Add latest changes from gitlab-org/security/gitlab@14-1-stable-ee

8 files changed, 393 insertions, 9 deletions

diff --git a/spec/controllers/profiles/two_factor_auths_controller_spec.rb b/spec/controllers/profiles/two_factor_auths_controller_spec.rb
index 59eb33f4bc6..2fbc529037c 100644
--- a/spec/controllers/profiles/two_factor_auths_controller_spec.rb
+++ b/spec/controllers/profiles/two_factor_auths_controller_spec.rb
@@ -10,6 +10,27 @@ RSpec.describe Profiles::TwoFactorAuthsController do
     allow(subject).to receive(:current_user).and_return(user)
   end
 
+  shared_examples 'user must enter a valid current password' do
+    let(:current_password) { '123' }
+
+    it 'requires the current password', :aggregate_failures do
+      go
+
+      expect(response).to redirect_to(profile_two_factor_auth_path)
+      expect(flash[:alert]).to eq(_('You must provide a valid current password'))
+    end
+
+    context 'when the user is on the last sign in attempt' do
+      it do
+        user.update!(failed_attempts: User.maximum_attempts.pred)
+
+        go
+
+        expect(user.reload).to be_access_locked
+      end
+    end
+  end
+
   describe 'GET show' do
     let(:user) { create(:user) }
 
@@ -39,9 +60,10 @@ RSpec.describe Profiles::TwoFactorAuthsController do
   describe 'POST create' do
     let(:user) { create(:user) }
     let(:pin)  { 'pin-code' }
+    let(:current_password) { user.password }
 
     def go
-      post :create, params: { pin_code: pin }
+      post :create, params: { pin_code: pin, current_password: current_password }
     end
 
     context 'with valid pin' do
@@ -99,28 +121,38 @@ RSpec.describe Profiles::TwoFactorAuthsController do
         expect(response).to render_template(:show)
       end
     end
+
+    it_behaves_like 'user must enter a valid current password'
   end
 
   describe 'POST codes' do
     let(:user) { create(:user, :two_factor) }
 
+    let(:current_password) { user.password }
+
     it 'presents plaintext codes for the user to save' do
       expect(user).to receive(:generate_otp_backup_codes!).and_return(%w(a b c))
 
-      post :codes
+      post :codes, params: { current_password: current_password }
       expect(assigns[:codes]).to match_array %w(a b c)
     end
 
     it 'persists the generated codes' do
-      post :codes
+      post :codes, params: { current_password: current_password }
 
       user.reload
       expect(user.otp_backup_codes).not_to be_empty
     end
+
+    it_behaves_like 'user must enter a valid current password' do
+      let(:go) { post :codes, params: { current_password: current_password } }
+    end
   end
 
   describe 'DELETE destroy' do
-    subject { delete :destroy }
+    subject { delete :destroy, params: { current_password: current_password } }
+
+    let(:current_password) { user.password }
 
     context 'for a user that has 2FA enabled' do
       let(:user) { create(:user, :two_factor) }
@@ -143,6 +175,10 @@ RSpec.describe Profiles::TwoFactorAuthsController do
         expect(flash[:notice])
           .to eq _('Two-factor authentication has been disabled successfully!')
       end
+
+      it_behaves_like 'user must enter a valid current password' do
+        let(:go) { delete :destroy, params: { current_password: current_password } }
+      end
     end
 
     context 'for a user that does not have 2FA enabled' do
diff --git a/spec/features/profiles/two_factor_auths_spec.rb b/spec/features/profiles/two_factor_auths_spec.rb
new file mode 100644
index 00000000000..e1feca5031a
--- /dev/null
+++ b/spec/features/profiles/two_factor_auths_spec.rb
@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'Two factor auths' do
+  context 'when signed in' do
+    before do
+      allow(Gitlab).to receive(:com?) { true }
+    end
+
+    context 'when user has two-factor authentication disabled' do
+      let(:user) { create(:user ) }
+
+      before do
+        sign_in(user)
+      end
+
+      it 'requires the current password to set up two factor authentication', :js do
+        visit profile_two_factor_auth_path
+
+        register_2fa(user.reload.current_otp, '123')
+
+        expect(page).to have_content('You must provide a valid current password')
+
+        register_2fa(user.reload.current_otp, user.password)
+
+        expect(page).to have_content('Please copy, download, or print your recovery codes before proceeding.')
+
+        click_button 'Copy codes'
+        click_link 'Proceed'
+
+        expect(page).to have_content('Status: Enabled')
+      end
+    end
+
+    context 'when user has two-factor authentication enabled' do
+      let(:user) { create(:user, :two_factor) }
+
+      before do
+        sign_in(user)
+      end
+
+      it 'requires the current_password to disable two-factor authentication', :js do
+        visit profile_two_factor_auth_path
+
+        fill_in 'current_password', with: '123'
+
+        click_button 'Disable two-factor authentication'
+
+        page.accept_alert
+
+        expect(page).to have_content('You must provide a valid current password')
+
+        fill_in 'current_password', with: user.password
+
+        click_button 'Disable two-factor authentication'
+
+        page.accept_alert
+
+        expect(page).to have_content('Two-factor authentication has been disabled successfully!')
+        expect(page).to have_content('Enable two-factor authentication')
+      end
+
+      it 'requires the current_password to regernate recovery codes', :js do
+        visit profile_two_factor_auth_path
+
+        fill_in 'current_password', with: '123'
+
+        click_button 'Regenerate recovery codes'
+
+        expect(page).to have_content('You must provide a valid current password')
+
+        fill_in 'current_password', with: user.password
+
+        click_button 'Regenerate recovery codes'
+
+        expect(page).to have_content('Please copy, download, or print your recovery codes before proceeding.')
+      end
+    end
+
+    def register_2fa(pin, password)
+      fill_in 'pin_code', with: pin
+      fill_in 'current_password', with: password
+
+      click_button 'Register with two-factor app'
+    end
+  end
+end
diff --git a/spec/features/users/login_spec.rb b/spec/features/users/login_spec.rb
index 6c38d5d8b24..5597bc82309 100644
--- a/spec/features/users/login_spec.rb
+++ b/spec/features/users/login_spec.rb
@@ -796,6 +796,7 @@ RSpec.describe 'Login' do
           expect(current_path).to eq(profile_two_factor_auth_path)
 
           fill_in 'pin_code', with: user.reload.current_otp
+          fill_in 'current_password', with: user.password
 
           click_button 'Register with two-factor app'
           click_button 'Copy codes'
diff --git a/spec/frontend/authentication/two_factor_auth/components/__snapshots__/manage_two_factor_form_spec.js.snap b/spec/frontend/authentication/two_factor_auth/components/__snapshots__/manage_two_factor_form_spec.js.snap
new file mode 100644
index 00000000000..3fe0e570a54
--- /dev/null
+++ b/spec/frontend/authentication/two_factor_auth/components/__snapshots__/manage_two_factor_form_spec.js.snap
@@ -0,0 +1,99 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`ManageTwoFactorForm Disable button renders the component correctly 1`] = `
+VueWrapper {
+  "_emitted": Object {},
+  "_emittedByOrder": Array [],
+  "isFunctionalComponent": undefined,
+}
+`;
+
+exports[`ManageTwoFactorForm Disable button renders the component correctly 2`] = `
+<form
+  action="#"
+  class="gl-display-inline-block"
+  method="post"
+>
+  <input
+    data-testid="test-2fa-method-field"
+    name="_method"
+    type="hidden"
+  />
+   
+  <input
+    name="authenticity_token"
+    type="hidden"
+  />
+   
+  <div
+    class="form-group gl-form-group"
+    id="__BVID__15"
+    role="group"
+  >
+    <label
+      class="d-block col-form-label"
+      for="current-password"
+      id="__BVID__15__BV_label_"
+    >
+      Current password
+    </label>
+    <div
+      class="bv-no-focus-ring"
+    >
+      <input
+        aria-required="true"
+        class="gl-form-input form-control"
+        data-qa-selector="current_password_field"
+        id="current-password"
+        name="current_password"
+        required="required"
+        type="password"
+      />
+      <!---->
+      <!---->
+      <!---->
+    </div>
+  </div>
+   
+  <button
+    class="btn btn-danger gl-mr-3 gl-display-inline-block btn-danger btn-md gl-button"
+    data-confirm="Are you sure? This will invalidate your registered applications and U2F devices."
+    data-form-action="2fa_auth_path"
+    data-form-method="2fa_auth_method"
+    data-testid="test-2fa-disable-button"
+    type="submit"
+  >
+    <!---->
+     
+    <!---->
+      
+    <span
+      class="gl-button-text"
+    >
+      
+    Disable two-factor authentication
+  
+    </span>
+  </button>
+   
+  <button
+    class="btn gl-display-inline-block btn-default btn-md gl-button"
+    data-form-action="2fa_codes_path"
+    data-form-method="2fa_codes_method"
+    data-testid="test-2fa-regenerate-codes-button"
+    type="submit"
+  >
+    <!---->
+     
+    <!---->
+      
+    <span
+      class="gl-button-text"
+    >
+      
+    Regenerate recovery codes
+  
+    </span>
+  </button>
+</form>
+`;
diff --git a/spec/frontend/authentication/two_factor_auth/components/manage_two_factor_form_spec.js b/spec/frontend/authentication/two_factor_auth/components/manage_two_factor_form_spec.js
new file mode 100644
index 00000000000..384579c6876
--- /dev/null
+++ b/spec/frontend/authentication/two_factor_auth/components/manage_two_factor_form_spec.js
@@ -0,0 +1,98 @@
+import { within } from '@testing-library/dom';
+import { mount } from '@vue/test-utils';
+import { extendedWrapper } from 'helpers/vue_test_utils_helper';
+import ManageTwoFactorForm, {
+  i18n,
+} from '~/authentication/two_factor_auth/components/manage_two_factor_form.vue';
+
+describe('ManageTwoFactorForm', () => {
+  let wrapper;
+
+  const createComponent = (options = {}) => {
+    wrapper = extendedWrapper(
+      mount(ManageTwoFactorForm, {
+        provide: {
+          webauthnEnabled: options?.webauthnEnabled || false,
+          profileTwoFactorAuthPath: '2fa_auth_path',
+          profileTwoFactorAuthMethod: '2fa_auth_method',
+          codesProfileTwoFactorAuthPath: '2fa_codes_path',
+          codesProfileTwoFactorAuthMethod: '2fa_codes_method',
+        },
+      }),
+    );
+  };
+
+  const queryByText = (text, options) => within(wrapper.element).queryByText(text, options);
+  const queryByLabelText = (text, options) =>
+    within(wrapper.element).queryByLabelText(text, options);
+
+  beforeEach(() => {
+    createComponent();
+  });
+
+  describe('Current password field', () => {
+    it('renders the current password field', () => {
+      expect(queryByLabelText(i18n.currentPassword).tagName).toEqual('INPUT');
+    });
+  });
+
+  describe('Disable button', () => {
+    it('renders the component correctly', () => {
+      expect(wrapper).toMatchSnapshot();
+      expect(wrapper.element).toMatchSnapshot();
+    });
+
+    it('has the right confirm text', () => {
+      expect(wrapper.findByTestId('test-2fa-disable-button').element.dataset.confirm).toEqual(
+        i18n.confirm,
+      );
+    });
+
+    describe('when webauthnEnabled', () => {
+      beforeEach(() => {
+        createComponent({
+          webauthnEnabled: true,
+        });
+      });
+
+      it('has the right confirm text', () => {
+        expect(wrapper.findByTestId('test-2fa-disable-button').element.dataset.confirm).toEqual(
+          i18n.confirmWebAuthn,
+        );
+      });
+    });
+
+    it('modifies the form action and method when submitted through the button', async () => {
+      const form = wrapper.find('form');
+      const disableButton = wrapper.findByTestId('test-2fa-disable-button').element;
+      const methodInput = wrapper.findByTestId('test-2fa-method-field').element;
+
+      form.trigger('submit', { submitter: disableButton });
+
+      await wrapper.vm.$nextTick();
+
+      expect(form.element.getAttribute('action')).toEqual('2fa_auth_path');
+      expect(methodInput.getAttribute('value')).toEqual('2fa_auth_method');
+    });
+  });
+
+  describe('Regenerate recovery codes button', () => {
+    it('renders the button', () => {
+      expect(queryByText(i18n.regenerateRecoveryCodes)).toEqual(expect.any(HTMLElement));
+    });
+
+    it('modifies the form action and method when submitted through the button', async () => {
+      const form = wrapper.find('form');
+      const regenerateCodesButton = wrapper.findByTestId('test-2fa-regenerate-codes-button')
+        .element;
+      const methodInput = wrapper.findByTestId('test-2fa-method-field').element;
+
+      form.trigger('submit', { submitter: regenerateCodesButton });
+
+      await wrapper.vm.$nextTick();
+
+      expect(form.element.getAttribute('action')).toEqual('2fa_codes_path');
+      expect(methodInput.getAttribute('value')).toEqual('2fa_codes_method');
+    });
+  });
+});
diff --git a/spec/helpers/external_link_helper_spec.rb b/spec/helpers/external_link_helper_spec.rb
index f5bb0568824..b746cb04ab3 100644
--- a/spec/helpers/external_link_helper_spec.rb
+++ b/spec/helpers/external_link_helper_spec.rb
@@ -13,8 +13,14 @@ RSpec.describe ExternalLinkHelper do
 
   it 'allows options when creating external link with icon' do
     link = external_link('https://gitlab.com', 'https://gitlab.com', { "data-foo": "bar", class: "externalLink" }).to_s
-
     expect(link).to start_with('<a target="_blank" rel="noopener noreferrer" data-foo="bar" class="externalLink" href="https://gitlab.com">https://gitlab.com')
     expect(link).to include('data-testid="external-link-icon"')
   end
+
+  it 'sanitizes and returns external link with icon' do
+    link = external_link('sanitized link content', 'javascript:alert()').to_s
+    expect(link).not_to include('href="javascript:alert()"')
+    expect(link).to start_with('<a target="_blank" rel="noopener noreferrer">sanitized link content')
+    expect(link).to include('data-testid="external-link-icon"')
+  end
 end
diff --git a/spec/helpers/icons_helper_spec.rb b/spec/helpers/icons_helper_spec.rb
index 4784d0aff26..af2957d72c7 100644
--- a/spec/helpers/icons_helper_spec.rb
+++ b/spec/helpers/icons_helper_spec.rb
@@ -35,22 +35,22 @@ RSpec.describe IconsHelper do
 
     it 'returns svg icon html with DEFAULT_ICON_SIZE' do
       expect(sprite_icon(icon_name).to_s)
-        .to eq "<svg class=\"s#{IconsHelper::DEFAULT_ICON_SIZE}\" data-testid=\"#{icon_name}-icon\"><use xlink:href=\"#{icons_path}##{icon_name}\"></use></svg>"
+        .to eq "<svg class=\"s#{IconsHelper::DEFAULT_ICON_SIZE}\" data-testid=\"#{icon_name}-icon\"><use href=\"#{icons_path}##{icon_name}\"></use></svg>"
     end
 
     it 'returns svg icon html without size class' do
       expect(sprite_icon(icon_name, size: nil).to_s)
-        .to eq "<svg data-testid=\"#{icon_name}-icon\"><use xlink:href=\"#{icons_path}##{icon_name}\"></use></svg>"
+        .to eq "<svg data-testid=\"#{icon_name}-icon\"><use href=\"#{icons_path}##{icon_name}\"></use></svg>"
     end
 
     it 'returns svg icon html + size classes' do
       expect(sprite_icon(icon_name, size: 72).to_s)
-        .to eq "<svg class=\"s72\" data-testid=\"#{icon_name}-icon\"><use xlink:href=\"#{icons_path}##{icon_name}\"></use></svg>"
+        .to eq "<svg class=\"s72\" data-testid=\"#{icon_name}-icon\"><use href=\"#{icons_path}##{icon_name}\"></use></svg>"
     end
 
     it 'returns svg icon html + size classes + additional class' do
       expect(sprite_icon(icon_name, size: 72, css_class: 'icon-danger').to_s)
-        .to eq "<svg class=\"s72 icon-danger\" data-testid=\"#{icon_name}-icon\"><use xlink:href=\"#{icons_path}##{icon_name}\"></use></svg>"
+        .to eq "<svg class=\"s72 icon-danger\" data-testid=\"#{icon_name}-icon\"><use href=\"#{icons_path}##{icon_name}\"></use></svg>"
     end
 
     describe 'non existing icon' do
diff --git a/spec/initializers/100_patch_omniauth_oauth2_spec.rb b/spec/initializers/100_patch_omniauth_oauth2_spec.rb
new file mode 100644
index 00000000000..0c436e4ef45
--- /dev/null
+++ b/spec/initializers/100_patch_omniauth_oauth2_spec.rb
@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'OmniAuth::Strategies::OAuth2', type: :strategy do
+  let(:strategy) { [OmniAuth::Strategies::OAuth2] }
+
+  it 'verifies the gem version' do
+    current_version = OmniAuth::OAuth2::VERSION
+    expected_version = '1.7.1'
+
+    expect(current_version).to eq(expected_version), <<~EOF
+      New version #{current_version} of the `omniauth-oauth2` gem detected!
+
+      Please check if the monkey patches in `config/initializers_before_autoloader/100_patch_omniauth_oauth2.rb`
+      are still needed, and either update/remove them, or bump the version in this spec.
+
+    EOF
+  end
+
+  context 'when a custom error message is passed from an OAuth2 provider' do
+    let(:message) { 'Please go to https://evil.com' }
+    let(:state) { 'secret' }
+    let(:callback_path) { '/users/auth/oauth2/callback' }
+    let(:params) { { state: state, error: 'evil_key', error_description: message } }
+    let(:error) { last_request.env['omniauth.error'] }
+
+    before do
+      env('rack.session', { 'omniauth.state' => state })
+    end
+
+    it 'returns the custom error message if the state is valid' do
+      get callback_path, **params
+
+      expect(error.message).to eq("evil_key | #{message}")
+    end
+
+    it 'returns the custom `error_reason` message if the `error_description` is blank' do
+      get callback_path, **params.merge(error_description: ' ', error_reason: 'custom reason')
+
+      expect(error.message).to eq('evil_key | custom reason')
+    end
+
+    it 'returns a CSRF error if the state is invalid' do
+      get callback_path, **params.merge(state: 'invalid')
+
+      expect(error.message).to eq('csrf_detected | CSRF detected')
+    end
+
+    it 'returns a CSRF error if the state is missing' do
+      get callback_path, **params.without(:state)
+
+      expect(error.message).to eq('csrf_detected | CSRF detected')
+    end
+  end
+end