Add latest changes from gitlab-org/security/gitlab@15-3-stable-ee

6 files changed, 81 insertions, 15 deletions

diff --git a/spec/lib/banzai/filter/commit_trailers_filter_spec.rb b/spec/lib/banzai/filter/commit_trailers_filter_spec.rb
index 38f9bda57e6..c22517621c1 100644
--- a/spec/lib/banzai/filter/commit_trailers_filter_spec.rb
+++ b/spec/lib/banzai/filter/commit_trailers_filter_spec.rb
@@ -18,10 +18,20 @@ RSpec.describe Banzai::Filter::CommitTrailersFilter do
   context 'detects' do
     let(:email) { FFaker::Internet.email }
 
-    it 'trailers in the form of *-by and replace users with links' do
-      doc = filter(commit_message_html)
+    context 'trailers in the form of *-by' do
+      where(:commit_trailer) do
+        ["#{FFaker::Lorem.word}-by:", "#{FFaker::Lorem.word}-BY:", "#{FFaker::Lorem.word}-By:"]
+      end
 
-      expect_to_have_user_link_with_avatar(doc, user: user, trailer: trailer)
+      with_them do
+        let(:trailer) { commit_trailer }
+
+        it 'replaces users with links' do
+          doc = filter(commit_message_html)
+
+          expect_to_have_user_link_with_avatar(doc, user: user, trailer: trailer)
+        end
+      end
     end
 
     it 'trailers prefixed with whitespaces' do
@@ -121,7 +131,14 @@ RSpec.describe Banzai::Filter::CommitTrailersFilter do
 
   context "ignores" do
     it 'commit messages without trailers' do
-      exp = message = commit_html(FFaker::Lorem.sentence)
+      exp = message = commit_html(Array.new(5) { FFaker::Lorem.sentence }.join("\n"))
+      doc = filter(message)
+
+      expect(doc.to_html).to match Regexp.escape(exp)
+    end
+
+    it 'trailers without emails' do
+      exp = message = commit_html(Array.new(5) { 'Merged-By:' }.join("\n"))
       doc = filter(message)
 
       expect(doc.to_html).to match Regexp.escape(exp)
diff --git a/spec/lib/banzai/filter/pathological_markdown_filter_spec.rb b/spec/lib/banzai/filter/pathological_markdown_filter_spec.rb
new file mode 100644
index 00000000000..e0a07d1ea77
--- /dev/null
+++ b/spec/lib/banzai/filter/pathological_markdown_filter_spec.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Banzai::Filter::PathologicalMarkdownFilter do
+  include FilterSpecHelper
+
+  let_it_be(:short_text) { '![a' * 5 }
+  let_it_be(:long_text) { ([short_text] * 10).join(' ') }
+  let_it_be(:with_images_text) { "![One ![one](one.jpg) #{'and\n' * 200} ![two ![two](two.jpg)" }
+
+  it 'detects a significat number of unclosed image links' do
+    msg = <<~TEXT
+      _Unable to render markdown - too many unclosed markdown image links detected._
+    TEXT
+
+    expect(filter(long_text)).to eq(msg.strip)
+  end
+
+  it 'does nothing when there are only a few unclosed image links' do
+    expect(filter(short_text)).to eq(short_text)
+  end
+
+  it 'does nothing when there are only a few unclosed image links and images' do
+    expect(filter(with_images_text)).to eq(with_images_text)
+  end
+end
diff --git a/spec/lib/banzai/pipeline/full_pipeline_spec.rb b/spec/lib/banzai/pipeline/full_pipeline_spec.rb
index 376edfb99fc..c07f99dc9fc 100644
--- a/spec/lib/banzai/pipeline/full_pipeline_spec.rb
+++ b/spec/lib/banzai/pipeline/full_pipeline_spec.rb
@@ -167,4 +167,16 @@ RSpec.describe Banzai::Pipeline::FullPipeline do
       expect(output).to include('<em>@test_</em>')
     end
   end
+
+  describe 'unclosed image links' do
+    it 'detects a significat number of unclosed image links' do
+      markdown = '![a ' * 30
+      msg = <<~TEXT
+        Unable to render markdown - too many unclosed markdown image links detected.
+      TEXT
+      output = described_class.to_html(markdown, project: nil)
+
+      expect(output).to include(msg.strip)
+    end
+  end
 end
diff --git a/spec/lib/gitlab/git/tree_spec.rb b/spec/lib/gitlab/git/tree_spec.rb
index b520de03929..2e4520cd3a0 100644
--- a/spec/lib/gitlab/git/tree_spec.rb
+++ b/spec/lib/gitlab/git/tree_spec.rb
@@ -9,12 +9,13 @@ RSpec.describe Gitlab::Git::Tree do
   let(:repository) { project.repository.raw }
 
   shared_examples :repo do
-    subject(:tree) { Gitlab::Git::Tree.where(repository, sha, path, recursive, pagination_params) }
+    subject(:tree) { Gitlab::Git::Tree.where(repository, sha, path, recursive, skip_flat_paths, pagination_params) }
 
     let(:sha) { SeedRepo::Commit::ID }
     let(:path) { nil }
     let(:recursive) { false }
     let(:pagination_params) { nil }
+    let(:skip_flat_paths) { false }
 
     let(:entries) { tree.first }
     let(:cursor) { tree.second }
@@ -107,6 +108,12 @@ RSpec.describe Gitlab::Git::Tree do
         end
 
         it { expect(subdir_file.flat_path).to eq('files/flat/path/correct') }
+
+        context 'when skip_flat_paths is true' do
+          let(:skip_flat_paths) { true }
+
+          it { expect(subdir_file.flat_path).to be_blank }
+        end
       end
     end
 
@@ -162,7 +169,7 @@ RSpec.describe Gitlab::Git::Tree do
         allow(instance).to receive(:lookup).with(SeedRepo::Commit::ID)
       end
 
-      described_class.where(repository, SeedRepo::Commit::ID, 'files', false)
+      described_class.where(repository, SeedRepo::Commit::ID, 'files', false, false)
     end
 
     it_behaves_like :repo do
@@ -180,7 +187,7 @@ RSpec.describe Gitlab::Git::Tree do
           let(:entries_count) { entries.count }
 
           it 'returns all entries without a cursor' do
-            result, cursor = Gitlab::Git::Tree.where(repository, sha, path, recursive, { limit: entries_count, page_token: nil })
+            result, cursor = Gitlab::Git::Tree.where(repository, sha, path, recursive, skip_flat_paths, { limit: entries_count, page_token: nil })
 
             expect(cursor).to be_nil
             expect(result.entries.count).to eq(entries_count)
@@ -209,7 +216,7 @@ RSpec.describe Gitlab::Git::Tree do
           let(:entries_count) { entries.count }
 
           it 'returns all entries' do
-            result, cursor = Gitlab::Git::Tree.where(repository, sha, path, recursive, { limit: -1, page_token: nil })
+            result, cursor = Gitlab::Git::Tree.where(repository, sha, path, recursive, skip_flat_paths, { limit: -1, page_token: nil })
 
             expect(result.count).to eq(entries_count)
             expect(cursor).to be_nil
@@ -220,7 +227,7 @@ RSpec.describe Gitlab::Git::Tree do
             let(:token) { entries.second.id }
 
             it 'returns all entries after token' do
-              result, cursor = Gitlab::Git::Tree.where(repository, sha, path, recursive, { limit: -1, page_token: token })
+              result, cursor = Gitlab::Git::Tree.where(repository, sha, path, recursive, skip_flat_paths, { limit: -1, page_token: token })
 
               expect(result.count).to eq(entries.count - 2)
               expect(cursor).to be_nil
@@ -252,7 +259,7 @@ RSpec.describe Gitlab::Git::Tree do
           expected_entries = entries
 
           loop do
-            result, cursor = Gitlab::Git::Tree.where(repository, sha, path, recursive, { limit: 5, page_token: token })
+            result, cursor = Gitlab::Git::Tree.where(repository, sha, path, recursive, skip_flat_paths, { limit: 5, page_token: token })
 
             collected_entries += result.entries
             token = cursor&.next_cursor
diff --git a/spec/lib/gitlab/gitaly_client/commit_service_spec.rb b/spec/lib/gitlab/gitaly_client/commit_service_spec.rb
index 0d591fe6c43..ed6a87cda6f 100644
--- a/spec/lib/gitlab/gitaly_client/commit_service_spec.rb
+++ b/spec/lib/gitlab/gitaly_client/commit_service_spec.rb
@@ -150,16 +150,18 @@ RSpec.describe Gitlab::GitalyClient::CommitService do
   end
 
   describe '#tree_entries' do
-    subject { client.tree_entries(repository, revision, path, recursive, pagination_params) }
+    subject { client.tree_entries(repository, revision, path, recursive, skip_flat_paths, pagination_params) }
 
     let(:path) { '/' }
     let(:recursive) { false }
     let(:pagination_params) { nil }
+    let(:skip_flat_paths) { false }
 
-    it 'sends a get_tree_entries message' do
+    it 'sends a get_tree_entries message with default limit' do
+      expected_pagination_params = Gitaly::PaginationParameter.new(limit: Gitlab::GitalyClient::CommitService::TREE_ENTRIES_DEFAULT_LIMIT)
       expect_any_instance_of(Gitaly::CommitService::Stub)
         .to receive(:get_tree_entries)
-        .with(gitaly_request_with_path(storage_name, relative_path), kind_of(Hash))
+        .with(gitaly_request_with_params({ pagination_params: expected_pagination_params }), kind_of(Hash))
         .and_return([])
 
       is_expected.to eq([[], nil])
@@ -189,9 +191,10 @@ RSpec.describe Gitlab::GitalyClient::CommitService do
           pagination_cursor: pagination_cursor
         )
 
+        expected_pagination_params = Gitaly::PaginationParameter.new(limit: 3)
         expect_any_instance_of(Gitaly::CommitService::Stub)
           .to receive(:get_tree_entries)
-          .with(gitaly_request_with_path(storage_name, relative_path), kind_of(Hash))
+          .with(gitaly_request_with_params({ pagination_params: expected_pagination_params }), kind_of(Hash))
           .and_return([response])
 
         is_expected.to eq([[], pagination_cursor])
diff --git a/spec/models/repository_spec.rb b/spec/models/repository_spec.rb
index 530b03714b4..47532ed1216 100644
--- a/spec/models/repository_spec.rb
+++ b/spec/models/repository_spec.rb
@@ -2625,7 +2625,7 @@ RSpec.describe Repository do
   end
 
   shared_examples '#tree' do
-    subject { repository.tree(sha, path, recursive: recursive, pagination_params: pagination_params) }
+    subject { repository.tree(sha, path, recursive: recursive, skip_flat_paths: false, pagination_params: pagination_params) }
 
     let(:sha) { :head }
     let(:path) { nil }