
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2021-10-27 15:41:41 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2021-10-27 15:41:41 +0300
commitc1c828ac7f7b3c2e51d81921bbef9d474cd4d0a4 (patch)
tree32fabcdfa49cd8eab122cf5efecb47db6d5e59bf /spec
parent547a5884d1ab6a22d9fc9ce79e5cf6f0310bc23d (diff)
Add latest changes from gitlab-org/security/gitlab@14-4-stable-ee
Diffstat (limited to 'spec')
-rw-r--r--spec/controllers/projects_controller_spec.rb28
-rw-r--r--spec/frontend/pages/projects/shared/permissions/components/settings_panel_spec.js13
-rw-r--r--spec/helpers/projects_helper_spec.rb22
-rw-r--r--spec/lib/gitlab/unicode_spec.rb33
-rw-r--r--spec/lib/rouge/formatters/html_gitlab_spec.rb21
-rw-r--r--spec/models/project_spec.rb13
-rw-r--r--spec/requests/api/project_attributes.yml1
7 files changed, 131 insertions, 0 deletions
diff --git a/spec/controllers/projects_controller_spec.rb b/spec/controllers/projects_controller_spec.rb
index 3d966848c5b..b34cfedb767 100644
--- a/spec/controllers/projects_controller_spec.rb
+++ b/spec/controllers/projects_controller_spec.rb
@@ -323,6 +323,34 @@ RSpec.describe ProjectsController do
expect(response).to render_template('_files')
expect(response.body).to have_content('LICENSE') # would be 'MIT license' if stub not works
end
+
+ describe "PUC highlighting" do
+ render_views
+
+ before do
+ expect(controller).to receive(:find_routable!).and_return(public_project)
+ end
+
+ context "option is enabled" do
+ it "adds the highlighting class" do
+ expect(public_project).to receive(:warn_about_potentially_unwanted_characters?).and_return(true)
+
+ get_show
+
+ expect(response.body).to have_css(".project-highlight-puc")
+ end
+ end
+
+ context "option is disabled" do
+ it "doesn't add the highlighting class" do
+ expect(public_project).to receive(:warn_about_potentially_unwanted_characters?).and_return(false)
+
+ get_show
+
+ expect(response.body).not_to have_css(".project-highlight-puc")
+ end
+ end
+ end
end
context "when the url contains .atom" do
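Review bot: The `before` block of the new "PUC highlighting" group sets a message expectation, `expect(controller).to receive(:find_routable!)`, where a stub is meant; `allow(controller).to receive(:find_routable!).and_return(public_project)` keeps setup out of the assertions. The two examples do the same with `expect(public_project).to receive(:warn_about_potentially_unwanted_characters?)`, so a failure may be reported as a missing call rather than a missing CSS class; using `allow` there leaves `have_css(".project-highlight-puc")` as the single assertion. Because the predicate is stubbed in both cases, the path from the stored project setting to the rendered class is not exercised by this spec. The enclosing describe block starts outside the hunk.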
diff --git a/spec/frontend/pages/projects/shared/permissions/components/settings_panel_spec.js b/spec/frontend/pages/projects/shared/permissions/components/settings_panel_spec.js
index 1e562419f32..0020269e4e7 100644
--- a/spec/frontend/pages/projects/shared/permissions/components/settings_panel_spec.js
+++ b/spec/frontend/pages/projects/shared/permissions/components/settings_panel_spec.js
@@ -27,6 +27,7 @@ const defaultProps = {
emailsDisabled: false,
packagesEnabled: true,
showDefaultAwardEmojis: true,
+ warnAboutPotentiallyUnwantedCharacters: true,
},
isGitlabCom: true,
canDisableEmails: true,
@@ -97,6 +98,10 @@ describe('Settings Panel', () => {
const findEmailSettings = () => wrapper.find({ ref: 'email-settings' });
const findShowDefaultAwardEmojis = () =>
wrapper.find('input[name="project[project_setting_attributes][show_default_award_emojis]"]');
+ const findWarnAboutPuc = () =>
+ wrapper.find(
+ 'input[name="project[project_setting_attributes][warn_about_potentially_unwanted_characters]"]',
+ );
const findMetricsVisibilitySettings = () => wrapper.find({ ref: 'metrics-visibility-settings' });
const findOperationsSettings = () => wrapper.find({ ref: 'operations-settings' });
@@ -539,6 +544,14 @@ describe('Settings Panel', () => {
});
});
+ describe('Warn about potentially unwanted characters', () => {
+ it('should have a "Warn about Potentially Unwanted Characters" input', () => {
+ wrapper = mountComponent();
+
+ expect(findWarnAboutPuc().exists()).toBe(true);
+ });
+ });
+
describe('Metrics dashboard', () => {
it('should show the metrics dashboard access toggle', () => {
wrapper = mountComponent();
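Review bot: The new 'Warn about potentially unwanted characters' example asserts only `findWarnAboutPuc().exists()`, so it would still pass if the input were rendered but not bound to the `warnAboutPotentiallyUnwantedCharacters` value added to `defaultProps`. If the input is a checkbox, a second assertion such as `expect(findWarnAboutPuc().element.checked).toBe(true);` would tie the rendered state to the setting, and a case mounted with the value set to `false` would cover the opt-out path. How `mountComponent` accepts overrides is not visible in this hunk.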
diff --git a/spec/helpers/projects_helper_spec.rb b/spec/helpers/projects_helper_spec.rb
index 1100f4a3ad5..5d52c9178cb 100644
--- a/spec/helpers/projects_helper_spec.rb
+++ b/spec/helpers/projects_helper_spec.rb
@@ -961,4 +961,26 @@ RSpec.describe ProjectsHelper do
)
end
end
+
+ describe '#project_classes' do
+ subject { helper.project_classes(project) }
+
+ it { is_expected.to be_a(String) }
+
+ context 'PUC highlighting enabled' do
+ before do
+ project.warn_about_potentially_unwanted_characters = true
+ end
+
+ it { is_expected.to include('project-highlight-puc') }
+ end
+
+ context 'PUC highlighting disabled' do
+ before do
+ project.warn_about_potentially_unwanted_characters = false
+ end
+
+ it { is_expected.not_to include('project-highlight-puc') }
+ end
+ end
end
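Review bot: The `#project_classes` examples cover `true` and `false` but not the unset case. The model spec in this commit passes `allow_nil: true` for the same predicate, which suggests the value can be nil when a project has no project_setting; a third context, e.g. `context 'PUC highlighting unset'` with `it { is_expected.not_to include('project-highlight-puc') }`, would pin the behaviour for that state. `project` is defined outside the hunk, so how it is built is not visible here.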
diff --git a/spec/lib/gitlab/unicode_spec.rb b/spec/lib/gitlab/unicode_spec.rb
new file mode 100644
index 00000000000..68f3266ecc7
--- /dev/null
+++ b/spec/lib/gitlab/unicode_spec.rb
@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+
+RSpec.describe Gitlab::Unicode do
+ describe described_class::BIDI_REGEXP do
+ using RSpec::Parameterized::TableSyntax
+
+ where(:bidi_string, :match) do
+ "\u2066" | true # left-to-right isolate
+ "\u2067" | true # right-to-left isolate
+ "\u2068" | true # first strong isolate
+ "\u2069" | true # pop directional isolate
+ "\u202a" | true # left-to-right embedding
+ "\u202b" | true # right-to-left embedding
+ "\u202c" | true # pop directional formatting
+ "\u202d" | true # left-to-right override
+ "\u202e" | true # right-to-left override
+ "\u2066foobar" | true
+ "" | false
+ "foo" | false
+ "\u2713" | false # checkmark
+ end
+
+ with_them do
+ let(:utf8_string) { bidi_string.encode("utf-8") }
+
+ it "matches only the bidi characters" do
+ expect(utf8_string.match?(subject)).to eq(match)
+ end
+ end
+ end
+end
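Review bot: The negative rows in the `where` table (`""`, `"foo"`, `"\u2713"`) all sit far from the matched code points, so a character class written as too wide a range would still pass. Rows for the immediate neighbours, e.g. `"\u2029" | false`, `"\u202f" | false` and `"\u206a" | false`, would pin the boundaries, assuming BIDI_REGEXP is meant to match exactly the nine characters listed. The only multi-character positive row has the control character first; `"foo\u202ebar" | true` would confirm that a control character in the middle of a line is also detected.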
diff --git a/spec/lib/rouge/formatters/html_gitlab_spec.rb b/spec/lib/rouge/formatters/html_gitlab_spec.rb
index 4bc9b256dce..7c92c62e30b 100644
--- a/spec/lib/rouge/formatters/html_gitlab_spec.rb
+++ b/spec/lib/rouge/formatters/html_gitlab_spec.rb
@@ -36,5 +36,26 @@ RSpec.describe Rouge::Formatters::HTMLGitlab do
is_expected.to eq(code)
end
end
+
+ context 'when unicode control characters are used' do
+ let(:lang) { 'javascript' }
+ let(:tokens) { lexer.lex(code, continue: false) }
+ let(:code) do
+ <<~JS
+ #!/usr/bin/env node
+
+ var accessLevel = "user";
+ if (accessLevel != "user‮ ⁦// Check if admin⁩ ⁦") {
+ console.log("You are an admin.");
+ }
+ JS
+ end
+
+ it 'highlights the control characters' do
+ message = "Potentially unwanted character detected: Unicode BiDi Control"
+
+ is_expected.to include(%{<span class="unicode-bidi has-tooltip" data-toggle="tooltip" title="#{message}">}).exactly(4).times
+ end
+ end
end
end
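Review bot: The JavaScript fixture in the `let(:code)` heredoc embeds the BiDi control characters literally, so the spec source itself renders misleadingly in editors and diff views, and the expected count of 4 cannot be checked by reading the line. Since `<<~JS` is an interpolating heredoc, the same input can be written with escapes: `if (accessLevel != "user\u202e \u2066// Check if admin\u2069 \u2066") {`. The example also counts only the opening `<span>` tags; an additional assertion that the wrapped character is still present in the output would guard against the formatter dropping it. The enclosing describe block starts outside the hunk.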
diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb
index 10220448936..2e5c5af4eb0 100644
--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -667,6 +667,19 @@ RSpec.describe Project, factory_default: :keep do
it { is_expected.to delegate_method(:container_registry_enabled?).to(:project_feature) }
it { is_expected.to delegate_method(:container_registry_access_level).to(:project_feature) }
+ describe 'project settings' do
+ %i(
+ show_default_award_emojis
+ show_default_award_emojis=
+ show_default_award_emojis?
+ warn_about_potentially_unwanted_characters
+ warn_about_potentially_unwanted_characters=
+ warn_about_potentially_unwanted_characters?
+ ).each do |method|
+ it { is_expected.to delegate_method(method).to(:project_setting).with_arguments(allow_nil: true) }
+ end
+ end
+
include_examples 'ci_cd_settings delegation' do
# Skip attributes defined in EE code
let(:exclude_attributes) do
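Review bot: In the new 'project settings' group, `with_arguments(allow_nil: true)` reads as a check that a keyword argument is forwarded to `project_setting`, not that the delegation tolerates a nil `project_setting`. If nil-safety is the intent, shoulda-matchers' `allow_nil` qualifier, `delegate_method(method).to(:project_setting).allow_nil`, or an explicit example with the setting absent would state it directly; this assumes the bundled matcher version provides that qualifier. A short comment above the `%i(...)` list, such as `# project_setting may be absent; delegation must not raise`, would record why the option is there.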
diff --git a/spec/requests/api/project_attributes.yml b/spec/requests/api/project_attributes.yml
index 9174356f123..dd00d413664 100644
--- a/spec/requests/api/project_attributes.yml
+++ b/spec/requests/api/project_attributes.yml
@@ -139,6 +139,7 @@ project_setting:
- has_confluence
- has_vulnerabilities
- prevent_merge_without_jira_issue
+ - warn_about_potentially_unwanted_characters
- previous_default_branch
- project_id
- push_rule_id