authorGitLab Bot <gitlab-bot@gitlab.com>2023-01-30 12:13:00 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-01-30 12:13:00 +0300
commite92925533667e147ff34cf1e9b8af21680c8c7d4 (patch)
tree1594de73938c3015737864b667e43b5e9650c9fb /spec/models
parentc3e54801bb461b6d53c48e3194f87cb5ebf3f5ba (diff)
Add latest changes from gitlab-org/security/gitlab@15-8-stable-ee
Diffstat (limited to 'spec/models')
-rw-r--r--spec/models/concerns/issuable_spec.rb1
-rw-r--r--spec/models/concerns/sanitizable_spec.rb53
-rw-r--r--spec/models/namespace_setting_spec.rb6
3 files changed, 57 insertions, 3 deletions
diff --git a/spec/models/concerns/issuable_spec.rb b/spec/models/concerns/issuable_spec.rb
index e553e34ab51..206b3ae61cf 100644
--- a/spec/models/concerns/issuable_spec.rb
+++ b/spec/models/concerns/issuable_spec.rb
@@ -65,7 +65,6 @@ RSpec.describe Issuable do
it { is_expected.to validate_presence_of(:author) }
it { is_expected.to validate_presence_of(:title) }
it { is_expected.to validate_length_of(:title).is_at_most(described_class::TITLE_LENGTH_MAX) }
- it { is_expected.to validate_length_of(:description).is_at_most(described_class::DESCRIPTION_LENGTH_MAX).on(:create) }
it_behaves_like 'validates description length with custom validation' do
before do
diff --git a/spec/models/concerns/sanitizable_spec.rb b/spec/models/concerns/sanitizable_spec.rb
index 4a1d463d666..be7169f8dca 100644
--- a/spec/models/concerns/sanitizable_spec.rb
+++ b/spec/models/concerns/sanitizable_spec.rb
@@ -75,7 +75,58 @@ RSpec.describe Sanitizable do
it 'is not valid', :aggregate_failures do
expect(record).not_to be_valid
- expect(record.errors.full_messages).to include('Name cannot contain escaped HTML entities')
+ expect(record.errors.full_messages).to contain_exactly(
+ 'Name cannot contain escaped HTML entities',
+ 'Description cannot contain escaped HTML entities'
+ )
+ end
+ end
+
+ context 'when input contains double-escaped data' do
+ let_it_be(:input) do
+ '%2526lt%253Bscript%2526gt%253Balert%25281%2529%2526lt%253B%252Fscript%2526gt%253B'
+ end
+
+ it_behaves_like 'noop'
+
+ it 'is not valid', :aggregate_failures do
+ expect(record).not_to be_valid
+ expect(record.errors.full_messages).to contain_exactly(
+ 'Name cannot contain escaped components',
+ 'Description cannot contain escaped components'
+ )
+ end
+ end
+
+ context 'when input contains a path traversal attempt' do
+ let_it_be(:input) { 'main../../../../../../api/v4/projects/1/import_project_members/2' }
+
+ it_behaves_like 'noop'
+
+ it 'is not valid', :aggregate_failures do
+ expect(record).not_to be_valid
+ expect(record.errors.full_messages).to contain_exactly(
+ 'Name cannot contain a path traversal component',
+ 'Description cannot contain a path traversal component'
+ )
+ end
+ end
+
+ context 'when input contains both path traversal attempt and pre-escaped entities' do
+ let_it_be(:input) do
+ 'main../../../../../../api/v4/projects/1/import_project_members/2&lt;script&gt;alert(1)&lt;/script&gt;'
+ end
+
+ it_behaves_like 'noop'
+
+ it 'is not valid', :aggregate_failures do
+ expect(record).not_to be_valid
+ expect(record.errors.full_messages).to contain_exactly(
+ 'Name cannot contain a path traversal component',
+ 'Name cannot contain escaped HTML entities',
+ 'Description cannot contain a path traversal component',
+ 'Description cannot contain escaped HTML entities'
+ )
end
end
end
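Review bot: The fixture in the 'when input contains double-escaped data' context's `let_it_be(:input)` is an opaque percent-encoded blob, so a reader cannot tell what the validator is being fed without decoding it by hand; a comment stating the decoded form would make the intent clear, e.g. `# '&lt;script&gt;alert(1)&lt;/script&gt;' percent-encoded twice (%25 -> %, then %26 -> &, %3B -> ;)`. That decoded string is the same entity-escaped payload used literally in the 'pre-escaped entities' context further down, which is worth saying so the two examples read as one payload at two encoding depths. The switch to `contain_exactly` pins the exact error set for every example here, so any message later added to Sanitizable for these inputs will fail them; that looks intentional, but a one-line comment on the first `contain_exactly` would save the next maintainer a guess. The `noop` shared example and the `record` helper are defined outside the hunk.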
diff --git a/spec/models/namespace_setting_spec.rb b/spec/models/namespace_setting_spec.rb
index 0bf6fdf4fa0..15b80749aa2 100644
--- a/spec/models/namespace_setting_spec.rb
+++ b/spec/models/namespace_setting_spec.rb
@@ -18,7 +18,7 @@ RSpec.describe NamespaceSetting, feature_category: :subgroups, type: :model do
describe "#default_branch_name_content" do
let_it_be(:group) { create(:group) }
- let(:namespace_settings) { group.namespace_settings }
+ subject(:namespace_settings) { group.namespace_settings }
shared_examples "doesn't return an error" do
it "doesn't return an error" do
@@ -28,6 +28,10 @@ RSpec.describe NamespaceSetting, feature_category: :subgroups, type: :model do
end
context "when not set" do
+ before do
+ namespace_settings.default_branch_name = nil
+ end
+
it_behaves_like "doesn't return an error"
end
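Review bot: The new `before` block in the 'when not set' context assigns `default_branch_name = nil` without saying why an explicit nil is needed in a context already named "when not set"; presumably the shared `let_it_be` group carries a value from the factory or a sibling context, but that is not visible here. A why-comment would stop the block being removed as redundant, e.g. `# the shared let_it_be group may already carry a value; make "not set" explicit`. The enclosing describe block continues outside the hunk, and `namespace_settings` is the subject renamed in the preceding hunk.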