author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-05-26 16:52:02 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-05-26 16:52:02 +0300 |
commit | 846745cb0d327506fb313df61fc351c04134449d (patch) | |
tree | c6cd12c8bd35994c366e73fe32a4b712875063cc /spec | |
parent | dfc92d081ea0332d69c8aca2f0e745cb48ae5e6d (diff) |
Add latest changes from gitlab-org/security/gitlab@12-10-stable-ee
Diffstat (limited to 'spec')
-rw-r--r-- | spec/features/groups/clusters/user_spec.rb | 2 | ||||
-rw-r--r-- | spec/features/projects/clusters/user_spec.rb | 2 | ||||
-rw-r--r-- | spec/frontend/clusters/clusters_bundle_spec.js | 22 | ||||
-rw-r--r-- | spec/frontend/fixtures/static/issue_with_mermaid_graph.html | 82 | ||||
-rw-r--r-- | spec/frontend/issue_spec.js | 27 | ||||
-rw-r--r-- | spec/frontend/monitoring/components/duplicate_dashboard_form_spec.js | 36 | ||||
-rw-r--r-- | spec/requests/api/group_import_spec.rb | 33 | ||||
-rw-r--r-- | spec/requests/api/repositories_spec.rb | 6 | ||||
-rw-r--r-- | spec/services/clusters/update_service_spec.rb | 33 | ||||
-rw-r--r-- | spec/support/shared_examples/uncached_response_shared_examples.rb | 12 |
10 files changed, 208 insertions, 47 deletions
diff --git a/spec/features/groups/clusters/user_spec.rb b/spec/features/groups/clusters/user_spec.rb
index e9ef66e31a2..a29afba99e4 100644
--- a/spec/features/groups/clusters/user_spec.rb
+++ b/spec/features/groups/clusters/user_spec.rb
@@ -39,7 +39,7 @@ describe 'User Cluster', :js do
 expect(page.find_field('cluster[platform_kubernetes_attributes][api_url]').value)
 .to have_content('http://example.com')
 expect(page.find_field('cluster[platform_kubernetes_attributes][token]').value)
- .to have_content('my-token')
+ .to be_empty
 end
 end
diff --git a/spec/features/projects/clusters/user_spec.rb b/spec/features/projects/clusters/user_spec.rb
index 79676927fa2..5c82d848563 100644
--- a/spec/features/projects/clusters/user_spec.rb
+++ b/spec/features/projects/clusters/user_spec.rb
@@ -46,7 +46,7 @@ describe 'User Cluster', :js do
 expect(page.find_field('cluster[platform_kubernetes_attributes][api_url]').value)
 .to have_content('http://example.com')
 expect(page.find_field('cluster[platform_kubernetes_attributes][token]').value)
- .to have_content('my-token')
+ .to be_empty
 end
 it 'user sees RBAC is enabled by default' do
diff --git a/spec/frontend/clusters/clusters_bundle_spec.js b/spec/frontend/clusters/clusters_bundle_spec.js
index d7c648bcd20..9d0ed423759 100644
--- a/spec/frontend/clusters/clusters_bundle_spec.js
+++ b/spec/frontend/clusters/clusters_bundle_spec.js
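Review bot: The new expectation on the token field (`.to be_empty`, here and in the matching hunk for spec/features/projects/clusters/user_spec.rb) only checks the input's value, so a token that is still rendered somewhere else in the page would not be caught. If the intent of the change is that the stored service token is never sent back to the browser, consider adding `expect(page.html).not_to include('my-token')` after it, assuming 'my-token' is the value the cluster under test was created with, as the removed line suggests. Both `it` blocks start above their hunks, so the setup is not visible here.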
@@ -82,28 +82,6 @@ describe('Clusters', () => {
 });
 });
- describe('showToken', () => {
- it('should update token field type', () => {
- cluster.showTokenButton.click();
-
- expect(cluster.tokenField.getAttribute('type')).toEqual('text');
-
- cluster.showTokenButton.click();
-
- expect(cluster.tokenField.getAttribute('type')).toEqual('password');
- });
-
- it('should update show token button text', () => {
- cluster.showTokenButton.click();
-
- expect(cluster.showTokenButton.textContent).toEqual('Hide');
-
- cluster.showTokenButton.click();
-
- expect(cluster.showTokenButton.textContent).toEqual('Show');
- });
- });
-
 describe('checkForNewInstalls', () => {
 const INITIAL_APP_MAP = {
 helm: { status: null, title: 'Helm Tiller' },
diff --git a/spec/frontend/fixtures/static/issue_with_mermaid_graph.html b/spec/frontend/fixtures/static/issue_with_mermaid_graph.html
new file mode 100644
index 00000000000..4b60842a655
--- /dev/null
+++ b/spec/frontend/fixtures/static/issue_with_mermaid_graph.html
@@ -0,0 +1,82 @@
+<div class="description" updated-at="">
+ <div class="md issue-realtime-trigger-pulse">
+ <svg
+ id="mermaid-1587752414912"
+ width="100%"
+ xmlns="http://www.w3.org/2000/svg"
+ style="max-width: 185.35000610351562px;"
+ viewBox="0 0 185.35000610351562 50.5"
+ class="mermaid"
+ >
+ <g transform="translate(0, 0)">
+ <g class="output">
+ <g class="clusters"></g>
+ <g class="edgePaths"></g>
+ <g class="edgeLabels"></g>
+ <g class="nodes">
+ <g
+ class="node js-issuable-actions btn-close clickable"
+ style="opacity: 1;"
+ id="A"
+ transform="translate(92.67500305175781,25.25)"
+ title="click to PUT"
+ >
+ <a
+ class="js-issuable-actions btn-close clickable"
+ href="https://invalid"
+ rel="noopener"
+ >
+ <rect
+ rx="0"
+ ry="0"
+ x="-84.67500305175781"
+ y="-17.25"
+ width="169.35000610351562"
+ height="34.5"
+ class="label-container"
+ ></rect>
+ <g class="label" transform="translate(0,0)">
+ <g transform="translate(-74.67500305175781,-7.25)">
+ <text style="">
+ <tspan xml:space="preserve" dy="1em" x="1">Click to send a PUT request</tspan>
+ </text>
+ </g>
+ </g>
+ </a>
+ </g>
+ </g>
+ </g>
+ </g>
+ <text class="source" display="none">
+ Click to send a PUT request
+ </text>
+ </svg>
+ </div>
+ <textarea
+ data-update-url="/h5bp/html5-boilerplate/-/issues/35.json"
+ dir="auto"
+ class="hidden js-task-list-field"
+ ></textarea>
+ <div class="modal-open recaptcha-modal js-recaptcha-modal" style="display: none;">
+ <div role="dialog" tabindex="-1" class="modal d-block">
+ <div role="document" class="modal-dialog">
+ <div class="modal-content">
+ <div class="modal-header">
+ <h4 class="modal-title float-left">Please solve the reCAPTCHA</h4>
+ <button type="button" data-dismiss="modal" aria-label="Close" class="close float-right">
+ <span aria-hidden="true">×</span>
+ </button>
+ </div>
+ <div class="modal-body">
+ <div>
+ <p>We want to be sure it is you, please confirm you are not a robot.</p>
+ <div></div>
+ </div>
+ </div>
+ <!---->
+ </div>
+ </div>
+ </div>
+ <div class="modal-backdrop fade show"></div>
+ </div>
+</div>
diff --git a/spec/frontend/issue_spec.js b/spec/frontend/issue_spec.js
index 586bd7f8529..24020daf728 100644
--- a/spec/frontend/issue_spec.js
+++ b/spec/frontend/issue_spec.js
@@ -18,6 +18,7 @@ describe('Issue', () => {
 preloadFixtures('issues/closed-issue.html');
 preloadFixtures('issues/issue-with-task-list.html');
 preloadFixtures('issues/open-issue.html');
+ preloadFixtures('static/issue_with_mermaid_graph.html');
 function expectErrorMessage() {
 const $flashMessage = $('div.flash-alert');
@@ -228,4 +229,30 @@ describe('Issue', () => {
 });
 });
 });
+
+ describe('when not displaying blocked warning', () => {
+ describe('when clicking a mermaid graph inside an issue description', () => {
+ let mock;
+ let spy;
+
+ beforeEach(() => {
+ loadFixtures('static/issue_with_mermaid_graph.html');
+ mock = new MockAdapter(axios);
+ spy = jest.spyOn(axios, 'put');
+ });
+
+ afterEach(() => {
+ mock.restore();
+ jest.clearAllMocks();
+ });
+
+ it('does not make a PUT request', () => {
+ Issue.prototype.initIssueBtnEventListeners();
+
+ $('svg a.js-issuable-actions').trigger('click');
+
+ expect(spy).not.toHaveBeenCalled();
+ });
+ });
+ });
 });
diff --git a/spec/frontend/monitoring/components/duplicate_dashboard_form_spec.js b/spec/frontend/monitoring/components/duplicate_dashboard_form_spec.js
index 10fd58f749d..61d5f7a99d3 100644
--- a/spec/frontend/monitoring/components/duplicate_dashboard_form_spec.js
+++ b/spec/frontend/monitoring/components/duplicate_dashboard_form_spec.js
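Review bot: The 'does not make a PUT request' example in the second issue_spec.js hunk can pass without exercising anything: if `$('svg a.js-issuable-actions')` matches no element, `trigger('click')` is a no-op and `expect(spy).not.toHaveBeenCalled()` still holds. Add a positive control before the click, e.g. `expect($('svg a.js-issuable-actions').length).toBe(1);`, so the test fails if the fixture or the selector drifts. Separately, `jest.clearAllMocks()` in `afterEach` only resets call history and leaves the `jest.spyOn(axios, 'put')` wrapper installed; `spy.mockRestore();` would undo it. The outer `describe('when not displaying blocked warning', ...)` title does not describe what the nested example checks and could be renamed or dropped.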
@@ -3,9 +3,17 @@ import DuplicateDashboardForm from '~/monitoring/components/duplicate_dashboard_
 import { dashboardGitResponse } from '../mock_data';
-describe('DuplicateDashboardForm', () => {
- let wrapper;
+let wrapper;
+
+const createMountedWrapper = (props = {}) => {
+ // Use `mount` to render native input elements
+ wrapper = mount(DuplicateDashboardForm, {
+ propsData: { ...props },
+ sync: false,
+ });
+};
+describe('DuplicateDashboardForm', () => {
 const defaultBranch = 'master';
 const findByRef = ref => wrapper.find({ ref });
@@ -20,14 +28,7 @@ describe('DuplicateDashboardForm', () => {
 };
 beforeEach(() => {
- // Use `mount` to render native input elements
- wrapper = mount(DuplicateDashboardForm, {
- propsData: {
- dashboard: dashboardGitResponse[0],
- defaultBranch,
- },
- sync: false,
- });
+ createMountedWrapper({ dashboard: dashboardGitResponse[0], defaultBranch });
 });
 it('renders correctly', () => {
@@ -144,3 +145,18 @@ describe('DuplicateDashboardForm', () => {
 });
 });
 });
+
+describe('DuplicateDashboardForm escapes elements', () => {
+ const branchToEscape = "<img/src='x'onerror=alert(document.domain)>";
+
+ beforeEach(() => {
+ createMountedWrapper({ dashboard: dashboardGitResponse[0], defaultBranch: branchToEscape });
+ });
+
+ it('should escape branch name data', () => {
+ const branchOptionHtml = wrapper.vm.branchOptions[0].html;
+ const escapedBranch = '<img/src='x'onerror=alert(document.domain)>';
+
+ expect(branchOptionHtml).toEqual(expect.stringContaining(escapedBranch));
+ });
+});
diff --git a/spec/requests/api/group_import_spec.rb b/spec/requests/api/group_import_spec.rb
index 58bff08dcbb..b60a1b3f119 100644
--- a/spec/requests/api/group_import_spec.rb
+++ b/spec/requests/api/group_import_spec.rb
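Review bot: In the last hunk, 'should escape branch name data' asserts only that the escaped form is contained in `branchOptions[0].html`; it never asserts that the raw `branchToEscape` string is absent, so output carrying both forms would still pass. Adding `expect(branchOptionHtml).not.toContain(branchToEscape);` closes that gap. As this page renders it, the `escapedBranch` literal is character-for-character the same as `branchToEscape`, which looks like entity decoding by the page rather than the committed text, so it is worth confirming against the file. The first hunk also moves `wrapper` to module scope, and the new `describe` mounts a component in `beforeEach` with no visible `wrapper.destroy()` in an `afterEach`.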
@@ -11,7 +11,7 @@ describe API::GroupImport do
 let(:file) { File.join('spec', 'fixtures', 'group_export.tar.gz') }
 let(:export_path) { "#{Dir.tmpdir}/group_export_spec" }
 let(:workhorse_token) { JWT.encode({ 'iss' => 'gitlab-workhorse' }, Gitlab::Workhorse.secret, 'HS256') }
- let(:workhorse_header) { { 'GitLab-Workhorse' => '1.0', Gitlab::Workhorse::INTERNAL_API_REQUEST_HEADER => workhorse_token } }
+ let(:workhorse_headers) { { 'GitLab-Workhorse' => '1.0', Gitlab::Workhorse::INTERNAL_API_REQUEST_HEADER => workhorse_token } }
 before do
 allow_next_instance_of(Gitlab::ImportExport) do |import_export|
@@ -35,7 +35,7 @@ describe API::GroupImport do
 }
 end
- subject { post api('/groups/import', user), params: params, headers: workhorse_header }
+ subject { upload_archive(file_upload, workhorse_headers, params) }
 shared_examples 'when all params are correct' do
 context 'when user is authorized to create new group' do
@@ -151,7 +151,7 @@ describe API::GroupImport do
 params[:file] = file_upload
 expect do
- post api('/groups/import', user), params: params, headers: workhorse_header
+ upload_archive(file_upload, workhorse_headers, params)
 end.not_to change { Group.count }.from(1)
 expect(response).to have_gitlab_http_status(:bad_request)
@@ -171,7 +171,7 @@ describe API::GroupImport do
 context 'without a file from workhorse' do
 it 'rejects the request' do
- subject
+ upload_archive(nil, workhorse_headers, params)
 expect(response).to have_gitlab_http_status(:bad_request)
 end
@@ -179,7 +179,7 @@ describe API::GroupImport do
 context 'without a workhorse header' do
 it 'rejects request without a workhorse header' do
- post api('/groups/import', user), params: params
+ upload_archive(file_upload, {}, params)
 expect(response).to have_gitlab_http_status(:forbidden)
 end
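Review bot: In the `@@ -151,7 +151,7 @@` hunk the context line `params[:file] = file_upload` is now redundant, because `upload_archive` (added further down in this file's diff) already does `params.merge(file: file)`. Dropping the assignment leaves one source for the uploaded file and avoids mutating the shared `params` hash before the request. The surrounding `it` block starts above the hunk.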
@@ -189,9 +189,7 @@ describe API::GroupImport do
 let(:params) do
 {
 path: 'test-import-group',
- name: 'test-import-group',
- 'file.path' => file_upload.path,
- 'file.name' => file_upload.original_filename
+ name: 'test-import-group'
 }
 end
@@ -229,9 +227,7 @@ describe API::GroupImport do
 {
 path: 'test-import-group',
 name: 'test-import-group',
- file: fog_file,
- 'file.remote_id' => file_name,
- 'file.size' => fog_file.size
+ file: fog_file
 }
 end
@@ -245,10 +241,21 @@ describe API::GroupImport do
 include_examples 'when some params are missing'
 end
 end
+
+ def upload_archive(file, headers = {}, params = {})
+ workhorse_finalize(
+ api('/groups/import', user),
+ method: :post,
+ file_key: :file,
+ params: params.merge(file: file),
+ headers: headers,
+ send_rewritten_field: true
+ )
+ end
 end
 describe 'POST /groups/import/authorize' do
- subject { post api('/groups/import/authorize', user), headers: workhorse_header }
+ subject { post api('/groups/import/authorize', user), headers: workhorse_headers }
 it 'authorizes importing group with workhorse header' do
 subject
@@ -258,7 +265,7 @@ describe API::GroupImport do
 end
 it 'rejects requests that bypassed gitlab-workhorse' do
- workhorse_header.delete(Gitlab::Workhorse::INTERNAL_API_REQUEST_HEADER)
+ workhorse_headers.delete(Gitlab::Workhorse::INTERNAL_API_REQUEST_HEADER)
 subject
diff --git a/spec/requests/api/repositories_spec.rb b/spec/requests/api/repositories_spec.rb
index 0c66bfd6c4d..bfc782c62e5 100644
--- a/spec/requests/api/repositories_spec.rb
+++ b/spec/requests/api/repositories_spec.rb
@@ -177,6 +177,12 @@ describe API::Repositories do
 expect(headers['Content-Disposition']).to eq 'inline'
 end
+ it_behaves_like 'uncached response' do
+ before do
+ get api(route, current_user)
+ end
+ end
+
 context 'when sha does not exist' do
 it_behaves_like '404 response' do
 let(:request) { get api(route.sub(sample_blob.oid, 'abcd9876'), current_user) }
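Review bot: `upload_archive` in the `@@ -245,10 +241,21 @@` hunk always passes `send_rewritten_field: true`, and the earlier hunks drop the hand-written `'file.path'` / `'file.remote_id'` params, so no example visible in this diff sends upload parameters without the rewritten-field data and expects them to be rejected. If that case is what the commit hardens (inferred from the removals; the production change is outside this `spec`-limited view), a negative example that calls `workhorse_finalize` with `send_rewritten_field: false` and expects a non-success status would pin it. The helper would also benefit from a one-line comment such as `# Simulates an upload already processed by gitlab-workhorse, including the rewritten-field data.`, with the wording confirmed against `workhorse_finalize`, which is not shown here.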
diff --git a/spec/services/clusters/update_service_spec.rb b/spec/services/clusters/update_service_spec.rb
index d487edd8850..5a7726eded8 100644
--- a/spec/services/clusters/update_service_spec.rb
+++ b/spec/services/clusters/update_service_spec.rb
@@ -47,6 +47,39 @@ describe Clusters::UpdateService do
 expect(cluster.platform.namespace).to eq('custom-namespace')
 end
 end
+
+ context 'when service token is empty' do
+ let(:params) do
+ {
+ platform_kubernetes_attributes: {
+ token: ''
+ }
+ }
+ end
+
+ it 'does not update the token' do
+ current_token = cluster.platform.token
+ is_expected.to eq(true)
+ cluster.platform.reload
+
+ expect(cluster.platform.token).to eq(current_token)
+ end
+ end
+
+ context 'when service token is not empty' do
+ let(:params) do
+ {
+ platform_kubernetes_attributes: {
+ token: 'new secret token'
+ }
+ }
+ end
+
+ it 'updates the token' do
+ is_expected.to eq(true)
+ expect(cluster.platform.token).to eq('new secret token')
+ end
+ end
 end
 context 'when invalid params' do
diff --git a/spec/support/shared_examples/uncached_response_shared_examples.rb b/spec/support/shared_examples/uncached_response_shared_examples.rb
new file mode 100644
index 00000000000..3997017ff35
--- /dev/null
+++ b/spec/support/shared_examples/uncached_response_shared_examples.rb
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+#
+# Pairs with lib/gitlab/no_cache_headers.rb
+#
+
+RSpec.shared_examples 'uncached response' do
+ it 'defines an uncached header response' do
+ expect(response.headers["Cache-Control"]).to include("no-store", "no-cache")
+ expect(response.headers["Pragma"]).to eq("no-cache")
+ expect(response.headers["Expires"]).to eq("Fri, 01 Jan 1990 00:00:00 GMT")
+ end
+end |
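Review bot: 'does not update the token' compares against `current_token` without checking that it is non-blank, so if the cluster under test starts with no token the example passes whether or not the empty value was written. Add `expect(current_token).to be_present` before `is_expected.to eq(true)`. The companion example 'updates the token' asserts on the in-memory object; calling `cluster.platform.reload` first, as the other example does, would check the persisted value instead. Only `''` is covered here; a `nil` or whitespace-only token is not exercised.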
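Review bot: The 'uncached response' shared example reads `response` but performs no request itself, so every includer has to issue the request in a `before` block, as the repositories spec in this commit does; that contract is not documented. A header comment such as `# The including context must perform the request (e.g. in a before block) before these examples run.` would make it explicit. The literal header values duplicate whatever lib/gitlab/no_cache_headers.rb defines; if that file exposes them as constants (not visible here), referencing them would keep the two in step.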