From fa2fec1d18330e4cd9803ff164db19e7367e3838 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Fri, 30 Oct 2020 15:16:56 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@13-5-stable-ee
---
.../file_uploads/multipart_invalid_uploads_spec.rb | 52 ++++++++++++++++++++++
1 file changed, 52 insertions(+)
create mode 100644 spec/features/file_uploads/multipart_invalid_uploads_spec.rb
(limited to 'spec/features')
diff --git a/spec/features/file_uploads/multipart_invalid_uploads_spec.rb b/spec/features/file_uploads/multipart_invalid_uploads_spec.rb
new file mode 100644
index 00000000000..e9e24c12af1
--- /dev/null
+++ b/spec/features/file_uploads/multipart_invalid_uploads_spec.rb
@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'Invalid uploads that must be rejected', :api, :js do
+ include_context 'file upload requests helpers'
+
+ let_it_be(:project) { create(:project) }
+ let_it_be(:user) { create(:user, :admin) }
+ let_it_be(:personal_access_token) { create(:personal_access_token, user: user) }
+
+ context 'invalid upload key', :capybara_ignore_server_errors do
+ let(:api_path) { "/projects/#{project.id}/packages/nuget/" }
+ let(:url) { capybara_url(api(api_path)) }
+ let(:file) { fixture_file_upload('spec/fixtures/dk.png') }
+
+ subject do
+ HTTParty.put(
+ url,
+ basic_auth: { user: user.username, password: personal_access_token.token },
+ body: body
+ )
+ end
+
+ RSpec.shared_examples 'rejecting invalid keys' do |key_name:, message: nil|
+ context "with invalid key #{key_name}" do
+ let(:body) { { key_name => file, 'package[test][name]' => 'test' } }
+
+ it { expect { subject }.not_to change { Packages::Package.nuget.count } }
+
+ it { expect(subject.code).to eq(500) }
+
+ it { expect(subject.body).to include(message.presence || "invalid field: \"#{key_name}\"") }
+ end
+ end
+
+ RSpec.shared_examples 'by rejecting uploads with an invalid key' do
+ it_behaves_like 'rejecting invalid keys', key_name: 'package[test'
+ it_behaves_like 'rejecting invalid keys', key_name: '[]'
+ it_behaves_like 'rejecting invalid keys', key_name: '[package]test'
+ it_behaves_like 'rejecting invalid keys', key_name: 'package][test]]'
+ it_behaves_like 'rejecting invalid keys', key_name: 'package[test[nested]]'
+ end
+
+ # These keys are rejected directly by rack itself.
+ # The request will not be received by multipart.rb (can't use the 'handling file uploads' shared example)
+ it_behaves_like 'rejecting invalid keys', key_name: 'x' * 11000, message: 'Puma caught this error: exceeded available parameter key space (RangeError)'
+ it_behaves_like 'rejecting invalid keys', key_name: 'package[]test', message: 'Puma caught this error: expected Hash (got Array)'
+
+ it_behaves_like 'handling file uploads', 'by rejecting uploads with an invalid key'
+ end
+end
-- cgit v1.2.1
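Review bot: The shared example `it { expect(subject.code).to eq(500) }`, together with the two rack-rejected cases that match Puma's literal error text, pins how the server stack happens to fail rather than the security property the spec is meant to guard — that a malformed multipart key never reaches the upload handler and `Packages::Package.nuget.count` does not change. A 500 for malformed client input also suggests the rejection is still an unhandled exception rather than a deliberate 4xx; if that is accepted for now, the intent should be recorded next to the shared example, e.g. `# 500 and the Puma/Rack message text are the current failure mode for malformed multipart keys, not a contract; tighten to a 4xx once the rejection is handled explicitly.` The `'x' * 11000` key presumably trips Rack's parameter key-space limit, whose threshold is a Rack default, so naming that limit in the comment on this line would keep the example from silently losing its purpose if the default moves. The `'Puma caught this error: ...'` matches will likewise break if the app server or its error wording changes, which is a maintenance cost worth noting where the messages are passed in.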