From 1153e17b2d34c50834251038269ac11f18219bdf Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Thu, 31 Mar 2022 00:00:32 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@14-9-stable-ee

---
 spec/models/integrations/asana_spec.rb | 36 ++++++++++++++++++++++++---
 spec/models/ssh_host_key_spec.rb       | 45 +++++++++++++++++++++++++++++++++-
 2 files changed, 77 insertions(+), 4 deletions(-)

(limited to 'spec/models')

diff --git a/spec/models/integrations/asana_spec.rb b/spec/models/integrations/asana_spec.rb
index b6602964182..43e876a4f47 100644
--- a/spec/models/integrations/asana_spec.rb
+++ b/spec/models/integrations/asana_spec.rb
@@ -20,11 +20,13 @@ RSpec.describe Integrations::Asana do
     let(:gid) { "123456789ABCD" }
     let(:asana_task) { double(::Asana::Resources::Task) }
     let(:asana_integration) { described_class.new }
+    let(:ref) { 'main' }
+    let(:restrict_to_branch) { nil }
 
     let(:data) do
       {
         object_kind: 'push',
-        ref: 'master',
+        ref: ref,
         user_name: user.name,
         commits: [
           {
@@ -40,16 +42,44 @@ RSpec.describe Integrations::Asana do
         project: project,
         project_id: project.id,
         api_key: 'verySecret',
-        restrict_to_branch: 'master'
+        restrict_to_branch: restrict_to_branch
       )
     end
 
     subject(:execute_integration) { asana_integration.execute(data) }
 
+    context 'with restrict_to_branch' do
+      let(:restrict_to_branch) { 'feature-branch, main' }
+      let(:message) { 'fix #456789' }
+
+      context 'when ref is in scope of restriced branches' do
+        let(:ref) { 'main' }
+
+        it 'calls the Asana integration' do
+          expect(asana_task).to receive(:add_comment)
+          expect(asana_task).to receive(:update).with(completed: true)
+          expect(::Asana::Resources::Task).to receive(:find_by_id).with(anything, '456789').once.and_return(asana_task)
+
+          execute_integration
+        end
+      end
+
+      context 'when ref is not in scope of restricted branches' do
+        let(:ref) { 'mai' }
+
+        it 'does not call the Asana integration' do
+          expect(asana_task).not_to receive(:add_comment)
+          expect(::Asana::Resources::Task).not_to receive(:find_by_id)
+
+          execute_integration
+        end
+      end
+    end
+
     context 'when creating a story' do
       let(:message) { "Message from commit. related to ##{gid}" }
       let(:expected_message) do
-        "#{user.name} pushed to branch master of #{project.full_name} ( https://gitlab.com/ ): #{message}"
+        "#{user.name} pushed to branch main of #{project.full_name} ( https://gitlab.com/ ): #{message}"
       end
 
       it 'calls Asana integration to create a story' do
diff --git a/spec/models/ssh_host_key_spec.rb b/spec/models/ssh_host_key_spec.rb
index 4d729d5585f..4b756846598 100644
--- a/spec/models/ssh_host_key_spec.rb
+++ b/spec/models/ssh_host_key_spec.rb
@@ -4,7 +4,9 @@ require 'spec_helper'
 
 RSpec.describe SshHostKey do
   using RSpec::Parameterized::TableSyntax
+
   include ReactiveCachingHelpers
+  include StubRequests
 
   let(:key1) do
     'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3UpyF2iLqy1d63M6k3jH1vuEnq/NWtE+o' \
@@ -35,6 +37,7 @@ RSpec.describe SshHostKey do
   let(:extra) { known_hosts + "foo\nbar\n" }
   let(:reversed) { known_hosts.lines.reverse.join }
 
+  let(:url) { 'ssh://example.com:2222' }
   let(:compare_host_keys) { nil }
 
   def stub_ssh_keyscan(args, status: true, stdout: "", stderr: "")
@@ -50,7 +53,7 @@ RSpec.describe SshHostKey do
 
   let(:project) { build(:project) }
 
-  subject(:ssh_host_key) { described_class.new(project: project, url: 'ssh://example.com:2222', compare_host_keys: compare_host_keys) }
+  subject(:ssh_host_key) { described_class.new(project: project, url: url, compare_host_keys: compare_host_keys) }
 
   describe '.primary_key' do
     it 'returns a symbol' do
@@ -191,5 +194,45 @@ RSpec.describe SshHostKey do
         is_expected.to eq(error: 'Failed to detect SSH host keys')
       end
     end
+
+    context 'DNS rebinding protection enabled' do
+      before do
+        stub_application_setting(dns_rebinding_protection_enabled: true)
+      end
+
+      it 'sends an address as well as hostname to ssh-keyscan' do
+        stub_dns(url, ip_address: '1.2.3.4')
+
+        stdin = stub_ssh_keyscan(%w[-T 5 -p 2222 -f-])
+
+        cache
+
+        expect(stdin.string).to eq("1.2.3.4 example.com\n")
+      end
+    end
+  end
+
+  describe 'URL validation' do
+    let(:url) { 'ssh://127.0.0.1' }
+
+    context 'when local requests are not allowed' do
+      before do
+        stub_application_setting(allow_local_requests_from_web_hooks_and_services: false)
+      end
+
+      it 'forbids scanning localhost' do
+        expect { ssh_host_key }.to raise_error(/Invalid URL/)
+      end
+    end
+
+    context 'when local requests are allowed' do
+      before do
+        stub_application_setting(allow_local_requests_from_web_hooks_and_services: true)
+      end
+
+      it 'permits scanning localhost' do
+        expect(ssh_host_key.url.to_s).to eq('ssh://127.0.0.1:22')
+      end
+    end
   end
 end
-- 
cgit v1.2.1