diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-11-30 04:47:13 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-11-30 04:47:32 +0000 |
commit | 1f6654659564013b8aa4f3572158cb63d3a519c1 (patch) | |
tree | 0db2ae38308cb4ce7c7f33bfc670e228ea2be1e7 /spec | |
parent | d7437af3f31f388bf59b23a06c9bff5c8c5fd157 (diff) | |
download | gitlab-ce-1f6654659564013b8aa4f3572158cb63d3a519c1.tar.gz |
Add latest changes from gitlab-org/security/gitlab@15-6-stable-ee
Diffstat (limited to 'spec')
-rw-r--r-- | spec/lib/gitlab/hook_data/project_builder_spec.rb | 4 | ||||
-rw-r--r-- | spec/lib/gitlab/hook_data/project_member_builder_spec.rb | 2 | ||||
-rw-r--r-- | spec/models/ci/build_runner_session_spec.rb | 51 | ||||
-rw-r--r-- | spec/models/project_spec.rb | 4 | ||||
-rw-r--r-- | spec/requests/api/ci/runner/jobs_request_post_spec.rb | 35 |
5 files changed, 91 insertions, 5 deletions
diff --git a/spec/lib/gitlab/hook_data/project_builder_spec.rb b/spec/lib/gitlab/hook_data/project_builder_spec.rb index 729712510ea..f80faac563d 100644 --- a/spec/lib/gitlab/hook_data/project_builder_spec.rb +++ b/spec/lib/gitlab/hook_data/project_builder_spec.rb @@ -29,8 +29,8 @@ RSpec.describe Gitlab::HookData::ProjectBuilder do expect(data[:path_with_namespace]).to eq(project.full_path) expect(data[:project_id]).to eq(project.id) expect(data[:owner_name]).to eq('John') - expect(data[:owner_email]).to eq('john@example.com') - expect(data[:owners]).to contain_exactly({ name: 'John', email: 'john@example.com' }) + expect(data[:owner_email]).to eq(_('[REDACTED]')) + expect(data[:owners]).to contain_exactly({ name: 'John', email: _('[REDACTED]') }) expect(data[:project_visibility]).to eq('internal') end end diff --git a/spec/lib/gitlab/hook_data/project_member_builder_spec.rb b/spec/lib/gitlab/hook_data/project_member_builder_spec.rb index 76446adf7b7..ea71c5442f4 100644 --- a/spec/lib/gitlab/hook_data/project_member_builder_spec.rb +++ b/spec/lib/gitlab/hook_data/project_member_builder_spec.rb @@ -27,7 +27,7 @@ RSpec.describe Gitlab::HookData::ProjectMemberBuilder do expect(data[:user_username]).to eq('johndoe') expect(data[:user_name]).to eq('John Doe') expect(data[:user_id]).to eq(user.id) - expect(data[:user_email]).to eq('john@example.com') + expect(data[:user_email]).to eq(_('[REDACTED]')) expect(data[:access_level]).to eq('Developer') expect(data[:project_visibility]).to eq('internal') end diff --git a/spec/models/ci/build_runner_session_spec.rb b/spec/models/ci/build_runner_session_spec.rb index 9bb8a1bd626..8dfe854511c 100644 --- a/spec/models/ci/build_runner_session_spec.rb +++ b/spec/models/ci/build_runner_session_spec.rb @@ -13,6 +13,45 @@ RSpec.describe Ci::BuildRunnerSession, model: true do it { is_expected.to validate_presence_of(:build) } it { is_expected.to validate_presence_of(:url).with_message('must be a valid URL') } + context 'url validation of local web hook address' do + let(:url) { 'https://127.0.0.1:7777' } + + subject(:build_with_local_runner_session_url) do + create(:ci_build).tap { |b| b.update!(runner_session_attributes: { url: url }) } + end + + context 'with allow_local_requests_from_web_hooks_and_services? stubbed' do + before do + allow(ApplicationSetting).to receive(:current).and_return(ApplicationSetting.new) + stub_application_setting(allow_local_requests_from_web_hooks_and_services: allow_local_requests) + end + + context 'as returning true' do + let(:allow_local_requests) { true } + + it 'creates a new session', :aggregate_failures do + session = build_with_local_runner_session_url.reload.runner_session + + expect(session.errors).to be_empty + expect(session).to be_a(Ci::BuildRunnerSession) + expect(session.url).to eq(url) + end + end + + context 'as returning false' do + let(:allow_local_requests) { false } + + it 'does not create a new session' do + expect { build_with_local_runner_session_url }.to raise_error(ActiveRecord::RecordInvalid) do |err| + expect(err.record.errors.full_messages).to include( + 'Runner session url is blocked: Requests to localhost are not allowed' + ) + end + end + end + end + end + context 'nested attribute assignment' do it 'creates a new session' do simple_build = create(:ci_build) @@ -49,6 +88,12 @@ RSpec.describe Ci::BuildRunnerSession, model: true do expect(specification).to be_empty end + it 'returns url with appended query if url has query' do + subject.url = 'https://new.example.com:7777/some_path?dummy=' + + expect(specification[:url]).to eq('wss://new.example.com:7777/some_path/exec?dummy=') + end + context 'when url is present' do it 'returns ca_pem nil if empty certificate' do subject.certificate = '' @@ -85,6 +130,12 @@ RSpec.describe Ci::BuildRunnerSession, model: true do expect(specification).to be_empty end + it 'returns url with appended query if url has query' do + subject.url = 'https://new.example.com:7777/some_path?dummy=' + + expect(specification[:url]).to eq("https://new.example.com:7777/some_path/proxy/#{service}/#{port}/#{path}?dummy=") + end + context 'when port is not present' do let(:port) { nil } diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb index 8cccc9ad83e..1cae03ae2ae 100644 --- a/spec/models/project_spec.rb +++ b/spec/models/project_spec.rb @@ -5512,8 +5512,8 @@ RSpec.describe Project, factory_default: :keep do let(:import_state) { create(:import_state, project: project) } it 'runs the correct hooks' do - expect(project.repository).to receive(:remove_prohibited_branches) - expect(project.repository).to receive(:expire_content_cache) + expect(project.repository).to receive(:expire_content_cache).ordered + expect(project.repository).to receive(:remove_prohibited_branches).ordered expect(project.wiki.repository).to receive(:expire_content_cache) expect(import_state).to receive(:finish) expect(project).to receive(:update_project_counter_caches) diff --git a/spec/requests/api/ci/runner/jobs_request_post_spec.rb b/spec/requests/api/ci/runner/jobs_request_post_spec.rb index 1cb4cc93ea5..d69a3f5a980 100644 --- a/spec/requests/api/ci/runner/jobs_request_post_spec.rb +++ b/spec/requests/api/ci/runner/jobs_request_post_spec.rb @@ -949,6 +949,41 @@ RSpec.describe API::Ci::Runner, :clean_gitlab_redis_shared_state do end end + context 'with session url set to local URL' do + let(:job_params) { { session: { url: 'https://127.0.0.1:7777' } } } + + context 'with allow_local_requests_from_web_hooks_and_services? stubbed' do + before do + allow(ApplicationSetting).to receive(:current).and_return(ApplicationSetting.new) + stub_application_setting(allow_local_requests_from_web_hooks_and_services: allow_local_requests) + ci_build + end + + let(:ci_build) { create(:ci_build, :pending, :queued, pipeline: pipeline) } + + context 'as returning true' do + let(:allow_local_requests) { true } + + it 'creates a new session' do + request_job(**job_params) + + expect(response).to have_gitlab_http_status(:created) + end + end + + context 'as returning false' do + let(:allow_local_requests) { false } + + it 'returns :unprocessable_entity status code', :aggregate_failures do + request_job(**job_params) + + expect(response).to have_gitlab_http_status(:conflict) + expect(response.body).to include('409 Conflict') + end + end + end + end + def request_job(token = runner.token, **params) new_params = params.merge(token: token, last_update: last_update) post api('/jobs/request'), params: new_params.to_json, headers: { 'User-Agent' => user_agent, 'Content-Type': 'application/json' } |