
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2020-03-16 06:09:14 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2020-03-16 06:09:14 +0300
commit78fe72d153260c355fdfd533b125026cce310da7 (patch)
tree0d90106443bea87cc24e2834273ae6c8dcac0260 /spec/lib/gitlab
parent88797b994a7dfd9bfab2a5d5431f088f17078b9f (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'spec/lib/gitlab')
-rw-r--r--spec/lib/gitlab/url_blocker_spec.rb12
-rw-r--r--spec/lib/gitlab/url_blockers/domain_whitelist_entry_spec.rb58
-rw-r--r--spec/lib/gitlab/url_blockers/ip_whitelist_entry_spec.rb75
-rw-r--r--spec/lib/gitlab/url_blockers/url_whitelist_spec.rb60
4 files changed, 198 insertions, 7 deletions
diff --git a/spec/lib/gitlab/url_blocker_spec.rb b/spec/lib/gitlab/url_blocker_spec.rb
index f8bfcc6c99a..08678de87c9 100644
--- a/spec/lib/gitlab/url_blocker_spec.rb
+++ b/spec/lib/gitlab/url_blocker_spec.rb
@@ -501,6 +501,18 @@ describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
it_behaves_like 'dns rebinding checks'
end
end
+
+ context 'with ports' do
+ let(:whitelist) do
+ ["127.0.0.1:2000"]
+ end
+
+ it 'allows domain with port when resolved ip has port whitelisted' do
+ stub_domain_resolv("www.resolve-domain.com", '127.0.0.1') do
+ expect(described_class).not_to be_blocked_url("http://www.resolve-domain.com:2000", url_blocker_attributes)
+ end
+ end
+ end
end
end
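Review bot: The new 'with ports' context asserts only the allowed case, so nothing here fails if the port part of the `"127.0.0.1:2000"` entry is ignored once the domain resolves to 127.0.0.1. Add a second example under the same `stub_domain_resolv` that requests a port the whitelist does not list and expects a block, e.g. `expect(described_class).to be_blocked_url("http://www.resolve-domain.com:2001", url_blocker_attributes)`. `url_blocker_attributes` and the enclosing contexts are defined outside the hunk, so confirm that their settings block local addresses by default before relying on that expectation.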
diff --git a/spec/lib/gitlab/url_blockers/domain_whitelist_entry_spec.rb b/spec/lib/gitlab/url_blockers/domain_whitelist_entry_spec.rb
new file mode 100644
index 00000000000..34ea6c328e6
--- /dev/null
+++ b/spec/lib/gitlab/url_blockers/domain_whitelist_entry_spec.rb
@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Gitlab::UrlBlockers::DomainWhitelistEntry do
+ let(:domain) { 'www.example.com' }
+
+ describe '#initialize' do
+ it 'initializes without port' do
+ domain_whitelist_entry = described_class.new(domain)
+
+ expect(domain_whitelist_entry.domain).to eq(domain)
+ expect(domain_whitelist_entry.port).to be(nil)
+ end
+
+ it 'initializes with port' do
+ port = 8080
+ domain_whitelist_entry = described_class.new(domain, port: port)
+
+ expect(domain_whitelist_entry.domain).to eq(domain)
+ expect(domain_whitelist_entry.port).to eq(port)
+ end
+ end
+
+ describe '#match?' do
+ it 'matches when domain and port are equal' do
+ port = 8080
+ domain_whitelist_entry = described_class.new(domain, port: port)
+
+ expect(domain_whitelist_entry).to be_match(domain, port)
+ end
+
+ it 'matches any port when port is nil' do
+ domain_whitelist_entry = described_class.new(domain)
+
+ expect(domain_whitelist_entry).to be_match(domain, 8080)
+ expect(domain_whitelist_entry).to be_match(domain, 9090)
+ end
+
+ it 'does not match when port is present but requested_port is nil' do
+ domain_whitelist_entry = described_class.new(domain, port: 8080)
+
+ expect(domain_whitelist_entry).not_to be_match(domain, nil)
+ end
+
+ it 'matches when port and requested_port are nil' do
+ domain_whitelist_entry = described_class.new(domain)
+
+ expect(domain_whitelist_entry).to be_match(domain)
+ end
+
+ it 'does not match if domain is not equal' do
+ domain_whitelist_entry = described_class.new(domain)
+
+ expect(domain_whitelist_entry).not_to be_match('www.gitlab.com', 8080)
+ end
+ end
+end
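Review bot: The `#match?` examples never ask a port-scoped entry about a different port: `described_class.new(domain, port: 8080)` is checked against 8080 and against nil, but not against another number. That is the case that keeps a port-scoped entry from allowing every port on the host, so pin it with `expect(described_class.new(domain, port: 8080)).not_to be_match(domain, 9090)`. The same example is missing from `#match?` in ip_whitelist_entry_spec.rb.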
diff --git a/spec/lib/gitlab/url_blockers/ip_whitelist_entry_spec.rb b/spec/lib/gitlab/url_blockers/ip_whitelist_entry_spec.rb
new file mode 100644
index 00000000000..042d135d265
--- /dev/null
+++ b/spec/lib/gitlab/url_blockers/ip_whitelist_entry_spec.rb
@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Gitlab::UrlBlockers::IpWhitelistEntry do
+ let(:ipv4) { IPAddr.new('192.168.1.1') }
+
+ describe '#initialize' do
+ it 'initializes without port' do
+ ip_whitelist_entry = described_class.new(ipv4)
+
+ expect(ip_whitelist_entry.ip).to eq(ipv4)
+ expect(ip_whitelist_entry.port).to be(nil)
+ end
+
+ it 'initializes with port' do
+ port = 8080
+ ip_whitelist_entry = described_class.new(ipv4, port: port)
+
+ expect(ip_whitelist_entry.ip).to eq(ipv4)
+ expect(ip_whitelist_entry.port).to eq(port)
+ end
+ end
+
+ describe '#match?' do
+ it 'matches with equivalent IP and port' do
+ port = 8080
+ ip_whitelist_entry = described_class.new(ipv4, port: port)
+
+ expect(ip_whitelist_entry).to be_match(ipv4.to_s, port)
+ end
+
+ it 'matches any port when port is nil' do
+ ip_whitelist_entry = described_class.new(ipv4)
+
+ expect(ip_whitelist_entry).to be_match(ipv4.to_s, 8080)
+ expect(ip_whitelist_entry).to be_match(ipv4.to_s, 9090)
+ end
+
+ it 'does not match when port is present but requested_port is nil' do
+ ip_whitelist_entry = described_class.new(ipv4, port: 8080)
+
+ expect(ip_whitelist_entry).not_to be_match(ipv4.to_s, nil)
+ end
+
+ it 'matches when port and requested_port are nil' do
+ ip_whitelist_entry = described_class.new(ipv4)
+
+ expect(ip_whitelist_entry).to be_match(ipv4.to_s)
+ end
+
+ it 'works with ipv6' do
+ ipv6 = IPAddr.new('fe80::c800:eff:fe74:8')
+ ip_whitelist_entry = described_class.new(ipv6)
+
+ expect(ip_whitelist_entry).to be_match(ipv6.to_s, 8080)
+ end
+
+ it 'matches ipv4 within IPv4 range' do
+ ipv4_range = IPAddr.new('127.0.0.0/28')
+ ip_whitelist_entry = described_class.new(ipv4_range)
+
+ expect(ip_whitelist_entry).to be_match(ipv4_range.to_range.last.to_s, 8080)
+ expect(ip_whitelist_entry).not_to be_match('127.0.1.1', 8080)
+ end
+
+ it 'matches IPv6 within IPv6 range' do
+ ipv6_range = IPAddr.new('fd84:6d02:f6d8:c89e::/124')
+ ip_whitelist_entry = described_class.new(ipv6_range)
+
+ expect(ip_whitelist_entry).to be_match(ipv6_range.to_range.last.to_s, 8080)
+ expect(ip_whitelist_entry).not_to be_match('fd84:6d02:f6d8:f::f', 8080)
+ end
+ end
+end
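Review bot: The negative addresses in the two range examples sit far outside the range, so both examples would still pass if the entry matched a wider prefix than the one given. `127.0.0.0/28` ends at 127.0.0.15 while `127.0.1.1` is outside even a /24, and `fd84:6d02:f6d8:f::f` is outside even a /64. Add the first address past each range: `expect(ip_whitelist_entry).not_to be_match('127.0.0.16', 8080)` and `expect(ip_whitelist_entry).not_to be_match('fd84:6d02:f6d8:c89e::10', 8080)`.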
diff --git a/spec/lib/gitlab/url_blockers/url_whitelist_spec.rb b/spec/lib/gitlab/url_blockers/url_whitelist_spec.rb
index 64d804e8541..e43cd819838 100644
--- a/spec/lib/gitlab/url_blockers/url_whitelist_spec.rb
+++ b/spec/lib/gitlab/url_blockers/url_whitelist_spec.rb
@@ -13,20 +13,17 @@ describe Gitlab::UrlBlockers::UrlWhitelist do
end
describe '#domain_whitelisted?' do
- let(:whitelist) do
- [
- 'www.example.com',
- 'example.com'
- ]
- end
+ let(:whitelist) { ['www.example.com', 'example.com'] }
it 'returns true if domains present in whitelist' do
+ not_whitelisted = ['subdomain.example.com', 'example.org']
+
aggregate_failures do
whitelist.each do |domain|
expect(described_class).to be_domain_whitelisted(domain)
end
- ['subdomain.example.com', 'example.org'].each do |domain|
+ not_whitelisted.each do |domain|
expect(described_class).not_to be_domain_whitelisted(domain)
end
end
@@ -35,6 +32,28 @@ describe Gitlab::UrlBlockers::UrlWhitelist do
it 'returns false when domain is blank' do
expect(described_class).not_to be_domain_whitelisted(nil)
end
+
+ context 'with ports' do
+ let(:whitelist) { ['example.io:3000'] }
+
+ it 'returns true if domain and ports present in whitelist' do
+ parsed_whitelist = [['example.io', { port: 3000 }]]
+ not_whitelisted = [
+ 'example.io',
+ ['example.io', { port: 3001 }]
+ ]
+
+ aggregate_failures do
+ parsed_whitelist.each do |domain_and_port|
+ expect(described_class).to be_domain_whitelisted(*domain_and_port)
+ end
+
+ not_whitelisted.each do |domain_and_port|
+ expect(described_class).not_to be_domain_whitelisted(*domain_and_port)
+ end
+ end
+ end
+ end
end
describe '#ip_whitelisted?' do
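Review bot: The port is passed as a trailing hash inside a splatted array (`be_domain_whitelisted(*domain_and_port)` with `['example.io', { port: 3000 }]`), so it reaches the method as keywords only through Ruby's implicit hash-to-keyword conversion. If `domain_whitelisted?` declares `port:` as a keyword argument (its signature is not in this diff), Ruby 2.7 warns about this and Ruby 3 passes the hash positionally. Keep plain `[domain, port]` pairs and call `be_domain_whitelisted(domain, port: port)`, with the bare `'example.io'` case as its own expectation. The 'with ports' example added to `#ip_whitelisted?` in the next hunk uses the same pattern, and the enclosing describe block continues outside this hunk.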
@@ -114,5 +133,32 @@ describe Gitlab::UrlBlockers::UrlWhitelist do
expect(described_class).not_to be_ip_whitelisted("127.0.1.15")
end
end
+
+ context 'with ports' do
+ let(:whitelist) { ['127.0.0.9:3000', '[2001:db8:85a3:8d3:1319:8a2e:370:7348]:443'] }
+
+ it 'returns true if ip and ports present in whitelist' do
+ parsed_whitelist = [
+ ['127.0.0.9', { port: 3000 }],
+ ['[2001:db8:85a3:8d3:1319:8a2e:370:7348]', { port: 443 }]
+ ]
+ not_whitelisted = [
+ '127.0.0.9',
+ ['127.0.0.9', { port: 3001 }],
+ '[2001:db8:85a3:8d3:1319:8a2e:370:7348]',
+ ['[2001:db8:85a3:8d3:1319:8a2e:370:7348]', { port: 3001 }]
+ ]
+
+ aggregate_failures do
+ parsed_whitelist.each do |ip_and_port|
+ expect(described_class).to be_ip_whitelisted(*ip_and_port)
+ end
+
+ not_whitelisted.each do |ip_and_port|
+ expect(described_class).not_to be_ip_whitelisted(*ip_and_port)
+ end
+ end
+ end
+ end
end
end
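Review bot: Every IPv6 value in this 'with ports' context is passed to `be_ip_whitelisted` in bracketed form, so the examples do not show what happens for a bare `2001:db8:85a3:8d3:1319:8a2e:370:7348` with port 443. A resolved address normally arrives without brackets (the url_blocker_spec example in this commit stubs resolution to a bare `'127.0.0.1'`), so that is presumably the form the blocker checks in practice. Add `['2001:db8:85a3:8d3:1319:8a2e:370:7348', { port: 443 }]` to `parsed_whitelist` and the same address with `{ port: 3001 }` to `not_whitelisted`.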