Merge remote-tracking branch 'dev/master'

* dev/master: Update CHANGELOG.md for 11.3.13 Validate LFS hrefs before downloading them
author: Alex Hanselka <alex@gitlab.com> 2018-12-14 02:58:13 +0300
committer: Alex Hanselka <alex@gitlab.com> 2018-12-14 02:58:13 +0300
commit: de9b380e73992de3c76d965f3843d269a03f97f8 (patch)
tree: 978f7ccbbae566c8f4bb66d064b4ca5ce21c1ddc /spec/services
parent: 07e079e8dd336e76986ad001fce79ab9babb00b0 (diff)
parent: 0b7e870f9e938f3776d91866f491302945d604ba (diff)
1 files changed, 12 insertions, 0 deletions
diff --git a/spec/services/projects/lfs_pointers/lfs_download_service_spec.rb b/spec/services/projects/lfs_pointers/lfs_download_service_spec.rb
index 6af5bfc7689..d7d7f1874eb 100644
--- a/spec/services/projects/lfs_pointers/lfs_download_service_spec.rb
+++ b/spec/services/projects/lfs_pointers/lfs_download_service_spec.rb
@@ -54,6 +54,18 @@ describe Projects::LfsPointers::LfsDownloadService do
       end
     end
 
+    context 'when a bad URL is used' do
+      where(download_link: ['/etc/passwd', 'ftp://example.com', 'http://127.0.0.2'])
+
+      with_them do
+        it 'does not download the file' do
+          expect(subject).not_to receive(:download_and_save_file)
+
+          expect { subject.execute(oid, download_link) }.not_to change { LfsObject.count }
+        end
+      end
+    end
+
     context 'when an lfs object with the same oid already exists'  do
       before do
         create(:lfs_object, oid: 'oid')
author	Alex Hanselka <alex@gitlab.com>	2018-12-14 02:58:13 +0300
committer	Alex Hanselka <alex@gitlab.com>	2018-12-14 02:58:13 +0300
commit	de9b380e73992de3c76d965f3843d269a03f97f8 (patch)
tree	978f7ccbbae566c8f4bb66d064b4ca5ce21c1ddc /spec/services
parent	07e079e8dd336e76986ad001fce79ab9babb00b0 (diff)
parent	0b7e870f9e938f3776d91866f491302945d604ba (diff)