Welcome to mirror list, hosted at ThFree Co, Russian Federation.

gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/spec
diff options
context:
space:
mode:
authorGitLab Bot <gitlab-bot@gitlab.com>2023-03-01 21:28:24 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-03-01 21:28:24 +0300
commit47414496d427785d86832bcaca617233f904a2e0 (patch)
tree55c0e9671c5f513654fabdfc6dea1982528a5f9e /spec
parent6b75388b67c35271bc18f2dbd41a72accd927808 (diff)
Add latest changes from gitlab-org/security/gitlab@15-9-stable-ee
Diffstat (limited to 'spec')
-rw-r--r--spec/controllers/oauth/jira_dvcs/authorizations_controller_spec.rb40
-rw-r--r--spec/finders/notes_finder_spec.rb47
-rw-r--r--spec/finders/snippets_finder_spec.rb25
-rw-r--r--spec/fixtures/api/schemas/public_api/v4/tag.json3
-rw-r--r--spec/frontend/work_items/components/item_title_spec.js24
-rw-r--r--spec/lib/banzai/filter/kroki_filter_spec.rb7
-rw-r--r--spec/requests/api/tags_spec.rb64
7 files changed, 177 insertions, 33 deletions
diff --git a/spec/controllers/oauth/jira_dvcs/authorizations_controller_spec.rb b/spec/controllers/oauth/jira_dvcs/authorizations_controller_spec.rb
index 496ef7859f9..3d271a22f27 100644
--- a/spec/controllers/oauth/jira_dvcs/authorizations_controller_spec.rb
+++ b/spec/controllers/oauth/jira_dvcs/authorizations_controller_spec.rb
@@ -2,24 +2,40 @@
require 'spec_helper'
-RSpec.describe Oauth::JiraDvcs::AuthorizationsController do
+RSpec.describe Oauth::JiraDvcs::AuthorizationsController, feature_category: :integrations do
+ let_it_be(:application) { create(:oauth_application, redirect_uri: 'https://example.com/callback') }
+
describe 'GET new' do
it 'redirects to OAuth authorization with correct params' do
- get :new, params: { client_id: 'client-123', scope: 'foo', redirect_uri: 'http://example.com/' }
+ get :new, params: { client_id: application.uid, scope: 'foo', redirect_uri: 'https://example.com/callback' }
- expect(response).to redirect_to(oauth_authorization_url(client_id: 'client-123',
- response_type: 'code',
- scope: 'foo',
- redirect_uri: oauth_jira_dvcs_callback_url))
+ expect(response).to redirect_to(oauth_authorization_url(
+ client_id: application.uid,
+ response_type: 'code',
+ scope: 'foo',
+ redirect_uri: oauth_jira_dvcs_callback_url))
end
it 'replaces the GitHub "repo" scope with "api"' do
- get :new, params: { client_id: 'client-123', scope: 'repo', redirect_uri: 'http://example.com/' }
+ get :new, params: { client_id: application.uid, scope: 'repo', redirect_uri: 'https://example.com/callback' }
+
+ expect(response).to redirect_to(oauth_authorization_url(
+ client_id: application.uid,
+ response_type: 'code',
+ scope: 'api',
+ redirect_uri: oauth_jira_dvcs_callback_url))
+ end
+
+ it 'returns 404 with an invalid client' do
+ get :new, params: { client_id: 'client-123', scope: 'foo', redirect_uri: 'https://example.com/callback' }
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+
+ it 'returns 403 with an incorrect redirect_uri' do
+ get :new, params: { client_id: application.uid, scope: 'foo', redirect_uri: 'http://unsafe-website.com/callback' }
- expect(response).to redirect_to(oauth_authorization_url(client_id: 'client-123',
- response_type: 'code',
- scope: 'api',
- redirect_uri: oauth_jira_dvcs_callback_url))
+ expect(response).to have_gitlab_http_status(:forbidden)
end
end
@@ -47,7 +63,7 @@ RSpec.describe Oauth::JiraDvcs::AuthorizationsController do
double(status: :ok, body: { 'access_token' => 'fake-123', 'scope' => 'foo', 'token_type' => 'bar' })
end
- post :access_token, params: { code: 'code-123', client_id: 'client-123', client_secret: 'secret-123' }
+ post :access_token, params: { code: 'code-123', client_id: application.uid, client_secret: 'secret-123' }
expect(response.body).to eq('access_token=fake-123&scope=foo&token_type=bar')
end
diff --git a/spec/finders/notes_finder_spec.rb b/spec/finders/notes_finder_spec.rb
index 61be90b267a..792a14e3064 100644
--- a/spec/finders/notes_finder_spec.rb
+++ b/spec/finders/notes_finder_spec.rb
@@ -148,15 +148,6 @@ RSpec.describe NotesFinder do
expect(notes.count).to eq(1)
end
- it 'finds notes on personal snippets' do
- note = create(:note_on_personal_snippet)
- params = { project: project, target_type: 'personal_snippet', target_id: note.noteable_id }
-
- notes = described_class.new(user, params).execute
-
- expect(notes.count).to eq(1)
- end
-
it 'raises an exception for an invalid target_type' do
params[:target_type] = 'invalid'
expect { described_class.new(user, params).execute }.to raise_error("invalid target_type '#{params[:target_type]}'")
@@ -190,6 +181,44 @@ RSpec.describe NotesFinder do
expect { described_class.new(user, params).execute }.to raise_error(ActiveRecord::RecordNotFound)
end
end
+
+ context 'when targeting personal_snippet' do
+ using RSpec::Parameterized::TableSyntax
+
+ let(:author) { create(:user) }
+ let(:user) { create(:user, email: 'foo@baz.com') }
+ let(:admin) { create(:admin) }
+
+ where(:snippet_visibility, :current_user, :access) do
+ Snippet::PRIVATE | ref(:author) | true
+ Snippet::PRIVATE | ref(:admin) | true
+ Snippet::PRIVATE | ref(:user) | false
+ Snippet::PUBLIC | ref(:author) | true
+ Snippet::PUBLIC | ref(:user) | true
+ end
+
+ with_them do
+ let(:personal_snippet) { create(:personal_snippet, author: author, visibility_level: snippet_visibility) }
+ let(:note) { create(:note, noteable: personal_snippet) }
+ let(:params) { { project: project, target_type: 'personal_snippet', target_id: note.noteable.id } }
+
+ subject(:notes) do
+ described_class.new(current_user, params).execute
+ end
+
+ before do
+ allow(admin).to receive(:can_read_all_resources?).and_return(true)
+ end
+
+ it 'returns the proper access' do
+ if access
+ expect(notes.count).to eq(1)
+ else
+ expect { notes }.to raise_error(::ActiveRecord::RecordNotFound)
+ end
+ end
+ end
+ end
end
context 'for explicit target' do
diff --git a/spec/finders/snippets_finder_spec.rb b/spec/finders/snippets_finder_spec.rb
index 9c9a04a4df5..48880ec2c1f 100644
--- a/spec/finders/snippets_finder_spec.rb
+++ b/spec/finders/snippets_finder_spec.rb
@@ -231,22 +231,31 @@ RSpec.describe SnippetsFinder do
context 'filter by snippet type' do
context 'when filtering by only_personal snippet', :enable_admin_mode do
- it 'returns only personal snippet' do
+ let!(:admin_private_personal_snippet) { create(:personal_snippet, :private, author: admin) }
+ let(:user_without_snippets) { create :user }
+
+ it 'returns all personal snippets for the admin' do
snippets = described_class.new(admin, only_personal: true).execute
+ expect(snippets).to contain_exactly(admin_private_personal_snippet,
+ private_personal_snippet,
+ internal_personal_snippet,
+ public_personal_snippet)
+ end
+
+ it 'returns only personal snippets visible by user' do
+ snippets = described_class.new(user, only_personal: true).execute
+
expect(snippets).to contain_exactly(private_personal_snippet,
internal_personal_snippet,
public_personal_snippet)
end
- end
- context 'when filtering by only_project snippet', :enable_admin_mode do
- it 'returns only project snippet' do
- snippets = described_class.new(admin, only_project: true).execute
+ it 'returns only internal or public personal snippets for user without snippets' do
+ snippets = described_class.new(user_without_snippets, only_personal: true).execute
- expect(snippets).to contain_exactly(private_project_snippet,
- internal_project_snippet,
- public_project_snippet)
+ expect(snippets).to contain_exactly(internal_personal_snippet,
+ public_personal_snippet)
end
end
end
diff --git a/spec/fixtures/api/schemas/public_api/v4/tag.json b/spec/fixtures/api/schemas/public_api/v4/tag.json
index bb0190955f0..71e6c0ec035 100644
--- a/spec/fixtures/api/schemas/public_api/v4/tag.json
+++ b/spec/fixtures/api/schemas/public_api/v4/tag.json
@@ -3,8 +3,7 @@
"required" : [
"name",
"message",
- "commit",
- "release"
+ "commit"
],
"properties" : {
"name": { "type": "string" },
diff --git a/spec/frontend/work_items/components/item_title_spec.js b/spec/frontend/work_items/components/item_title_spec.js
index 13e04ef6671..6361f8dafc4 100644
--- a/spec/frontend/work_items/components/item_title_spec.js
+++ b/spec/frontend/work_items/components/item_title_spec.js
@@ -1,8 +1,7 @@
import { shallowMount } from '@vue/test-utils';
+import { escape } from 'lodash';
import ItemTitle from '~/work_items/components/item_title.vue';
-jest.mock('lodash/escape', () => jest.fn((fn) => fn));
-
const createComponent = ({ title = 'Sample title', disabled = false } = {}) =>
shallowMount(ItemTitle, {
propsData: {
@@ -51,4 +50,25 @@ describe('ItemTitle', () => {
expect(wrapper.emitted(eventName)).toBeDefined();
});
+
+ it('renders only the text content from clipboard', async () => {
+ const htmlContent = '<strong>bold text</strong>';
+ const buildClipboardData = (data = {}) => ({
+ clipboardData: {
+ getData(mimeType) {
+ return data[mimeType];
+ },
+ types: Object.keys(data),
+ },
+ });
+
+ findInputEl().trigger(
+ 'paste',
+ buildClipboardData({
+ html: htmlContent,
+ text: htmlContent,
+ }),
+ );
+ expect(findInputEl().element.innerHTML).toBe(escape(htmlContent));
+ });
});
diff --git a/spec/lib/banzai/filter/kroki_filter_spec.rb b/spec/lib/banzai/filter/kroki_filter_spec.rb
index a528c5835b2..1cd11161439 100644
--- a/spec/lib/banzai/filter/kroki_filter_spec.rb
+++ b/spec/lib/banzai/filter/kroki_filter_spec.rb
@@ -54,4 +54,11 @@ RSpec.describe Banzai::Filter::KrokiFilter, feature_category: :team_planning do
expect(doc.to_s).to start_with '<img src="http://localhost:8000/nomnoml/svg/eNqLDsgsSixJrUmtTHXOL80rsVLwzCupKUrMTNHQtC7IzMlJTE_V0KyJyVNQiE5KTSxKidXVjS5ILCrKL4lFFrSyi07LL81RyM0vLckAysRGjxo8avCowaMGjxo8avCowaMGU8lgAE7mIdc=" hidden="" class="js-render-kroki" data-diagram="nomnoml" data-diagram-src="data:text/plain;base64,W1BpcmF0ZXxleWVDb3VudDog'
end
+
+ it 'verifies diagram type to avoid possible XSS' do
+ stub_application_setting(kroki_enabled: true, kroki_url: "http://localhost:8000")
+ doc = filter(%(<a><pre lang='f/" onerror=alert(1) onload=alert(1) '><code lang="wavedrom">xss</code></pre></a>))
+
+ expect(doc.to_s).to eq %(<a><pre lang='f/" onerror=alert(1) onload=alert(1) '><code lang="wavedrom">xss</code></pre></a>)
+ end
end
diff --git a/spec/requests/api/tags_spec.rb b/spec/requests/api/tags_spec.rb
index b02c7135b7b..ab5e04246e8 100644
--- a/spec/requests/api/tags_spec.rb
+++ b/spec/requests/api/tags_spec.rb
@@ -111,6 +111,22 @@ RSpec.describe API::Tags, feature_category: :source_code_management do
let(:project) { create(:project, :public, :repository) }
it_behaves_like 'repository tags'
+
+ context 'and releases are private' do
+ before do
+ create(:release, project: project, tag: tag_name)
+ project.project_feature.update!(releases_access_level: ProjectFeature::PRIVATE)
+ end
+
+ it 'returns the repository tags without release information' do
+ get api(route, current_user)
+
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(response).to match_response_schema('public_api/v4/tags')
+ expect(response).to include_pagination_headers
+ expect(json_response.map { |r| r.has_key?('release') }).to all(be_falsey)
+ end
+ end
end
context 'when unauthenticated', 'and project is private' do
@@ -251,6 +267,21 @@ RSpec.describe API::Tags, feature_category: :source_code_management do
it_behaves_like "cache expired"
end
+
+ context 'when user is not allowed to :read_release' do
+ before do
+ project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+ project.project_feature.update!(releases_access_level: ProjectFeature::PRIVATE)
+
+ get api(route, user) # Cache as a user allowed to :read_release
+ end
+
+ it "isn't cached" do
+ expect(API::Entities::Tag).to receive(:represent).exactly(3).times
+
+ get api(route, nil)
+ end
+ end
end
context 'when gitaly is unavailable' do
@@ -302,6 +333,21 @@ RSpec.describe API::Tags, feature_category: :source_code_management do
let(:project) { create(:project, :public, :repository) }
it_behaves_like 'repository tag'
+
+ context 'and releases are private' do
+ before do
+ create(:release, project: project, tag: tag_name)
+ project.project_feature.update!(releases_access_level: ProjectFeature::PRIVATE)
+ end
+
+ it 'returns the repository tags without release information' do
+ get api(route, current_user)
+
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(response).to match_response_schema('public_api/v4/tag')
+ expect(json_response.has_key?('release')).to be_falsey
+ end
+ end
end
context 'when unauthenticated', 'and project is private' do
@@ -328,6 +374,24 @@ RSpec.describe API::Tags, feature_category: :source_code_management do
let(:request) { get api(route, guest) }
end
end
+
+ context 'with releases' do
+ let(:description) { 'Awesome release!' }
+
+ before do
+ create(:release, project: project, tag: tag_name, description: description)
+ end
+
+ it 'returns release information' do
+ get api(route, user)
+
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(response).to match_response_schema('public_api/v4/tag')
+
+ expect(json_response['message']).to eq(tag_message)
+ expect(json_response.dig('release', 'description')).to eq(description)
+ end
+ end
end
describe 'POST /projects/:id/repository/tags' do
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-27 12:11:20 +0300