authorGitLab Bot <gitlab-bot@gitlab.com>2020-03-05 00:07:54 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2020-03-05 00:07:54 +0300
commit2fd92f2dc784ade9cb4e1c33dd60cbfad7b86818 (patch)
tree7779f36689db97a46e0268a4aec1d49f283eb0c8 /spec/support/shared_examples/controllers
parent42ca24aa5bbab7a2d43bc866d9bee9876941cea2 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'spec/support/shared_examples/controllers')
-rw-r--r--spec/support/shared_examples/controllers/uploads_actions_shared_examples.rb30
1 files changed, 28 insertions, 2 deletions
diff --git a/spec/support/shared_examples/controllers/uploads_actions_shared_examples.rb b/spec/support/shared_examples/controllers/uploads_actions_shared_examples.rb
index 73087befad2..662c64647d6 100644
--- a/spec/support/shared_examples/controllers/uploads_actions_shared_examples.rb
+++ b/spec/support/shared_examples/controllers/uploads_actions_shared_examples.rb
@@ -69,13 +69,39 @@ RSpec.shared_examples 'handle uploads' do
end
describe "GET #show" do
+ let(:filename) { "rails_sample.jpg" }
+
+ let(:upload_service) do
+ UploadService.new(model, jpg, uploader_class).execute
+ end
+
let(:show_upload) do
- get :show, params: params.merge(secret: secret, filename: "rails_sample.jpg")
+ get :show, params: params.merge(secret: secret, filename: filename)
end
before do
allow(FileUploader).to receive(:generate_secret).and_return(secret)
- UploadService.new(model, jpg, uploader_class).execute
+ upload_service
+ end
+
+ context 'when the secret is invalid' do
+ let(:secret) { "../../../../../../../../" }
+ let(:filename) { "Gemfile.lock" }
+ let(:upload_service) { nil }
+
+ it 'responds with status 404' do
+ show_upload
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+
+ it 'is a working exploit without the validation' do
+ allow_any_instance_of(FileUploader).to receive(:secret) { secret }
+
+ show_upload
+
+ expect(response).to have_gitlab_http_status(:ok)
+ end
end
context 'when accessing a specific upload via different model' do