authorGitLab Bot <gitlab-bot@gitlab.com>2020-11-19 11:27:35 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2020-11-19 11:27:35 +0300
commit7e9c479f7de77702622631cff2628a9c8dcbc627 (patch)
treec8f718a08e110ad7e1894510980d2155a6549197 /spec/lib/gitlab/url_blockers
parente852b0ae16db4052c1c567d9efa4facc81146e88 (diff)
Add latest changes from gitlab-org/gitlab@13-6-stable-eev13.6.0-rc42
Diffstat (limited to 'spec/lib/gitlab/url_blockers')
-rw-r--r--spec/lib/gitlab/url_blockers/domain_allowlist_entry_spec.rb58
-rw-r--r--spec/lib/gitlab/url_blockers/domain_whitelist_entry_spec.rb58
-rw-r--r--spec/lib/gitlab/url_blockers/ip_allowlist_entry_spec.rb75
-rw-r--r--spec/lib/gitlab/url_blockers/ip_whitelist_entry_spec.rb75
-rw-r--r--spec/lib/gitlab/url_blockers/url_allowlist_spec.rb164
-rw-r--r--spec/lib/gitlab/url_blockers/url_whitelist_spec.rb164
6 files changed, 297 insertions, 297 deletions
diff --git a/spec/lib/gitlab/url_blockers/domain_allowlist_entry_spec.rb b/spec/lib/gitlab/url_blockers/domain_allowlist_entry_spec.rb
new file mode 100644
index 00000000000..ece0a018d53
--- /dev/null
+++ b/spec/lib/gitlab/url_blockers/domain_allowlist_entry_spec.rb
@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::UrlBlockers::DomainAllowlistEntry do
+ let(:domain) { 'www.example.com' }
+
+ describe '#initialize' do
+ it 'initializes without port' do
+ domain_allowlist_entry = described_class.new(domain)
+
+ expect(domain_allowlist_entry.domain).to eq(domain)
+ expect(domain_allowlist_entry.port).to be(nil)
+ end
+
+ it 'initializes with port' do
+ port = 8080
+ domain_allowlist_entry = described_class.new(domain, port: port)
+
+ expect(domain_allowlist_entry.domain).to eq(domain)
+ expect(domain_allowlist_entry.port).to eq(port)
+ end
+ end
+
+ describe '#match?' do
+ it 'matches when domain and port are equal' do
+ port = 8080
+ domain_allowlist_entry = described_class.new(domain, port: port)
+
+ expect(domain_allowlist_entry).to be_match(domain, port)
+ end
+
+ it 'matches any port when port is nil' do
+ domain_allowlist_entry = described_class.new(domain)
+
+ expect(domain_allowlist_entry).to be_match(domain, 8080)
+ expect(domain_allowlist_entry).to be_match(domain, 9090)
+ end
+
+ it 'does not match when port is present but requested_port is nil' do
+ domain_allowlist_entry = described_class.new(domain, port: 8080)
+
+ expect(domain_allowlist_entry).not_to be_match(domain, nil)
+ end
+
+ it 'matches when port and requested_port are nil' do
+ domain_allowlist_entry = described_class.new(domain)
+
+ expect(domain_allowlist_entry).to be_match(domain)
+ end
+
+ it 'does not match if domain is not equal' do
+ domain_allowlist_entry = described_class.new(domain)
+
+ expect(domain_allowlist_entry).not_to be_match('www.gitlab.com', 8080)
+ end
+ end
+end
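Review bot: The only negative domain case in `#match?` ('does not match if domain is not equal') uses `www.gitlab.com`, which shares nothing with the allowed host, so a regression from exact comparison to prefix or suffix matching would still pass. Judging by the setting name stubbed in url_allowlist_spec.rb, this entry appears to feed the outbound local-request allowlist, so near-miss hosts are worth pinning in that example: `expect(domain_allowlist_entry).not_to be_match("sub.#{domain}", 8080)` and `expect(domain_allowlist_entry).not_to be_match("#{domain}.example.org", 8080)`. A mismatched non-nil port (entry on 8080, request on 9090) is also not exercised here or in ip_allowlist_entry_spec.rb.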
diff --git a/spec/lib/gitlab/url_blockers/domain_whitelist_entry_spec.rb b/spec/lib/gitlab/url_blockers/domain_whitelist_entry_spec.rb
deleted file mode 100644
index 58bae109146..00000000000
--- a/spec/lib/gitlab/url_blockers/domain_whitelist_entry_spec.rb
+++ /dev/null
@@ -1,58 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-RSpec.describe Gitlab::UrlBlockers::DomainWhitelistEntry do
- let(:domain) { 'www.example.com' }
-
- describe '#initialize' do
- it 'initializes without port' do
- domain_whitelist_entry = described_class.new(domain)
-
- expect(domain_whitelist_entry.domain).to eq(domain)
- expect(domain_whitelist_entry.port).to be(nil)
- end
-
- it 'initializes with port' do
- port = 8080
- domain_whitelist_entry = described_class.new(domain, port: port)
-
- expect(domain_whitelist_entry.domain).to eq(domain)
- expect(domain_whitelist_entry.port).to eq(port)
- end
- end
-
- describe '#match?' do
- it 'matches when domain and port are equal' do
- port = 8080
- domain_whitelist_entry = described_class.new(domain, port: port)
-
- expect(domain_whitelist_entry).to be_match(domain, port)
- end
-
- it 'matches any port when port is nil' do
- domain_whitelist_entry = described_class.new(domain)
-
- expect(domain_whitelist_entry).to be_match(domain, 8080)
- expect(domain_whitelist_entry).to be_match(domain, 9090)
- end
-
- it 'does not match when port is present but requested_port is nil' do
- domain_whitelist_entry = described_class.new(domain, port: 8080)
-
- expect(domain_whitelist_entry).not_to be_match(domain, nil)
- end
-
- it 'matches when port and requested_port are nil' do
- domain_whitelist_entry = described_class.new(domain)
-
- expect(domain_whitelist_entry).to be_match(domain)
- end
-
- it 'does not match if domain is not equal' do
- domain_whitelist_entry = described_class.new(domain)
-
- expect(domain_whitelist_entry).not_to be_match('www.gitlab.com', 8080)
- end
- end
-end
diff --git a/spec/lib/gitlab/url_blockers/ip_allowlist_entry_spec.rb b/spec/lib/gitlab/url_blockers/ip_allowlist_entry_spec.rb
new file mode 100644
index 00000000000..110a6c17adb
--- /dev/null
+++ b/spec/lib/gitlab/url_blockers/ip_allowlist_entry_spec.rb
@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::UrlBlockers::IpAllowlistEntry do
+ let(:ipv4) { IPAddr.new('192.168.1.1') }
+
+ describe '#initialize' do
+ it 'initializes without port' do
+ ip_allowlist_entry = described_class.new(ipv4)
+
+ expect(ip_allowlist_entry.ip).to eq(ipv4)
+ expect(ip_allowlist_entry.port).to be(nil)
+ end
+
+ it 'initializes with port' do
+ port = 8080
+ ip_allowlist_entry = described_class.new(ipv4, port: port)
+
+ expect(ip_allowlist_entry.ip).to eq(ipv4)
+ expect(ip_allowlist_entry.port).to eq(port)
+ end
+ end
+
+ describe '#match?' do
+ it 'matches with equivalent IP and port' do
+ port = 8080
+ ip_allowlist_entry = described_class.new(ipv4, port: port)
+
+ expect(ip_allowlist_entry).to be_match(ipv4.to_s, port)
+ end
+
+ it 'matches any port when port is nil' do
+ ip_allowlist_entry = described_class.new(ipv4)
+
+ expect(ip_allowlist_entry).to be_match(ipv4.to_s, 8080)
+ expect(ip_allowlist_entry).to be_match(ipv4.to_s, 9090)
+ end
+
+ it 'does not match when port is present but requested_port is nil' do
+ ip_allowlist_entry = described_class.new(ipv4, port: 8080)
+
+ expect(ip_allowlist_entry).not_to be_match(ipv4.to_s, nil)
+ end
+
+ it 'matches when port and requested_port are nil' do
+ ip_allowlist_entry = described_class.new(ipv4)
+
+ expect(ip_allowlist_entry).to be_match(ipv4.to_s)
+ end
+
+ it 'works with ipv6' do
+ ipv6 = IPAddr.new('fe80::c800:eff:fe74:8')
+ ip_allowlist_entry = described_class.new(ipv6)
+
+ expect(ip_allowlist_entry).to be_match(ipv6.to_s, 8080)
+ end
+
+ it 'matches ipv4 within IPv4 range' do
+ ipv4_range = IPAddr.new('127.0.0.0/28')
+ ip_allowlist_entry = described_class.new(ipv4_range)
+
+ expect(ip_allowlist_entry).to be_match(ipv4_range.to_range.last.to_s, 8080)
+ expect(ip_allowlist_entry).not_to be_match('127.0.1.1', 8080)
+ end
+
+ it 'matches IPv6 within IPv6 range' do
+ ipv6_range = IPAddr.new('fd84:6d02:f6d8:c89e::/124')
+ ip_allowlist_entry = described_class.new(ipv6_range)
+
+ expect(ip_allowlist_entry).to be_match(ipv6_range.to_range.last.to_s, 8080)
+ expect(ip_allowlist_entry).not_to be_match('fd84:6d02:f6d8:f::f', 8080)
+ end
+ end
+end
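Review bot: The two range examples assert only the last address inside each CIDR block and one address far outside it (`127.0.1.1`, `fd84:6d02:f6d8:f::f`), so an off-by-one in prefix handling would go unnoticed. Adding the first address past each block pins the upper boundary: `expect(ip_allowlist_entry).not_to be_match('127.0.0.16', 8080)` for the /28 and `expect(ip_allowlist_entry).not_to be_match('fd84:6d02:f6d8:c89e::10', 8080)` for the /124. Asserting `ipv4_range.to_range.first.to_s` as a match would cover the lower edge as well.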
diff --git a/spec/lib/gitlab/url_blockers/ip_whitelist_entry_spec.rb b/spec/lib/gitlab/url_blockers/ip_whitelist_entry_spec.rb
deleted file mode 100644
index 52f9b31165a..00000000000
--- a/spec/lib/gitlab/url_blockers/ip_whitelist_entry_spec.rb
+++ /dev/null
@@ -1,75 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-RSpec.describe Gitlab::UrlBlockers::IpWhitelistEntry do
- let(:ipv4) { IPAddr.new('192.168.1.1') }
-
- describe '#initialize' do
- it 'initializes without port' do
- ip_whitelist_entry = described_class.new(ipv4)
-
- expect(ip_whitelist_entry.ip).to eq(ipv4)
- expect(ip_whitelist_entry.port).to be(nil)
- end
-
- it 'initializes with port' do
- port = 8080
- ip_whitelist_entry = described_class.new(ipv4, port: port)
-
- expect(ip_whitelist_entry.ip).to eq(ipv4)
- expect(ip_whitelist_entry.port).to eq(port)
- end
- end
-
- describe '#match?' do
- it 'matches with equivalent IP and port' do
- port = 8080
- ip_whitelist_entry = described_class.new(ipv4, port: port)
-
- expect(ip_whitelist_entry).to be_match(ipv4.to_s, port)
- end
-
- it 'matches any port when port is nil' do
- ip_whitelist_entry = described_class.new(ipv4)
-
- expect(ip_whitelist_entry).to be_match(ipv4.to_s, 8080)
- expect(ip_whitelist_entry).to be_match(ipv4.to_s, 9090)
- end
-
- it 'does not match when port is present but requested_port is nil' do
- ip_whitelist_entry = described_class.new(ipv4, port: 8080)
-
- expect(ip_whitelist_entry).not_to be_match(ipv4.to_s, nil)
- end
-
- it 'matches when port and requested_port are nil' do
- ip_whitelist_entry = described_class.new(ipv4)
-
- expect(ip_whitelist_entry).to be_match(ipv4.to_s)
- end
-
- it 'works with ipv6' do
- ipv6 = IPAddr.new('fe80::c800:eff:fe74:8')
- ip_whitelist_entry = described_class.new(ipv6)
-
- expect(ip_whitelist_entry).to be_match(ipv6.to_s, 8080)
- end
-
- it 'matches ipv4 within IPv4 range' do
- ipv4_range = IPAddr.new('127.0.0.0/28')
- ip_whitelist_entry = described_class.new(ipv4_range)
-
- expect(ip_whitelist_entry).to be_match(ipv4_range.to_range.last.to_s, 8080)
- expect(ip_whitelist_entry).not_to be_match('127.0.1.1', 8080)
- end
-
- it 'matches IPv6 within IPv6 range' do
- ipv6_range = IPAddr.new('fd84:6d02:f6d8:c89e::/124')
- ip_whitelist_entry = described_class.new(ipv6_range)
-
- expect(ip_whitelist_entry).to be_match(ipv6_range.to_range.last.to_s, 8080)
- expect(ip_whitelist_entry).not_to be_match('fd84:6d02:f6d8:f::f', 8080)
- end
- end
-end
diff --git a/spec/lib/gitlab/url_blockers/url_allowlist_spec.rb b/spec/lib/gitlab/url_blockers/url_allowlist_spec.rb
new file mode 100644
index 00000000000..d9e44e9b85c
--- /dev/null
+++ b/spec/lib/gitlab/url_blockers/url_allowlist_spec.rb
@@ -0,0 +1,164 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::UrlBlockers::UrlAllowlist do
+ include StubRequests
+
+ let(:allowlist) { [] }
+
+ before do
+ allow(ApplicationSetting).to receive(:current).and_return(ApplicationSetting.new)
+ stub_application_setting(outbound_local_requests_whitelist: allowlist)
+ end
+
+ describe '#domain_allowed?' do
+ let(:allowlist) { %w[www.example.com example.com] }
+
+ it 'returns true if domains present in allowlist' do
+ not_allowed = %w[subdomain.example.com example.org]
+
+ aggregate_failures do
+ allowlist.each do |domain|
+ expect(described_class).to be_domain_allowed(domain)
+ end
+
+ not_allowed.each do |domain|
+ expect(described_class).not_to be_domain_allowed(domain)
+ end
+ end
+ end
+
+ it 'returns false when domain is blank' do
+ expect(described_class).not_to be_domain_allowed(nil)
+ end
+
+ context 'with ports' do
+ let(:allowlist) { ['example.io:3000'] }
+
+ it 'returns true if domain and ports present in allowlist' do
+ parsed_allowlist = [['example.io', { port: 3000 }]]
+ not_allowed = [
+ 'example.io',
+ ['example.io', { port: 3001 }]
+ ]
+
+ aggregate_failures do
+ parsed_allowlist.each do |domain_and_port|
+ expect(described_class).to be_domain_allowed(*domain_and_port)
+ end
+
+ not_allowed.each do |domain_and_port|
+ expect(described_class).not_to be_domain_allowed(*domain_and_port)
+ end
+ end
+ end
+ end
+ end
+
+ describe '#ip_allowed?' do
+ let(:allowlist) do
+ [
+ '0.0.0.0',
+ '127.0.0.1',
+ '192.168.1.1',
+ '0:0:0:0:0:ffff:192.168.1.2',
+ '::ffff:c0a8:102',
+ 'fc00:bf8b:e62c:abcd:abcd:aaaa:aaaa:aaaa',
+ '0:0:0:0:0:ffff:169.254.169.254',
+ '::ffff:a9fe:a9fe',
+ '::ffff:a9fe:a864',
+ 'fe80::c800:eff:fe74:8'
+ ]
+ end
+
+ it 'returns true if ips present in allowlist' do
+ aggregate_failures do
+ allowlist.each do |ip_address|
+ expect(described_class).to be_ip_allowed(ip_address)
+ end
+
+ %w[172.16.2.2 127.0.0.2 fe80::c800:eff:fe74:9].each do |ip_address|
+ expect(described_class).not_to be_ip_allowed(ip_address)
+ end
+ end
+ end
+
+ it 'returns false when ip is blank' do
+ expect(described_class).not_to be_ip_allowed(nil)
+ end
+
+ context 'with ip ranges in allowlist' do
+ let(:ipv4_range) { '127.0.0.0/28' }
+ let(:ipv6_range) { 'fd84:6d02:f6d8:c89e::/124' }
+
+ let(:allowlist) do
+ [
+ ipv4_range,
+ ipv6_range
+ ]
+ end
+
+ it 'does not allowlist ipv4 range when not in allowlist' do
+ stub_application_setting(outbound_local_requests_whitelist: [])
+
+ IPAddr.new(ipv4_range).to_range.to_a.each do |ip|
+ expect(described_class).not_to be_ip_allowed(ip.to_s)
+ end
+ end
+
+ it 'allowlists all ipv4s in the range when in allowlist' do
+ IPAddr.new(ipv4_range).to_range.to_a.each do |ip|
+ expect(described_class).to be_ip_allowed(ip.to_s)
+ end
+ end
+
+ it 'does not allowlist ipv6 range when not in allowlist' do
+ stub_application_setting(outbound_local_requests_whitelist: [])
+
+ IPAddr.new(ipv6_range).to_range.to_a.each do |ip|
+ expect(described_class).not_to be_ip_allowed(ip.to_s)
+ end
+ end
+
+ it 'allowlists all ipv6s in the range when in allowlist' do
+ IPAddr.new(ipv6_range).to_range.to_a.each do |ip|
+ expect(described_class).to be_ip_allowed(ip.to_s)
+ end
+ end
+
+ it 'does not allowlist IPs outside the range' do
+ expect(described_class).not_to be_ip_allowed("fd84:6d02:f6d8:c89e:0:0:1:f")
+
+ expect(described_class).not_to be_ip_allowed("127.0.1.15")
+ end
+ end
+
+ context 'with ports' do
+ let(:allowlist) { %w[127.0.0.9:3000 [2001:db8:85a3:8d3:1319:8a2e:370:7348]:443] }
+
+ it 'returns true if ip and ports present in allowlist' do
+ parsed_allowlist = [
+ ['127.0.0.9', { port: 3000 }],
+ ['[2001:db8:85a3:8d3:1319:8a2e:370:7348]', { port: 443 }]
+ ]
+ not_allowed = [
+ '127.0.0.9',
+ ['127.0.0.9', { port: 3001 }],
+ '[2001:db8:85a3:8d3:1319:8a2e:370:7348]',
+ ['[2001:db8:85a3:8d3:1319:8a2e:370:7348]', { port: 3001 }]
+ ]
+
+ aggregate_failures do
+ parsed_allowlist.each do |ip_and_port|
+ expect(described_class).to be_ip_allowed(*ip_and_port)
+ end
+
+ not_allowed.each do |ip_and_port|
+ expect(described_class).not_to be_ip_allowed(*ip_and_port)
+ end
+ end
+ end
+ end
+ end
+end
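Review bot: In `#ip_allowed?` the allowlist holds both spellings of each IPv4-mapped address (`0:0:0:0:0:ffff:192.168.1.2` next to `::ffff:c0a8:102`, and the same pair for 169.254.169.254), so 'returns true if ips present in allowlist' passes whether the lookup normalizes addresses or compares strings. An example that lists one spelling and requests the other would pin that behaviour for an outbound-request filter. The expectation below assumes matching goes through IPAddr, as ip_allowlist_entry_spec.rb suggests, and should be confirmed against the implementation before it is added.

```ruby
context 'with one spelling of an IPv4-mapped address' do
  let(:allowlist) { ['::ffff:c0a8:102'] }

  it 'allows the equivalent long form' do
    expect(described_class).to be_ip_allowed('0:0:0:0:0:ffff:192.168.1.2')
  end
end
```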
diff --git a/spec/lib/gitlab/url_blockers/url_whitelist_spec.rb b/spec/lib/gitlab/url_blockers/url_whitelist_spec.rb
deleted file mode 100644
index 7a65516be3c..00000000000
--- a/spec/lib/gitlab/url_blockers/url_whitelist_spec.rb
+++ /dev/null
@@ -1,164 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-RSpec.describe Gitlab::UrlBlockers::UrlWhitelist do
- include StubRequests
-
- let(:whitelist) { [] }
-
- before do
- allow(ApplicationSetting).to receive(:current).and_return(ApplicationSetting.new)
- stub_application_setting(outbound_local_requests_whitelist: whitelist)
- end
-
- describe '#domain_whitelisted?' do
- let(:whitelist) { ['www.example.com', 'example.com'] }
-
- it 'returns true if domains present in whitelist' do
- not_whitelisted = ['subdomain.example.com', 'example.org']
-
- aggregate_failures do
- whitelist.each do |domain|
- expect(described_class).to be_domain_whitelisted(domain)
- end
-
- not_whitelisted.each do |domain|
- expect(described_class).not_to be_domain_whitelisted(domain)
- end
- end
- end
-
- it 'returns false when domain is blank' do
- expect(described_class).not_to be_domain_whitelisted(nil)
- end
-
- context 'with ports' do
- let(:whitelist) { ['example.io:3000'] }
-
- it 'returns true if domain and ports present in whitelist' do
- parsed_whitelist = [['example.io', { port: 3000 }]]
- not_whitelisted = [
- 'example.io',
- ['example.io', { port: 3001 }]
- ]
-
- aggregate_failures do
- parsed_whitelist.each do |domain_and_port|
- expect(described_class).to be_domain_whitelisted(*domain_and_port)
- end
-
- not_whitelisted.each do |domain_and_port|
- expect(described_class).not_to be_domain_whitelisted(*domain_and_port)
- end
- end
- end
- end
- end
-
- describe '#ip_whitelisted?' do
- let(:whitelist) do
- [
- '0.0.0.0',
- '127.0.0.1',
- '192.168.1.1',
- '0:0:0:0:0:ffff:192.168.1.2',
- '::ffff:c0a8:102',
- 'fc00:bf8b:e62c:abcd:abcd:aaaa:aaaa:aaaa',
- '0:0:0:0:0:ffff:169.254.169.254',
- '::ffff:a9fe:a9fe',
- '::ffff:a9fe:a864',
- 'fe80::c800:eff:fe74:8'
- ]
- end
-
- it 'returns true if ips present in whitelist' do
- aggregate_failures do
- whitelist.each do |ip_address|
- expect(described_class).to be_ip_whitelisted(ip_address)
- end
-
- ['172.16.2.2', '127.0.0.2', 'fe80::c800:eff:fe74:9'].each do |ip_address|
- expect(described_class).not_to be_ip_whitelisted(ip_address)
- end
- end
- end
-
- it 'returns false when ip is blank' do
- expect(described_class).not_to be_ip_whitelisted(nil)
- end
-
- context 'with ip ranges in whitelist' do
- let(:ipv4_range) { '127.0.0.0/28' }
- let(:ipv6_range) { 'fd84:6d02:f6d8:c89e::/124' }
-
- let(:whitelist) do
- [
- ipv4_range,
- ipv6_range
- ]
- end
-
- it 'does not whitelist ipv4 range when not in whitelist' do
- stub_application_setting(outbound_local_requests_whitelist: [])
-
- IPAddr.new(ipv4_range).to_range.to_a.each do |ip|
- expect(described_class).not_to be_ip_whitelisted(ip.to_s)
- end
- end
-
- it 'whitelists all ipv4s in the range when in whitelist' do
- IPAddr.new(ipv4_range).to_range.to_a.each do |ip|
- expect(described_class).to be_ip_whitelisted(ip.to_s)
- end
- end
-
- it 'does not whitelist ipv6 range when not in whitelist' do
- stub_application_setting(outbound_local_requests_whitelist: [])
-
- IPAddr.new(ipv6_range).to_range.to_a.each do |ip|
- expect(described_class).not_to be_ip_whitelisted(ip.to_s)
- end
- end
-
- it 'whitelists all ipv6s in the range when in whitelist' do
- IPAddr.new(ipv6_range).to_range.to_a.each do |ip|
- expect(described_class).to be_ip_whitelisted(ip.to_s)
- end
- end
-
- it 'does not whitelist IPs outside the range' do
- expect(described_class).not_to be_ip_whitelisted("fd84:6d02:f6d8:c89e:0:0:1:f")
-
- expect(described_class).not_to be_ip_whitelisted("127.0.1.15")
- end
- end
-
- context 'with ports' do
- let(:whitelist) { ['127.0.0.9:3000', '[2001:db8:85a3:8d3:1319:8a2e:370:7348]:443'] }
-
- it 'returns true if ip and ports present in whitelist' do
- parsed_whitelist = [
- ['127.0.0.9', { port: 3000 }],
- ['[2001:db8:85a3:8d3:1319:8a2e:370:7348]', { port: 443 }]
- ]
- not_whitelisted = [
- '127.0.0.9',
- ['127.0.0.9', { port: 3001 }],
- '[2001:db8:85a3:8d3:1319:8a2e:370:7348]',
- ['[2001:db8:85a3:8d3:1319:8a2e:370:7348]', { port: 3001 }]
- ]
-
- aggregate_failures do
- parsed_whitelist.each do |ip_and_port|
- expect(described_class).to be_ip_whitelisted(*ip_and_port)
- end
-
- not_whitelisted.each do |ip_and_port|
- expect(described_class).not_to be_ip_whitelisted(*ip_and_port)
- end
- end
- end
- end
- end
-end