spec/requests/api/deploy_tokens_spec.rb index fa20635056f..a885e80fd55 100644 --- a/spec/requests/api/deploy_tokens_spec.rb +++ b/spec/requests/api/deploy_tokens_spec.rb @@ -234,6 +234,25 @@ describe API::DeployTokens do expect(response).to match_response_schema('public_api/v4/deploy_token') end + context 'with no optional params given' do + let(:params) do + { + name: 'Foo', + scopes: [ + 'read_repository' + ] + } + end + + it 'creates the deploy token with default values' do + subject + + expect(response).to have_gitlab_http_status(:created) + expect(json_response['username']).to match(/gitlab\+deploy-token-\d+/) + expect(json_response['expires_at']).to eq(nil) + end + end + context 'with an invalid scope' do before do params[:scopes] = %w[read_repository all_access] diff --git a/spec/requests/api/groups_spec.rb b/spec/requests/api/groups_spec.rb index ea60f783b48..30c1f99569b 100644 --- a/spec/requests/api/groups_spec.rb +++ b/spec/requests/api/groups_spec.rb @@ -642,6 +642,20 @@ describe API::Groups do expect(json_response['default_branch_protection']).to eq(::Gitlab::Access::MAINTAINER_PROJECT_ACCESS) end + context 'malicious group name' do + subject { put api("/groups/#{group1.id}", user1), params: { name: "<SCRIPT>alert('DOUBLE-ATTACK!')</SCRIPT>" } } + + it 'returns bad request' do + subject + + expect(response).to have_gitlab_http_status(:bad_request) + end + + it 'does not update group name' do + expect { subject }.not_to change { group1.reload.name } + end + end + it 'returns 404 for a non existing group' do put api('/groups/1328', user1), params: { name: new_group_name } 
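Review bot: `expect(json_response['expires_at']).to eq(nil)` in the new 'creates the deploy token with default values' example should read `expect(json_response['expires_at']).to be_nil`, the RSpec idiom with the clearer failure message. The example name promises default values but only pins `username` and `expires_at`; since `scopes` is the one value the request supplies, echoing it back with `expect(json_response['scopes']).to eq(['read_repository'])` would also catch a silently widened scope (field name to be confirmed against the `public_api/v4/deploy_token` schema matched above the hunk). The `subject` this example runs is defined outside the hunk.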
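Review bot: The 'malicious group name' examples added here, and the parallel context in the `@@ -1083,6 +1097,20 @@` hunk of this file, assert only `:bad_request`, so any 400 — a rejected `path`, a missing parameter — would satisfy them without showing that the name is what was rejected. Asserting on the validation payload narrows that, e.g. `expect(json_response['message']).to include('name')`, provided the endpoint returns the usual message hash (worth confirming against the existing 400 examples in this file). The `group1.reload.name` and `Group.count` non-mutation checks are the right complement and could be kept as they are.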
@@ -1083,6 +1097,20 @@ describe API::Groups do expect(json_response["parent_id"]).to eq(parent.id) end + context 'malicious group name' do + subject { post api("/groups", user3), params: group_params } + + let(:group_params) { attributes_for_group_api name: "<SCRIPT>alert('ATTACKED!')</SCRIPT>", path: "unique-url" } + + it 'returns bad request' do + subject + + expect(response).to have_gitlab_http_status(:bad_request) + end + + it { expect { subject }.not_to change { Group.count } } + end + it "does not create group, duplicate" do post api("/groups", user3), params: { name: 'Duplicate Test', path: group2.path } diff --git a/spec/requests/api/internal/base_spec.rb b/spec/requests/api/internal/base_spec.rb index 426e15faaa6..77501c3a136 100644 --- a/spec/requests/api/internal/base_spec.rb +++ b/spec/requests/api/internal/base_spec.rb @@ -3,15 +3,14 @@ require 'spec_helper' describe API::Internal::Base do - set(:user) { create(:user) } + let_it_be(:user, reload: true) { create(:user) } + let_it_be(:project, reload: true) { create(:project, :repository, :wiki_repo) } + let_it_be(:personal_snippet) { create(:personal_snippet, :repository, author: user) } + let_it_be(:project_snippet) { create(:project_snippet, :repository, author: user, project: project) } let(:key) { create(:key, user: user) } - set(:project) { create(:project, :repository, :wiki_repo) } let(:secret_token) { Gitlab::Shell.secret_token } let(:gl_repository) { "project-#{project.id}" } let(:reference_counter) { double('ReferenceCounter') } - - let_it_be(:personal_snippet) { create(:personal_snippet, :repository, author: user) } - let_it_be(:project_snippet) { create(:project_snippet, :repository, author: user, project: project) } let(:snippet_changes) { "#{TestEnv::BRANCH_SHA['snippet/single-file']} #{TestEnv::BRANCH_SHA['snippet/edit-file']} refs/heads/snippet/edit-file" } describe "GET /internal/check" do 
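Review bot: `let_it_be(:personal_snippet)` and `let_it_be(:project_snippet)` are now created once for the whole file without `reload: true`, unlike `user` and `project` on the lines above them; if any example in this file mutates those records (the `snippet_changes` let just below suggests the snippet refs are pushed to), the change would persist into later examples. If that is the case, `let_it_be(:personal_snippet, reload: true) { ... }` and `let_it_be(:project_snippet, reload: true) { ... }` keep the examples isolated; if the snippets are only read, a one-line comment saying so would make the asymmetry look deliberate rather than accidental. The `describe API::Internal::Base` block continues past the hunk, so the usage could not be checked here.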
diff --git a/spec/requests/api/project_snippets_spec.rb b/spec/requests/api/project_snippets_spec.rb index 8e2aed76913..1af5d553bf0 100644 --- a/spec/requests/api/project_snippets_spec.rb +++ b/spec/requests/api/project_snippets_spec.rb @@ -164,6 +164,30 @@ describe API::ProjectSnippets do end end + context 'with an external user' do + let(:user) { create(:user, :external) } + + context 'that belongs to the project' do + before do + project.add_developer(user) + end + + it 'creates a new snippet' do + post api("/projects/#{project.id}/snippets/", user), params: params + + expect(response).to have_gitlab_http_status(:created) + end + end + + context 'that does not belong to the project' do + it 'does not create a new snippet' do + post api("/projects/#{project.id}/snippets/", user), params: params + + expect(response).to have_gitlab_http_status(:forbidden) + end + end + end + context 'with a regular user' do let(:user) { create(:user) } diff --git a/spec/requests/api/repositories_spec.rb b/spec/requests/api/repositories_spec.rb index 97dc3899d3f..b503c923037 100644 --- a/spec/requests/api/repositories_spec.rb +++ b/spec/requests/api/repositories_spec.rb @@ -275,6 +275,18 @@ describe API::Repositories do expect(response).to have_gitlab_http_status(:too_many_requests) end + + context "when hotlinking detection is enabled" do + before do + Feature.enable(:repository_archive_hotlinking_interception) + end + + it_behaves_like "hotlink interceptor" do + let(:http_request) do + get api(route, current_user), headers: headers + end + end + end end context 'when unauthenticated', 'and project is public' do diff --git a/spec/requests/api/snippets_spec.rb b/spec/requests/api/snippets_spec.rb index 865b0534cb0..caa9d9251d8 100644 --- a/spec/requests/api/snippets_spec.rb +++ b/spec/requests/api/snippets_spec.rb 
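Review bot: The 'does not create a new snippet' example for an external user who is not a project member asserts only the 403 status and so never verifies the claim in its name; the same applies to the parallel 'with an external user' example this commit adds to snippets_spec.rb. Wrapping the request the way the groups spec does makes it explicit, e.g. `expect { post api("/projects/#{project.id}/snippets/", user), params: params }.not_to change { ProjectSnippet.count }` here and `PersonalSnippet.count` in snippets_spec.rb. Whether `:forbidden` rather than `:not_found` is the stable expectation depends on the visibility of the `project` factory, which is defined outside this hunk — a private project is normally hidden from non-members with a 404, so the example only holds if the project here is public or internal. The `params` let is likewise defined outside the hunk.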
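Review bot: `Feature.enable(:repository_archive_hotlinking_interception)` in the new `before` block flips the flag in the backing store rather than stubbing it, so unless the suite resets feature state per example the flag stays on for the later examples in this file, including the 'when unauthenticated' context that follows the hunk. `stub_feature_flags(repository_archive_hotlinking_interception: true)` is the example-scoped form used elsewhere in the GitLab suite and avoids that leak. The `it_behaves_like "hotlink interceptor"` shared example and the `route`, `current_user` and `headers` lets it relies on are defined outside this hunk, so their contract could not be checked here.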
@@ -266,6 +266,16 @@ describe API::Snippets do it_behaves_like 'snippet creation' + context 'with an external user' do + let(:user) { create(:user, :external) } + + it 'does not create a new snippet' do + post api("/snippets/", user), params: params + + expect(response).to have_gitlab_http_status(:forbidden) + end + end + it 'returns 400 for missing parameters' do params.delete(:title) diff --git a/spec/requests/api/triggers_spec.rb b/spec/requests/api/triggers_spec.rb index bcc1c6bc4d4..19b01cb7913 100644 --- a/spec/requests/api/triggers_spec.rb +++ b/spec/requests/api/triggers_spec.rb 
@@ -238,24 +238,44 @@ describe API::Triggers do end describe 'PUT /projects/:id/triggers/:trigger_id' do - context 'authenticated user with valid permissions' do - let(:new_description) { 'new description' } + context 'user is maintainer of the project' do + context 'the trigger belongs to user' do + let(:new_description) { 'new description' } - it 'updates description' do - put api("/projects/#{project.id}/triggers/#{trigger.id}", user), - params: { description: new_description } + it 'updates description' do + put api("/projects/#{project.id}/triggers/#{trigger.id}", user), + params: { description: new_description } - expect(response).to have_gitlab_http_status(:ok) - expect(json_response).to include('description' => new_description) - expect(trigger.reload.description).to eq(new_description) + expect(response).to have_gitlab_http_status(:ok) + expect(json_response).to include('description' => new_description) + expect(trigger.reload.description).to eq(new_description) + end + end + + context 'the trigger does not belong to user' do + it 'does not update trigger' do + put api("/projects/#{project.id}/triggers/#{trigger2.id}", user) + + expect(response).to have_gitlab_http_status(:forbidden) + end end end - context 'authenticated user with invalid permissions' do - it 'does not update trigger' do - put api("/projects/#{project.id}/triggers/#{trigger.id}", user2) + context 'user is developer of the project' do + context 'the trigger belongs to user' do + it 'does not update trigger' do + put api("/projects/#{project.id}/triggers/#{trigger2.id}", user2) - expect(response).to have_gitlab_http_status(:forbidden) + expect(response).to have_gitlab_http_status(:forbidden) + end + end + + context 'the trigger does not belong to user' do + it 'does not update trigger' do + put api("/projects/#{project.id}/triggers/#{trigger.id}", user2) + + expect(response).to have_gitlab_http_status(:forbidden) + end end end |
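Review bot: The three new 'does not update trigger' examples send no `params`, so their 403 shows the request was refused but not that an actual update with a description is rejected, and the authorization path may differ once a payload is present. Sending the same payload as the positive case and pinning the record makes the negative examples symmetrical, e.g. `put api("/projects/#{project.id}/triggers/#{trigger2.id}", user), params: { description: 'new description' }` followed by `expect(trigger2.reload.description).not_to eq('new description')`. The context names ('the trigger belongs to user') presume that `trigger` is owned by `user` and `trigger2` by `user2`, which is set up outside this hunk and is worth confirming against those lets. The enclosing `describe 'PUT /projects/:id/triggers/:trigger_id'` block may also close outside the hunk.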