Add latest changes from gitlab-org/security/gitlab@15-1-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2022-06-29 17:30:51 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2022-06-29 17:30:51 +0300
commit: e74db6bfa85dbeb243dafcdbf03c0e5aff3f6069 (patch)
tree: b10184090863fcb73ebcc444cc6123cdfd7f9520 /spec
parent: 5370ec1c3d27d646be672039e78161d22b1e2a80 (diff)
9 files changed, 236 insertions, 55 deletions
diff --git a/spec/frontend/projects/settings/access_dropdown_spec.js b/spec/frontend/projects/settings/access_dropdown_spec.js
index 65b01172e7e..d51360a7597 100644
--- a/spec/frontend/projects/settings/access_dropdown_spec.js
+++ b/spec/frontend/projects/settings/access_dropdown_spec.js
@@ -159,4 +159,21 @@ describe('AccessDropdown', () => {
       expect(template).not.toContain(user.name);
     });
   });
+
+  describe('deployKeyRowHtml', () => {
+    const deployKey = {
+      id: 1,
+      title: 'title <script>alert(document.domain)</script>',
+      fullname: 'fullname <script>alert(document.domain)</script>',
+      avatar_url: '',
+      username: '',
+    };
+
+    it('escapes deploy key title and fullname', () => {
+      const template = dropdown.deployKeyRowHtml(deployKey);
+
+      expect(template).not.toContain(deployKey.title);
+      expect(template).not.toContain(deployKey.fullname);
+    });
+  });
 });
diff --git a/spec/lib/bulk_imports/projects/pipelines/project_pipeline_spec.rb b/spec/lib/bulk_imports/projects/pipelines/project_pipeline_spec.rb
index c53c0849931..567a0a4fcc3 100644
--- a/spec/lib/bulk_imports/projects/pipelines/project_pipeline_spec.rb
+++ b/spec/lib/bulk_imports/projects/pipelines/project_pipeline_spec.rb
@@ -25,18 +25,7 @@ RSpec.describe BulkImports::Projects::Pipelines::ProjectPipeline do
     let(:project_data) do
       {
         'visibility' => 'private',
-        'created_at' => 10.days.ago,
-        'archived' => false,
-        'shared_runners_enabled' => true,
-        'container_registry_enabled' => true,
-        'only_allow_merge_if_pipeline_succeeds' => true,
-        'only_allow_merge_if_all_discussions_are_resolved' => true,
-        'request_access_enabled' => true,
-        'printing_merge_request_link_enabled' => true,
-        'remove_source_branch_after_merge' => true,
-        'autoclose_referenced_issues' => true,
-        'suggestion_commit_message' => 'message',
-        'wiki_enabled' => true
+        'created_at' => '2016-08-12T09:41:03'
       }
     end
 
@@ -58,17 +47,8 @@ RSpec.describe BulkImports::Projects::Pipelines::ProjectPipeline do
 
       expect(imported_project).not_to be_nil
       expect(imported_project.group).to eq(group)
-      expect(imported_project.suggestion_commit_message).to eq('message')
-      expect(imported_project.archived?).to eq(project_data['archived'])
-      expect(imported_project.shared_runners_enabled?).to eq(project_data['shared_runners_enabled'])
-      expect(imported_project.container_registry_enabled?).to eq(project_data['container_registry_enabled'])
-      expect(imported_project.only_allow_merge_if_pipeline_succeeds?).to eq(project_data['only_allow_merge_if_pipeline_succeeds'])
-      expect(imported_project.only_allow_merge_if_all_discussions_are_resolved?).to eq(project_data['only_allow_merge_if_all_discussions_are_resolved'])
-      expect(imported_project.request_access_enabled?).to eq(project_data['request_access_enabled'])
-      expect(imported_project.printing_merge_request_link_enabled?).to eq(project_data['printing_merge_request_link_enabled'])
-      expect(imported_project.remove_source_branch_after_merge?).to eq(project_data['remove_source_branch_after_merge'])
-      expect(imported_project.autoclose_referenced_issues?).to eq(project_data['autoclose_referenced_issues'])
-      expect(imported_project.wiki_enabled?).to eq(project_data['wiki_enabled'])
+      expect(imported_project.visibility).to eq(project_data['visibility'])
+      expect(imported_project.created_at).to eq(project_data['created_at'])
     end
   end
 
diff --git a/spec/lib/bulk_imports/projects/transformers/project_attributes_transformer_spec.rb b/spec/lib/bulk_imports/projects/transformers/project_attributes_transformer_spec.rb
index 822bb9a5605..a1d77b9732d 100644
--- a/spec/lib/bulk_imports/projects/transformers/project_attributes_transformer_spec.rb
+++ b/spec/lib/bulk_imports/projects/transformers/project_attributes_transformer_spec.rb
@@ -25,8 +25,8 @@ RSpec.describe BulkImports::Projects::Transformers::ProjectAttributesTransformer
 
     let(:data) do
       {
-        'name' => 'source_name',
-        'visibility' => 'private'
+        'visibility' => 'private',
+        'created_at' => '2016-11-18T09:29:42.634Z'
       }
     end
 
@@ -76,8 +76,21 @@ RSpec.describe BulkImports::Projects::Transformers::ProjectAttributesTransformer
       end
     end
 
-    it 'converts all keys to symbols' do
-      expect(transformed_data.keys).to contain_exactly(:name, :path, :import_type, :visibility_level, :namespace_id)
+    context 'when data has extra keys' do
+      it 'returns a fixed number of keys' do
+        data = {
+          'visibility' => 'private',
+          'created_at' => '2016-11-18T09:29:42.634Z',
+          'my_key' => 'my_key',
+          'another_key' => 'another_key',
+          'last_key' => 'last_key'
+        }
+
+        transformed_data = described_class.new.transform(context, data)
+
+        expect(transformed_data.keys)
+          .to contain_exactly(:created_at, :import_type, :name, :namespace_id, :path, :visibility_level)
+      end
     end
   end
 end
diff --git a/spec/lib/gitlab/import_export/decompressed_archive_size_validator_spec.rb b/spec/lib/gitlab/import_export/decompressed_archive_size_validator_spec.rb
index fe3b638d20f..dea584e5019 100644
--- a/spec/lib/gitlab/import_export/decompressed_archive_size_validator_spec.rb
+++ b/spec/lib/gitlab/import_export/decompressed_archive_size_validator_spec.rb
@@ -86,6 +86,65 @@ RSpec.describe Gitlab::ImportExport::DecompressedArchiveSizeValidator do
         include_examples 'logs raised exception and terminates validator process group'
       end
     end
+
+    context 'archive path validation' do
+      let(:filesize) { nil }
+
+      before do
+        expect(Gitlab::Import::Logger)
+          .to receive(:info)
+          .with(
+            import_upload_archive_path: filepath,
+            import_upload_archive_size: filesize,
+            message: error_message
+          )
+      end
+
+      context 'when archive path is traversed' do
+        let(:filepath) { '/foo/../bar' }
+        let(:error_message) { 'Invalid path' }
+
+        it 'returns false' do
+          expect(subject.valid?).to eq(false)
+        end
+      end
+
+      context 'when archive path is not a string' do
+        let(:filepath) { 123 }
+        let(:error_message) { 'Archive path is not a string' }
+
+        it 'returns false' do
+          expect(subject.valid?).to eq(false)
+        end
+      end
+
+      context 'which archive path is a symlink' do
+        let(:filepath) { File.join(Dir.tmpdir, 'symlink') }
+        let(:error_message) { 'Archive path is a symlink' }
+
+        before do
+          FileUtils.ln_s(filepath, filepath, force: true)
+        end
+
+        it 'returns false' do
+          expect(subject.valid?).to eq(false)
+        end
+      end
+
+      context 'when archive path is not a file' do
+        let(:filepath) { Dir.mktmpdir }
+        let(:filesize) { File.size(filepath) }
+        let(:error_message) { 'Archive path is not a file' }
+
+        after do
+          FileUtils.rm_rf(filepath)
+        end
+
+        it 'returns false' do
+          expect(subject.valid?).to eq(false)
+        end
+      end
+    end
   end
 
   def create_compressed_file
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index 59fe601ed43..d363a822d18 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -1080,25 +1080,117 @@ RSpec.describe ProjectPolicy do
 
     subject { described_class.new(deploy_token, project) }
 
-    context 'a deploy token with read_package_registry scope' do
-      let(:deploy_token) { create(:deploy_token, read_package_registry: true) }
+    context 'private project' do
+      let(:project) { private_project }
 
-      it { is_expected.to be_allowed(:read_package) }
-      it { is_expected.to be_allowed(:read_project) }
-      it { is_expected.to be_disallowed(:create_package) }
+      context 'a deploy token with read_registry scope' do
+        let(:deploy_token) { create(:deploy_token, read_registry: true, write_registry: false) }
 
-      it_behaves_like 'package access with repository disabled'
+        it { is_expected.to be_allowed(:read_container_image) }
+        it { is_expected.to be_disallowed(:create_container_image) }
+
+        context 'with registry disabled' do
+          include_context 'registry disabled via project features'
+
+          it { is_expected.to be_disallowed(:read_container_image) }
+          it { is_expected.to be_disallowed(:create_container_image) }
+        end
+      end
+
+      context 'a deploy token with write_registry scope' do
+        let(:deploy_token) { create(:deploy_token, read_registry: false, write_registry: true) }
+
+        it { is_expected.to be_disallowed(:read_container_image) }
+        it { is_expected.to be_allowed(:create_container_image) }
+
+        context 'with registry disabled' do
+          include_context 'registry disabled via project features'
+
+          it { is_expected.to be_disallowed(:read_container_image) }
+          it { is_expected.to be_disallowed(:create_container_image) }
+        end
+      end
+
+      context 'a deploy token with no registry scope' do
+        let(:deploy_token) { create(:deploy_token, read_registry: false, write_registry: false) }
+
+        it { is_expected.to be_disallowed(:read_container_image) }
+        it { is_expected.to be_disallowed(:create_container_image) }
+      end
+
+      context 'a deploy token with read_package_registry scope' do
+        let(:deploy_token) { create(:deploy_token, read_repository: false, read_registry: false, read_package_registry: true) }
+
+        it { is_expected.to be_allowed(:read_project) }
+        it { is_expected.to be_allowed(:read_package) }
+        it { is_expected.to be_disallowed(:create_package) }
+
+        it_behaves_like 'package access with repository disabled'
+      end
+
+      context 'a deploy token with write_package_registry scope' do
+        let(:deploy_token) { create(:deploy_token, read_repository: false, read_registry: false, write_package_registry: true) }
+
+        it { is_expected.to be_allowed(:create_package) }
+        it { is_expected.to be_allowed(:read_package) }
+        it { is_expected.to be_allowed(:read_project) }
+        it { is_expected.to be_disallowed(:destroy_package) }
+
+        it_behaves_like 'package access with repository disabled'
+      end
     end
 
-    context 'a deploy token with write_package_registry scope' do
-      let(:deploy_token) { create(:deploy_token, write_package_registry: true) }
+    context 'public project' do
+      let(:project) { public_project }
+
+      context 'a deploy token with read_registry scope' do
+        let(:deploy_token) { create(:deploy_token, read_registry: true, write_registry: false) }
 
-      it { is_expected.to be_allowed(:create_package) }
-      it { is_expected.to be_allowed(:read_package) }
-      it { is_expected.to be_allowed(:read_project) }
-      it { is_expected.to be_disallowed(:destroy_package) }
+        it { is_expected.to be_allowed(:read_container_image) }
+        it { is_expected.to be_disallowed(:create_container_image) }
 
-      it_behaves_like 'package access with repository disabled'
+        context 'with registry disabled' do
+          include_context 'registry disabled via project features'
+
+          it { is_expected.to be_disallowed(:read_container_image) }
+          it { is_expected.to be_disallowed(:create_container_image) }
+        end
+
+        context 'with registry private' do
+          include_context 'registry set to private via project features'
+
+          it { is_expected.to be_allowed(:read_container_image) }
+          it { is_expected.to be_disallowed(:create_container_image) }
+        end
+      end
+
+      context 'a deploy token with write_registry scope' do
+        let(:deploy_token) { create(:deploy_token, read_registry: false, write_registry: true) }
+
+        it { is_expected.to be_allowed(:read_container_image) }
+        it { is_expected.to be_allowed(:create_container_image) }
+
+        context 'with registry disabled' do
+          include_context 'registry disabled via project features'
+
+          it { is_expected.to be_disallowed(:read_container_image) }
+          it { is_expected.to be_disallowed(:create_container_image) }
+        end
+
+        context 'with registry private' do
+          include_context 'registry set to private via project features'
+
+          it { is_expected.to be_allowed(:read_container_image) }
+          it { is_expected.to be_allowed(:create_container_image) }
+        end
+      end
+
+      context 'a deploy token with no registry scope' do
+        let(:deploy_token) { create(:deploy_token, read_registry: false, write_registry: false) }
+
+        it { is_expected.to be_disallowed(:read_container_image) }
+        it { is_expected.to be_disallowed(:create_container_image) }
+      end
     end
   end
 
diff --git a/spec/services/bulk_imports/file_decompression_service_spec.rb b/spec/services/bulk_imports/file_decompression_service_spec.rb
index 1d6aa79a37f..77348428d60 100644
--- a/spec/services/bulk_imports/file_decompression_service_spec.rb
+++ b/spec/services/bulk_imports/file_decompression_service_spec.rb
@@ -80,7 +80,8 @@ RSpec.describe BulkImports::FileDecompressionService do
       subject { described_class.new(tmpdir: tmpdir, filename: 'symlink.gz') }
 
       it 'raises an error and removes the file' do
-        expect { subject.execute }.to raise_error(described_class::ServiceError, 'Invalid file')
+        expect { subject.execute }
+          .to raise_error(BulkImports::FileDecompressionService::ServiceError, 'File decompression error')
 
         expect(File.exist?(symlink)).to eq(false)
       end
diff --git a/spec/support/shared_contexts/project_features_shared_context.rb b/spec/support/shared_contexts/project_features_shared_context.rb
new file mode 100644
index 00000000000..40d9cb29c14
--- /dev/null
+++ b/spec/support/shared_contexts/project_features_shared_context.rb
@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+RSpec.shared_context 'repository disabled via project features' do
+  before do
+    project.project_feature.update_columns(
+      # Disable merge_requests and builds as well, since merge_requests and
+      # builds cannot have higher visibility than repository.
+      merge_requests_access_level: ProjectFeature::DISABLED,
+      builds_access_level: ProjectFeature::DISABLED,
+      repository_access_level: ProjectFeature::DISABLED)
+  end
+end
+
+RSpec.shared_context 'registry disabled via project features' do
+  before do
+    project.project_feature.update_columns(
+      container_registry_access_level: ProjectFeature::DISABLED
+    )
+  end
+end
+
+RSpec.shared_context 'registry set to private via project features' do
+  before do
+    project.project_feature.update_columns(
+      container_registry_access_level: ProjectFeature::PRIVATE
+    )
+  end
+end
diff --git a/spec/support/shared_examples/policies/project_policy_shared_examples.rb b/spec/support/shared_examples/policies/project_policy_shared_examples.rb
index 63e4d458ad4..c4083df47e2 100644
--- a/spec/support/shared_examples/policies/project_policy_shared_examples.rb
+++ b/spec/support/shared_examples/policies/project_policy_shared_examples.rb
@@ -345,16 +345,7 @@ RSpec.shared_examples 'project policies as admin without admin mode' do
 end
 
 RSpec.shared_examples 'package access with repository disabled' do
-  context 'when repository is disabled' do
-    before do
-      project.project_feature.update!(
-        # Disable merge_requests and builds as well, since merge_requests and
-        # builds cannot have higher visibility than repository.
-        merge_requests_access_level: ProjectFeature::DISABLED,
-        builds_access_level: ProjectFeature::DISABLED,
-        repository_access_level: ProjectFeature::DISABLED)
-    end
+  include_context 'repository disabled via project features'
 
-    it { is_expected.to be_allowed(:read_package) }
-  end
+  it { is_expected.to be_allowed(:read_package) }
 end
diff --git a/spec/support/shared_examples/services/container_registry_auth_service_shared_examples.rb b/spec/support/shared_examples/services/container_registry_auth_service_shared_examples.rb
index 7677e5d8cb2..f18869fb380 100644
--- a/spec/support/shared_examples/services/container_registry_auth_service_shared_examples.rb
+++ b/spec/support/shared_examples/services/container_registry_auth_service_shared_examples.rb
@@ -142,9 +142,9 @@ RSpec.shared_examples 'logs an auth warning' do |requested_actions|
       requested_project_path: project.full_path,
       requested_actions: requested_actions,
       authorized_actions: [],
-      user_id: current_user.id,
-      username: current_user.username
-    }
+      user_id: current_user&.id,
+      username: current_user&.username
+    }.compact
   end
 
   it do
author	GitLab Bot <gitlab-bot@gitlab.com>	2022-06-29 17:30:51 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2022-06-29 17:30:51 +0300
commit	e74db6bfa85dbeb243dafcdbf03c0e5aff3f6069 (patch)
tree	b10184090863fcb73ebcc444cc6123cdfd7f9520 /spec
parent	5370ec1c3d27d646be672039e78161d22b1e2a80 (diff)