diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-03-01 21:38:07 +0300 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-03-01 21:38:07 +0300 |
| commit | 8d2da107095dc8d7d23db88f169306cdc9a869e1 (patch) | |
| tree | 4208bcb8ff351b2d1a118c9bbcdfb54fcd2b6acb /spec | |
| parent | 0fcbe48468f0e566929599dda36b2dedd72e5708 (diff) | |
Add latest changes from gitlab-org/security/gitlab@15-8-stable-ee
Diffstat (limited to 'spec')
12 files changed, 132 insertions, 51 deletions
diff --git a/spec/lib/gitlab/ci/config/external/file/remote_spec.rb b/spec/lib/gitlab/ci/config/external/file/remote_spec.rb index 8d93cdcf378..5ef0fec1e9d 100644 --- a/spec/lib/gitlab/ci/config/external/file/remote_spec.rb +++ b/spec/lib/gitlab/ci/config/external/file/remote_spec.rb @@ -184,7 +184,7 @@ RSpec.describe Gitlab::Ci::Config::External::File::Remote do let(:location) { 'http://127.0.0.1/some/path/to/config.yaml' } it 'includes details about blocked URL' do - expect(subject).to eq "Remote file could not be fetched because URL '#{location}' " \ + expect(subject).to eq "Remote file could not be fetched because URL " \ 'is blocked: Requests to localhost are not allowed!' end end diff --git a/spec/lib/gitlab/fogbugz_import/importer_spec.rb b/spec/lib/gitlab/fogbugz_import/importer_spec.rb index 9b58b772d1a..a4246809725 100644 --- a/spec/lib/gitlab/fogbugz_import/importer_spec.rb +++ b/spec/lib/gitlab/fogbugz_import/importer_spec.rb @@ -72,7 +72,7 @@ RSpec.describe Gitlab::FogbugzImport::Importer do expect { subject.execute } .to raise_error( ::Gitlab::HTTP::BlockedUrlError, - "URL 'https://localhost:3000/api.asp' is blocked: Requests to localhost are not allowed" + "URL is blocked: Requests to localhost are not allowed" ) end end @@ -84,7 +84,7 @@ RSpec.describe Gitlab::FogbugzImport::Importer do expect { subject.execute } .to raise_error( ::Gitlab::HTTP::BlockedUrlError, - "URL 'http://192.168.0.1/api.asp' is blocked: Requests to the local network are not allowed" + "URL is blocked: Requests to the local network are not allowed" ) end end diff --git a/spec/lib/gitlab/http_connection_adapter_spec.rb b/spec/lib/gitlab/http_connection_adapter_spec.rb index 5e2c6be8993..dbf0252da46 100644 --- a/spec/lib/gitlab/http_connection_adapter_spec.rb +++ b/spec/lib/gitlab/http_connection_adapter_spec.rb @@ -44,7 +44,7 @@ RSpec.describe Gitlab::HTTPConnectionAdapter do it 'raises error' do expect { subject }.to raise_error( Gitlab::HTTP::BlockedUrlError, - "URL 'http://172.16.0.0/12' is blocked: Requests to the local network are not allowed" + "URL is blocked: Requests to the local network are not allowed" ) end @@ -67,7 +67,7 @@ RSpec.describe Gitlab::HTTPConnectionAdapter do it 'raises error' do expect { subject }.to raise_error( Gitlab::HTTP::BlockedUrlError, - "URL 'http://127.0.0.1' is blocked: Requests to localhost are not allowed" + "URL is blocked: Requests to localhost are not allowed" ) end @@ -131,7 +131,7 @@ RSpec.describe Gitlab::HTTPConnectionAdapter do it 'raises error' do expect { subject }.to raise_error( Gitlab::HTTP::BlockedUrlError, - "URL 'ssh://example.org' is blocked: Only allowed schemes are http, https" + "URL is blocked: Only allowed schemes are http, https" ) end end diff --git a/spec/lib/gitlab/import_export/remote_stream_upload_spec.rb b/spec/lib/gitlab/import_export/remote_stream_upload_spec.rb index b1bc6b7eeaf..3d9d6e1b96b 100644 --- a/spec/lib/gitlab/import_export/remote_stream_upload_spec.rb +++ b/spec/lib/gitlab/import_export/remote_stream_upload_spec.rb @@ -88,7 +88,7 @@ RSpec.describe Gitlab::ImportExport::RemoteStreamUpload do it 'raises error' do expect { subject.execute }.to raise_error( Gitlab::HTTP::BlockedUrlError, - "URL 'http://127.0.0.1/file.txt' is blocked: Requests to localhost are not allowed" + "URL is blocked: Requests to localhost are not allowed" ) end @@ -114,7 +114,7 @@ RSpec.describe Gitlab::ImportExport::RemoteStreamUpload do it 'raises error' do expect { subject.execute }.to raise_error( Gitlab::HTTP::BlockedUrlError, - "URL 'http://172.16.0.0/file.txt' is blocked: Requests to the local network are not allowed" + "URL is blocked: Requests to the local network are not allowed" ) end @@ -142,7 +142,7 @@ RSpec.describe Gitlab::ImportExport::RemoteStreamUpload do expect { subject.execute }.to raise_error( Gitlab::HTTP::BlockedUrlError, - "URL 'http://127.0.0.1/file.txt' is blocked: Requests to localhost are not allowed" + "URL is blocked: Requests to localhost are not allowed" ) end @@ -168,7 +168,7 @@ RSpec.describe Gitlab::ImportExport::RemoteStreamUpload do it 'raises error' do expect { subject.execute }.to raise_error( Gitlab::HTTP::BlockedUrlError, - "URL 'http://172.16.0.0/file.txt' is blocked: Requests to the local network are not allowed" + "URL is blocked: Requests to the local network are not allowed" ) end @@ -192,7 +192,7 @@ RSpec.describe Gitlab::ImportExport::RemoteStreamUpload do expect { subject.execute }.to raise_error( Gitlab::HTTP::BlockedUrlError, - "URL 'http://example.com/file.txt' is blocked: Requests to localhost are not allowed" + "URL is blocked: Requests to localhost are not allowed" ) end end diff --git a/spec/lib/gitlab/prometheus/queries/validate_query_spec.rb b/spec/lib/gitlab/prometheus/queries/validate_query_spec.rb index e3706a4b106..f09fa3548f8 100644 --- a/spec/lib/gitlab/prometheus/queries/validate_query_spec.rb +++ b/spec/lib/gitlab/prometheus/queries/validate_query_spec.rb @@ -43,10 +43,7 @@ RSpec.describe Gitlab::Prometheus::Queries::ValidateQuery do context 'Gitlab::HTTP::BlockedUrlError' do let(:api_url) { 'http://192.168.1.1' } - let(:message) do - "URL 'http://192.168.1.1/api/v1/query?query=avg%28metric%29&time=#{Time.now.to_f}'" \ - " is blocked: Requests to the local network are not allowed" - end + let(:message) { "URL is blocked: Requests to the local network are not allowed" } before do stub_application_setting(allow_local_requests_from_web_hooks_and_services: false) diff --git a/spec/models/integration_spec.rb b/spec/models/integration_spec.rb index 9b3250e3c08..3c6f9ad7fea 100644 --- a/spec/models/integration_spec.rb +++ b/spec/models/integration_spec.rb @@ -2,7 +2,7 @@ require 'spec_helper' -RSpec.describe Integration do +RSpec.describe Integration, feature_category: :integrations do using RSpec::Parameterized::TableSyntax let_it_be(:group) { create(:group) } @@ -854,6 +854,7 @@ RSpec.describe Integration do { name: 'api_key', type: 'password' }, { name: 'password', type: 'password' }, { name: 'password_field', type: 'password' }, + { name: 'webhook' }, { name: 'some_safe_field' }, { name: 'safe_field' }, { name: 'url' }, @@ -881,6 +882,7 @@ RSpec.describe Integration do field :api_key, type: 'password' field :password, type: 'password' field :password_field, type: 'password' + field :webhook field :some_safe_field field :safe_field field :url @@ -1090,6 +1092,8 @@ RSpec.describe Integration do field :bar, type: 'password' field :password + field :webhook + field :with_help, help: -> { 'help' } field :select, type: 'select' field :boolean, type: 'checkbox' @@ -1140,7 +1144,7 @@ RSpec.describe Integration do it 'registers fields in the fields list' do expect(integration.fields.pluck(:name)).to match_array %w[ - foo foo_p foo_dt bar password with_help select boolean + foo foo_p foo_dt bar password with_help select boolean webhook ] expect(integration.api_field_names).to match_array %w[ @@ -1155,6 +1159,7 @@ RSpec.describe Integration do have_attributes(name: 'foo_dt', type: 'text'), have_attributes(name: 'bar', type: 'password'), have_attributes(name: 'password', type: 'password'), + have_attributes(name: 'webhook', type: 'text'), have_attributes(name: 'with_help', help: 'help'), have_attributes(name: 'select', type: 'select'), have_attributes(name: 'boolean', type: 'checkbox') diff --git a/spec/models/integrations/datadog_spec.rb b/spec/models/integrations/datadog_spec.rb index 65ecd9bee83..2d1e23b103f 100644 --- a/spec/models/integrations/datadog_spec.rb +++ b/spec/models/integrations/datadog_spec.rb @@ -3,7 +3,7 @@ require 'securerandom' require 'spec_helper' -RSpec.describe Integrations::Datadog do +RSpec.describe Integrations::Datadog, feature_category: :integrations do let_it_be(:project) { create(:project) } let_it_be(:pipeline) { create(:ci_pipeline, project: project) } let_it_be(:build) { create(:ci_build, pipeline: pipeline) } diff --git a/spec/models/integrations/prometheus_spec.rb b/spec/models/integrations/prometheus_spec.rb index 3c3850854b3..aa248abd3bb 100644 --- a/spec/models/integrations/prometheus_spec.rb +++ b/spec/models/integrations/prometheus_spec.rb @@ -239,6 +239,7 @@ RSpec.describe Integrations::Prometheus, :use_clean_rails_memory_store_caching, context 'behind IAP' do let(:manual_configuration) { true } + let(:google_iap_service_account_json) { Gitlab::Json.generate(google_iap_service_account) } let(:google_iap_service_account) do { @@ -259,7 +260,7 @@ RSpec.describe Integrations::Prometheus, :use_clean_rails_memory_store_caching, end def stub_iap_request - integration.google_iap_service_account_json = Gitlab::Json.generate(google_iap_service_account) + integration.google_iap_service_account_json = google_iap_service_account_json integration.google_iap_audience_client_id = 'IAP_CLIENT_ID.apps.googleusercontent.com' stub_request(:post, 'https://oauth2.googleapis.com/token') @@ -278,6 +279,17 @@ RSpec.describe Integrations::Prometheus, :use_clean_rails_memory_store_caching, expect(integration.prometheus_client.send(:options)[:headers]).to eq(authorization: "Bearer FOO") end + context 'with invalid IAP JSON' do + let(:google_iap_service_account_json) { 'invalid json' } + + it 'does not include authorization header' do + stub_iap_request + + expect(integration.prometheus_client).not_to be_nil + expect(integration.prometheus_client.send(:options)).not_to have_key(:headers) + end + end + context 'when passed with token_credential_uri', issue: 'https://gitlab.com/gitlab-org/gitlab/-/issues/284819' do let(:malicious_host) { 'http://example.com' } @@ -477,4 +489,45 @@ RSpec.describe Integrations::Prometheus, :use_clean_rails_memory_store_caching, end end end + + describe '#google_iap_service_account_json' do + subject(:iap_details) { integration.google_iap_service_account_json } + + before do + integration.google_iap_service_account_json = value + end + + context 'with valid JSON' do + let(:masked_value) { described_class::MASKED_VALUE } + let(:json) { Gitlab::Json.parse(iap_details) } + + let(:value) do + Gitlab::Json.generate({ + type: 'service_account', + private_key: 'SECRET', + foo: 'secret', + nested: { + key: 'value' + } + }) + end + + it 'masks all JSON values', issue: 'https://gitlab.com/gitlab-org/gitlab/-/issues/384580' do + expect(json).to eq( + 'type' => masked_value, + 'private_key' => masked_value, + 'foo' => masked_value, + 'nested' => masked_value + ) + end + end + + context 'with invalid JSON' do + where(:value) { [nil, '', ' ', 'invalid json'] } + + with_them do + it { is_expected.to eq(value) } + end + end + end end diff --git a/spec/requests/api/commits_spec.rb b/spec/requests/api/commits_spec.rb index 3932abd20cc..bcc27a80cf8 100644 --- a/spec/requests/api/commits_spec.rb +++ b/spec/requests/api/commits_spec.rb @@ -249,6 +249,18 @@ RSpec.describe API::Commits, feature_category: :source_code_management do end end + context 'when per_page is over 100' do + let(:per_page) { 101 } + + it 'returns 100 commits (maximum)' do + expect(Gitlab::Git::Commit).to receive(:where).with( + hash_including(ref: ref_name, limit: 100, offset: 0) + ) + + request + end + end + context 'when pagination params are invalid' do let_it_be(:project) { create(:project, :repository) } @@ -279,7 +291,7 @@ RSpec.describe API::Commits, feature_category: :source_code_management do where(:page, :per_page, :error_message, :status) do 0 | nil | nil | :success - -10 | nil | nil | :internal_server_error + -10 | nil | nil | :success 'a' | nil | 'page is invalid' | :bad_request nil | 0 | 'per_page has a value not allowed' | :bad_request nil | -1 | nil | :success @@ -297,6 +309,18 @@ RSpec.describe API::Commits, feature_category: :source_code_management do end end end + + context 'when per_page is below 0' do + let(:per_page) { -100 } + + it 'returns 20 commits (default)' do + expect(Gitlab::Git::Commit).to receive(:where).with( + hash_including(ref: ref_name, limit: 20, offset: 0) + ) + + request + end + end end end end diff --git a/spec/services/resource_access_tokens/create_service_spec.rb b/spec/services/resource_access_tokens/create_service_spec.rb index 442232920f9..a8c8d41ca09 100644 --- a/spec/services/resource_access_tokens/create_service_spec.rb +++ b/spec/services/resource_access_tokens/create_service_spec.rb @@ -27,6 +27,13 @@ RSpec.describe ResourceAccessTokens::CreateService do end end + shared_examples 'correct error message' do + it 'returns correct error message' do + expect(subject.error?).to be true + expect(subject.errors).to include(error_message) + end + end + shared_examples 'allows creation of bot with valid params' do it { expect { subject }.to change { User.count }.by(1) } @@ -200,16 +207,11 @@ RSpec.describe ResourceAccessTokens::CreateService do end context 'when invalid scope is passed' do + let(:error_message) { 'Scopes can only contain available scopes' } let_it_be(:params) { { scopes: [:invalid_scope] } } it_behaves_like 'token creation fails' - - it 'returns the scope error message' do - response = subject - - expect(response.error?).to be true - expect(response.errors).to include("Scopes can only contain available scopes") - end + it_behaves_like 'correct error message' end end @@ -217,6 +219,7 @@ RSpec.describe ResourceAccessTokens::CreateService do let_it_be(:bot_user) { create(:user, :project_bot) } let(:unpersisted_member) { build(:project_member, source: resource, user: bot_user) } + let(:error_message) { 'Could not provision maintainer access to project access token' } before do allow_next_instance_of(ResourceAccessTokens::CreateService) do |service| @@ -226,13 +229,7 @@ RSpec.describe ResourceAccessTokens::CreateService do end it_behaves_like 'token creation fails' - - it 'returns the provisioning error message' do - response = subject - - expect(response.error?).to be true - expect(response.errors).to include("Could not provision maintainer access to project access token") - end + it_behaves_like 'correct error message' end end @@ -246,14 +243,10 @@ RSpec.describe ResourceAccessTokens::CreateService do end shared_examples 'when user does not have permission to create a resource bot' do - it_behaves_like 'token creation fails' - - it 'returns the permission error message' do - response = subject + let(:error_message) { "User does not have permission to create #{resource_type} access token" } - expect(response.error?).to be true - expect(response.errors).to include("User does not have permission to create #{resource_type} access token") - end + it_behaves_like 'token creation fails' + it_behaves_like 'correct error message' end context 'when resource is a project' do @@ -273,11 +266,19 @@ RSpec.describe ResourceAccessTokens::CreateService do let_it_be(:params) { { access_level: Gitlab::Access::OWNER } } context 'when the executor is a MAINTAINER' do - it 'does not add the bot user with the specified access level in the resource' do - response = subject + let(:error_message) { 'Could not provision owner access to project access token' } - expect(response.error?).to be true - expect(response.errors).to include('Could not provision owner access to project access token') + context 'with OWNER access_level, in integer format' do + it_behaves_like 'token creation fails' + it_behaves_like 'correct error message' + end + + context 'with OWNER access_level, in string format' do + let(:error_message) { 'Could not provision owner access to project access token' } + let_it_be(:params) { { access_level: Gitlab::Access::OWNER.to_s } } + + it_behaves_like 'token creation fails' + it_behaves_like 'correct error message' end end diff --git a/spec/support/shared_contexts/features/integrations/integrations_shared_context.rb b/spec/support/shared_contexts/features/integrations/integrations_shared_context.rb index bf5158c9a92..2c92ef64815 100644 --- a/spec/support/shared_contexts/features/integrations/integrations_shared_context.rb +++ b/spec/support/shared_contexts/features/integrations/integrations_shared_context.rb @@ -93,6 +93,7 @@ Integration.available_integration_names.each do |integration| def initialize_integration(integration, attrs = {}) record = project.find_or_initialize_integration(integration) + record.reset_updated_properties if integration == 'datadog' record.attributes = attrs record.properties = integration_attrs record.save! diff --git a/spec/support/shared_examples/initializers/uses_gitlab_url_blocker_shared_examples.rb b/spec/support/shared_examples/initializers/uses_gitlab_url_blocker_shared_examples.rb index 553e9f10b0d..cef76bd4356 100644 --- a/spec/support/shared_examples/initializers/uses_gitlab_url_blocker_shared_examples.rb +++ b/spec/support/shared_examples/initializers/uses_gitlab_url_blocker_shared_examples.rb @@ -33,7 +33,7 @@ RSpec.shared_examples 'a request using Gitlab::UrlBlocker' do expect { make_request('https://example.com') } .to raise_error(url_blocked_error_class, - "URL 'https://example.com' is blocked: Requests to the local network are not allowed") + "URL is blocked: Requests to the local network are not allowed") end it 'raises error when it is a request that resolves to a localhost address' do @@ -41,19 +41,19 @@ RSpec.shared_examples 'a request using Gitlab::UrlBlocker' do expect { make_request('https://example.com') } .to raise_error(url_blocked_error_class, - "URL 'https://example.com' is blocked: Requests to localhost are not allowed") + "URL is blocked: Requests to localhost are not allowed") end it 'raises error when it is a request to local address' do expect { make_request('http://172.16.0.0') } .to raise_error(url_blocked_error_class, - "URL 'http://172.16.0.0' is blocked: Requests to the local network are not allowed") + "URL is blocked: Requests to the local network are not allowed") end it 'raises error when it is a request to localhost address' do expect { make_request('http://127.0.0.1') } .to raise_error(url_blocked_error_class, - "URL 'http://127.0.0.1' is blocked: Requests to localhost are not allowed") + "URL is blocked: Requests to localhost are not allowed") end end @@ -69,13 +69,13 @@ RSpec.shared_examples 'a request using Gitlab::UrlBlocker' do it 'raises error when it is a request to local address' do expect { make_request('https://172.16.0.0:8080') } .to raise_error(url_blocked_error_class, - "URL 'https://172.16.0.0:8080' is blocked: Requests to the local network are not allowed") + "URL is blocked: Requests to the local network are not allowed") end it 'raises error when it is a request to localhost address' do expect { make_request('https://127.0.0.1:8080') } .to raise_error(url_blocked_error_class, - "URL 'https://127.0.0.1:8080' is blocked: Requests to localhost are not allowed") + "URL is blocked: Requests to localhost are not allowed") end end |