author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-09-29 15:57:02 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-09-29 15:57:02 +0300 |
commit | e0ab280b774e34fcfd6fd031616247714230ca68 (patch) | |
tree | 472ee2dcef05f242e1b861caa47a0a5179e92f4c /spec/controllers | |
parent | 60b56b48afb89ed1890409b6c425f16549c4d28b (diff) |
Add latest changes from gitlab-org/security/gitlab@14-3-stable-ee
Diffstat (limited to 'spec/controllers')
-rw-r--r-- | spec/controllers/admin/users_controller_spec.rb | 15 | ||||
-rw-r--r-- | spec/controllers/import/gitea_controller_spec.rb | 42 | ||||
-rw-r--r-- | spec/controllers/oauth/applications_controller_spec.rb | 63 |
3 files changed, 92 insertions, 28 deletions
diff --git a/spec/controllers/admin/users_controller_spec.rb b/spec/controllers/admin/users_controller_spec.rb
index 015c36c9335..e43ba6358f9 100644
--- a/spec/controllers/admin/users_controller_spec.rb
+++ b/spec/controllers/admin/users_controller_spec.rb
@@ -807,5 +807,20 @@ RSpec.describe Admin::UsersController do
 expect(response).to have_gitlab_http_status(:not_found)
 end
 end
+
+ context 'when impersonating an admin and attempting to impersonate again' do
+ let(:admin2) { create(:admin) }
+
+ before do
+ post :impersonate, params: { id: admin2.username }
+ end
+
+ it 'does not allow double impersonation', :aggregate_failures do
+ post :impersonate, params: { id: user.username }
+
+ expect(flash[:alert]).to eq(_('You are already impersonating another user'))
+ expect(warden.user).to eq(admin2)
+ end
+ end
 end
 end
diff --git a/spec/controllers/import/gitea_controller_spec.rb b/spec/controllers/import/gitea_controller_spec.rb
index 3e4b159271a..568712d29cb 100644
--- a/spec/controllers/import/gitea_controller_spec.rb
+++ b/spec/controllers/import/gitea_controller_spec.rb
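Review bot: The new example asserts the flash message and `warden.user` after the second `post :impersonate`, but nothing checks the HTTP response of that request, so a regression that raised or rendered an error page while leaving warden untouched would still pass. Add a status assertion beside the two existing ones, e.g. `expect(response).to have_gitlab_http_status(:found)` if the action redirects, using whichever status the action actually returns. The `user` in `params: { id: user.username }` is a `let` defined outside this hunk, and the enclosing `describe` block starts and ends outside it as well.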
@@ -54,6 +54,48 @@ RSpec.describe Import::GiteaController do
 end
 end
 end
+
+ context 'when DNS Rebinding protection is enabled' do
+ let(:token) { 'gitea token' }
+
+ let(:ip_uri) { 'http://167.99.148.217' }
+ let(:uri) { 'try.gitea.io' }
+ let(:https_uri) { "https://#{uri}" }
+ let(:http_uri) { "http://#{uri}" }
+
+ before do
+ session[:gitea_access_token] = token
+
+ allow(Gitlab::UrlBlocker).to receive(:validate!).with(https_uri, anything).and_return([Addressable::URI.parse(https_uri), uri])
+ allow(Gitlab::UrlBlocker).to receive(:validate!).with(http_uri, anything).and_return([Addressable::URI.parse(ip_uri), uri])
+
+ allow(Gitlab::LegacyGithubImport::Client).to receive(:new).and_return(double('Gitlab::LegacyGithubImport::Client', repos: [], orgs: []))
+ end
+
+ context 'when provided host url is using https' do
+ let(:host_url) { https_uri }
+
+ it 'uses unchanged host url to send request to Gitea' do
+ expect(Gitlab::LegacyGithubImport::Client).to receive(:new).with(token, host: https_uri, api_version: 'v1', hostname: 'try.gitea.io')
+
+ get :status, format: :json
+
+ expect(response).to have_gitlab_http_status(:ok)
+ end
+ end
+
+ context 'when provided host url is using http' do
+ let(:host_url) { http_uri }
+
+ it 'uses changed host url to send request to Gitea' do
+ expect(Gitlab::LegacyGithubImport::Client).to receive(:new).with(token, host: 'http://167.99.148.217', api_version: 'v1', hostname: 'try.gitea.io')
+
+ get :status, format: :json
+
+ expect(response).to have_gitlab_http_status(:ok)
+ end
+ end
+ end
 end
 end
diff --git a/spec/controllers/oauth/applications_controller_spec.rb b/spec/controllers/oauth/applications_controller_spec.rb
index f21ef324884..5bf3b4c48bf 100644
--- a/spec/controllers/oauth/applications_controller_spec.rb
+++ b/spec/controllers/oauth/applications_controller_spec.rb
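Review bot: Both new examples exercise only the allow path of `Gitlab::UrlBlocker.validate!`; there is no example for the case the protection exists for, where `validate!` raises for a host resolving to a blocked address, so the controller's response to a rejected import host and the fact that `Gitlab::LegacyGithubImport::Client.new` must not be reached go untested. A third context stubbing `validate!` to raise the blocker's error (`Gitlab::UrlBlocker::BlockedUrlError`, or whichever error the method raises in this version) and asserting `expect(Gitlab::LegacyGithubImport::Client).not_to receive(:new)` plus the expected status would close that gap. The context is named 'when DNS Rebinding protection is enabled' but nothing in the hunk enables anything; if that behaviour is governed by an application setting, stub it explicitly so the name stays truthful. In the `http` example, `host: 'http://167.99.148.217'` and `hostname: 'try.gitea.io'` repeat values already held by `ip_uri` and `uri`; `host: ip_uri, api_version: 'v1', hostname: uri` keeps the expectation tied to the `let`s. The enclosing `describe` block starts and ends outside the hunk.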
@@ -98,6 +98,19 @@ RSpec.describe Oauth::ApplicationsController do
 end
 describe 'POST #create' do
+ let(:oauth_params) do
+ {
+ doorkeeper_application: {
+ name: 'foo',
+ redirect_uri: redirect_uri,
+ scopes: scopes
+ }
+ }
+ end
+
+ let(:redirect_uri) { 'http://example.org' }
+ let(:scopes) { ['api'] }
+
 subject { post :create, params: oauth_params }
 it 'creates an application' do
@@ -116,38 +129,42 @@ RSpec.describe Oauth::ApplicationsController do
 expect(response).to redirect_to(profile_path)
 end
- context 'redirect_uri' do
+ context 'when redirect_uri is invalid' do
+ let(:redirect_uri) { 'javascript://alert()' }
+
 render_views
 it 'shows an error for a forbidden URI' do
- invalid_uri_params = {
- doorkeeper_application: {
- name: 'foo',
- redirect_uri: 'javascript://alert()',
- scopes: ['api']
- }
- }
-
- post :create, params: invalid_uri_params
+ subject
 expect(response.body).to include 'Redirect URI is forbidden by the server'
+ expect(response).to render_template('doorkeeper/applications/index')
 end
 end
 context 'when scopes are not present' do
+ let(:scopes) { [] }
+
 render_views
 it 'shows an error for blank scopes' do
- invalid_uri_params = {
- doorkeeper_application: {
- name: 'foo',
- redirect_uri: 'http://example.org'
- }
- }
-
- post :create, params: invalid_uri_params
+ subject
 expect(response.body).to include 'Scopes can't be blank'
+ expect(response).to render_template('doorkeeper/applications/index')
+ end
+ end
+
+ context 'when scopes are invalid' do
+ let(:scopes) { %w(api foo) }
+
+ render_views
+
+ it 'shows an error for invalid scopes' do
+ subject
+
+ expect(response.body).to include 'Scopes doesn't match configured on the server.'
+ expect(response).to render_template('doorkeeper/applications/index')
 end
 end
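Review bot: The three error examples in the second hunk (`@@ -116,38`) assert only the rendered message and template; none checks that the rejected request left no record behind, which is the property the `javascript://alert()` redirect URI and the `%w(api foo)` scopes are meant to exercise. Wrapping the call as `expect { subject }.not_to change(Doorkeeper::Application, :count)` in each of the three examples pins that down independently of the view copy. The matched strings are Doorkeeper and template copy, so a wording change there would fail these specs with no behaviour change, and as rendered here `'Scopes can't be blank'` and `'Scopes doesn't match configured on the server.'` hold an unescaped apostrophe inside single quotes; if that is not a rendering artifact of this page, those lines will not parse and should use double quotes. The `describe 'POST #create'` block these contexts belong to starts in the first hunk and ends outside the second.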
@@ -185,14 +202,4 @@ RSpec.describe Oauth::ApplicationsController do
 def disable_user_oauth
 allow(Gitlab::CurrentSettings.current_application_settings).to receive(:user_oauth_applications?).and_return(false)
 end
-
- def oauth_params
- {
- doorkeeper_application: {
- name: 'foo',
- redirect_uri: 'http://example.org',
- scopes: ['api']
- }
- }
- end
 end |