Add latest changes from gitlab-org/security/gitlab@16-1-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2023-06-28 15:11:16 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2023-06-28 15:11:16 +0300
commit: 48c36378567b3dbadd780b03ecda571652cff400 (patch)
tree: f1d4accd3942a27e6c27a9a7f34c99d893d8794b /spec
parent: 7b848eda5589ff5fa1bc3c6f782fc907c59a4417 (diff)
5 files changed, 71 insertions, 40 deletions
diff --git a/spec/features/admin/users/user_spec.rb b/spec/features/admin/users/user_spec.rb
index 18d62cb585f..f8f1fdaabb4 100644
--- a/spec/features/admin/users/user_spec.rb
+++ b/spec/features/admin/users/user_spec.rb
@@ -504,7 +504,9 @@ RSpec.describe 'Admin::Users::User', feature_category: :user_management do
   end
 
   context 'when user has an unconfirmed email', :js do
-    let(:unconfirmed_user) { create(:user, :unconfirmed) }
+    # Email address contains HTML to ensure email address is displayed in an HTML safe way.
+    let_it_be(:unconfirmed_email) { "#{generate(:email)}<h2>testing<img/src=http://localhost:8000/test.png>" }
+    let_it_be(:unconfirmed_user) { create(:user, :unconfirmed, unconfirmed_email: unconfirmed_email) }
 
     where(:path_helper) do
       [
@@ -524,7 +526,9 @@ RSpec.describe 'Admin::Users::User', feature_category: :user_management do
 
         within_modal do
           expect(page).to have_content("Confirm user #{unconfirmed_user.name}?")
-          expect(page).to have_content('This user has an unconfirmed email address. You may force a confirmation.')
+          expect(page).to have_content(
+            "This user has an unconfirmed email address (#{unconfirmed_email}). You may force a confirmation."
+          )
 
           click_button 'Confirm user'
         end
diff --git a/spec/lib/api/entities/issue_spec.rb b/spec/lib/api/entities/issue_spec.rb
new file mode 100644
index 00000000000..15886542571
--- /dev/null
+++ b/spec/lib/api/entities/issue_spec.rb
@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe ::API::Entities::Issue, feature_category: :team_planning do
+  let_it_be(:project) { create(:project) }
+  let(:issue) { build_stubbed(:issue, project: project) }
+  let(:current_user) { build_stubbed(:user) }
+  let(:options) { { current_user: current_user }.merge(option_addons) }
+  let(:option_addons) { {} }
+  let(:entity) { described_class.new(issue, options) }
+
+  subject(:json) { entity.as_json }
+
+  describe '#service_desk_reply_to', feature_category: :service_desk do
+    # Setting to true (default) doesn't play nice with stubs
+    let(:option_addons) { { include_subscribed: false } }
+    let(:issue) { build_stubbed(:issue, project: project, service_desk_reply_to: email) }
+    let(:email) { 'creator@example.com' }
+    let(:role) { :developer }
+
+    subject { json[:service_desk_reply_to] }
+
+    context 'as developer' do
+      before do
+        stub_member_access_level(issue.project, developer: current_user)
+      end
+
+      it { is_expected.to eq(email) }
+    end
+
+    context 'as guest' do
+      before do
+        stub_member_access_level(issue.project, guest: current_user)
+      end
+
+      it { is_expected.to eq('cr*****@e*****.c**') }
+    end
+
+    context 'without email' do
+      let(:email) { nil }
+
+      specify { expect(json).to have_key(:service_desk_reply_to) }
+      it { is_expected.to eq(nil) }
+    end
+  end
+end
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index ee8d811971a..200e2025517 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -2552,42 +2552,24 @@ RSpec.describe ProjectPolicy, feature_category: :system_access do
   describe 'when user is authenticated via CI_JOB_TOKEN', :request_store do
     using RSpec::Parameterized::TableSyntax
 
-    where(:project_visibility, :user_role, :external_user, :scope_project_type, :token_scope_enabled, :result) do
-      :private  | :reporter | false | :same      | true  | true
-      :private  | :reporter | false | :same      | false | true
-      :private  | :reporter | false | :different | true  | false
-      :private  | :reporter | false | :different | false | true
-      :private  | :guest    | false | :same      | true  | true
-      :private  | :guest    | false | :same      | false | true
-      :private  | :guest    | false | :different | true  | false
-      :private  | :guest    | false | :different | false | true
-
-      :internal | :reporter | false | :same      | true  | true
-      :internal | :reporter | true  | :same      | true  | true
-      :internal | :reporter | false | :same      | false | true
-      :internal | :reporter | false | :different | true  | true
-      :internal | :reporter | true  | :different | true  | false
-      :internal | :reporter | false | :different | false | true
-      :internal | :guest    | false | :same      | true  | true
-      :internal | :guest    | true  | :same      | true  | true
-      :internal | :guest    | false | :same      | false | true
-      :internal | :guest    | false | :different | true  | true
-      :internal | :guest    | true  | :different | true  | false
-      :internal | :guest    | false | :different | false | true
-
-      :public   | :reporter | false | :same      | true  | true
-      :public   | :reporter | false | :same      | false | true
-      :public   | :reporter | false | :different | true  | true
-      :public   | :reporter | false | :different | false | true
-      :public   | :guest    | false | :same      | true  | true
-      :public   | :guest    | false | :same      | false | true
-      :public   | :guest    | false | :different | true  | true
-      :public   | :guest    | false | :different | false | true
+    where(:user_role, :external_user, :scope_project_type, :token_scope_enabled, :result) do
+      :reporter | false | :same      | true  | true
+      :reporter | true  | :same      | true  | true
+      :reporter | false | :same      | false | true
+      :reporter | false | :different | true  | false
+      :reporter | true  | :different | true  | false
+      :reporter | false | :different | false | true
+      :guest    | false | :same      | true  | true
+      :guest    | true  | :same      | true  | true
+      :guest    | false | :same      | false | true
+      :guest    | false | :different | true  | false
+      :guest    | true  | :different | true  | false
+      :guest    | false | :different | false | true
     end
 
     with_them do
       let(:current_user) { public_send(user_role) }
-      let(:project) { public_send("#{project_visibility}_project") }
+      let(:project) { public_project }
       let(:job) { build_stubbed(:ci_build, project: scope_project, user: current_user) }
 
       let(:scope_project) do
diff --git a/spec/requests/api/npm_project_packages_spec.rb b/spec/requests/api/npm_project_packages_spec.rb
index 60d4bddc502..b18d99ca884 100644
--- a/spec/requests/api/npm_project_packages_spec.rb
+++ b/spec/requests/api/npm_project_packages_spec.rb
@@ -111,7 +111,7 @@ RSpec.describe API::NpmProjectPackages, feature_category: :package_registry do
 
       context 'with a job token for a different user' do
         let_it_be(:other_user) { create(:user) }
-        let_it_be_with_reload(:other_job) { create(:ci_build, :running, user: other_user) }
+        let_it_be_with_reload(:other_job) { create(:ci_build, :running, user: other_user, project: project) }
 
         let(:headers) { build_token_auth_header(other_job.token) }
 
@@ -160,7 +160,7 @@ RSpec.describe API::NpmProjectPackages, feature_category: :package_registry do
 
       context 'with a job token for a different user' do
         let_it_be(:other_user) { create(:user) }
-        let_it_be_with_reload(:other_job) { create(:ci_build, :running, user: other_user) }
+        let_it_be_with_reload(:other_job) { create(:ci_build, :running, user: other_user, project: project) }
 
         let(:headers) { build_token_auth_header(other_job.token) }
 
diff --git a/spec/requests/lfs_http_spec.rb b/spec/requests/lfs_http_spec.rb
index b07296a0df2..81d6b5465e3 100644
--- a/spec/requests/lfs_http_spec.rb
+++ b/spec/requests/lfs_http_spec.rb
@@ -677,8 +677,7 @@ RSpec.describe 'Git LFS API and storage', feature_category: :source_code_managem
                 context 'tries to push to other project' do
                   let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }
 
-                  # I'm not sure what this tests that is different from the previous test
-                  it_behaves_like 'LFS http 403 response'
+                  it_behaves_like 'LFS http 404 response'
                 end
               end
 
@@ -1198,8 +1197,7 @@ RSpec.describe 'Git LFS API and storage', feature_category: :source_code_managem
               context 'tries to push to other project' do
                 let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }
 
-                # I'm not sure what this tests that is different from the previous test
-                it_behaves_like 'LFS http 403 response'
+                it_behaves_like 'LFS http 404 response'
               end
             end
author	GitLab Bot <gitlab-bot@gitlab.com>	2023-06-28 15:11:16 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2023-06-28 15:11:16 +0300
commit	48c36378567b3dbadd780b03ecda571652cff400 (patch)
tree	f1d4accd3942a27e6c27a9a7f34c99d893d8794b /spec
parent	7b848eda5589ff5fa1bc3c6f782fc907c59a4417 (diff)