authorGitLab Bot <gitlab-bot@gitlab.com>2022-09-28 22:01:32 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-09-28 22:01:37 +0000
commitcbc166ca72db07da07995c60bbbf4e83ba30699d (patch)
tree6c3f398e6be23b6e3c9aa03e1fe9579f815ebbe3 /spec
parent36c8a31d573bdd2edd4c87be63eb8dde20a79761 (diff)
downloadgitlab-ce-cbc166ca72db07da07995c60bbbf4e83ba30699d.tar.gz
Add latest changes from gitlab-org/security/gitlab@15-4-stable-ee
Diffstat (limited to 'spec')
-rw-r--r--spec/lib/bulk_imports/projects/pipelines/repository_pipeline_spec.rb19
-rw-r--r--spec/lib/bulk_imports/projects/pipelines/snippets_repository_pipeline_spec.rb20
-rw-r--r--spec/support/shared_examples/bulk_imports/common/pipelines/wiki_pipeline_examples.rb21
3 files changed, 53 insertions, 7 deletions
diff --git a/spec/lib/bulk_imports/projects/pipelines/repository_pipeline_spec.rb b/spec/lib/bulk_imports/projects/pipelines/repository_pipeline_spec.rb
index 38b22538e70..a968104fc91 100644
--- a/spec/lib/bulk_imports/projects/pipelines/repository_pipeline_spec.rb
+++ b/spec/lib/bulk_imports/projects/pipelines/repository_pipeline_spec.rb
@@ -20,8 +20,9 @@ RSpec.describe BulkImports::Projects::Pipelines::RepositoryPipeline do
)
end
- let_it_be(:tracker) { create(:bulk_import_tracker, entity: entity) }
- let_it_be(:context) { BulkImports::Pipeline::Context.new(tracker) }
+ let_it_be_with_reload(:tracker) { create(:bulk_import_tracker, entity: entity) }
+
+ let(:context) { BulkImports::Pipeline::Context.new(tracker) }
let(:extracted_data) { BulkImports::Pipeline::ExtractedData.new(data: project_data) }
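Review bot: The switch from `let_it_be` to `let_it_be_with_reload` for `tracker`, and from `let_it_be` to a per-example `let` for `context`, carries no comment explaining why, and the identical change is made without one in the first hunk of wiki_pipeline_examples.rb. Since the examples added by this commit assert on `context.entity.failed?` and `tracker.failed?` after `pipeline.run`, the reason is presumably that a tracker created once per group would otherwise carry a failed state from one example into the next; that is worth stating next to the definition, e.g. `# Reloaded per example: #run marks the tracker and its entity failed, and that state must not leak between examples`. The enclosing `RSpec.describe` block starts before this hunk.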
@@ -61,7 +62,7 @@ RSpec.describe BulkImports::Projects::Pipelines::RepositoryPipeline do
context 'blocked local networks' do
let(:project_data) { { 'httpUrlToRepo' => 'http://localhost/foo.git' } }
- it 'imports new repository into destination project' do
+ it 'prevents import' do
allow(Gitlab.config.gitlab).to receive(:host).and_return('notlocalhost.gitlab.com')
allow(Gitlab::CurrentSettings).to receive(:allow_local_requests_from_web_hooks_and_services?).and_return(false)
@@ -70,6 +71,18 @@ RSpec.describe BulkImports::Projects::Pipelines::RepositoryPipeline do
expect(context.entity.failed?).to eq(true)
end
end
+
+ context 'when scheme is blocked' do
+ let(:project_data) { { 'httpUrlToRepo' => 'file://example/tmp/foo.git' } }
+
+ it 'prevents import' do
+ pipeline.run
+
+ expect(context.entity.failed?).to eq(true)
+ expect(context.entity.failures.first).to be_present
+ expect(context.entity.failures.first.exception_message).to eq('Only allowed schemes are http, https')
+ end
+ end
end
describe '#after_run' do
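Review bot: The new `when scheme is blocked` context pins the validator's complete message `'Only allowed schemes are http, https'` as an exact string, and the same literal is repeated in snippets_repository_pipeline_spec.rb and wiki_pipeline_examples.rb, so any rewording of that message breaks three specs at once; a looser match such as `expect(context.entity.failures.first.exception_message).to match(/Only allowed schemes/)`, or one shared constant, keeps the intent while decoupling the specs from the exact wording. Only `file://` is exercised, although the message states that every scheme other than http and https is rejected; a second example with another non-http scheme would confirm the allow-list behaviour rather than a single denied value. The `blocked local networks` context starts before this hunk and `describe '#after_run'` continues past it.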
diff --git a/spec/lib/bulk_imports/projects/pipelines/snippets_repository_pipeline_spec.rb b/spec/lib/bulk_imports/projects/pipelines/snippets_repository_pipeline_spec.rb
index 4d12b49e2c0..dfd01cdf4bb 100644
--- a/spec/lib/bulk_imports/projects/pipelines/snippets_repository_pipeline_spec.rb
+++ b/spec/lib/bulk_imports/projects/pipelines/snippets_repository_pipeline_spec.rb
@@ -135,9 +135,25 @@ RSpec.describe BulkImports::Projects::Pipelines::SnippetsRepositoryPipeline do
end
context 'when url is invalid' do
- let(:http_url_to_repo) { 'http://0.0.0.0' }
+ context 'when not a real URL' do
+ let(:http_url_to_repo) { 'http://0.0.0.0' }
- it_behaves_like 'skippable snippet'
+ it_behaves_like 'skippable snippet'
+ end
+
+ context 'when scheme is blocked' do
+ let(:http_url_to_repo) { 'file://example.com/foo/bar/snippets/42.git' }
+
+ it_behaves_like 'skippable snippet'
+
+ it 'logs the failure' do
+ pipeline.run
+
+ expect(tracker.failed?).to eq(true)
+ expect(tracker.entity.failures.first).to be_present
+ expect(tracker.entity.failures.first.exception_message).to eq('Only allowed schemes are http, https')
+ end
+ end
end
context 'when snippet is invalid' do
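Review bot: The example described as `it 'logs the failure'` asserts on `tracker.failed?` and on the recorded `failures` entry, not on any logger call, so the description overstates what is checked; `it 'marks the tracker failed and records the failure'` would match the assertions. Unlike the repository and wiki specs in this commit, this file's `tracker` definition is not changed to `let_it_be_with_reload` in the visible hunk; if it is still a plain `let_it_be`, the failed state set by `pipeline.run` here could persist into later examples of the group — the definition is outside this hunk, so please verify. The enclosing `describe` block starts before this hunk.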
diff --git a/spec/support/shared_examples/bulk_imports/common/pipelines/wiki_pipeline_examples.rb b/spec/support/shared_examples/bulk_imports/common/pipelines/wiki_pipeline_examples.rb
index 06800f7cded..7e7460cd602 100644
--- a/spec/support/shared_examples/bulk_imports/common/pipelines/wiki_pipeline_examples.rb
+++ b/spec/support/shared_examples/bulk_imports/common/pipelines/wiki_pipeline_examples.rb
@@ -4,8 +4,9 @@ RSpec.shared_examples 'wiki pipeline imports a wiki for an entity' do
describe '#run' do
let_it_be(:bulk_import_configuration) { create(:bulk_import_configuration, bulk_import: bulk_import) }
- let_it_be(:tracker) { create(:bulk_import_tracker, entity: entity) }
- let_it_be(:context) { BulkImports::Pipeline::Context.new(tracker) }
+ let_it_be_with_reload(:tracker) { create(:bulk_import_tracker, entity: entity) }
+
+ let(:context) { BulkImports::Pipeline::Context.new(tracker) }
let(:extracted_data) { BulkImports::Pipeline::ExtractedData.new(data: {}) }
@@ -40,5 +41,21 @@ RSpec.shared_examples 'wiki pipeline imports a wiki for an entity' do
expect { subject.run }.not_to raise_error
end
end
+
+ context 'when scheme is blocked' do
+ it 'prevents import' do
+ # Force bulk_import_configuration to have a file:// URL
+ bulk_import_configuration.url = 'file://example.com'
+ bulk_import_configuration.save!(validate: false)
+
+ expect(subject).to receive(:source_wiki_exists?).and_return(true)
+
+ subject.run
+
+ expect(tracker.failed?).to eq(true)
+ expect(tracker.entity.failures.first).to be_present
+ expect(tracker.entity.failures.first.exception_message).to eq('Only allowed schemes are http, https')
+ end
+ end
end
end
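Review bot: `bulk_import_configuration` is a `let_it_be` record (defined earlier in this `describe '#run'` block), and the new example at `bulk_import_configuration.url = 'file://example.com'` mutates it and persists the change with `save!(validate: false)`; even if the database write is rolled back after the example, the in-memory object presumably keeps the `file://` URL for any later example in the group that reads it, which is the same leakage this commit avoids for `tracker` by switching it to `let_it_be_with_reload`. Applying the same treatment, `let_it_be_with_reload(:bulk_import_configuration) { create(:bulk_import_configuration, bulk_import: bulk_import) }`, keeps the example isolated without touching its body. The `describe '#run'` block this context lives in starts before this hunk.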