Add latest changes from gitlab-org/security/gitlab@15-2-stable-ee

7 files changed, 100 insertions, 7 deletions

diff --git a/spec/models/integrations/campfire_spec.rb b/spec/models/integrations/campfire_spec.rb
index 405a9ff4b3f..48e24299bbd 100644
--- a/spec/models/integrations/campfire_spec.rb
+++ b/spec/models/integrations/campfire_spec.rb
@@ -5,7 +5,17 @@ require 'spec_helper'
 RSpec.describe Integrations::Campfire do
   include StubRequests
 
+  it_behaves_like Integrations::ResetSecretFields do
+    let(:integration) { described_class.new }
+  end
+
   describe 'Validations' do
+    it { is_expected.to validate_numericality_of(:room).is_greater_than(0).only_integer }
+    it { is_expected.to validate_length_of(:subdomain).is_at_most(63) }
+    it { is_expected.to allow_value("foo").for(:subdomain) }
+    it { is_expected.not_to allow_value("foo.bar").for(:subdomain) }
+    it { is_expected.not_to allow_value("foo.bar/#").for(:subdomain) }
+
     context 'when integration is active' do
       before do
         subject.active = true
diff --git a/spec/models/integrations/drone_ci_spec.rb b/spec/models/integrations/drone_ci_spec.rb
index 78d55c49e7b..5ae4af1a665 100644
--- a/spec/models/integrations/drone_ci_spec.rb
+++ b/spec/models/integrations/drone_ci_spec.rb
@@ -7,6 +7,10 @@ RSpec.describe Integrations::DroneCi, :use_clean_rails_memory_store_caching do
 
   subject(:integration) { described_class.new }
 
+  it_behaves_like Integrations::ResetSecretFields do
+    let(:integration) { subject }
+  end
+
   describe 'validations' do
     context 'active' do
       before do
diff --git a/spec/models/integrations/jira_spec.rb b/spec/models/integrations/jira_spec.rb
index 2a994540bd3..01c08a0948f 100644
--- a/spec/models/integrations/jira_spec.rb
+++ b/spec/models/integrations/jira_spec.rb
@@ -12,6 +12,7 @@ RSpec.describe Integrations::Jira do
   let(:api_url) { 'http://api-jira.example.com' }
   let(:username) { 'jira-username' }
   let(:password) { 'jira-password' }
+  let(:project_key) { nil }
   let(:transition_id) { 'test27' }
   let(:server_info_results) { { 'deploymentType' => 'Cloud' } }
   let(:jira_integration) do
@@ -19,7 +20,8 @@ RSpec.describe Integrations::Jira do
       project: project,
       url: url,
       username: username,
-      password: password
+      password: password,
+      project_key: project_key
     )
   end
 
@@ -533,6 +535,22 @@ RSpec.describe Integrations::Jira do
         expect(WebMock).to have_requested(:get, issue_url)
       end
     end
+
+    context 'with restricted restrict_project_key option' do
+      subject(:find_issue) { jira_integration.find_issue(issue_key, restrict_project_key: true) }
+
+      it { is_expected.to eq(nil) }
+
+      context 'and project_key matches' do
+        let(:project_key) { 'JIRA' }
+
+        it 'calls the Jira API to get the issue' do
+          find_issue
+
+          expect(WebMock).to have_requested(:get, issue_url)
+        end
+      end
+    end
   end
 
   describe '#close_issue' do
diff --git a/spec/models/integrations/packagist_spec.rb b/spec/models/integrations/packagist_spec.rb
index dce96890522..d1976e73e2e 100644
--- a/spec/models/integrations/packagist_spec.rb
+++ b/spec/models/integrations/packagist_spec.rb
@@ -29,6 +29,10 @@ RSpec.describe Integrations::Packagist do
     let(:hook_url) { "#{packagist_server}/api/update-package?username=#{packagist_username}&apiToken=#{packagist_token}" }
   end
 
+  it_behaves_like Integrations::ResetSecretFields do
+    let(:integration) { described_class.new(packagist_params) }
+  end
+
   describe '#execute' do
     let(:user)    { create(:user) }
     let(:project) { create(:project, :repository) }
diff --git a/spec/models/integrations/zentao_spec.rb b/spec/models/integrations/zentao_spec.rb
index 2b0532c7930..4ef977ba3d2 100644
--- a/spec/models/integrations/zentao_spec.rb
+++ b/spec/models/integrations/zentao_spec.rb
@@ -9,6 +9,31 @@ RSpec.describe Integrations::Zentao do
   let(:zentao_product_xid) { '3' }
   let(:zentao_integration) { create(:zentao_integration) }
 
+  it_behaves_like Integrations::ResetSecretFields do
+    let(:integration) { zentao_integration }
+  end
+
+  describe 'set_default_data' do
+    let(:project) { create(:project, :repository) }
+
+    context 'when gitlab.yml was initialized' do
+      it 'is prepopulated with the settings' do
+        settings = {
+          'zentao' => {
+            'url' => 'http://zentao.sample/projects/project_a',
+            'api_url' => 'http://zentao.sample/api'
+          }
+        }
+        allow(Gitlab.config).to receive(:issues_tracker).and_return(settings)
+
+        integration = project.create_zentao_integration(active: true)
+
+        expect(integration.url).to eq('http://zentao.sample/projects/project_a')
+        expect(integration.api_url).to eq('http://zentao.sample/api')
+      end
+    end
+  end
+
   describe '#create' do
     let(:project) { create(:project, :repository) }
     let(:params) do
diff --git a/spec/services/grafana/proxy_service_spec.rb b/spec/services/grafana/proxy_service_spec.rb
index 7ddc31d45d9..99120de3593 100644
--- a/spec/services/grafana/proxy_service_spec.rb
+++ b/spec/services/grafana/proxy_service_spec.rb
@@ -50,12 +50,8 @@ RSpec.describe Grafana::ProxyService do
   describe '#execute' do
     subject(:result) { service.execute }
 
-    context 'when grafana integration is not configured' do
-      before do
-        allow(project).to receive(:grafana_integration).and_return(nil)
-      end
-
-      it 'returns error' do
+    shared_examples 'missing proxy support' do
+      it 'returns API not supported error' do
         expect(result).to eq(
           status: :error,
           message: 'Proxy support for this API is not available currently'
@@ -63,6 +59,40 @@ RSpec.describe Grafana::ProxyService do
       end
     end
 
+    context 'with unsupported proxy path' do
+      where(:proxy_path) do
+        %w[
+          /api/vl/query_range
+          api/vl/query_range/
+          api/vl/labels
+          api/v2/query_range
+          ../../../org/users
+        ]
+      end
+
+      with_them do
+        include_examples 'missing proxy support'
+      end
+    end
+
+    context 'with unsupported datasource_id' do
+      where(:datasource_id) do
+        ['', '-1', '1str', 'str1', '../../1', '1/../..', "1\n1"]
+      end
+
+      with_them do
+        include_examples 'missing proxy support'
+      end
+    end
+
+    context 'when grafana integration is not configured' do
+      before do
+        allow(project).to receive(:grafana_integration).and_return(nil)
+      end
+
+      include_examples 'missing proxy support'
+    end
+
     context 'with caching', :use_clean_rails_memory_store_caching do
       context 'when value not present in cache' do
         it 'returns nil' do
diff --git a/spec/support/shared_contexts/features/integrations/integrations_shared_context.rb b/spec/support/shared_contexts/features/integrations/integrations_shared_context.rb
index 3d3b8c2207d..255c4e6f882 100644
--- a/spec/support/shared_contexts/features/integrations/integrations_shared_context.rb
+++ b/spec/support/shared_contexts/features/integrations/integrations_shared_context.rb
@@ -66,6 +66,8 @@ Integration.available_integration_names.each do |integration|
           hash.merge!(k => 'foo@bar.com')
         elsif (integration == 'slack' || integration == 'mattermost') && k == :labels_to_be_notified_behavior
           hash.merge!(k => "match_any")
+        elsif integration == 'campfire' && k = :room
+          hash.merge!(k => '1234')
         else
           hash.merge!(k => "someword")
         end