From aa5a29806f359945ec3483906a4e40ec71362a61 Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Wed, 30 Jun 2021 11:44:06 +0000 Subject: Add latest changes from gitlab-org/security/gitlab@14-0-stable-ee --- spec/frontend/behaviors/copy_as_gfm_spec.js | 48 ++++++----- spec/requests/ide_controller_spec.rb | 119 +++++++++++++++------------- 2 files changed, 91 insertions(+), 76 deletions(-) (limited to 'spec') diff --git a/spec/frontend/behaviors/copy_as_gfm_spec.js b/spec/frontend/behaviors/copy_as_gfm_spec.js index acff990e84a..557b609f5f9 100644 --- a/spec/frontend/behaviors/copy_as_gfm_spec.js +++ b/spec/frontend/behaviors/copy_as_gfm_spec.js @@ -1,50 +1,54 @@ import initCopyAsGFM, { CopyAsGFM } from '~/behaviors/markdown/copy_as_gfm'; -import * as commonUtils from '~/lib/utils/common_utils'; describe('CopyAsGFM', () => { describe('CopyAsGFM.pasteGFM', () => { - function callPasteGFM() { + let target; + + beforeEach(() => { + target = document.createElement('input'); + target.value = 'This is code: '; + }); + + // When GFM code is copied, we put the regular plain text + // on the clipboard as `text/plain`, and the GFM as `text/x-gfm`. + // This emulates the behavior of `getData` with that data. + function callPasteGFM(data = { 'text/plain': 'code', 'text/x-gfm': '`code`' }) { const e = { originalEvent: { clipboardData: { getData(mimeType) { - // When GFM code is copied, we put the regular plain text - // on the clipboard as `text/plain`, and the GFM as `text/x-gfm`. - // This emulates the behavior of `getData` with that data. - if (mimeType === 'text/plain') { - return 'code'; - } - if (mimeType === 'text/x-gfm') { - return '`code`'; - } - return null; + return data[mimeType] || null; }, }, }, preventDefault() {}, + target, }; CopyAsGFM.pasteGFM(e); } it('wraps pasted code when not already in code tags', () => { - jest.spyOn(commonUtils, 'insertText').mockImplementation((el, textFunc) => { - const insertedText = textFunc('This is code: ', ''); + callPasteGFM(); - expect(insertedText).toEqual('`code`'); - }); + expect(target.value).toBe('This is code: `code`'); + }); + + it('does not wrap pasted code when already in code tags', () => { + target.value = 'This is code: `'; callPasteGFM(); + + expect(target.value).toBe('This is code: `code'); }); - it('does not wrap pasted code when already in code tags', () => { - jest.spyOn(commonUtils, 'insertText').mockImplementation((el, textFunc) => { - const insertedText = textFunc('This is code: `', '`'); + it('does not allow xss in x-gfm-html', () => { + const testEl = document.createElement('div'); + jest.spyOn(document, 'createElement').mockReturnValueOnce(testEl); - expect(insertedText).toEqual('code'); - }); + callPasteGFM({ 'text/plain': 'code', 'text/x-gfm-html': 'code' }); - callPasteGFM(); + expect(testEl.innerHTML).toBe('code'); }); }); diff --git a/spec/requests/ide_controller_spec.rb b/spec/requests/ide_controller_spec.rb index 9b0d8dcd828..4bf1e43ba40 100644 --- a/spec/requests/ide_controller_spec.rb +++ b/spec/requests/ide_controller_spec.rb @@ -3,7 +3,14 @@ require 'spec_helper' RSpec.describe IdeController do - let_it_be(:project) { create(:project, :public) } + let_it_be(:reporter) { create(:user) } + + let_it_be(:project) do + create(:project, :private).tap do |p| + p.add_reporter(reporter) + end + end + let_it_be(:creator) { project.creator } let_it_be(:other_user) { create(:user) } @@ -14,48 +21,62 @@ RSpec.describe IdeController do sign_in(user) end - it 'increases the views counter' do - expect(Gitlab::UsageDataCounters::WebIdeCounter).to receive(:increment_views_count) - - get ide_url - end - describe '#index', :aggregate_failures do subject { get route } - shared_examples 'user cannot push code' do - include ProjectForksHelper - - let(:user) { other_user } + shared_examples 'user access rights check' do + context 'user can read project' do + it 'increases the views counter' do + expect(Gitlab::UsageDataCounters::WebIdeCounter).to receive(:increment_views_count) - context 'when user does not have fork' do - it 'instantiates fork_info instance var with fork_path and return 200' do subject - - expect(response).to have_gitlab_http_status(:ok) - expect(assigns(:project)).to eq project - expect(assigns(:fork_info)).to eq({ fork_path: controller.helpers.ide_fork_and_edit_path(project, branch, '', with_notice: false) }) end - it 'has nil fork_info if user cannot fork' do - project.project_feature.update!(forking_access_level: ProjectFeature::DISABLED) + context 'user can read project but cannot push code' do + include ProjectForksHelper - subject + let(:user) { reporter } - expect(response).to have_gitlab_http_status(:ok) - expect(assigns(:fork_info)).to be_nil + context 'when user does not have fork' do + it 'instantiates fork_info instance var with fork_path and returns 200' do + subject + + expect(response).to have_gitlab_http_status(:ok) + expect(assigns(:project)).to eq project + expect(assigns(:fork_info)).to eq({ fork_path: controller.helpers.ide_fork_and_edit_path(project, branch, '', with_notice: false) }) + end + + it 'has nil fork_info if user cannot fork' do + project.project_feature.update!(forking_access_level: ProjectFeature::DISABLED) + + subject + + expect(response).to have_gitlab_http_status(:ok) + expect(assigns(:fork_info)).to be_nil + end + end + + context 'when user has fork' do + let!(:fork) { fork_project(project, user, repository: true, namespace: user.namespace) } + + it 'instantiates fork_info instance var with ide_path and returns 200' do + subject + + expect(response).to have_gitlab_http_status(:ok) + expect(assigns(:project)).to eq project + expect(assigns(:fork_info)).to eq({ ide_path: controller.helpers.ide_edit_path(fork, branch, '') }) + end + end end end - context 'when user has fork' do - let!(:fork) { fork_project(project, user, repository: true, namespace: user.namespace) } + context 'user cannot read project' do + let(:user) { other_user } - it 'instantiates fork_info instance var with ide_path and return 200' do + it 'returns 404' do subject - expect(response).to have_gitlab_http_status(:ok) - expect(assigns(:project)).to eq project - expect(assigns(:fork_info)).to eq({ ide_path: controller.helpers.ide_edit_path(fork, branch, '') }) + expect(response).to have_gitlab_http_status(:not_found) end end end @@ -63,37 +84,27 @@ RSpec.describe IdeController do context '/-/ide' do let(:route) { '/-/ide' } - it 'does not instantiate any instance var and return 200' do + it 'returns 404' do subject - expect(response).to have_gitlab_http_status(:ok) - expect(assigns(:project)).to be_nil - expect(assigns(:branch)).to be_nil - expect(assigns(:path)).to be_nil - expect(assigns(:merge_request)).to be_nil - expect(assigns(:fork_info)).to be_nil + expect(response).to have_gitlab_http_status(:not_found) end end context '/-/ide/project' do let(:route) { '/-/ide/project' } - it 'does not instantiate any instance var and return 200' do + it 'returns 404' do subject - expect(response).to have_gitlab_http_status(:ok) - expect(assigns(:project)).to be_nil - expect(assigns(:branch)).to be_nil - expect(assigns(:path)).to be_nil - expect(assigns(:merge_request)).to be_nil - expect(assigns(:fork_info)).to be_nil + expect(response).to have_gitlab_http_status(:not_found) end end context '/-/ide/project/:project' do let(:route) { "/-/ide/project/#{project.full_path}" } - it 'instantiates project instance var and return 200' do + it 'instantiates project instance var and returns 200' do subject expect(response).to have_gitlab_http_status(:ok) @@ -104,13 +115,13 @@ RSpec.describe IdeController do expect(assigns(:fork_info)).to be_nil end - it_behaves_like 'user cannot push code' + it_behaves_like 'user access rights check' %w(edit blob tree).each do |action| context "/-/ide/project/:project/#{action}" do let(:route) { "/-/ide/project/#{project.full_path}/#{action}" } - it 'instantiates project instance var and return 200' do + it 'instantiates project instance var and returns 200' do subject expect(response).to have_gitlab_http_status(:ok) @@ -121,13 +132,13 @@ RSpec.describe IdeController do expect(assigns(:fork_info)).to be_nil end - it_behaves_like 'user cannot push code' + it_behaves_like 'user access rights check' context "/-/ide/project/:project/#{action}/:branch" do let(:branch) { 'master' } let(:route) { "/-/ide/project/#{project.full_path}/#{action}/#{branch}" } - it 'instantiates project and branch instance vars and return 200' do + it 'instantiates project and branch instance vars and returns 200' do subject expect(response).to have_gitlab_http_status(:ok) @@ -138,13 +149,13 @@ RSpec.describe IdeController do expect(assigns(:fork_info)).to be_nil end - it_behaves_like 'user cannot push code' + it_behaves_like 'user access rights check' context "/-/ide/project/:project/#{action}/:branch/-" do let(:branch) { 'branch/slash' } let(:route) { "/-/ide/project/#{project.full_path}/#{action}/#{branch}/-" } - it 'instantiates project and branch instance vars and return 200' do + it 'instantiates project and branch instance vars and returns 200' do subject expect(response).to have_gitlab_http_status(:ok) @@ -155,13 +166,13 @@ RSpec.describe IdeController do expect(assigns(:fork_info)).to be_nil end - it_behaves_like 'user cannot push code' + it_behaves_like 'user access rights check' context "/-/ide/project/:project/#{action}/:branch/-/:path" do let(:branch) { 'master' } let(:route) { "/-/ide/project/#{project.full_path}/#{action}/#{branch}/-/foo/.bar" } - it 'instantiates project, branch, and path instance vars and return 200' do + it 'instantiates project, branch, and path instance vars and returns 200' do subject expect(response).to have_gitlab_http_status(:ok) @@ -172,7 +183,7 @@ RSpec.describe IdeController do expect(assigns(:fork_info)).to be_nil end - it_behaves_like 'user cannot push code' + it_behaves_like 'user access rights check' end end end @@ -184,7 +195,7 @@ RSpec.describe IdeController do let(:route) { "/-/ide/project/#{project.full_path}/merge_requests/#{merge_request.id}" } - it 'instantiates project and merge_request instance vars and return 200' do + it 'instantiates project and merge_request instance vars and returns 200' do subject expect(response).to have_gitlab_http_status(:ok) @@ -195,7 +206,7 @@ RSpec.describe IdeController do expect(assigns(:fork_info)).to be_nil end - it_behaves_like 'user cannot push code' + it_behaves_like 'user access rights check' end end end -- cgit v1.2.1