Diffstat (limited to 'spec/requests/api')
-rw-r--r--spec/requests/api/deploy_tokens_spec.rb19
-rw-r--r--spec/requests/api/groups_spec.rb28
-rw-r--r--spec/requests/api/internal/base_spec.rb9
-rw-r--r--spec/requests/api/project_snippets_spec.rb24
-rw-r--r--spec/requests/api/repositories_spec.rb12
-rw-r--r--spec/requests/api/snippets_spec.rb10
-rw-r--r--spec/requests/api/triggers_spec.rb44
7 files changed, 129 insertions, 17 deletions
diff --git a/spec/requests/api/deploy_tokens_spec.rb b/spec/requests/api/deploy_tokens_spec.rb
index fa20635056f..a885e80fd55 100644
--- a/spec/requests/api/deploy_tokens_spec.rb
+++ b/spec/requests/api/deploy_tokens_spec.rb
@@ -234,6 +234,25 @@ describe API::DeployTokens do
expect(response).to match_response_schema('public_api/v4/deploy_token')
end
+ context 'with no optional params given' do
+ let(:params) do
+ {
+ name: 'Foo',
+ scopes: [
+ 'read_repository'
+ ]
+ }
+ end
+
+ it 'creates the deploy token with default values' do
+ subject
+
+ expect(response).to have_gitlab_http_status(:created)
+ expect(json_response['username']).to match(/gitlab\+deploy-token-\d+/)
+ expect(json_response['expires_at']).to eq(nil)
+ end
+ end
+
context 'with an invalid scope' do
before do
params[:scopes] = %w[read_repository all_access]
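Review bot: The username assertion in the new 'creates the deploy token with default values' example uses an unanchored regex, `match(/gitlab\+deploy-token-\d+/)`, so any username that merely contains that substring would pass; anchor it as `expect(json_response['username']).to match(/\Agitlab\+deploy-token-\d+\z/)`. On the following line `eq(nil)` is more idiomatically written `be_nil`. The enclosing describe block and the `subject` this context relies on start outside the hunk.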
diff --git a/spec/requests/api/groups_spec.rb b/spec/requests/api/groups_spec.rb
index ea60f783b48..30c1f99569b 100644
--- a/spec/requests/api/groups_spec.rb
+++ b/spec/requests/api/groups_spec.rb
@@ -642,6 +642,20 @@ describe API::Groups do
expect(json_response['default_branch_protection']).to eq(::Gitlab::Access::MAINTAINER_PROJECT_ACCESS)
end
+ context 'malicious group name' do
+ subject { put api("/groups/#{group1.id}", user1), params: { name: "<SCRIPT>alert('DOUBLE-ATTACK!')</SCRIPT>" } }
+
+ it 'returns bad request' do
+ subject
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ end
+
+ it 'does not update group name' do
+ expect { subject }.not_to change { group1.reload.name }
+ end
+ end
+
it 'returns 404 for a non existing group' do
put api('/groups/1328', user1), params: { name: new_group_name }
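Review bot: Both new 'malicious group name' contexts (this one and the one in the POST /groups hunk below) assert only `have_gitlab_http_status(:bad_request)`, so a 400 produced by any other validation would let them pass without showing that the name itself was rejected; add an assertion on the response body that points at the name attribute, for example `expect(json_response['message']).to have_key('name')` if the rejection comes from model validation — confirm against the actual error shape first. In the POST context `subject` is declared before the `let(:group_params)` it depends on; the usual ordering is `let` first, then `subject`. The surrounding describe blocks start outside both hunks.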
@@ -1083,6 +1097,20 @@ describe API::Groups do
expect(json_response["parent_id"]).to eq(parent.id)
end
+ context 'malicious group name' do
+ subject { post api("/groups", user3), params: group_params }
+
+ let(:group_params) { attributes_for_group_api name: "<SCRIPT>alert('ATTACKED!')</SCRIPT>", path: "unique-url" }
+
+ it 'returns bad request' do
+ subject
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ end
+
+ it { expect { subject }.not_to change { Group.count } }
+ end
+
it "does not create group, duplicate" do
post api("/groups", user3), params: { name: 'Duplicate Test', path: group2.path }
diff --git a/spec/requests/api/internal/base_spec.rb b/spec/requests/api/internal/base_spec.rb
index 426e15faaa6..77501c3a136 100644
--- a/spec/requests/api/internal/base_spec.rb
+++ b/spec/requests/api/internal/base_spec.rb
@@ -3,15 +3,14 @@
require 'spec_helper'
describe API::Internal::Base do
- set(:user) { create(:user) }
+ let_it_be(:user, reload: true) { create(:user) }
+ let_it_be(:project, reload: true) { create(:project, :repository, :wiki_repo) }
+ let_it_be(:personal_snippet) { create(:personal_snippet, :repository, author: user) }
+ let_it_be(:project_snippet) { create(:project_snippet, :repository, author: user, project: project) }
let(:key) { create(:key, user: user) }
- set(:project) { create(:project, :repository, :wiki_repo) }
let(:secret_token) { Gitlab::Shell.secret_token }
let(:gl_repository) { "project-#{project.id}" }
let(:reference_counter) { double('ReferenceCounter') }
-
- let_it_be(:personal_snippet) { create(:personal_snippet, :repository, author: user) }
- let_it_be(:project_snippet) { create(:project_snippet, :repository, author: user, project: project) }
let(:snippet_changes) { "#{TestEnv::BRANCH_SHA['snippet/single-file']} #{TestEnv::BRANCH_SHA['snippet/edit-file']} refs/heads/snippet/edit-file" }
describe "GET /internal/check" do
diff --git a/spec/requests/api/project_snippets_spec.rb b/spec/requests/api/project_snippets_spec.rb
index 8e2aed76913..1af5d553bf0 100644
--- a/spec/requests/api/project_snippets_spec.rb
+++ b/spec/requests/api/project_snippets_spec.rb
@@ -164,6 +164,30 @@ describe API::ProjectSnippets do
end
end
+ context 'with an external user' do
+ let(:user) { create(:user, :external) }
+
+ context 'that belongs to the project' do
+ before do
+ project.add_developer(user)
+ end
+
+ it 'creates a new snippet' do
+ post api("/projects/#{project.id}/snippets/", user), params: params
+
+ expect(response).to have_gitlab_http_status(:created)
+ end
+ end
+
+ context 'that does not belong to the project' do
+ it 'does not create a new snippet' do
+ post api("/projects/#{project.id}/snippets/", user), params: params
+
+ expect(response).to have_gitlab_http_status(:forbidden)
+ end
+ end
+ end
+
context 'with a regular user' do
let(:user) { create(:user) }
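Review bot: The new 'does not create a new snippet' example under 'that does not belong to the project' asserts only the 403, so it would still pass if a record were persisted before the authorization failure; wrap the request as `expect { post api("/projects/#{project.id}/snippets/", user), params: params }.not_to change { ProjectSnippet.count }`, the same pattern this commit already uses with `Group.count` in groups_spec.rb. The identically named example added to snippets_spec.rb has the same gap, with `PersonalSnippet.count` as the counterpart. The describe block and the `params` let these contexts rely on are defined outside the hunk.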
diff --git a/spec/requests/api/repositories_spec.rb b/spec/requests/api/repositories_spec.rb
index 97dc3899d3f..b503c923037 100644
--- a/spec/requests/api/repositories_spec.rb
+++ b/spec/requests/api/repositories_spec.rb
@@ -275,6 +275,18 @@ describe API::Repositories do
expect(response).to have_gitlab_http_status(:too_many_requests)
end
+
+ context "when hotlinking detection is enabled" do
+ before do
+ Feature.enable(:repository_archive_hotlinking_interception)
+ end
+
+ it_behaves_like "hotlink interceptor" do
+ let(:http_request) do
+ get api(route, current_user), headers: headers
+ end
+ end
+ end
end
context 'when unauthenticated', 'and project is public' do
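Review bot: The new 'when hotlinking detection is enabled' context covers only the flag-on path; there is no sibling example asserting that the archive request is served normally when `repository_archive_hotlinking_interception` is disabled, so a regression that intercepts unconditionally would not be caught. Calling `Feature.enable` in a `before` block also persists the flag state beyond the example unless the suite resets it; if the `stub_feature_flags(repository_archive_hotlinking_interception: true)` helper is available in this suite it scopes the change to the example. The 'hotlink interceptor' shared example and the `route`/`headers` lets are defined outside the hunk.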
diff --git a/spec/requests/api/snippets_spec.rb b/spec/requests/api/snippets_spec.rb
index 865b0534cb0..caa9d9251d8 100644
--- a/spec/requests/api/snippets_spec.rb
+++ b/spec/requests/api/snippets_spec.rb
@@ -266,6 +266,16 @@ describe API::Snippets do
it_behaves_like 'snippet creation'
+ context 'with an external user' do
+ let(:user) { create(:user, :external) }
+
+ it 'does not create a new snippet' do
+ post api("/snippets/", user), params: params
+
+ expect(response).to have_gitlab_http_status(:forbidden)
+ end
+ end
+
it 'returns 400 for missing parameters' do
params.delete(:title)
diff --git a/spec/requests/api/triggers_spec.rb b/spec/requests/api/triggers_spec.rb
index bcc1c6bc4d4..19b01cb7913 100644
--- a/spec/requests/api/triggers_spec.rb
+++ b/spec/requests/api/triggers_spec.rb
@@ -238,24 +238,44 @@ describe API::Triggers do
end
describe 'PUT /projects/:id/triggers/:trigger_id' do
- context 'authenticated user with valid permissions' do
- let(:new_description) { 'new description' }
+ context 'user is maintainer of the project' do
+ context 'the trigger belongs to user' do
+ let(:new_description) { 'new description' }
- it 'updates description' do
- put api("/projects/#{project.id}/triggers/#{trigger.id}", user),
- params: { description: new_description }
+ it 'updates description' do
+ put api("/projects/#{project.id}/triggers/#{trigger.id}", user),
+ params: { description: new_description }
- expect(response).to have_gitlab_http_status(:ok)
- expect(json_response).to include('description' => new_description)
- expect(trigger.reload.description).to eq(new_description)
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(json_response).to include('description' => new_description)
+ expect(trigger.reload.description).to eq(new_description)
+ end
+ end
+
+ context 'the trigger does not belong to user' do
+ it 'does not update trigger' do
+ put api("/projects/#{project.id}/triggers/#{trigger2.id}", user)
+
+ expect(response).to have_gitlab_http_status(:forbidden)
+ end
end
end
- context 'authenticated user with invalid permissions' do
- it 'does not update trigger' do
- put api("/projects/#{project.id}/triggers/#{trigger.id}", user2)
+ context 'user is developer of the project' do
+ context 'the trigger belongs to user' do
+ it 'does not update trigger' do
+ put api("/projects/#{project.id}/triggers/#{trigger2.id}", user2)
- expect(response).to have_gitlab_http_status(:forbidden)
+ expect(response).to have_gitlab_http_status(:forbidden)
+ end
+ end
+
+ context 'the trigger does not belong to user' do
+ it 'does not update trigger' do
+ put api("/projects/#{project.id}/triggers/#{trigger.id}", user2)
+
+ expect(response).to have_gitlab_http_status(:forbidden)
+ end
end
end
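Review bot: The two 'does not update trigger' examples for the non-owning case (the PUT against `trigger2` under the maintainer context and against `trigger` under the developer context) send no `description` and assert only the status, so they would still pass if the description were modified before the 403 was returned; pass `params: { description: new_description }` and wrap the call as `expect { ... }.not_to change { trigger2.reload.description }` so each example checks what its name claims. That requires lifting `let(:new_description)` out of 'the trigger belongs to user' to the describe level, since it is currently scoped to that context only. `trigger`, `trigger2`, `user` and `user2` are defined outside the hunk.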