diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-03-30 02:54:01 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-03-30 02:54:01 +0300 |
commit | 22afa6177e5cdd2843502d425cb584135a35df60 (patch) | |
tree | 57a0d0b688f058b395f41445bdbc2372dc5da85e /spec | |
parent | 52dd3cdae10174cc35af6698b280acd1431cc4f8 (diff) |
Add latest changes from gitlab-org/security/gitlab@15-9-stable-ee
Diffstat (limited to 'spec')
-rw-r--r-- | spec/controllers/concerns/confirm_email_warning_spec.rb | 34 | ||||
-rw-r--r-- | spec/controllers/projects/blob_controller_spec.rb | 33 | ||||
-rw-r--r-- | spec/controllers/projects/refs_controller_spec.rb | 2 | ||||
-rw-r--r-- | spec/controllers/projects/tree_controller_spec.rb | 37 | ||||
-rw-r--r-- | spec/controllers/projects_controller_spec.rb | 63 | ||||
-rw-r--r-- | spec/features/admin/users/user_spec.rb | 30 | ||||
-rw-r--r-- | spec/frontend/behaviors/markdown/render_observability_spec.js | 12 | ||||
-rw-r--r-- | spec/frontend/repository/utils/ref_switcher_utils_spec.js | 29 | ||||
-rw-r--r-- | spec/lib/banzai/filter/inline_observability_filter_spec.rb | 52 |
9 files changed, 274 insertions, 18 deletions
diff --git a/spec/controllers/concerns/confirm_email_warning_spec.rb b/spec/controllers/concerns/confirm_email_warning_spec.rb index 334c156e1ae..b8a4b94aa66 100644 --- a/spec/controllers/concerns/confirm_email_warning_spec.rb +++ b/spec/controllers/concerns/confirm_email_warning_spec.rb @@ -2,7 +2,7 @@ require 'spec_helper' -RSpec.describe ConfirmEmailWarning do +RSpec.describe ConfirmEmailWarning, feature_category: :system_access do before do stub_feature_flags(soft_email_confirmation: true) end @@ -82,6 +82,38 @@ RSpec.describe ConfirmEmailWarning do it { is_expected.to set_confirm_warning_for(user.email) } end end + + context 'when user is being impersonated' do + let(:impersonator) { create(:admin) } + + before do + allow(controller).to receive(:session).and_return({ impersonator_id: impersonator.id }) + + get :index + end + + it { is_expected.to set_confirm_warning_for(user.email) } + + context 'when impersonated user email has html in their email' do + let(:user) { create(:user, confirmed_at: nil, unconfirmed_email: "malicious@test.com<form><input/title='<script>alert(document.domain)</script>'>") } + + it { is_expected.to set_confirm_warning_for("malicious@test.com<form><input/title='<script>alert(document.domain)</script>'>") } + end + end + + context 'when user is not being impersonated' do + before do + get :index + end + + it { is_expected.to set_confirm_warning_for(user.email) } + + context 'when user email has html in their email' do + let(:user) { create(:user, confirmed_at: nil, unconfirmed_email: "malicious@test.com<form><input/title='<script>alert(document.domain)</script>'>") } + + it { is_expected.to set_confirm_warning_for("malicious@test.com<form><input/title='<script>alert(document.domain)</script>'>") } + end + end end end end diff --git a/spec/controllers/projects/blob_controller_spec.rb b/spec/controllers/projects/blob_controller_spec.rb index 887a5ba598f..ec92d92e2a9 100644 --- a/spec/controllers/projects/blob_controller_spec.rb +++ b/spec/controllers/projects/blob_controller_spec.rb @@ -2,15 +2,16 @@ require 'spec_helper' -RSpec.describe Projects::BlobController do +RSpec.describe Projects::BlobController, feature_category: :source_code_management do include ProjectForksHelper let(:project) { create(:project, :public, :repository, previous_default_branch: previous_default_branch) } let(:previous_default_branch) { nil } describe "GET show" do - def request - get(:show, params: { namespace_id: project.namespace, project_id: project, id: id }) + let(:params) { { namespace_id: project.namespace, project_id: project, id: id } } + let(:request) do + get(:show, params: params) end render_views @@ -18,10 +19,34 @@ RSpec.describe Projects::BlobController do context 'with file path' do before do expect(::Gitlab::GitalyClient).to receive(:allow_ref_name_caching).and_call_original - + project.repository.add_tag(project.creator, 'ambiguous_ref', RepoHelpers.sample_commit.id) + project.repository.add_branch(project.creator, 'ambiguous_ref', RepoHelpers.another_sample_commit.id) request end + context 'when the ref is ambiguous' do + let(:ref) { 'ambiguous_ref' } + let(:path) { 'README.md' } + let(:id) { "#{ref}/#{path}" } + let(:params) { { namespace_id: project.namespace, project_id: project, id: id, ref_type: ref_type } } + + context 'and explicitly requesting a branch' do + let(:ref_type) { 'heads' } + + it 'redirects to blob#show with sha for the branch' do + expect(response).to redirect_to(project_blob_path(project, "#{RepoHelpers.another_sample_commit.id}/#{path}")) + end + end + + context 'and explicitly requesting a tag' do + let(:ref_type) { 'tags' } + + it 'responds with success' do + expect(response).to be_ok + end + end + end + context "valid branch, valid file" do let(:id) { 'master/README.md' } diff --git a/spec/controllers/projects/refs_controller_spec.rb b/spec/controllers/projects/refs_controller_spec.rb index a0d119baf16..7a511ab676e 100644 --- a/spec/controllers/projects/refs_controller_spec.rb +++ b/spec/controllers/projects/refs_controller_spec.rb @@ -26,7 +26,7 @@ RSpec.describe Projects::RefsController, feature_category: :source_code_manageme 'tree' | nil | lazy { project_tree_path(project, id) } 'tree' | 'heads' | lazy { project_tree_path(project, id) } 'blob' | nil | lazy { project_blob_path(project, id) } - 'blob' | 'heads' | lazy { project_blob_path(project, id) } + 'blob' | 'heads' | lazy { project_blob_path(project, id, ref_type: 'heads') } 'graph' | nil | lazy { project_network_path(project, id) } 'graph' | 'heads' | lazy { project_network_path(project, id, ref_type: 'heads') } 'graphs' | nil | lazy { project_graph_path(project, id) } diff --git a/spec/controllers/projects/tree_controller_spec.rb b/spec/controllers/projects/tree_controller_spec.rb index 9bc3065b6da..37149e1d3ca 100644 --- a/spec/controllers/projects/tree_controller_spec.rb +++ b/spec/controllers/projects/tree_controller_spec.rb @@ -2,7 +2,7 @@ require 'spec_helper' -RSpec.describe Projects::TreeController do +RSpec.describe Projects::TreeController, feature_category: :source_code_management do let(:project) { create(:project, :repository, previous_default_branch: previous_default_branch) } let(:previous_default_branch) { nil } let(:user) { create(:user) } @@ -15,18 +15,41 @@ RSpec.describe Projects::TreeController do end describe "GET show" do + let(:params) do + { + namespace_id: project.namespace.to_param, project_id: project, id: id + } + end + # Make sure any errors accessing the tree in our views bubble up to this spec render_views before do expect(::Gitlab::GitalyClient).to receive(:allow_ref_name_caching).and_call_original + project.repository.add_tag(project.creator, 'ambiguous_ref', RepoHelpers.sample_commit.id) + project.repository.add_branch(project.creator, 'ambiguous_ref', RepoHelpers.another_sample_commit.id) + get :show, params: params + end - get(:show, - params: { - namespace_id: project.namespace.to_param, - project_id: project, - id: id - }) + context 'when the ref is ambiguous' do + let(:id) { 'ambiguous_ref' } + let(:params) { { namespace_id: project.namespace, project_id: project, id: id, ref_type: ref_type } } + + context 'and explicitly requesting a branch' do + let(:ref_type) { 'heads' } + + it 'redirects to blob#show with sha for the branch' do + expect(response).to redirect_to(project_tree_path(project, RepoHelpers.another_sample_commit.id)) + end + end + + context 'and explicitly requesting a tag' do + let(:ref_type) { 'tags' } + + it 'responds with success' do + expect(response).to be_ok + end + end end context "valid branch, no path" do diff --git a/spec/controllers/projects_controller_spec.rb b/spec/controllers/projects_controller_spec.rb index 51f8a3b1197..c5ec6651ab3 100644 --- a/spec/controllers/projects_controller_spec.rb +++ b/spec/controllers/projects_controller_spec.rb @@ -163,6 +163,69 @@ RSpec.describe ProjectsController, feature_category: :projects do expect(assigns(:notification_setting).level).to eq("watch") end end + + context 'when there is a tag with the same name as the default branch' do + let_it_be(:tagged_project) { create(:project, :public, :custom_repo, files: ['somefile']) } + let(:tree_with_default_branch) do + branch = tagged_project.repository.find_branch(tagged_project.default_branch) + project_tree_path(tagged_project, branch.target) + end + + before do + tagged_project.repository.create_file( + tagged_project.creator, + 'file_for_tag', + 'content for file', + message: "Automatically created file", + branch_name: 'branch-to-tag' + ) + + tagged_project.repository.add_tag( + tagged_project.creator, + tagged_project.default_branch, # tag name + 'branch-to-tag' # target + ) + end + + it 'redirects to tree view for the default branch' do + get :show, params: { namespace_id: tagged_project.namespace, id: tagged_project } + expect(response).to redirect_to(tree_with_default_branch) + end + end + + context 'when the default branch name can resolve to another ref' do + let!(:project_with_default_branch) do + create(:project, :public, :custom_repo, files: ['somefile']).tap do |p| + p.repository.create_branch("refs/heads/refs/heads/#{other_ref}", 'master') + p.change_head("refs/heads/#{other_ref}") + end.reload + end + + let(:other_ref) { 'branch-name' } + + context 'but there is no other ref' do + it 'responds with ok' do + get :show, params: { namespace_id: project_with_default_branch.namespace, id: project_with_default_branch } + expect(response).to be_ok + end + end + + context 'and that other ref exists' do + let(:tree_with_default_branch) do + branch = project_with_default_branch.repository.find_branch(project_with_default_branch.default_branch) + project_tree_path(project_with_default_branch, branch.target) + end + + before do + project_with_default_branch.repository.create_branch(other_ref, 'master') + end + + it 'redirects to tree view for the default branch' do + get :show, params: { namespace_id: project_with_default_branch.namespace, id: project_with_default_branch } + expect(response).to redirect_to(tree_with_default_branch) + end + end + end end describe "when project repository is disabled" do diff --git a/spec/features/admin/users/user_spec.rb b/spec/features/admin/users/user_spec.rb index 1552d4e6187..66129617220 100644 --- a/spec/features/admin/users/user_spec.rb +++ b/spec/features/admin/users/user_spec.rb @@ -271,6 +271,36 @@ RSpec.describe 'Admin::Users::User', feature_category: :user_management do icon = first('[data-testid="incognito-icon"]') expect(icon).not_to be nil end + + context 'when viewing the confirm email warning', :js do + let_it_be(:another_user) { create(:user, :unconfirmed) } + + let(:warning_alert) { page.find(:css, '[data-testid="alert-warning"]') } + let(:expected_styling) { { 'pointer-events' => 'none', 'cursor' => 'default' } } + + context 'with an email that does not contain HTML' do + before do + subject + end + + it 'displays the warning alert including the email' do + expect(warning_alert.text).to include("Please check your email (#{another_user.email}) to verify") + end + end + + context 'with an email that contains HTML' do + let(:malicious_email) { "malicious@test.com<form><input/title='<script>alert(document.domain)</script>'>" } + let(:another_user) { create(:user, confirmed_at: nil, unconfirmed_email: malicious_email) } + + before do + subject + end + + it 'displays the impersonation alert, excludes email, and disables links' do + expect(warning_alert.text).to include("check your email (#{another_user.unconfirmed_email}) to verify") + end + end + end end context 'ending impersonation' do diff --git a/spec/frontend/behaviors/markdown/render_observability_spec.js b/spec/frontend/behaviors/markdown/render_observability_spec.js index c87d11742dc..03a0cb2fcc2 100644 --- a/spec/frontend/behaviors/markdown/render_observability_spec.js +++ b/spec/frontend/behaviors/markdown/render_observability_spec.js @@ -16,7 +16,7 @@ describe('Observability iframe renderer', () => { }); it('renders an observability iframe', () => { - document.body.innerHTML = `<div class="js-render-observability" data-frame-url="https://observe.gitlab.com/"></div>`; + document.body.innerHTML = `<div class="js-render-observability" data-frame-url="https://observe.gitlab.com/" data-observability-url="https://observe.gitlab.com/" ></div>`; expect(findObservabilityIframes()).toHaveLength(0); @@ -26,7 +26,7 @@ describe('Observability iframe renderer', () => { }); it('renders iframe with dark param when GL has dark theme', () => { - document.body.innerHTML = `<div class="js-render-observability" data-frame-url="https://observe.gitlab.com/"></div>`; + document.body.innerHTML = `<div class="js-render-observability" data-frame-url="https://observe.gitlab.com/" data-observability-url="https://observe.gitlab.com/"></div>`; jest.spyOn(ColorUtils, 'darkModeEnabled').mockImplementation(() => true); expect(findObservabilityIframes('dark')).toHaveLength(0); @@ -35,4 +35,12 @@ describe('Observability iframe renderer', () => { expect(findObservabilityIframes('dark')).toHaveLength(1); }); + + it('does not render if url is different from observability url', () => { + document.body.innerHTML = `<div class="js-render-observability" data-frame-url="https://example.com/" data-observability-url="https://observe.gitlab.com/"></div>`; + + renderEmbeddedObservability(); + + expect(findObservabilityIframes()).toHaveLength(0); + }); }); diff --git a/spec/frontend/repository/utils/ref_switcher_utils_spec.js b/spec/frontend/repository/utils/ref_switcher_utils_spec.js index 7f708f13eaa..220dbf17398 100644 --- a/spec/frontend/repository/utils/ref_switcher_utils_spec.js +++ b/spec/frontend/repository/utils/ref_switcher_utils_spec.js @@ -1,5 +1,6 @@ import { generateRefDestinationPath } from '~/repository/utils/ref_switcher_utils'; import setWindowLocation from 'helpers/set_window_location_helper'; +import { TEST_HOST } from 'spec/test_constants'; import { refWithSpecialCharMock, encodedRefWithSpecialCharMock } from '../mock_data'; const projectRootPath = 'root/Project1'; @@ -16,16 +17,38 @@ describe('generateRefDestinationPath', () => { ${`${projectRootPath}/-/blob/${currentRef}/dir1/test.js`} | ${`${projectRootPath}/-/blob/${selectedRef}/dir1/test.js`} ${`${projectRootPath}/-/blob/${currentRef}/dir1/dir2/test.js`} | ${`${projectRootPath}/-/blob/${selectedRef}/dir1/dir2/test.js`} ${`${projectRootPath}/-/blob/${currentRef}/dir1/dir2/test.js#L123`} | ${`${projectRootPath}/-/blob/${selectedRef}/dir1/dir2/test.js#L123`} - `('generates the correct destination path for $currentPath', ({ currentPath, result }) => { + `('generates the correct destination path for $currentPath', ({ currentPath, result }) => { setWindowLocation(currentPath); - expect(generateRefDestinationPath(projectRootPath, currentRef, selectedRef)).toBe(result); + expect(generateRefDestinationPath(projectRootPath, currentRef, selectedRef)).toBe( + `${TEST_HOST}/${result}`, + ); + }); + + describe('when using symbolic ref names', () => { + it.each` + currentPath | nextRef | result + ${`${projectRootPath}/-/blob/${currentRef}/dir1/dir2/test.js#L123`} | ${'someHash'} | ${`${projectRootPath}/-/blob/someHash/dir1/dir2/test.js#L123`} + ${`${projectRootPath}/-/blob/${currentRef}/dir1/dir2/test.js#L123`} | ${'refs/heads/prefixedByUseSymbolicRefNames'} | ${`${projectRootPath}/-/blob/prefixedByUseSymbolicRefNames/dir1/dir2/test.js?ref_type=heads#L123`} + ${`${projectRootPath}/-/blob/${currentRef}/dir1/dir2/test.js#L123`} | ${'refs/tags/prefixedByUseSymbolicRefNames'} | ${`${projectRootPath}/-/blob/prefixedByUseSymbolicRefNames/dir1/dir2/test.js?ref_type=tags#L123`} + ${`${projectRootPath}/-/tree/${currentRef}/dir1/dir2/test.js#L123`} | ${'refs/heads/prefixedByUseSymbolicRefNames'} | ${`${projectRootPath}/-/tree/prefixedByUseSymbolicRefNames/dir1/dir2/test.js?ref_type=heads#L123`} + ${`${projectRootPath}/-/tree/${currentRef}/dir1/dir2/test.js#L123`} | ${'refs/tags/prefixedByUseSymbolicRefNames'} | ${`${projectRootPath}/-/tree/prefixedByUseSymbolicRefNames/dir1/dir2/test.js?ref_type=tags#L123`} + ${`${projectRootPath}/-/tree/${currentRef}/dir1/dir2/test.js#L123`} | ${'refs/heads/refs/heads/branchNameContainsPrefix'} | ${`${projectRootPath}/-/tree/refs/heads/branchNameContainsPrefix/dir1/dir2/test.js?ref_type=heads#L123`} + `( + 'generates the correct destination path for $currentPath with ref type when it can be extracted', + ({ currentPath, result, nextRef }) => { + setWindowLocation(currentPath); + expect(generateRefDestinationPath(projectRootPath, currentRef, nextRef)).toBe( + `${TEST_HOST}/${result}`, + ); + }, + ); }); it('encodes the selected ref', () => { const result = `${projectRootPath}/-/tree/${encodedRefWithSpecialCharMock}`; expect(generateRefDestinationPath(projectRootPath, currentRef, refWithSpecialCharMock)).toBe( - result, + `${TEST_HOST}/${result}`, ); }); }); diff --git a/spec/lib/banzai/filter/inline_observability_filter_spec.rb b/spec/lib/banzai/filter/inline_observability_filter_spec.rb index fb1ba46e76c..69a9dc96c2c 100644 --- a/spec/lib/banzai/filter/inline_observability_filter_spec.rb +++ b/spec/lib/banzai/filter/inline_observability_filter_spec.rb @@ -34,6 +34,58 @@ RSpec.describe Banzai::Filter::InlineObservabilityFilter do end end + context 'when the document contains an embeddable observability link with redirect' do + let(:url) { 'https://observe.gitlab.com@example.com/12345' } + + it 'leaves the original link unchanged' do + expect(doc.at_css('a').to_s).to eq(input) + end + + it 'does not append an observability charts placeholder' do + node = doc.at_css('.js-render-observability') + + expect(node).not_to be_present + end + end + + context 'when the document contains an embeddable observability link with different port' do + let(:url) { 'https://observe.gitlab.com:3000/12345' } + let(:observe_url) { 'https://observe.gitlab.com:3001' } + + before do + stub_env('OVERRIDE_OBSERVABILITY_URL', observe_url) + end + + it 'leaves the original link unchanged' do + expect(doc.at_css('a').to_s).to eq(input) + end + + it 'does not append an observability charts placeholder' do + node = doc.at_css('.js-render-observability') + + expect(node).not_to be_present + end + end + + context 'when the document contains an embeddable observability link with auth/start' do + let(:url) { 'https://observe.gitlab.com/auth/start' } + let(:observe_url) { 'https://observe.gitlab.com' } + + before do + stub_env('OVERRIDE_OBSERVABILITY_URL', observe_url) + end + + it 'leaves the original link unchanged' do + expect(doc.at_css('a').to_s).to eq(input) + end + + it 'does not append an observability charts placeholder' do + node = doc.at_css('.js-render-observability') + + expect(node).not_to be_present + end + end + context 'when feature flag is disabled' do let(:url) { 'https://observe.gitlab.com/12345' } |