summaryrefslogtreecommitdiff
path: root/spec
diff options
context:
space:
mode:
authorGitLab Bot <gitlab-bot@gitlab.com>2021-09-29 12:52:24 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-09-29 12:52:24 +0000
commitb56d907a1d9065c3df354007fa00daf30626a478 (patch)
tree0868c35228207eece8e012bdc47a8829556d7758 /spec
parentaee004311cd93409176ea4f6e2bdcd0601487e4b (diff)
downloadgitlab-ce-b56d907a1d9065c3df354007fa00daf30626a478.tar.gz
Add latest changes from gitlab-org/security/gitlab@14-3-stable-ee
Diffstat (limited to 'spec')
-rw-r--r--spec/graphql/types/group_invitation_type_spec.rb2
-rw-r--r--spec/graphql/types/project_invitation_type_spec.rb2
-rw-r--r--spec/lib/banzai/filter/spaced_link_filter_spec.rb10
-rw-r--r--spec/lib/gitlab/fogbugz_import/importer_spec.rb80
-rw-r--r--spec/lib/gitlab/string_regex_marker_spec.rb12
-rw-r--r--spec/requests/api/invitations_spec.rb40
6 files changed, 106 insertions, 40 deletions
diff --git a/spec/graphql/types/group_invitation_type_spec.rb b/spec/graphql/types/group_invitation_type_spec.rb
index dab2d43fc90..9eedc2db81d 100644
--- a/spec/graphql/types/group_invitation_type_spec.rb
+++ b/spec/graphql/types/group_invitation_type_spec.rb
@@ -7,7 +7,7 @@ RSpec.describe Types::GroupInvitationType do
specify { expect(described_class.graphql_name).to eq('GroupInvitation') }
- specify { expect(described_class).to require_graphql_authorizations(:read_group) }
+ specify { expect(described_class).to require_graphql_authorizations(:admin_group) }
it 'has the expected fields' do
expected_fields = %w[
diff --git a/spec/graphql/types/project_invitation_type_spec.rb b/spec/graphql/types/project_invitation_type_spec.rb
index 148a763a5fa..5c0b03c2505 100644
--- a/spec/graphql/types/project_invitation_type_spec.rb
+++ b/spec/graphql/types/project_invitation_type_spec.rb
@@ -7,7 +7,7 @@ RSpec.describe Types::ProjectInvitationType do
specify { expect(described_class.graphql_name).to eq('ProjectInvitation') }
- specify { expect(described_class).to require_graphql_authorizations(:read_project) }
+ specify { expect(described_class).to require_graphql_authorizations(:admin_project) }
it 'has the expected fields' do
expected_fields = %w[
diff --git a/spec/lib/banzai/filter/spaced_link_filter_spec.rb b/spec/lib/banzai/filter/spaced_link_filter_spec.rb
index 2c64657d69d..820ebeb6945 100644
--- a/spec/lib/banzai/filter/spaced_link_filter_spec.rb
+++ b/spec/lib/banzai/filter/spaced_link_filter_spec.rb
@@ -63,6 +63,16 @@ RSpec.describe Banzai::Filter::SpacedLinkFilter do
end
end
+ it 'does not process malicious input' do
+ Timeout.timeout(10) do
+ doc = filter('[ (](' * 60_000)
+
+ found_links = doc.css('a')
+
+ expect(found_links.size).to eq(0)
+ end
+ end
+
it 'converts multiple URLs' do
link1 = '[first](slug one)'
link2 = '[second](http://example.com/slug two)'
diff --git a/spec/lib/gitlab/fogbugz_import/importer_spec.rb b/spec/lib/gitlab/fogbugz_import/importer_spec.rb
index eb0c4da6ce3..9b58b772d1a 100644
--- a/spec/lib/gitlab/fogbugz_import/importer_spec.rb
+++ b/spec/lib/gitlab/fogbugz_import/importer_spec.rb
@@ -4,23 +4,11 @@ require 'spec_helper'
RSpec.describe Gitlab::FogbugzImport::Importer do
let(:project) { create(:project_empty_repo) }
- let(:importer) { described_class.new(project) }
- let(:repo) do
- instance_double(Gitlab::FogbugzImport::Repository,
- safe_name: 'vim',
- path: 'vim',
- raw_data: '')
- end
-
- let(:import_data) { { 'repo' => repo } }
- let(:credentials) do
- {
- 'fb_session' => {
- 'uri' => 'https://testing.fogbugz.com',
- 'token' => 'token'
- }
- }
- end
+ let(:fogbugz_project) { { 'ixProject' => project.id, 'sProject' => 'vim' } }
+ let(:import_data) { { 'repo' => fogbugz_project } }
+ let(:base_url) { 'https://testing.fogbugz.com' }
+ let(:token) { 'token' }
+ let(:credentials) { { 'fb_session' => { 'uri' => base_url, 'token' => token } } }
let(:closed_bug) do
{
@@ -46,18 +34,22 @@ RSpec.describe Gitlab::FogbugzImport::Importer do
let(:fogbugz_bugs) { [opened_bug, closed_bug] }
+ subject(:importer) { described_class.new(project) }
+
before do
project.create_import_data(data: import_data, credentials: credentials)
- allow_any_instance_of(::Fogbugz::Interface).to receive(:command).with(:listCategories).and_return([])
- allow_any_instance_of(Gitlab::FogbugzImport::Client).to receive(:cases).and_return(fogbugz_bugs)
+
+ stub_fogbugz('listProjects', projects: { project: [fogbugz_project], count: 1 })
+ stub_fogbugz('listCategories', categories: { category: [], count: 0 })
+ stub_fogbugz('search', cases: { case: fogbugz_bugs, count: fogbugz_bugs.size })
end
it 'imports bugs' do
- expect { importer.execute }.to change { Issue.count }.by(2)
+ expect { subject.execute }.to change { Issue.count }.by(2)
end
it 'imports opened bugs' do
- importer.execute
+ subject.execute
issue = Issue.where(project_id: project.id).find_by_title(opened_bug[:sTitle])
@@ -65,10 +57,54 @@ RSpec.describe Gitlab::FogbugzImport::Importer do
end
it 'imports closed bugs' do
- importer.execute
+ subject.execute
issue = Issue.where(project_id: project.id).find_by_title(closed_bug[:sTitle])
expect(issue.state_id).to eq(Issue.available_states[:closed])
end
+
+ context 'verify url' do
+ context 'when host is localhost' do
+ let(:base_url) { 'https://localhost:3000' }
+
+ it 'does not allow localhost requests' do
+ expect { subject.execute }
+ .to raise_error(
+ ::Gitlab::HTTP::BlockedUrlError,
+ "URL 'https://localhost:3000/api.asp' is blocked: Requests to localhost are not allowed"
+ )
+ end
+ end
+
+ context 'when host is on local network' do
+ let(:base_url) { 'http://192.168.0.1' }
+
+ it 'does not allow localhost requests' do
+ expect { subject.execute }
+ .to raise_error(
+ ::Gitlab::HTTP::BlockedUrlError,
+ "URL 'http://192.168.0.1/api.asp' is blocked: Requests to the local network are not allowed"
+ )
+ end
+ end
+
+ context 'when host is ftp protocol' do
+ let(:base_url) { 'ftp://testing' }
+
+ it 'only accept http and https requests' do
+ expect { subject.execute }
+ .to raise_error(
+ HTTParty::UnsupportedURIScheme,
+ "'ftp://testing/api.asp' Must be HTTP, HTTPS or Generic"
+ )
+ end
+ end
+ end
+
+ def stub_fogbugz(command, response)
+ stub_request(:post, "#{base_url}/api.asp")
+ .with(body: hash_including({ 'cmd' => command, 'token' => token }))
+ .to_return(status: 200, body: response.to_xml(root: :response))
+ end
end
diff --git a/spec/lib/gitlab/string_regex_marker_spec.rb b/spec/lib/gitlab/string_regex_marker_spec.rb
index a02be83558c..0cbe44eacf4 100644
--- a/spec/lib/gitlab/string_regex_marker_spec.rb
+++ b/spec/lib/gitlab/string_regex_marker_spec.rb
@@ -23,9 +23,10 @@ RSpec.describe Gitlab::StringRegexMarker do
context 'with multiple occurrences' do
let(:raw) { %{a <b> <c> d} }
let(:rich) { %{a &lt;b&gt; &lt;c&gt; d}.html_safe }
+ let(:regexp) { /<[a-z]>/ }
subject do
- described_class.new(raw, rich).mark(/<[a-z]>/) do |text, left:, right:, mode:|
+ described_class.new(raw, rich).mark(regexp) do |text, left:, right:, mode:|
%{<strong>#{text}</strong>}.html_safe
end
end
@@ -34,6 +35,15 @@ RSpec.describe Gitlab::StringRegexMarker do
expect(subject).to eq(%{a <strong>&lt;b&gt;</strong> <strong>&lt;c&gt;</strong> d})
expect(subject).to be_html_safe
end
+
+ context 'with a Gitlab::UntrustedRegexp' do
+ let(:regexp) { Gitlab::UntrustedRegexp.new('<[a-z]>') }
+
+ it 'marks the matches' do
+ expect(subject).to eq(%{a <strong>&lt;b&gt;</strong> <strong>&lt;c&gt;</strong> d})
+ expect(subject).to be_html_safe
+ end
+ end
end
end
end
diff --git a/spec/requests/api/invitations_spec.rb b/spec/requests/api/invitations_spec.rb
index 76a4548df8a..b23ba0021e0 100644
--- a/spec/requests/api/invitations_spec.rb
+++ b/spec/requests/api/invitations_spec.rb
@@ -259,22 +259,32 @@ RSpec.describe API::Invitations do
let(:route) { get invitations_url(source, stranger) }
end
- %i[maintainer developer access_requester stranger].each do |type|
+ context "when authenticated as a maintainer" do
+ it 'returns 200' do
+ get invitations_url(source, maintainer)
+
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(response).to include_pagination_headers
+ expect(json_response).to be_an Array
+ expect(json_response.size).to eq(0)
+ end
+ end
+
+ %i[developer access_requester stranger].each do |type|
context "when authenticated as a #{type}" do
- it 'returns 200' do
+ it 'returns 403' do
user = public_send(type)
get invitations_url(source, user)
- expect(response).to have_gitlab_http_status(:ok)
- expect(response).to include_pagination_headers
- expect(json_response).to be_an Array
- expect(json_response.size).to eq(0)
+ expect(response).to have_gitlab_http_status(:forbidden)
end
end
end
it 'avoids N+1 queries' do
+ invite_member_by_email(source, source_type, email, maintainer)
+
# Establish baseline
get invitations_url(source, maintainer)
@@ -282,7 +292,7 @@ RSpec.describe API::Invitations do
get invitations_url(source, maintainer)
end
- invite_member_by_email(source, source_type, email, maintainer)
+ invite_member_by_email(source, source_type, email2, maintainer)
expect do
get invitations_url(source, maintainer)
@@ -290,7 +300,7 @@ RSpec.describe API::Invitations do
end
it 'does not find confirmed members' do
- get invitations_url(source, developer)
+ get invitations_url(source, maintainer)
expect(response).to have_gitlab_http_status(:ok)
expect(response).to include_pagination_headers
@@ -300,10 +310,10 @@ RSpec.describe API::Invitations do
end
it 'finds all members with no query string specified' do
- invite_member_by_email(source, source_type, email, developer)
- invite_member_by_email(source, source_type, email2, developer)
+ invite_member_by_email(source, source_type, email, maintainer)
+ invite_member_by_email(source, source_type, email2, maintainer)
- get invitations_url(source, developer), params: { query: '' }
+ get invitations_url(source, maintainer), params: { query: '' }
expect(response).to have_gitlab_http_status(:ok)
expect(response).to include_pagination_headers
@@ -314,17 +324,17 @@ RSpec.describe API::Invitations do
end
it 'finds the invitation by invite_email with query string' do
- invite_member_by_email(source, source_type, email, developer)
- invite_member_by_email(source, source_type, email2, developer)
+ invite_member_by_email(source, source_type, email, maintainer)
+ invite_member_by_email(source, source_type, email2, maintainer)
- get invitations_url(source, developer), params: { query: email }
+ get invitations_url(source, maintainer), params: { query: email }
expect(response).to have_gitlab_http_status(:ok)
expect(response).to include_pagination_headers
expect(json_response).to be_an Array
expect(json_response.count).to eq(1)
expect(json_response.first['invite_email']).to eq(email)
- expect(json_response.first['created_by_name']).to eq(developer.name)
+ expect(json_response.first['created_by_name']).to eq(maintainer.name)
expect(json_response.first['user_name']).to eq(nil)
end
end