Diffstat (limited to 'spec/controllers/groups')
4 files changed, 38 insertions, 10 deletions
diff --git a/spec/controllers/groups/clusters_controller_spec.rb b/spec/controllers/groups/clusters_controller_spec.rb
index 93c560b4753..710e983dfbd 100644
--- a/spec/controllers/groups/clusters_controller_spec.rb
+++ b/spec/controllers/groups/clusters_controller_spec.rb
@@ -103,7 +103,7 @@ RSpec.describe Groups::ClustersController do
 it('is denied for admin when admin mode is disabled') { expect { go }.to be_denied_for(:admin) }
 it { expect { go }.to be_allowed_for(:owner).of(group) }
 it { expect { go }.to be_allowed_for(:maintainer).of(group) }
- it { expect { go }.to be_denied_for(:developer).of(group) }
+ it { expect { go }.to be_allowed_for(:developer).of(group) }
 it { expect { go }.to be_denied_for(:reporter).of(group) }
 it { expect { go }.to be_denied_for(:guest).of(group) }
 it { expect { go }.to be_denied_for(:user) }
@@ -309,7 +309,8 @@ RSpec.describe Groups::ClustersController do
 .to receive(:expires_at_in_session).and_return(1.hour.since.to_i.to_s)
 allow_any_instance_of(GoogleApi::CloudPlatform::Client)
 .to receive(:projects_zones_clusters_create) do
- OpenStruct.new(
+ double(
+ 'instance',
 self_link: 'projects/gcp-project-12345/zones/us-central1-a/operations/ope-123',
 status: 'RUNNING'
 )
@@ -673,7 +673,7 @@ RSpec.describe Groups::ClustersController do
 it('is denied for admin when admin mode is disabled') { expect { go }.to be_denied_for(:admin) }
 it { expect { go }.to be_allowed_for(:owner).of(group) }
 it { expect { go }.to be_allowed_for(:maintainer).of(group) }
- it { expect { go }.to be_denied_for(:developer).of(group) }
+ it { expect { go }.to be_allowed_for(:developer).of(group) }
 it { expect { go }.to be_denied_for(:reporter).of(group) }
 it { expect { go }.to be_denied_for(:guest).of(group) }
 it { expect { go }.to be_denied_for(:user) }
diff --git a/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb b/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb
index f438be534fa..57a83da3425 100644
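Review bot: The flipped expectation `+ it { expect { go }.to be_allowed_for(:developer).of(group) }` widens this group cluster action to developers, but nothing in the hunk shows which action `go` performs or that the widening is limited to reads; the `describe`/`context` naming the action starts before the hunk. If the backing policy grants developers a read-only cluster ability, a sibling matrix for the mutating actions (update/destroy) that still asserts `be_denied_for(:developer).of(group)` would stop a later policy edit from silently extending developers to cluster management. It would also help to put the reason in the example title, e.g. `it('is allowed for developer (read-only cluster access)') { expect { go }.to be_allowed_for(:developer).of(group) }`.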
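Review bot: This `@@ -673` hunk is a second copy of the same seven-line role matrix flipped the same way as the `@@ -103` hunk, and with `:developer` now allowed the two blocks are identical for every role shown; which action each matrix guards is not visible, and duplicated matrices tend to drift when one is updated and the other is not. A `shared_examples 'a cluster read action'` holding the matrix, included from both places with `it_behaves_like`, would keep them in step and make a future change to any single role a one-line edit. The surrounding `describe` for this action is outside the hunk.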
--- a/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb +++ b/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb @@ -47,6 +47,24 @@ RSpec.describe Groups::DependencyProxyForContainersController do end end + shared_examples 'with invalid path' do + context 'with invalid image' do + let(:image) { '../path_traversal' } + + it 'raises an error' do + expect { subject }.to raise_error(Gitlab::Utils::PathTraversalAttackError, 'Invalid path') + end + end + + context 'with invalid tag' do + let(:tag) { 'latest%2f..%2f..%2fpath_traversal' } + + it 'raises an error' do + expect { subject }.to raise_error(Gitlab::Utils::PathTraversalAttackError, 'Invalid path') + end + end + end + shared_examples 'without permission' do context 'with invalid user' do before do @@ -164,8 +182,10 @@ RSpec.describe Groups::DependencyProxyForContainersController do end describe 'GET #manifest' do + let_it_be(:image) { 'alpine' } let_it_be(:tag) { 'latest' } - let_it_be(:manifest) { create(:dependency_proxy_manifest, file_name: "alpine:#{tag}.json", group: group) } + let_it_be(:file_name) { "#{image}:#{tag}.json" } + let_it_be(:manifest) { create(:dependency_proxy_manifest, file_name: file_name, group: group) } let(:pull_response) { { status: :success, manifest: manifest, from_cache: false } } @@ -235,6 +255,8 @@ RSpec.describe Groups::DependencyProxyForContainersController do context 'with workhorse response' do let(:pull_response) { { status: :success, manifest: nil, from_cache: false } } + it_behaves_like 'with invalid path' + it 'returns Workhorse send-dependency instructions', :aggregate_failures do subject 
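Review bot: The two cases in `shared_examples 'with invalid path'` cover only a plain `../` in `image` and a percent-encoded `%2f..%2f` in `tag`, so whether the check runs on the raw or the decoded value is pinned for one input per parameter; a `tag` containing a literal `../`, an `image` containing `%2f..%2f`, and double-encoded input (`%252f`) are the mirror cases a traversal check most often misses and are not exercised. A table over both parameters, e.g. `%w[../path_traversal latest%2f..%2fpath_traversal ..%252fpath_traversal]` applied to each of `image` and `tag`, would close that gap in a few lines. Also, `expect { subject }.to raise_error(Gitlab::Utils::PathTraversalAttackError, 'Invalid path')` pins the exception rather than the HTTP response; if the controller or a `rescue_from` elsewhere maps that error to a status, an example asserting that status is what guards the client-visible behaviour.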
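Review bot: In the `@@ -235` hunk, `it_behaves_like 'with invalid path'` is included only inside `context 'with workhorse response'`, where `pull_response` returns `manifest: nil`; a traversal check should reject the parameters before any cache lookup, and the new `let_it_be(:file_name) { "#{image}:#{tag}.json" }` in the `@@ -164` hunk shows `image`/`tag` flowing into a stored file name, so the cached-manifest branch (the default `pull_response` with `manifest: manifest`) deserves the same examples. Moving the `it_behaves_like` up to the `describe 'GET #manifest'` level would run it against both branches. The enclosing `describe` starts outside this hunk.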
@@ -246,7 +268,7 @@ RSpec.describe Groups::DependencyProxyForContainersController do
 "Authorization" => ["Bearer abcd1234"],
 "Accept" => ::ContainerRegistry::Client::ACCEPTED_TYPES
 )
- expect(url).to eq(DependencyProxy::Registry.manifest_url('alpine', tag))
+ expect(url).to eq(DependencyProxy::Registry.manifest_url(image, tag))
 expect(response.headers['Content-Type']).to eq('application/gzip')
 expect(response.headers['Content-Disposition']).to eq(
 ActionDispatch::Http::ContentDisposition.format(disposition: 'attachment', filename: manifest.file_name)
@@ -277,7 +299,7 @@ RSpec.describe Groups::DependencyProxyForContainersController do
 it_behaves_like 'not found when disabled'
 def get_manifest(tag)
- get :manifest, params: { group_id: group.to_param, image: 'alpine', tag: tag }
+ get :manifest, params: { group_id: group.to_param, image: image, tag: tag }
 end
 end
@@ -440,6 +462,7 @@ RSpec.describe Groups::DependencyProxyForContainersController do
 end
 it_behaves_like 'a package tracking event', described_class.name, 'pull_manifest'
+ it_behaves_like 'with invalid path'
 context 'with no existing manifest' do
 it 'creates a manifest' do
diff --git a/spec/controllers/groups/releases_controller_spec.rb b/spec/controllers/groups/releases_controller_spec.rb
index 50701382945..582a77b1c50 100644
--- a/spec/controllers/groups/releases_controller_spec.rb
+++ b/spec/controllers/groups/releases_controller_spec.rb
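Review bot: In the `@@ -440` hunk, `it_behaves_like 'with invalid path'` depends on `image` and `tag` being overridable in this `describe`, whose header is outside the hunk; a nested `let` does shadow a `let_it_be` of the same name, but any value derived from them with `let_it_be` (like the `file_name` introduced in the earlier hunk) stays frozen at the original `alpine`/`latest`, so these examples exercise the request parameters only, not the stored file name. A one-line comment on the shared example saying so, e.g. `# Overrides only the request params; let_it_be-derived fixtures keep their original names.`, would save the next reader from expecting the fixture to follow the override.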
@@ -6,14 +6,14 @@ RSpec.describe Groups::ReleasesController do
 let(:group) { create(:group) }
 let!(:project) { create(:project, :repository, :public, namespace: group) }
 let!(:private_project) { create(:project, :repository, :private, namespace: group) }
- let(:developer) { create(:user) }
+ let(:guest) { create(:user) }
 let!(:release_1) { create(:release, project: project, tag: 'v1', released_at: Time.zone.parse('2020-02-15')) }
 let!(:release_2) { create(:release, project: project, tag: 'v2', released_at: Time.zone.parse('2020-02-20')) }
 let!(:private_release_1) { create(:release, project: private_project, tag: 'p1', released_at: Time.zone.parse('2020-03-01')) }
 let!(:private_release_2) { create(:release, project: private_project, tag: 'p2', released_at: Time.zone.parse('2020-03-05')) }
 before do
- private_project.add_developer(developer)
+ group.add_guest(guest)
 end
 describe 'GET #index' do
@@ -42,7 +42,7 @@ RSpec.describe Groups::ReleasesController do
 end
 it 'does not return any releases' do
- expect(json_response.map {|r| r['tag'] } ).to match_array(%w(v2 v1))
+ expect(json_response.map {|r| r['tag'] } ).to be_empty
 end
 it 'returns OK' do
@@ -52,7 +52,7 @@ RSpec.describe Groups::ReleasesController do
 context 'the user is authorized' do
 it "returns all group's public and private project's releases as JSON, ordered by released_at" do
- sign_in(developer)
+ sign_in(guest)
 subject
diff --git a/spec/controllers/groups/runners_controller_spec.rb b/spec/controllers/groups/runners_controller_spec.rb
index a8830efe653..9f0615a96ae 100644
--- a/spec/controllers/groups/runners_controller_spec.rb
+++ b/spec/controllers/groups/runners_controller_spec.rb
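Review bot: The unauthenticated example in the `@@ -42` hunk now asserts `be_empty` for a group that contains a `:public` project (`release_1`/`release_2`), and with `let(:group) { create(:group) }` that outcome is most likely driven by the group's default visibility rather than by release-level authorization, so 'does not return any releases' passes without pinning the property that matters (anonymous users never see `p1`/`p2`). A companion example with `create(:group, :public)` asserting `match_array(%w(v2 v1))` for the anonymous user would pin that private-project releases stay hidden while public ones remain listed. Separately, the authorized example now signs in a group `guest` and still expects the private project's releases; if that is intended (guest may read releases), naming the role in the example title would stop it reading as an accidental privilege grant. The `describe 'GET #index'` block continues outside the hunk.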
@@ -190,6 +190,10 @@ RSpec.describe Groups::RunnersController do
 end
 it 'destroys the runner and redirects' do
+ expect_next_instance_of(Ci::UnregisterRunnerService, runner) do |service|
+ expect(service).to receive(:execute).once.and_call_original
+ end
+
 delete :destroy, params: params
 expect(response).to have_gitlab_http_status(:found) |
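Review bot: `expect_next_instance_of(Ci::UnregisterRunnerService, runner)` pins only that the service is built with the runner, not who is acting; if `Ci::UnregisterRunnerService` takes (or later grows) a `current_user` argument for authorization or auditing, this expectation keeps passing with a nil user, so consider asserting the full constructor arguments, e.g. `expect_next_instance_of(Ci::UnregisterRunnerService, runner, user)`. Since `.and_call_original` is used, an assertion that the runner is gone after the request (`expect(Ci::Runner.exists?(runner.id)).to be(false)`) would verify the side effect the example title promises, unless it already exists past the hunk's end. The example's body continues outside the hunk.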