Merge branch 'sh-backport-10-3-4-security-fixes' into 'master'

Backport 10.3.4 security fixes into master

See merge request gitlab-org/gitlab-ce!16509

3 files changed, 100 insertions, 7 deletions

diff --git a/spec/services/merge_requests/create_service_spec.rb b/spec/services/merge_requests/create_service_spec.rb
index dd8c803a2f7..5d226f34d2d 100644
--- a/spec/services/merge_requests/create_service_spec.rb
+++ b/spec/services/merge_requests/create_service_spec.rb
@@ -263,5 +263,66 @@ describe MergeRequests::CreateService do
         expect(issue_ids).to match_array([first_issue.id, second_issue.id])
       end
     end
+
+    context 'when source and target projects are different' do
+      let(:target_project) { create(:project) }
+
+      let(:opts) do
+        {
+          title: 'Awesome merge_request',
+          source_branch: 'feature',
+          target_branch: 'master',
+          target_project_id: target_project.id
+        }
+      end
+
+      context 'when user can not access source project' do
+        before do
+          target_project.add_developer(assignee)
+          target_project.add_master(user)
+        end
+
+        it 'raises an error' do
+          expect { described_class.new(project, user, opts).execute }
+            .to raise_error Gitlab::Access::AccessDeniedError
+        end
+      end
+
+      context 'when user can not access target project' do
+        before do
+          target_project.add_developer(assignee)
+          target_project.add_master(user)
+        end
+
+        it 'raises an error' do
+          expect { described_class.new(project, user, opts).execute }
+            .to raise_error Gitlab::Access::AccessDeniedError
+        end
+      end
+    end
+
+    context 'when user sets source project id' do
+      let(:another_project) { create(:project) }
+
+      let(:opts) do
+        {
+          title: 'Awesome merge_request',
+          source_branch: 'feature',
+          target_branch: 'master',
+          source_project_id: another_project.id
+        }
+      end
+
+      before do
+        project.add_developer(assignee)
+        project.add_master(user)
+      end
+
+      it 'ignores source_project_id' do
+        merge_request = described_class.new(project, user, opts).execute
+
+        expect(merge_request.source_project_id).to eq(project.id)
+      end
+    end
   end
 end
diff --git a/spec/services/projects/autocomplete_service_spec.rb b/spec/services/projects/autocomplete_service_spec.rb
index 7a8c54673f7..f7ff8b80bd7 100644
--- a/spec/services/projects/autocomplete_service_spec.rb
+++ b/spec/services/projects/autocomplete_service_spec.rb
@@ -93,26 +93,27 @@ describe Projects::AutocompleteService do
     let(:user) { create(:user) }
     let(:group) { create(:group) }
     let(:project) { create(:project, group: group) }
-    let!(:group_milestone) { create(:milestone, group: group) }
-    let!(:project_milestone) { create(:milestone, project: project) }
+    let!(:group_milestone1) { create(:milestone, group: group, due_date: '2017-01-01', title: 'Second Title') }
+    let!(:group_milestone2) { create(:milestone, group: group, due_date: '2017-01-01', title: 'First Title') }
+    let!(:project_milestone) { create(:milestone, project: project, due_date: '2016-01-01') }
 
     let(:milestone_titles) { described_class.new(project, user).milestones.map(&:title) }
 
-    it 'includes project and group milestones' do
-      expect(milestone_titles).to eq([group_milestone.title, project_milestone.title])
+    it 'includes project and group milestones and sorts them correctly' do
+      expect(milestone_titles).to eq([project_milestone.title, group_milestone2.title, group_milestone1.title])
     end
 
     it 'does not include closed milestones' do
-      group_milestone.close
+      group_milestone1.close
 
-      expect(milestone_titles).to eq([project_milestone.title])
+      expect(milestone_titles).to eq([project_milestone.title, group_milestone2.title])
     end
 
     it 'does not include milestones from other projects in the group' do
       other_project = create(:project, group: group)
       project_milestone.update!(project: other_project)
 
-      expect(milestone_titles).to eq([group_milestone.title])
+      expect(milestone_titles).to eq([group_milestone2.title, group_milestone1.title])
     end
   end
 end
diff --git a/spec/services/projects/gitlab_projects_import_service_spec.rb b/spec/services/projects/gitlab_projects_import_service_spec.rb
new file mode 100644
index 00000000000..bb0e274c93e
--- /dev/null
+++ b/spec/services/projects/gitlab_projects_import_service_spec.rb
@@ -0,0 +1,31 @@
+require 'spec_helper'
+
+describe Projects::GitlabProjectsImportService do
+  set(:namespace) { build(:namespace) }
+  let(:file) { fixture_file_upload(Rails.root + 'spec/fixtures/doc_sample.txt', 'text/plain') }
+  subject { described_class.new(namespace.owner, { namespace_id: namespace.id, path: path, file: file }) }
+
+  describe '#execute' do
+    context 'with an invalid path' do
+      let(:path) { '/invalid-path/' }
+
+      it 'returns an invalid project' do
+        project = subject.execute
+
+        expect(project).not_to be_persisted
+        expect(project).not_to be_valid
+      end
+    end
+
+    context 'with a valid path' do
+      let(:path) { 'test-path' }
+
+      it 'creates a project' do
+        project = subject.execute
+
+        expect(project).to be_persisted
+        expect(project).to be_valid
+      end
+    end
+  end
+end