authorGitLab Bot <gitlab-bot@gitlab.com>2023-01-09 10:41:08 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2023-01-09 10:41:08 +0000
commit66f47187da83f122b48b21ff1a8096e0d9f9e7fd (patch)
treea966c43b1a973a61d362dc7077e24ed12cb52ce3 /spec
parent877eefdb6d765fd9fd437b8328ecbe00cb07438a (diff)
Add latest changes from gitlab-org/security/gitlab@15-7-stable-ee
Diffstat (limited to 'spec')
-rw-r--r--spec/helpers/submodule_helper_spec.rb2
-rw-r--r--spec/lib/gitlab/safe_device_detector_spec.rb20
-rw-r--r--spec/models/hooks/web_hook_spec.rb28
-rw-r--r--spec/services/error_tracking/list_projects_service_spec.rb30
-rw-r--r--spec/services/web_hook_service_spec.rb5
5 files changed, 76 insertions, 9 deletions
diff --git a/spec/helpers/submodule_helper_spec.rb b/spec/helpers/submodule_helper_spec.rb
index a419b6b9c84..2e8304e8b49 100644
--- a/spec/helpers/submodule_helper_spec.rb
+++ b/spec/helpers/submodule_helper_spec.rb
@@ -2,7 +2,7 @@
require 'spec_helper'
-RSpec.describe SubmoduleHelper do
+RSpec.describe SubmoduleHelper, feature_category: :source_code_management do
include RepoHelpers
let(:submodule_item) { double(id: 'hash', path: 'rack') }
diff --git a/spec/lib/gitlab/safe_device_detector_spec.rb b/spec/lib/gitlab/safe_device_detector_spec.rb
new file mode 100644
index 00000000000..c37dc1e1c7e
--- /dev/null
+++ b/spec/lib/gitlab/safe_device_detector_spec.rb
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require 'fast_spec_helper'
+require 'device_detector'
+require_relative '../../../lib/gitlab/safe_device_detector'
+
+RSpec.describe Gitlab::SafeDeviceDetector, feature_category: :authentication_and_authorization do
+ it 'retains the behavior for normal user agents' do
+ chrome_user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 \
+ (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
+
+ expect(described_class.new(chrome_user_agent).user_agent).to be_eql(chrome_user_agent)
+ expect(described_class.new(chrome_user_agent).name).to be_eql('Chrome')
+ end
+
+ it 'truncates big user agents' do
+ big_user_agent = "chrome #{'abc' * 1024}"
+ expect(described_class.new(big_user_agent).user_agent).not_to be_eql(big_user_agent)
+ end
+end
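Review bot: The 'truncates big user agents' example only asserts that the stored user agent differs from the input, so it passes for any change to the string whether or not a length cap is actually enforced. Since the wrapper exists to bound what the user-agent parser is given, the test should pin that bound: take `truncated = described_class.new(big_user_agent).user_agent`, then `expect(big_user_agent).to start_with(truncated)` and `expect(truncated.length).to be < big_user_agent.length`. Ideally it would compare against the class's own size limit, which is not visible in this diff. If callers can pass a missing (nil) user agent, an example for that input would be worth adding too.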
diff --git a/spec/models/hooks/web_hook_spec.rb b/spec/models/hooks/web_hook_spec.rb
index 994d5688808..75ff917c036 100644
--- a/spec/models/hooks/web_hook_spec.rb
+++ b/spec/models/hooks/web_hook_spec.rb
@@ -2,7 +2,7 @@
require 'spec_helper'
-RSpec.describe WebHook do
+RSpec.describe WebHook, feature_category: :integrations do
include AfterNextHelpers
let_it_be(:project) { create(:project) }
@@ -225,6 +225,32 @@ RSpec.describe WebHook do
end
end
+ describe 'before_validation :reset_url_variables' do
+ subject(:hook) { build_stubbed(:project_hook, :url_variables, project: project, url: 'http://example.com/{abc}') }
+
+ it 'resets url variables if url changed' do
+ hook.url = 'http://example.com/new-hook'
+
+ expect(hook).to be_valid
+ expect(hook.url_variables).to eq({})
+ end
+
+ it 'resets url variables if url is changed but url variables stayed the same' do
+ hook.url = 'http://test.example.com/{abc}'
+
+ expect(hook).not_to be_valid
+ expect(hook.url_variables).to eq({})
+ end
+
+ it 'does not reset url variables if both url and url variables are changed' do
+ hook.url = 'http://example.com/{one}/{two}'
+ hook.url_variables = { 'one' => 'foo', 'two' => 'bar' }
+
+ expect(hook).to be_valid
+ expect(hook.url_variables).to eq({ 'one' => 'foo', 'two' => 'bar' })
+ end
+ end
+
it "only consider these branch filter strategies are valid" do
expected_valid_types = %w[all_branches regex wildcard]
expect(described_class.branch_filter_strategies.keys).to contain_exactly(*expected_valid_types)
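Review bot: In 'resets url variables if url is changed but url variables stayed the same', `expect(hook).not_to be_valid` does not pin why the hook is invalid, so the example keeps passing if the record becomes invalid for an unrelated reason. Add an assertion on `hook.errors` for the attribute that reports the now-undefined `{abc}` placeholder; which attribute that is cannot be seen in this hunk. A comment above the describe would also help, for example `# Stored url_variables must not carry over to a changed URL, or a secret value could be sent to a different host`, though that rationale is inferred from the example names. The enclosing RSpec.describe block starts and ends outside the hunk.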
diff --git a/spec/services/error_tracking/list_projects_service_spec.rb b/spec/services/error_tracking/list_projects_service_spec.rb
index ce391bd1ca0..8408adcc21d 100644
--- a/spec/services/error_tracking/list_projects_service_spec.rb
+++ b/spec/services/error_tracking/list_projects_service_spec.rb
@@ -2,7 +2,7 @@
require 'spec_helper'
-RSpec.describe ErrorTracking::ListProjectsService do
+RSpec.describe ErrorTracking::ListProjectsService, feature_category: :integrations do
let_it_be(:user) { create(:user) }
let_it_be(:project, reload: true) { create(:project) }
@@ -51,15 +51,33 @@ RSpec.describe ErrorTracking::ListProjectsService do
end
context 'masked param token' do
- let(:params) { ActionController::Parameters.new(token: "*********", api_host: new_api_host) }
+ let(:params) { ActionController::Parameters.new(token: "*********", api_host: api_host) }
- before do
- expect(error_tracking_setting).to receive(:list_sentry_projects)
+ context 'with the current api host' do
+ let(:api_host) { 'https://sentrytest.gitlab.com' }
+
+ before do
+ expect(error_tracking_setting).to receive(:list_sentry_projects)
.and_return({ projects: [] })
+ end
+
+ it 'uses database token' do
+ expect { subject.execute }.not_to change { error_tracking_setting.token }
+ end
end
- it 'uses database token' do
- expect { subject.execute }.not_to change { error_tracking_setting.token }
+ context 'with a new api host' do
+ let(:api_host) { new_api_host }
+
+ it 'returns an error' do
+ expect(result[:message]).to start_with('Token is a required field')
+ expect(error_tracking_setting).not_to be_valid
+ expect(error_tracking_setting).not_to receive(:list_sentry_projects)
+ end
+
+ it 'resets the token' do
+ expect { subject.execute }.to change { error_tracking_setting.token }.from(token).to(nil)
+ end
end
end
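Review bot: In 'returns an error' under 'with a new api host', `expect(error_tracking_setting).not_to receive(:list_sentry_projects)` is declared after `result[:message]` has already been read. If `result` is a lazily evaluated `subject.execute` (its definition is outside the hunk), the service has run by then and this negative expectation can never fail. That leaves the property the context is about unverified: that no request is made to the new API host while the stored token is still in place. Move that line to the top of the example, or into a `before` block for this context, so it is registered before `result` is evaluated.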
diff --git a/spec/services/web_hook_service_spec.rb b/spec/services/web_hook_service_spec.rb
index c081b20d95f..4b925a058e7 100644
--- a/spec/services/web_hook_service_spec.rb
+++ b/spec/services/web_hook_service_spec.rb
@@ -129,7 +129,10 @@ RSpec.describe WebHookService, :request_store, :clean_gitlab_redis_shared_state
context 'there is userinfo' do
before do
- project_hook.update!(url: 'http://{one}:{two}@example.com')
+ project_hook.update!(
+ url: 'http://{one}:{two}@example.com',
+ url_variables: { 'one' => 'a', 'two' => 'b' }
+ )
stub_full_request('http://example.com', method: :post)
end