Add latest changes from gitlab-org/security/gitlab@14-1-stable-ee

2 files changed, 86 insertions, 47 deletions

diff --git a/spec/controllers/invites_controller_spec.rb b/spec/controllers/invites_controller_spec.rb
index 0d9cde88eca..fd7631edbbb 100644
--- a/spec/controllers/invites_controller_spec.rb
+++ b/spec/controllers/invites_controller_spec.rb
@@ -25,9 +25,64 @@ RSpec.describe InvitesController do
     end
   end
 
+  shared_examples 'invite email match enforcement' do |error_status:, flash_alert: nil|
+    it 'accepts user if invite email matches signed in user' do
+      expect do
+        request
+      end.to change { project_members.include?(user) }.from(false).to(true)
+
+      expect(response).to have_gitlab_http_status(:found)
+      expect(flash[:notice]).to include 'You have been granted'
+    end
+
+    it 'accepts invite if invite email matches confirmed secondary email' do
+      secondary_email = create(:email, :confirmed, user: user)
+      member.update!(invite_email: secondary_email.email)
+
+      expect do
+        request
+      end.to change { project_members.include?(user) }.from(false).to(true)
+
+      expect(response).to have_gitlab_http_status(:found)
+      expect(flash[:notice]).to include 'You have been granted'
+    end
+
+    it 'does not accept if invite email matches unconfirmed secondary email' do
+      secondary_email = create(:email, user: user)
+      member.update!(invite_email: secondary_email.email)
+
+      expect do
+        request
+      end.not_to change { project_members.include?(user) }
+
+      expect(response).to have_gitlab_http_status(error_status)
+      expect(flash[:alert]).to eq(flash_alert)
+    end
+
+    it 'does not accept if invite email does not match signed in user' do
+      member.update!(invite_email: 'bogus@email.com')
+
+      expect do
+        request
+      end.not_to change { project_members.include?(user) }
+
+      expect(response).to have_gitlab_http_status(error_status)
+      expect(flash[:alert]).to eq(flash_alert)
+    end
+  end
+
   describe 'GET #show' do
     subject(:request) { get :show, params: params }
 
+    context 'when logged in' do
+      before do
+        sign_in(user)
+      end
+
+      it_behaves_like 'invite email match enforcement', error_status: :ok
+      it_behaves_like 'invalid token'
+    end
+
     context 'when it is part of our invite email experiment' do
       let(:extra_params) { { invite_type: 'initial_email' } }
 
@@ -59,34 +114,6 @@ RSpec.describe InvitesController do
       end
     end
 
-    context 'when logged in' do
-      before do
-        sign_in(user)
-      end
-
-      it 'accepts user if invite email matches signed in user' do
-        expect do
-          request
-        end.to change { project_members.include?(user) }.from(false).to(true)
-
-        expect(response).to have_gitlab_http_status(:found)
-        expect(flash[:notice]).to include 'You have been granted'
-      end
-
-      it 'forces re-confirmation if email does not match signed in user' do
-        member.update!(invite_email: 'bogus@email.com')
-
-        expect do
-          request
-        end.not_to change { project_members.include?(user) }
-
-        expect(response).to have_gitlab_http_status(:ok)
-        expect(flash[:notice]).to be_nil
-      end
-
-      it_behaves_like 'invalid token'
-    end
-
     context 'when not logged in' do
       context 'when invite token belongs to a valid member' do
         context 'when instance allows sign up' do
@@ -213,6 +240,7 @@ RSpec.describe InvitesController do
 
     subject(:request) { post :accept, params: params }
 
+    it_behaves_like 'invite email match enforcement', error_status: :redirect, flash_alert: 'The invitation could not be accepted.'
     it_behaves_like 'invalid token'
   end
 
diff --git a/spec/controllers/projects/pipelines_controller_spec.rb b/spec/controllers/projects/pipelines_controller_spec.rb
index 2379ff9fd98..65a563fac7c 100644
--- a/spec/controllers/projects/pipelines_controller_spec.rb
+++ b/spec/controllers/projects/pipelines_controller_spec.rb
@@ -302,35 +302,46 @@ RSpec.describe Projects::PipelinesController do
   end
 
   describe 'GET #show' do
-    render_views
-
-    let_it_be(:pipeline) { create(:ci_pipeline, project: project) }
-
-    subject { get_pipeline_html }
-
     def get_pipeline_html
       get :show, params: { namespace_id: project.namespace, project_id: project, id: pipeline }, format: :html
     end
 
-    def create_build_with_artifacts(stage, stage_idx, name)
-      create(:ci_build, :artifacts, :tags, pipeline: pipeline, stage: stage, stage_idx: stage_idx, name: name)
-    end
+    context 'when the project is public' do
+      render_views
 
-    before do
-      create_build_with_artifacts('build', 0, 'job1')
-      create_build_with_artifacts('build', 0, 'job2')
+      let_it_be(:pipeline) { create(:ci_pipeline, project: project) }
+
+      def create_build_with_artifacts(stage, stage_idx, name)
+        create(:ci_build, :artifacts, :tags, pipeline: pipeline, stage: stage, stage_idx: stage_idx, name: name)
+      end
+
+      before do
+        create_build_with_artifacts('build', 0, 'job1')
+        create_build_with_artifacts('build', 0, 'job2')
+      end
+
+      it 'avoids N+1 database queries', :request_store do
+        control_count = ActiveRecord::QueryRecorder.new { get_pipeline_html }.count
+        expect(response).to have_gitlab_http_status(:ok)
+
+        create_build_with_artifacts('build', 0, 'job3')
+
+        expect { get_pipeline_html }.not_to exceed_query_limit(control_count)
+        expect(response).to have_gitlab_http_status(:ok)
+      end
     end
 
-    it 'avoids N+1 database queries', :request_store do
-      get_pipeline_html
+    context 'when the project is private' do
+      let(:project) { create(:project, :private, :repository) }
+      let(:pipeline) { create(:ci_pipeline, project: project) }
 
-      control_count = ActiveRecord::QueryRecorder.new { get_pipeline_html }.count
-      expect(response).to have_gitlab_http_status(:ok)
+      it 'returns `not_found` when the user does not have access' do
+        sign_in(create(:user))
 
-      create_build_with_artifacts('build', 0, 'job3')
+        get_pipeline_html
 
-      expect { get_pipeline_html }.not_to exceed_query_limit(control_count)
-      expect(response).to have_gitlab_http_status(:ok)
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
     end
   end