Add latest changes from gitlab-org/security/gitlab@14-9-stable-ee

3 files changed, 76 insertions, 7 deletions

diff --git a/spec/initializers/rdoc_segfault_patch_spec.rb b/spec/initializers/rdoc_segfault_patch_spec.rb
new file mode 100644
index 00000000000..f9630295052
--- /dev/null
+++ b/spec/initializers/rdoc_segfault_patch_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+RSpec.describe 'RDoc segfault patch fix' do
+  describe 'RDoc::Markup::ToHtml' do
+    describe '#parseable?' do
+      it 'returns false' do
+        to_html = RDoc::Markup::ToHtml.new( nil)
+
+        expect(to_html.parseable?('"def foo; end"')).to eq(false)
+      end
+    end
+  end
+
+  describe 'RDoc::Markup::Verbatim' do
+    describe 'ruby?' do
+      it 'returns false' do
+        verbatim = RDoc::Markup::Verbatim.new('def foo; end')
+        verbatim.format = :ruby
+
+        expect(verbatim.ruby?).to eq(false)
+      end
+    end
+  end
+end
diff --git a/spec/lib/banzai/filter/syntax_highlight_filter_spec.rb b/spec/lib/banzai/filter/syntax_highlight_filter_spec.rb
index aee4bd93207..16c958ec10b 100644
--- a/spec/lib/banzai/filter/syntax_highlight_filter_spec.rb
+++ b/spec/lib/banzai/filter/syntax_highlight_filter_spec.rb
@@ -132,6 +132,12 @@ RSpec.describe Banzai::Filter::SyntaxHighlightFilter do
 
       expect(result.to_html.delete("\n")).to eq('<div class="gl-relative markdown-code-block js-markdown-code"><pre data-sourcepos="1:1-3:3" class="code highlight js-syntax-highlight language-plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">This is a test</span></code></pre><copy-code></copy-code></div>')
     end
+
+    it "escape sourcepos metadata to prevent XSS" do
+      result = filter('<pre data-sourcepos="&#34;%22 href=&#34;x&#34;></pre><base href=http://unsafe-website.com/><pre x=&#34;"><code></code></pre>')
+
+      expect(result.to_html.delete("\n")).to eq('<div class="gl-relative markdown-code-block js-markdown-code"><pre data-sourcepos=\'"%22 href="x"&gt;&lt;/pre&gt;&lt;base href=http://unsafe-website.com/&gt;&lt;pre x="\' class="code highlight js-syntax-highlight language-plaintext" lang="plaintext" v-pre="true"><code></code></pre><copy-code></copy-code></div>')
+    end
   end
 
   context "when Rouge lexing fails" do
diff --git a/spec/lib/gitlab/import_export/members_mapper_spec.rb b/spec/lib/gitlab/import_export/members_mapper_spec.rb
index 8d9bff9c610..87ca899a87d 100644
--- a/spec/lib/gitlab/import_export/members_mapper_spec.rb
+++ b/spec/lib/gitlab/import_export/members_mapper_spec.rb
@@ -17,7 +17,7 @@ RSpec.describe Gitlab::ImportExport::MembersMapper do
            "notification_level" => 3,
            "created_at" => "2016-03-11T10:21:44.822Z",
            "updated_at" => "2016-03-11T10:21:44.822Z",
-           "created_by_id" => nil,
+           "created_by_id" => 1,
            "invite_email" => nil,
            "invite_token" => nil,
            "invite_accepted_at" => nil,
@@ -38,10 +38,24 @@ RSpec.describe Gitlab::ImportExport::MembersMapper do
            "notification_level" => 3,
            "created_at" => "2016-03-11T10:21:44.822Z",
            "updated_at" => "2016-03-11T10:21:44.822Z",
-           "created_by_id" => 1,
+           "created_by_id" => 2,
            "invite_email" => 'invite@test.com',
            "invite_token" => 'token',
            "invite_accepted_at" => nil
+         },
+         {
+           "id" => 3,
+           "access_level" => 40,
+           "source_id" => 14,
+           "source_type" => source_type,
+           "user_id" => nil,
+           "notification_level" => 3,
+           "created_at" => "2016-03-11T10:21:44.822Z",
+           "updated_at" => "2016-03-11T10:21:44.822Z",
+           "created_by_id" => nil,
+           "invite_email" => 'invite2@test.com',
+           "invite_token" => 'token',
+           "invite_accepted_at" => nil
          }]
       end
 
@@ -68,12 +82,37 @@ RSpec.describe Gitlab::ImportExport::MembersMapper do
         expect(member_class.find_by_invite_email('invite@test.com')).not_to be_nil
       end
 
-      it 'removes old user_id from member_hash to avoid conflict with user key' do
+      it 'maps created_by_id to user on new instance' do
+        expect(member_class)
+          .to receive(:create)
+            .once
+            .with(hash_including('user_id' => user2.id, 'created_by_id' => nil))
+            .and_call_original
+        expect(member_class)
+          .to receive(:create)
+            .once
+            .with(hash_including('invite_email' => 'invite@test.com', 'created_by_id' => nil))
+            .and_call_original
+        expect(member_class)
+          .to receive(:create)
+            .once
+            .with(hash_including('invite_email' => 'invite2@test.com', 'created_by_id' => nil))
+            .and_call_original
+
+        members_mapper.map
+      end
+
+      it 'replaced user_id with user_id from new instance' do
+        expect(member_class)
+          .to receive(:create)
+            .once
+            .with(hash_including('user_id' => user2.id))
+            .and_call_original
         expect(member_class)
           .to receive(:create)
-                .twice
-                .with(hash_excluding('user_id'))
-                .and_call_original
+            .twice
+            .with(hash_excluding('user_id'))
+            .and_call_original
 
         members_mapper.map
       end
@@ -99,7 +138,7 @@ RSpec.describe Gitlab::ImportExport::MembersMapper do
           end
 
           expect(logger).to receive(:info).with(hash_including(expected_log_params.call(user2.id))).once
-          expect(logger).to receive(:info).with(hash_including(expected_log_params.call(nil))).once
+          expect(logger).to receive(:info).with(hash_including(expected_log_params.call(nil))).twice
 
           members_mapper.map
         end