Add latest changes from gitlab-org/security/gitlab@16-0-stable-eev16.0.1

4 files changed, 70 insertions, 0 deletions

diff --git a/spec/requests/groups/uploads_controller_spec.rb b/spec/requests/groups/uploads_controller_spec.rb
new file mode 100644
index 00000000000..8a9e3edbe20
--- /dev/null
+++ b/spec/requests/groups/uploads_controller_spec.rb
@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Groups::UploadsController, feature_category: :shared do
+  include WorkhorseHelpers
+
+  it_behaves_like 'uploads actions' do
+    let_it_be(:model) { create(:group, :public) }
+    let_it_be(:upload) { create(:upload, :namespace_upload, :with_file, model: model) }
+
+    let(:show_path) { show_group_uploads_path(model, upload.secret, File.basename(upload.path)) }
+  end
+end
diff --git a/spec/requests/projects/uploads_controller_spec.rb b/spec/requests/projects/uploads_controller_spec.rb
new file mode 100644
index 00000000000..03b53143c84
--- /dev/null
+++ b/spec/requests/projects/uploads_controller_spec.rb
@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Projects::UploadsController, feature_category: :shared do
+  include WorkhorseHelpers
+
+  it_behaves_like 'uploads actions' do
+    let_it_be(:model) { create(:project, :public) }
+    let_it_be(:upload) { create(:upload, :issuable_upload, :with_file, model: model) }
+
+    let(:show_path) { show_project_uploads_path(model, upload.secret, File.basename(upload.path)) }
+  end
+end
diff --git a/spec/requests/uploads_controller_spec.rb b/spec/requests/uploads_controller_spec.rb
new file mode 100644
index 00000000000..1e6999982a8
--- /dev/null
+++ b/spec/requests/uploads_controller_spec.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe UploadsController, feature_category: :shared do
+  include WorkhorseHelpers
+
+  it_behaves_like 'uploads actions' do
+    let_it_be(:model) { create(:personal_snippet, :public) }
+    let_it_be(:upload) { create(:upload, :personal_snippet_upload, :with_file, model: model) }
+
+    # See config/routes/uploads.rb
+    let(:show_path) do
+      "/uploads/-/system/#{model.model_name.singular}/#{model.to_param}/#{upload.secret}/#{File.basename(upload.path)}"
+    end
+  end
+end
diff --git a/spec/support/shared_examples/requests/uploads_actions_shared_examples.rb b/spec/support/shared_examples/requests/uploads_actions_shared_examples.rb
new file mode 100644
index 00000000000..41613fa9871
--- /dev/null
+++ b/spec/support/shared_examples/requests/uploads_actions_shared_examples.rb
@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+RSpec.shared_examples 'uploads actions' do
+  describe "GET #show" do
+    context 'with file traversal in filename parameter' do
+      # Uploads in tests are stored in directories like:
+      # tmp/tests/public/uploads/@hashed/AB/CD/ABCD/SECRET
+      let(:filename) { "../../../../../../../../../Gemfile.lock" }
+      let(:escaped_filename) { CGI.escape filename }
+
+      it 'responds with status 400' do
+        # Check files do indeed exists
+        upload_absolute_path = Pathname(upload.absolute_path)
+        expect(upload_absolute_path).to be_exist
+        attacked_file_path = upload_absolute_path.dirname.join(filename)
+        expect(attacked_file_path).to be_exist
+
+        # Need to escape, otherwise we get `ActionController::UrlGenerationError Exception: No route matches`
+        get show_path.sub(File.basename(upload.path), escaped_filename)
+
+        expect(response).to have_gitlab_http_status(:bad_request)
+      end
+    end
+  end
+end