authorGitLab Bot <gitlab-bot@gitlab.com>2021-09-29 15:52:24 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2021-09-29 15:52:24 +0300
commitb56d907a1d9065c3df354007fa00daf30626a478 (patch)
tree0868c35228207eece8e012bdc47a8829556d7758 /spec/lib
parentaee004311cd93409176ea4f6e2bdcd0601487e4b (diff)
Add latest changes from gitlab-org/security/gitlab@14-3-stable-ee
Diffstat (limited to 'spec/lib')
-rw-r--r--spec/lib/banzai/filter/spaced_link_filter_spec.rb10
-rw-r--r--spec/lib/gitlab/fogbugz_import/importer_spec.rb80
-rw-r--r--spec/lib/gitlab/string_regex_marker_spec.rb12
3 files changed, 79 insertions, 23 deletions
diff --git a/spec/lib/banzai/filter/spaced_link_filter_spec.rb b/spec/lib/banzai/filter/spaced_link_filter_spec.rb
index 2c64657d69d..820ebeb6945 100644
--- a/spec/lib/banzai/filter/spaced_link_filter_spec.rb
+++ b/spec/lib/banzai/filter/spaced_link_filter_spec.rb
@@ -63,6 +63,16 @@ RSpec.describe Banzai::Filter::SpacedLinkFilter do
end
end
+ it 'does not process malicious input' do
+ Timeout.timeout(10) do
+ doc = filter('[ (](' * 60_000)
+
+ found_links = doc.css('a')
+
+ expect(found_links.size).to eq(0)
+ end
+ end
+
it 'converts multiple URLs' do
link1 = '[first](slug one)'
link2 = '[second](http://example.com/slug two)'
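Review bot: The new example never says why `'[ (](' * 60_000` is a malicious input, so the next person who relaxes the link regexp cannot tell which regression this guards; a comment above the `Timeout.timeout(10)` line such as `# Regression: long runs of unbalanced '[ (](' presumably triggered pathological backtracking in the link regexp — confirm against the fix` would make the intent explicit. The only signal that the regression has returned is the 10-second `Timeout.timeout`, which I take to rely on the interpreter interrupting the match; a tighter bound, or recording elapsed time and asserting on it, would also catch a partial regression that still completes within 10 s. The `expect(found_links.size).to eq(0)` assertion is a reasonable secondary check but says nothing about timing on its own.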
diff --git a/spec/lib/gitlab/fogbugz_import/importer_spec.rb b/spec/lib/gitlab/fogbugz_import/importer_spec.rb
index eb0c4da6ce3..9b58b772d1a 100644
--- a/spec/lib/gitlab/fogbugz_import/importer_spec.rb
+++ b/spec/lib/gitlab/fogbugz_import/importer_spec.rb
@@ -4,23 +4,11 @@ require 'spec_helper'
RSpec.describe Gitlab::FogbugzImport::Importer do
let(:project) { create(:project_empty_repo) }
- let(:importer) { described_class.new(project) }
- let(:repo) do
- instance_double(Gitlab::FogbugzImport::Repository,
- safe_name: 'vim',
- path: 'vim',
- raw_data: '')
- end
-
- let(:import_data) { { 'repo' => repo } }
- let(:credentials) do
- {
- 'fb_session' => {
- 'uri' => 'https://testing.fogbugz.com',
- 'token' => 'token'
- }
- }
- end
+ let(:fogbugz_project) { { 'ixProject' => project.id, 'sProject' => 'vim' } }
+ let(:import_data) { { 'repo' => fogbugz_project } }
+ let(:base_url) { 'https://testing.fogbugz.com' }
+ let(:token) { 'token' }
+ let(:credentials) { { 'fb_session' => { 'uri' => base_url, 'token' => token } } }
let(:closed_bug) do
{
@@ -46,18 +34,22 @@ RSpec.describe Gitlab::FogbugzImport::Importer do
let(:fogbugz_bugs) { [opened_bug, closed_bug] }
+ subject(:importer) { described_class.new(project) }
+
before do
project.create_import_data(data: import_data, credentials: credentials)
- allow_any_instance_of(::Fogbugz::Interface).to receive(:command).with(:listCategories).and_return([])
- allow_any_instance_of(Gitlab::FogbugzImport::Client).to receive(:cases).and_return(fogbugz_bugs)
+
+ stub_fogbugz('listProjects', projects: { project: [fogbugz_project], count: 1 })
+ stub_fogbugz('listCategories', categories: { category: [], count: 0 })
+ stub_fogbugz('search', cases: { case: fogbugz_bugs, count: fogbugz_bugs.size })
end
it 'imports bugs' do
- expect { importer.execute }.to change { Issue.count }.by(2)
+ expect { subject.execute }.to change { Issue.count }.by(2)
end
it 'imports opened bugs' do
- importer.execute
+ subject.execute
issue = Issue.where(project_id: project.id).find_by_title(opened_bug[:sTitle])
@@ -65,10 +57,54 @@ RSpec.describe Gitlab::FogbugzImport::Importer do
end
it 'imports closed bugs' do
- importer.execute
+ subject.execute
issue = Issue.where(project_id: project.id).find_by_title(closed_bug[:sTitle])
expect(issue.state_id).to eq(Issue.available_states[:closed])
end
+
+ context 'verify url' do
+ context 'when host is localhost' do
+ let(:base_url) { 'https://localhost:3000' }
+
+ it 'does not allow localhost requests' do
+ expect { subject.execute }
+ .to raise_error(
+ ::Gitlab::HTTP::BlockedUrlError,
+ "URL 'https://localhost:3000/api.asp' is blocked: Requests to localhost are not allowed"
+ )
+ end
+ end
+
+ context 'when host is on local network' do
+ let(:base_url) { 'http://192.168.0.1' }
+
+ it 'does not allow localhost requests' do
+ expect { subject.execute }
+ .to raise_error(
+ ::Gitlab::HTTP::BlockedUrlError,
+ "URL 'http://192.168.0.1/api.asp' is blocked: Requests to the local network are not allowed"
+ )
+ end
+ end
+
+ context 'when host is ftp protocol' do
+ let(:base_url) { 'ftp://testing' }
+
+ it 'only accept http and https requests' do
+ expect { subject.execute }
+ .to raise_error(
+ HTTParty::UnsupportedURIScheme,
+ "'ftp://testing/api.asp' Must be HTTP, HTTPS or Generic"
+ )
+ end
+ end
+ end
+
+ def stub_fogbugz(command, response)
+ stub_request(:post, "#{base_url}/api.asp")
+ .with(body: hash_including({ 'cmd' => command, 'token' => token }))
+ .to_return(status: 200, body: response.to_xml(root: :response))
+ end
end
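Review bot: The example inside `context 'when host is on local network'` keeps a copy-pasted description, `it 'does not allow localhost requests' do`, while its assertion checks the local-network block message; rename it `it 'does not allow local network requests' do` so a failure reads correctly. The three contexts cover a literal loopback address, a literal private address and a non-HTTP scheme, but not a hostname that resolves to a private address, which is presumably the other path the blocker guards; a fourth context that stubs resolution for `base_url` to a private IP would pin that behaviour too (inferred — the resolution logic is outside this diff). Each `raise_error` matches the full blocker message verbatim, which ties this spec to the wording of `::Gitlab::HTTP::BlockedUrlError`; asserting the class plus a `/is blocked/` fragment would be less brittle. The same copy-pasted description issue does not appear in the other hunks of this file.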
diff --git a/spec/lib/gitlab/string_regex_marker_spec.rb b/spec/lib/gitlab/string_regex_marker_spec.rb
index a02be83558c..0cbe44eacf4 100644
--- a/spec/lib/gitlab/string_regex_marker_spec.rb
+++ b/spec/lib/gitlab/string_regex_marker_spec.rb
@@ -23,9 +23,10 @@ RSpec.describe Gitlab::StringRegexMarker do
context 'with multiple occurrences' do
let(:raw) { %{a <b> <c> d} }
let(:rich) { %{a &lt;b&gt; &lt;c&gt; d}.html_safe }
+ let(:regexp) { /<[a-z]>/ }
subject do
- described_class.new(raw, rich).mark(/<[a-z]>/) do |text, left:, right:, mode:|
+ described_class.new(raw, rich).mark(regexp) do |text, left:, right:, mode:|
%{<strong>#{text}</strong>}.html_safe
end
end
@@ -34,6 +35,15 @@ RSpec.describe Gitlab::StringRegexMarker do
expect(subject).to eq(%{a <strong>&lt;b&gt;</strong> <strong>&lt;c&gt;</strong> d})
expect(subject).to be_html_safe
end
+
+ context 'with a Gitlab::UntrustedRegexp' do
+ let(:regexp) { Gitlab::UntrustedRegexp.new('<[a-z]>') }
+
+ it 'marks the matches' do
+ expect(subject).to eq(%{a <strong>&lt;b&gt;</strong> <strong>&lt;c&gt;</strong> d})
+ expect(subject).to be_html_safe
+ end
+ end
end
end
end
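Review bot: The new `context 'with a Gitlab::UntrustedRegexp'` repeats the two expectations of the surrounding example verbatim, so the only thing that varies is `let(:regexp)`; extracting `shared_examples 'marks the matches' do … end` with the two `expect(subject)` lines and invoking it from both places via `it_behaves_like 'marks the matches'` would keep the two regexp flavours from drifting apart. A one-line comment on the new context, such as `# Gitlab::UntrustedRegexp is the path used for user-supplied patterns; the marker must accept it as well as a core Regexp`, would record why a second regexp type is exercised here (the reason is inferred from the class name, not visible in this diff). The enclosing `describe` block starts outside the hunk.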