author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-09-28 01:25:55 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-09-28 01:25:55 +0300 |
commit | f0f3848e7a0b458c35a1adf3cb1cca29a205a60e (patch) | |
tree | 99be436b75910a7242204c42eb8196ab3ac3e826 /spec/lib/gitlab | |
parent | 6d091758c4b17e6463a4476cab30d8bf258a3400 (diff) |
Add latest changes from gitlab-org/security/gitlab@16-4-stable-ee
Diffstat (limited to 'spec/lib/gitlab')
-rw-r--r-- | spec/lib/gitlab/checks/tag_check_spec.rb | 6 | ||||
-rw-r--r-- | spec/lib/gitlab/ci/lint_spec.rb | 56 | ||||
-rw-r--r-- | spec/lib/gitlab/ci/yaml_processor_spec.rb | 82 |
3 files changed, 143 insertions, 1 deletions
diff --git a/spec/lib/gitlab/checks/tag_check_spec.rb b/spec/lib/gitlab/checks/tag_check_spec.rb
index e75b0459337..60d3eb4bfb3 100644
--- a/spec/lib/gitlab/checks/tag_check_spec.rb
+++ b/spec/lib/gitlab/checks/tag_check_spec.rb
@@ -15,6 +15,12 @@ RSpec.describe Gitlab::Checks::TagCheck, feature_category: :source_code_manageme
 end
 context "prohibited tags check" do
+ it 'prohibits tags name that include refs/heads at the head' do
+ allow(subject).to receive(:tag_name).and_return("refs/heads/foo")
+
+ expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, "You cannot create a tag with a prohibited pattern.")
+ end
+
 it "prohibits tag names that include refs/tags/ at the head" do
 allow(subject).to receive(:tag_name).and_return("refs/tags/foo")
diff --git a/spec/lib/gitlab/ci/lint_spec.rb b/spec/lib/gitlab/ci/lint_spec.rb
index b238e9161eb..4196aad2db4 100644
--- a/spec/lib/gitlab/ci/lint_spec.rb
+++ b/spec/lib/gitlab/ci/lint_spec.rb
@@ -6,8 +6,9 @@ RSpec.describe Gitlab::Ci::Lint, feature_category: :pipeline_composition do
 let_it_be(:project) { create(:project, :repository) }
 let_it_be(:user) { create(:user) }
- let(:lint) { described_class.new(project: project, current_user: user) }
+ let(:sha) { nil }
 let(:ref) { project.default_branch }
+ let(:lint) { described_class.new(project: project, current_user: user, sha: sha) }
 describe '#validate' do
 subject { lint.validate(content, dry_run: dry_run, ref: ref) }
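Review bot: The new example's title, `'prohibits tags name that include refs/heads at the head'`, does not match the sibling example directly below it, which reads `"prohibits tag names that include refs/tags/ at the head"`; I would align it to `it 'prohibits tag names that include refs/heads/ at the head' do` so the two prohibited prefixes read as one family and the trailing slash of the namespace is explicit. The example asserts only the exact name `refs/heads/foo`; if the check is meant to reject the whole `refs/heads/` namespace rather than a literal match, a second example with a constructed nested name such as `refs/heads/a/b` would pin that, though whether the check is a prefix test cannot be seen from this hunk. The enclosing `context "prohibited tags check"` block continues outside the hunk.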
@@ -250,6 +251,59 @@ RSpec.describe Gitlab::Ci::Lint, feature_category: :pipeline_composition do
 subject
 end
+
+ context 'when sha is provided' do
+ let(:sha) { project.commit.sha }
+
+ it 'runs YamlProcessor with verify_project_sha: true' do
+ expect(Gitlab::Ci::YamlProcessor)
+ .to receive(:new)
+ .with(content, a_hash_including(verify_project_sha: true))
+ .and_call_original
+
+ subject
+ end
+
+ it_behaves_like 'content is valid'
+
+ context 'when the sha is invalid' do
+ let(:sha) { 'invalid-sha' }
+
+ it_behaves_like 'content is valid'
+ end
+
+ context 'when the sha is from a fork' do
+ include_context 'when a project repository contains a forked commit'
+
+ let(:sha) { forked_commit_sha }
+
+ context 'when a project ref contains the sha' do
+ before do
+ mock_branch_contains_forked_commit_sha
+ end
+
+ it_behaves_like 'content is valid'
+ end
+
+ context 'when a project ref does not contain the sha' do
+ it 'returns an error' do
+ expect(subject).not_to be_valid
+ expect(subject.errors).to include(/Could not validate configuration/)
+ end
+ end
+ end
+ end
+
+ context 'when sha is not provided' do
+ it 'runs YamlProcessor with verify_project_sha: false' do
+ expect(Gitlab::Ci::YamlProcessor)
+ .to receive(:new)
+ .with(content, a_hash_including(verify_project_sha: false))
+ .and_call_original
+
+ subject
+ end
+ end
 end
 context 'when using dry run mode' do
diff --git a/spec/lib/gitlab/ci/yaml_processor_spec.rb b/spec/lib/gitlab/ci/yaml_processor_spec.rb
index c09c0b31e97..5cfd8d9b9fb 100644
--- a/spec/lib/gitlab/ci/yaml_processor_spec.rb
+++ b/spec/lib/gitlab/ci/yaml_processor_spec.rb
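Review bot: The `'when the sha is invalid'` context asserts that an unresolvable sha (`'invalid-sha'`) still yields valid content, which a reader will not expect from an option named `verify_project_sha`; a one-line comment on that `context` explaining why an unresolvable sha is treated as valid rather than rejected would spare the next maintainer a trip into the implementation, which is not visible here. The same applies to the `'when sha is invalid'` context in the yaml_processor_spec.rb hunk later in this commit. Note also that the positive fork case here is proved with `mock_branch_contains_forked_commit_sha`, while yaml_processor_spec.rb creates a real branch with `repository.add_branch`; either exercising the real path here too or stating in a comment that the Gitaly lookup is covered by the processor spec would make the lint-level coverage clearer. The enclosing `describe '#validate'` block starts outside the hunk.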
@@ -3607,6 +3607,88 @@ module Gitlab
 end
 end
 end
+
+ describe 'verify project sha', :use_clean_rails_redis_caching do
+ include_context 'when a project repository contains a forked commit'
+
+ let(:config) { YAML.dump(job: { script: 'echo' }) }
+ let(:verify_project_sha) { true }
+ let(:sha) { forked_commit_sha }
+
+ let(:processor) { described_class.new(config, project: project, sha: sha, verify_project_sha: verify_project_sha) }
+
+ subject { processor.execute }
+
+ shared_examples 'when the processor is executed twice consecutively' do |branch_names_contains_sha = false|
+ it 'calls Gitaly only once for each ref type' do
+ expect(repository).to receive(:branch_names_contains).once.and_call_original
+ expect(repository).to receive(:tag_names_contains).once.and_call_original unless branch_names_contains_sha
+
+ 2.times { processor.execute }
+ end
+ end
+
+ context 'when a project branch contains the forked commit sha' do
+ before_all do
+ repository.add_branch(project.owner, 'branch1', forked_commit_sha)
+ end
+
+ after(:all) do
+ repository.rm_branch(project.owner, 'branch1')
+ end
+
+ it { is_expected.to be_valid }
+
+ it_behaves_like 'when the processor is executed twice consecutively', true
+ end
+
+ context 'when a project tag contains the forked commit sha' do
+ before_all do
+ repository.add_tag(project.owner, 'tag1', forked_commit_sha)
+ end
+
+ after(:all) do
+ repository.rm_tag(project.owner, 'tag1')
+ end
+
+ it { is_expected.to be_valid }
+
+ it_behaves_like 'when the processor is executed twice consecutively'
+ end
+
+ context 'when a project ref does not contain the forked commit sha' do
+ it 'returns an error' do
+ is_expected.not_to be_valid
+ expect(subject.errors).to include(/Could not validate configuration/)
+ end
+
+ it_behaves_like 'when the processor is executed twice consecutively'
+ end
+
+ context 'when verify_project_sha option is false' do
+ let(:verify_project_sha) { false }
+
+ it { is_expected.to be_valid }
+ end
+
+ context 'when project is not provided' do
+ let(:project) { nil }
+
+ it { is_expected.to be_valid }
+ end
+
+ context 'when sha is not provided' do
+ let(:sha) { nil }
+
+ it { is_expected.to be_valid }
+ end
+
+ context 'when sha is invalid' do
+ let(:sha) { 'invalid-sha' }
+
+ it { is_expected.to be_valid }
+ end
+ end
 end
 end
 end
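Review bot: In the shared example `'when the processor is executed twice consecutively'`, when `branch_names_contains_sha` is true the `tag_names_contains` expectation is simply omitted, so the example never proves that a branch hit short-circuits the tag lookup; adding `expect(repository).not_to receive(:tag_names_contains) if branch_names_contains_sha` next to the existing `unless` line pins that. The example title says Gitaly is called only once per ref type, and the `:use_clean_rails_redis_caching` metadata on the `describe` suggests the second `execute` is served from a cache, including for the negative `'does not contain the forked commit sha'` case; if a negative verdict is indeed cached, a comment on the `describe` noting that a sha pushed to a ref after a failed verification is not recognised until the cache entry expires would help the next reader, though the cache logic itself is not in this hunk. The enclosing `module Gitlab` and the outer `describe` blocks start outside the hunk.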