Add latest changes from gitlab-org/security/gitlab@14-5-stable-ee

13 files changed, 149 insertions, 20 deletions

diff --git a/spec/factories/diff_position.rb b/spec/factories/diff_position.rb
index 41f9a7b574e..bd248452de8 100644
--- a/spec/factories/diff_position.rb
+++ b/spec/factories/diff_position.rb
@@ -43,8 +43,12 @@ FactoryBot.define do
       trait :multi_line do
         line_range do
           {
-            start_line_code: Gitlab::Git.diff_line_code(file, 10, 10),
-            end_line_code: Gitlab::Git.diff_line_code(file, 12, 13)
+            start: {
+              line_code: Gitlab::Git.diff_line_code(file, 10, 10)
+            },
+            end: {
+              line_code: Gitlab::Git.diff_line_code(file, 12, 13)
+            }
           }
         end
       end
diff --git a/spec/frontend/diffs/store/utils_spec.js b/spec/frontend/diffs/store/utils_spec.js
index 73de0a6d381..55c0141552d 100644
--- a/spec/frontend/diffs/store/utils_spec.js
+++ b/spec/frontend/diffs/store/utils_spec.js
@@ -138,7 +138,7 @@ describe('DiffsStoreUtils', () => {
           old_line: 1,
         },
         linePosition: LINE_POSITION_LEFT,
-        lineRange: { start_line_code: 'abc_1_1', end_line_code: 'abc_2_2' },
+        lineRange: { start: { line_code: 'abc_1_1' }, end: { line_code: 'abc_2_2' } },
       };
 
       const position = JSON.stringify({
@@ -608,7 +608,7 @@ describe('DiffsStoreUtils', () => {
     // When multi line comments are fully implemented `line_code` will be
     // included in all requests. Until then we need to ensure the logic does
     // not change when it is included only in the "comparison" argument.
-    const lineRange = { start_line_code: 'abc_1_1', end_line_code: 'abc_1_2' };
+    const lineRange = { start: { line_code: 'abc_1_1' }, end: { line_code: 'abc_1_2' } };
 
     it('returns true when the discussion is up to date', () => {
       expect(
diff --git a/spec/lib/banzai/filter/front_matter_filter_spec.rb b/spec/lib/banzai/filter/front_matter_filter_spec.rb
index cef6a2ddcce..1562c388296 100644
--- a/spec/lib/banzai/filter/front_matter_filter_spec.rb
+++ b/spec/lib/banzai/filter/front_matter_filter_spec.rb
@@ -139,4 +139,20 @@ RSpec.describe Banzai::Filter::FrontMatterFilter do
       end
     end
   end
+
+  it 'fails fast for strings with many spaces' do
+    content = "coding:" + " " * 50_000 + ";"
+
+    expect do
+      Timeout.timeout(3.seconds) { filter(content) }
+    end.not_to raise_error
+  end
+
+  it 'fails fast for strings with many newlines' do
+    content = "coding:\n" + ";;;" + "\n" * 10_000 + "x"
+
+    expect do
+      Timeout.timeout(3.seconds) { filter(content) }
+    end.not_to raise_error
+  end
 end
diff --git a/spec/lib/gitlab/current_settings_spec.rb b/spec/lib/gitlab/current_settings_spec.rb
index a5ab1047a40..46c33d7b7b2 100644
--- a/spec/lib/gitlab/current_settings_spec.rb
+++ b/spec/lib/gitlab/current_settings_spec.rb
@@ -51,9 +51,17 @@ RSpec.describe Gitlab::CurrentSettings do
       it { is_expected.to be_truthy }
     end
 
+    context 'when new users are set to external' do
+      before do
+        create(:application_setting, user_default_external: true)
+      end
+
+      it { is_expected.to be_truthy }
+    end
+
     context 'when there are no restrictions' do
       before do
-        create(:application_setting, domain_allowlist: [], email_restrictions_enabled: false, require_admin_approval_after_user_signup: false)
+        create(:application_setting, domain_allowlist: [], email_restrictions_enabled: false, require_admin_approval_after_user_signup: false, user_default_external: false)
       end
 
       it { is_expected.to be_falsey }
diff --git a/spec/lib/gitlab/diff/formatters/text_formatter_spec.rb b/spec/lib/gitlab/diff/formatters/text_formatter_spec.rb
index 41877a16ebf..b6bdc5ff493 100644
--- a/spec/lib/gitlab/diff/formatters/text_formatter_spec.rb
+++ b/spec/lib/gitlab/diff/formatters/text_formatter_spec.rb
@@ -47,14 +47,14 @@ RSpec.describe Gitlab::Diff::Formatters::TextFormatter do
 
   describe "#==" do
     it "is false when the line_range changes" do
-      formatter_1 = described_class.new(base.merge(line_range: { start_line_code: "foo", end_line_code: "bar" }))
-      formatter_2 = described_class.new(base.merge(line_range: { start_line_code: "foo", end_line_code: "baz" }))
+      formatter_1 = described_class.new(base.merge(line_range: { "start": { "line_code" => "foo" }, "end": { "line_code" => "bar" } }))
+      formatter_2 = described_class.new(base.merge(line_range: { "start": { "line_code" => "foo" }, "end": { "line_code" => "baz" } }))
 
       expect(formatter_1).not_to eq(formatter_2)
     end
 
     it "is true when the line_range doesn't change" do
-      attrs = base.merge({ line_range: { start_line_code: "foo", end_line_code: "baz" } })
+      attrs = base.merge({ line_range: { start: { line_code: "foo" }, end: { line_code: "baz" } } })
       formatter_1 = described_class.new(attrs)
       formatter_2 = described_class.new(attrs)
 
diff --git a/spec/lib/gitlab/diff/lines_unfolder_spec.rb b/spec/lib/gitlab/diff/lines_unfolder_spec.rb
index 8385cba3532..f0e710be2e4 100644
--- a/spec/lib/gitlab/diff/lines_unfolder_spec.rb
+++ b/spec/lib/gitlab/diff/lines_unfolder_spec.rb
@@ -215,6 +215,16 @@ RSpec.describe Gitlab::Diff::LinesUnfolder do
       build(:text_diff_position, old_line: 43, new_line: 40)
     end
 
+    context 'old_line is an invalid number' do
+      let(:position) do
+        build(:text_diff_position, old_line: "foo", new_line: 40)
+      end
+
+      it 'fails gracefully' do
+        expect(subject.unfolded_diff_lines).to be_nil
+      end
+    end
+
     context 'blob lines' do
       let(:expected_blob_lines) do
         [[40, 40, "             \"config-opts\": [ \"--disable-introspection\" ],"],
diff --git a/spec/lib/gitlab/diff/position_tracer/line_strategy_spec.rb b/spec/lib/gitlab/diff/position_tracer/line_strategy_spec.rb
index b646cf38178..c46f476899e 100644
--- a/spec/lib/gitlab/diff/position_tracer/line_strategy_spec.rb
+++ b/spec/lib/gitlab/diff/position_tracer/line_strategy_spec.rb
@@ -295,8 +295,12 @@ RSpec.describe Gitlab::Diff::PositionTracer::LineStrategy, :clean_gitlab_redis_c
                     new_path: file_name,
                     new_line: 2,
                     line_range: {
-                      "start_line_code" => 1,
-                      "end_line_code"   => 2
+                      "start" => {
+                        "line_code" => 1
+                      },
+                      "end" => {
+                        "line_code" => 2
+                      }
                     }
                   )
                 end
@@ -575,8 +579,12 @@ RSpec.describe Gitlab::Diff::PositionTracer::LineStrategy, :clean_gitlab_redis_c
                     new_path: file_name,
                     new_line: 2,
                     line_range: {
-                      "start_line_code" => 1,
-                      "end_line_code"   => 2
+                      "start" => {
+                        "line_code" => 1
+                      },
+                      "end" => {
+                        "line_code" => 2
+                      }
                     }
                   )
                 end
@@ -588,8 +596,12 @@ RSpec.describe Gitlab::Diff::PositionTracer::LineStrategy, :clean_gitlab_redis_c
                     old_line: nil,
                     new_line: 2,
                     line_range: {
-                      "start_line_code" => 1,
-                      "end_line_code"   => 2
+                      "start" => {
+                        "line_code" => 1
+                      },
+                      "end" => {
+                        "line_code" => 2
+                      }
                     }
                   )
                 end
diff --git a/spec/lib/gitlab/wiki_pages/front_matter_parser_spec.rb b/spec/lib/gitlab/wiki_pages/front_matter_parser_spec.rb
index c78103f33f4..3152dc2ad2f 100644
--- a/spec/lib/gitlab/wiki_pages/front_matter_parser_spec.rb
+++ b/spec/lib/gitlab/wiki_pages/front_matter_parser_spec.rb
@@ -118,7 +118,7 @@ RSpec.describe Gitlab::WikiPages::FrontMatterParser do
         MD
       end
 
-      it { is_expected.to have_attributes(reason: :not_mapping) }
+      it { is_expected.to have_attributes(reason: :no_match) }
     end
 
     context 'there is a string in the YAML block' do
diff --git a/spec/models/preloaders/user_max_access_level_in_groups_preloader_spec.rb b/spec/models/preloaders/user_max_access_level_in_groups_preloader_spec.rb
index 5fc7bfb1f62..2060e6cd44a 100644
--- a/spec/models/preloaders/user_max_access_level_in_groups_preloader_spec.rb
+++ b/spec/models/preloaders/user_max_access_level_in_groups_preloader_spec.rb
@@ -13,7 +13,8 @@ RSpec.describe Preloaders::UserMaxAccessLevelInGroupsPreloader do
 
   shared_examples 'executes N max member permission queries to the DB' do
     it 'executes the specified max membership queries' do
-      expect { groups.each { |group| user.can?(:read_group, group) } }.to make_queries_matching(max_query_regex, expected_query_count)
+      expect { groups.each { |group| user.can?(:read_group, group) } }
+        .to make_queries_matching(max_query_regex, expected_query_count)
     end
 
     it 'caches the correct access_level for each group' do
diff --git a/spec/requests/api/lint_spec.rb b/spec/requests/api/lint_spec.rb
index ac30da99afe..0e83b964121 100644
--- a/spec/requests/api/lint_spec.rb
+++ b/spec/requests/api/lint_spec.rb
@@ -26,6 +26,35 @@ RSpec.describe API::Lint do
           expect(response).to have_gitlab_http_status(:ok)
         end
       end
+
+      context 'when authenticated as external user' do
+        let(:project) { create(:project) }
+        let(:api_user) { create(:user, :external) }
+
+        context 'when reporter in a project' do
+          before do
+            project.add_reporter(api_user)
+          end
+
+          it 'returns authorization failure' do
+            post api('/ci/lint', api_user), params: { content: 'content' }
+
+            expect(response).to have_gitlab_http_status(:unauthorized)
+          end
+        end
+
+        context 'when developer in a project' do
+          before do
+            project.add_developer(api_user)
+          end
+
+          it 'returns authorization success' do
+            post api('/ci/lint', api_user), params: { content: 'content' }
+
+            expect(response).to have_gitlab_http_status(:ok)
+          end
+        end
+      end
     end
 
     context 'when signup is enabled and not limited' do
diff --git a/spec/support/shared_examples/models/diff_positionable_note_shared_examples.rb b/spec/support/shared_examples/models/diff_positionable_note_shared_examples.rb
index 759b22f794e..eafa589a1d3 100644
--- a/spec/support/shared_examples/models/diff_positionable_note_shared_examples.rb
+++ b/spec/support/shared_examples/models/diff_positionable_note_shared_examples.rb
@@ -71,5 +71,38 @@ RSpec.shared_examples 'a valid diff positionable note' do |factory_on_commit|
         end
       end
     end
+
+    describe 'schema validation' do
+      where(:position_attrs) do
+        [
+          { old_path: SecureRandom.alphanumeric(1001) },
+          { new_path: SecureRandom.alphanumeric(1001) },
+          { old_line: "foo" }, # this should be an integer
+          { new_line: "foo" }, # this should be an integer
+          { line_range: { "foo": "bar" } },
+          { line_range: { "line_code": SecureRandom.alphanumeric(101) } },
+          { line_range: { "type": SecureRandom.alphanumeric(101) } },
+          { line_range: { "old_line": "foo" } },
+          { line_range: { "new_line": "foo" } }
+        ]
+      end
+
+      with_them do
+        let(:position) do
+          Gitlab::Diff::Position.new(
+            {
+              old_path: "files/ruby/popen.rb",
+              new_path: "files/ruby/popen.rb",
+              old_line: nil,
+              new_line: 14,
+              line_range: nil,
+              diff_refs: diff_refs
+            }.merge(position_attrs)
+          )
+        end
+
+        it { is_expected.to be_invalid }
+      end
+    end
   end
 end
diff --git a/spec/support/shared_examples/requests/api/diff_discussions_shared_examples.rb b/spec/support/shared_examples/requests/api/diff_discussions_shared_examples.rb
index 518c5b8dc28..7f2c445e93d 100644
--- a/spec/support/shared_examples/requests/api/diff_discussions_shared_examples.rb
+++ b/spec/support/shared_examples/requests/api/diff_discussions_shared_examples.rb
@@ -29,10 +29,14 @@ RSpec.shared_examples 'diff discussions API' do |parent_type, noteable_type, id_
   describe "POST /#{parent_type}/:id/#{noteable_type}/:noteable_id/discussions" do
     it "creates a new diff note" do
       line_range = {
-        "start_line_code" => Gitlab::Git.diff_line_code(diff_note.position.file_path, 1, 1),
-        "end_line_code" => Gitlab::Git.diff_line_code(diff_note.position.file_path, 2, 2),
-        "start_line_type" => diff_note.position.type,
-        "end_line_type" => diff_note.position.type
+        "start" => {
+          "line_code" => Gitlab::Git.diff_line_code(diff_note.position.file_path, 1, 1),
+          "type" => diff_note.position.type
+        },
+        "end" => {
+          "line_code" => Gitlab::Git.diff_line_code(diff_note.position.file_path, 2, 2),
+          "type" => diff_note.position.type
+        }
       }
 
       position = diff_note.position.to_h.merge({ line_range: line_range })
diff --git a/spec/validators/json_schema_validator_spec.rb b/spec/validators/json_schema_validator_spec.rb
index 83eb0e2f3dd..01caf4ab0bd 100644
--- a/spec/validators/json_schema_validator_spec.rb
+++ b/spec/validators/json_schema_validator_spec.rb
@@ -46,5 +46,17 @@ RSpec.describe JsonSchemaValidator do
         expect { subject }.to raise_error(described_class::FilenameError)
       end
     end
+
+    describe 'hash_conversion option' do
+      context 'when hash_conversion is enabled' do
+        let(:validator) { described_class.new(attributes: [:data], filename: "build_report_result_data", hash_conversion: true) }
+
+        it 'returns no errors' do
+          subject
+
+          expect(build_report_result.errors).to be_empty
+        end
+      end
+    end
   end
 end