Add latest changes from gitlab-org/security/gitlab@14-7-stable-ee

2 files changed, 69 insertions, 0 deletions

diff --git a/spec/features/issues/notes_on_issues_spec.rb b/spec/features/issues/notes_on_issues_spec.rb
index be85d73d777..4e98062e8b2 100644
--- a/spec/features/issues/notes_on_issues_spec.rb
+++ b/spec/features/issues/notes_on_issues_spec.rb
@@ -91,4 +91,62 @@ RSpec.describe 'Create notes on issues', :js do
 
     expect(page).to have_selector '.gfm-project_member.current-user', text: user.username
   end
+
+  shared_examples "when reference belongs to a private project" do
+    let(:project) { create(:project, :private, :repository) }
+    let(:issue) { create(:issue, project: project) }
+
+    before do
+      sign_in(user)
+    end
+
+    context 'when the user does not have permission to see the reference' do
+      before do
+        project.add_guest(user)
+      end
+
+      it 'does not show the user the reference' do
+        visit project_issue_path(project, issue)
+
+        expect(page).not_to have_content('closed via')
+      end
+    end
+
+    context 'when the user has permission to see the reference' do
+      before do
+        project.add_developer(user)
+      end
+
+      it 'shows the user the reference' do
+        visit project_issue_path(project, issue)
+
+        page.within('div#notes li.note .system-note-message') do
+          expect(page).to have_content('closed via')
+          expect(page.find('a')).to have_content(reference_content)
+        end
+      end
+    end
+  end
+
+  context 'when the issue is closed via a merge request' do
+    it_behaves_like "when reference belongs to a private project" do
+      let(:reference) { create(:merge_request, source_project: project) }
+      let(:reference_content) { reference.to_reference }
+
+      before do
+        create(:resource_state_event, issue: issue, state: :closed, created_at: '2020-02-05', source_merge_request: reference)
+      end
+    end
+  end
+
+  context 'when the issue is closed via a commit' do
+    it_behaves_like "when reference belongs to a private project" do
+      let(:reference) { create(:commit, project: project) }
+      let(:reference_content) { reference.short_sha }
+
+      before do
+        create(:resource_state_event, issue: issue, state: :closed, created_at: '2020-02-05', source_commit: reference.id)
+      end
+    end
+  end
 end
diff --git a/spec/features/protected_branches_spec.rb b/spec/features/protected_branches_spec.rb
index 4278efc5a8f..389a51a10e0 100644
--- a/spec/features/protected_branches_spec.rb
+++ b/spec/features/protected_branches_spec.rb
@@ -38,6 +38,17 @@ RSpec.describe 'Protected Branches', :js do
       sign_in(user)
     end
 
+    it 'allows to create a protected branch with name containing HTML tags' do
+      visit project_protected_branches_path(project)
+      set_defaults
+      set_protected_branch_name('foo<b>bar<\b>')
+      click_on "Protect"
+
+      within(".protected-branches-list") { expect(page).to have_content('foo<b>bar<\b>') }
+      expect(ProtectedBranch.count).to eq(1)
+      expect(ProtectedBranch.last.name).to eq('foo<b>bar<\b>')
+    end
+
     describe 'Delete protected branch' do
       before do
         create(:protected_branch, project: project, name: 'fix')