diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-05-22 21:44:12 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-05-22 21:44:12 +0300 |
commit | 34d6370bacdf1849de3618f23faaa9de76612e31 (patch) | |
tree | 1420e018fea4068504d059141212502e6f9ac040 /spec/support/shared_examples | |
parent | 727b75d3e8ecb88c70edbb017f29a8da302656c0 (diff) |
Add latest changes from gitlab-org/security/gitlab@16-0-stable-eev16.0.1
Diffstat (limited to 'spec/support/shared_examples')
-rw-r--r-- | spec/support/shared_examples/requests/uploads_actions_shared_examples.rb | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/spec/support/shared_examples/requests/uploads_actions_shared_examples.rb b/spec/support/shared_examples/requests/uploads_actions_shared_examples.rb new file mode 100644 index 00000000000..41613fa9871 --- /dev/null +++ b/spec/support/shared_examples/requests/uploads_actions_shared_examples.rb @@ -0,0 +1,25 @@ +# frozen_string_literal: true + +RSpec.shared_examples 'uploads actions' do + describe "GET #show" do + context 'with file traversal in filename parameter' do + # Uploads in tests are stored in directories like: + # tmp/tests/public/uploads/@hashed/AB/CD/ABCD/SECRET + let(:filename) { "../../../../../../../../../Gemfile.lock" } + let(:escaped_filename) { CGI.escape filename } + + it 'responds with status 400' do + # Check files do indeed exists + upload_absolute_path = Pathname(upload.absolute_path) + expect(upload_absolute_path).to be_exist + attacked_file_path = upload_absolute_path.dirname.join(filename) + expect(attacked_file_path).to be_exist + + # Need to escape, otherwise we get `ActionController::UrlGenerationError Exception: No route matches` + get show_path.sub(File.basename(upload.path), escaped_filename) + + expect(response).to have_gitlab_http_status(:bad_request) + end + end + end +end |