authorGitLab Bot <gitlab-bot@gitlab.com>2023-06-03 00:59:19 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-06-03 00:59:19 +0300
commit1385478346704d03ab9d3a9bf8ae3812cea0b6b5 (patch)
treec2b68728119200c48fbfe09bb09397d4e31659b7 /spec/support/shared_examples
parent361d9dae8bafae8c830d68d16ea0f76482ba9343 (diff)
Add latest changes from gitlab-org/security/gitlab@16-0-stable-ee
Diffstat (limited to 'spec/support/shared_examples')
-rw-r--r--spec/support/shared_examples/features/reportable_note_shared_examples.rb1
-rw-r--r--spec/support/shared_examples/models/exportable_shared_examples.rb62
-rw-r--r--spec/support/shared_examples/requests/api/npm_packages_shared_examples.rb11
3 files changed, 46 insertions, 28 deletions
diff --git a/spec/support/shared_examples/features/reportable_note_shared_examples.rb b/spec/support/shared_examples/features/reportable_note_shared_examples.rb
index 133da230bed..264cc9c798b 100644
--- a/spec/support/shared_examples/features/reportable_note_shared_examples.rb
+++ b/spec/support/shared_examples/features/reportable_note_shared_examples.rb
@@ -6,7 +6,6 @@ RSpec.shared_examples 'reportable note' do |type|
let(:comment) { find("##{ActionView::RecordIdentifier.dom_id(note)}") }
let(:more_actions_selector) { '.more-actions.dropdown' }
- let(:abuse_report_path) { new_abuse_report_path(user_id: note.author.id, ref_url: noteable_note_url(note)) }
it 'has an edit button' do
expect(comment).to have_selector('.js-note-edit')
diff --git a/spec/support/shared_examples/models/exportable_shared_examples.rb b/spec/support/shared_examples/models/exportable_shared_examples.rb
index 37c3e68fd5f..57e231e4a6e 100644
--- a/spec/support/shared_examples/models/exportable_shared_examples.rb
+++ b/spec/support/shared_examples/models/exportable_shared_examples.rb
@@ -1,27 +1,28 @@
# frozen_string_literal: true
-RSpec.shared_examples 'resource with exportable associations' do
- before do
- stub_licensed_features(stubbed_features) if stubbed_features.any?
- end
+RSpec.shared_examples 'an exportable' do |restricted_association: :project|
+ let_it_be(:user) { create(:user) }
describe '#exportable_association?' do
- let(:association) { single_association }
+ let(:association) { restricted_association }
subject { resource.exportable_association?(association, current_user: user) }
it { is_expected.to be_falsey }
- context 'when user can read resource' do
+ context 'when user can only read resource' do
before do
- group.add_developer(user)
+ allow(Ability).to receive(:allowed?).and_call_original
+ allow(Ability).to receive(:allowed?)
+ .with(user, :"read_#{resource.to_ability_name}", resource)
+ .and_return(true)
end
it { is_expected.to be_falsey }
context "when user can read resource's association" do
before do
- other_group.add_developer(user)
+ allow(resource).to receive(:readable_record?).with(anything, user).and_return(true)
end
it { is_expected.to be_truthy }
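Review bot: The stub on line 60 matches any first argument (`with(anything, user)`), so the truthy expectation on line 62 also passes if `exportable_association?` asks `readable_record?` about a different association than the one under test. Since `association` is already bound to `restricted_association` in this describe, tightening it costs nothing: `allow(resource).to receive(:readable_record?).with(association, user).and_return(true)`. The meaning of that first positional argument is inferred from the stub alone, so confirm it against the method's signature. The `#exportable_association?` describe continues into the next hunk.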
@@ -31,41 +32,48 @@ RSpec.shared_examples 'resource with exportable associations' do
it { is_expected.to be_falsey }
end
-
- context 'for an unauthenticated user' do
- let(:user) { nil }
-
- it { is_expected.to be_falsey }
- end
end
end
end
- describe '#readable_records' do
- subject { resource.readable_records(association, current_user: user) }
+ describe '#to_authorized_json' do
+ let(:options) { { include: [{ notes: { only: [:id] } }] } }
+
+ subject { resource.to_authorized_json(keys, user, options) }
before do
- group.add_developer(user)
+ allow(Ability).to receive(:allowed?).and_call_original
+ allow(Ability).to receive(:allowed?)
+ .with(user, :"read_#{resource.to_ability_name}", resource)
+ .and_return(true)
end
context 'when association not supported' do
- let(:association) { :foo }
+ let(:keys) { [:foo] }
- it { is_expected.to be_nil }
+ it { is_expected.not_to include('foo') }
end
context 'when association is `:notes`' do
- let(:association) { :notes }
+ let_it_be(:readable_note) { create(:system_note, noteable: resource, project: project, note: 'readable') }
+ let_it_be(:restricted_note) { create(:system_note, noteable: resource, project: project, note: 'restricted') }
- it { is_expected.to match_array([readable_note]) }
+ let(:restricted_note_access) { false }
+ let(:keys) { [:notes] }
- context 'when user have access' do
- before do
- other_group.add_developer(user)
- end
+ before do
+ allow(Ability).to receive(:allowed?).and_call_original
+ allow(Ability).to receive(:allowed?).with(user, :read_note, readable_note).and_return(true)
+ allow(Ability).to receive(:allowed?).with(user, :read_note, restricted_note).and_return(restricted_note_access)
+ end
+
+ it { is_expected.to include("\"notes\":[{\"id\":#{readable_note.id}}]") }
+
+ context 'when user have access to all notes' do
+ let(:restricted_note_access) { true }
- it 'returns all records' do
- is_expected.to match_array([readable_note, restricted_note])
+ it 'string includes all notes' do
+ is_expected.to include("\"notes\":[{\"id\":#{readable_note.id}},{\"id\":#{restricted_note.id}}]")
end
end
end
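Review bot: The `for an unauthenticated user` context is dropped (lines 67–71) and nothing in the rewritten `#exportable_association?` describe exercises `current_user: nil` any more, so a regression that lets a nil user read a restricted association would still pass these shared examples. With `user` now defined by `let_it_be` at the top of the group, the old context can be restored inside that describe with a plain `let(:user) { nil }` override. Separately, the assertions on lines 111 and 118 pin exact JSON substrings including key order, and line 92's `not_to include('foo')` passes on any output that merely lacks that substring; parsing the result with `Gitlab::Json.parse` and asserting on the `notes` array would make all three less brittle.
```ruby
# … unchanged: existing examples in describe '#exportable_association?' …
    context 'for an unauthenticated user' do
      let(:user) { nil }

      it { is_expected.to be_falsey }
    end
```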
diff --git a/spec/support/shared_examples/requests/api/npm_packages_shared_examples.rb b/spec/support/shared_examples/requests/api/npm_packages_shared_examples.rb
index f53532d00d7..f430db61976 100644
--- a/spec/support/shared_examples/requests/api/npm_packages_shared_examples.rb
+++ b/spec/support/shared_examples/requests/api/npm_packages_shared_examples.rb
@@ -849,3 +849,14 @@ RSpec.shared_examples 'handling different package names, visibilities and user r
it_behaves_like example_name, status: status
end
end
+
+RSpec.shared_examples 'rejects invalid package names' do
+ let(:package_name) { "%0d%0ahttp:/%2fexample.com" }
+
+ it do
+ subject
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ expect(Gitlab::Json.parse(response.body)).to eq({ 'error' => 'package_name should be a valid file path' })
+ end
+end
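Review bot: The example on line 134 has no description, so a failure reports only auto-generated text, and the shared example silently depends on the including spec defining `subject` as the request and interpolating `package_name` into the requested path. Name it, e.g. `it 'responds with 400 and a package_name validation error' do`, and add a comment above the `let` on line 132 such as `# Encoded CRLF and slash: the API must reject this as an invalid file path, per the error asserted below.` Only this single malformed name is exercised here; whether the including specs cover other rejected shapes cannot be seen from this hunk.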