author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-03-30 02:48:15 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-03-30 02:48:15 +0300 |
commit | ef77d7f75069ca5f71261d80bc9caea59168cba2 (patch) | |
tree | b5d128c44de05edc90e0d3cb5fca398c55803628 /spec | |
parent | b405157ce7809b3671155faa8f3c3395e3fc74ce (diff) |
Add latest changes from gitlab-org/security/gitlab@15-9-stable-ee
Diffstat (limited to 'spec')
-rw-r--r-- | spec/finders/environments/environment_names_finder_spec.rb | 26 | ||||
-rw-r--r-- | spec/lib/gitlab/regex_spec.rb | 10 | ||||
-rw-r--r-- | spec/lib/gitlab/untrusted_regexp_spec.rb | 32 | ||||
-rw-r--r-- | spec/models/concerns/taskable_spec.rb | 6 | ||||
-rw-r--r-- | spec/policies/project_policy_spec.rb | 4 | ||||
-rw-r--r-- | spec/views/explore/projects/page_out_of_bounds.html.haml_spec.rb | 26 |
6 files changed, 87 insertions, 17 deletions
diff --git a/spec/finders/environments/environment_names_finder_spec.rb b/spec/finders/environments/environment_names_finder_spec.rb
index 438f9e9ea7c..c2336c59119 100644
--- a/spec/finders/environments/environment_names_finder_spec.rb
+++ b/spec/finders/environments/environment_names_finder_spec.rb
@@ -6,6 +6,7 @@ RSpec.describe Environments::EnvironmentNamesFinder do
 describe '#execute' do
 let!(:group) { create(:group) }
 let!(:public_project) { create(:project, :public, namespace: group) }
+ let_it_be_with_reload(:public_project_with_private_environments) { create(:project, :public) }
 let!(:private_project) { create(:project, :private, namespace: group) }
 let!(:user) { create(:user) }
@@ -14,6 +15,11 @@ RSpec.describe Environments::EnvironmentNamesFinder do
 create(:environment, name: 'gprd', project: public_project)
 create(:environment, name: 'gprd', project: private_project)
 create(:environment, name: 'gcny', project: private_project)
+ create(:environment, name: 'gprivprd', project: public_project_with_private_environments)
+ create(:environment, name: 'gprivstg', project: public_project_with_private_environments)
+
+ public_project_with_private_environments.update!(namespace: group)
+ public_project_with_private_environments.project_feature.update!(environments_access_level: Featurable::PRIVATE)
 end
 context 'using a group' do
@@ -23,7 +29,7 @@ RSpec.describe Environments::EnvironmentNamesFinder do
 names = described_class.new(group, user).execute
- expect(names).to eq(%w[gcny gprd gstg])
+ expect(names).to eq(%w[gcny gprd gprivprd gprivstg gstg])
 end
 end
@@ -33,7 +39,7 @@ RSpec.describe Environments::EnvironmentNamesFinder do
 names = described_class.new(group, user).execute
- expect(names).to eq(%w[gcny gprd gstg])
+ expect(names).to eq(%w[gcny gprd gprivprd gprivstg gstg])
 end
 end
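Review bot: `let_it_be_with_reload(:public_project_with_private_environments) { create(:project, :public) }` builds the project once per example group without a namespace, while every sibling project is a per-example `let!` bound to `group`, and the `before` block in the @@ -14 hunk then re-parents it with `update!(namespace: group)` on every example; the once-only setup therefore appears to buy nothing and the fixture is assembled in two places. Creating it like its siblings, `let!(:public_project_with_private_environments) { create(:project, :public, namespace: group) }`, lets the `public_project_with_private_environments.update!(namespace: group)` line in the second hunk be dropped while keeping the `project_feature.update!(environments_access_level: Featurable::PRIVATE)` call where it is. The enclosing `describe '#execute'` block runs past the end of this hunk.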
@@ -57,8 +63,18 @@ RSpec.describe Environments::EnvironmentNamesFinder do
 end
 end
+ context 'with a public project reporter which has private environments' do
+ it 'returns environment names for public projects' do
+ public_project_with_private_environments.add_reporter(user)
+
+ names = described_class.new(group, user).execute
+
+ expect(names).to eq(%w[gprd gprivprd gprivstg gstg])
+ end
+ end
+
 context 'with a group guest' do
- it 'returns environment names for all public projects' do
+ it 'returns environment names for public projects' do
 group.add_guest(user)
 names = described_class.new(group, user).execute
@@ -68,7 +84,7 @@ RSpec.describe Environments::EnvironmentNamesFinder do
 end
 context 'with a non-member' do
- it 'returns environment names for all public projects' do
+ it 'returns environment names for only public projects with public environments' do
 names = described_class.new(group, user).execute
 expect(names).to eq(%w[gprd gstg])
@@ -76,7 +92,7 @@ RSpec.describe Environments::EnvironmentNamesFinder do
 end
 context 'without a user' do
- it 'returns environment names for all public projects' do
+ it 'returns environment names for only public projects with public environments' do
 names = described_class.new(group).execute
 expect(names).to eq(%w[gprd gstg])
diff --git a/spec/lib/gitlab/regex_spec.rb b/spec/lib/gitlab/regex_spec.rb
index 31de4068bc5..bc0f9e22d50 100644
--- a/spec/lib/gitlab/regex_spec.rb
+++ b/spec/lib/gitlab/regex_spec.rb
@@ -1140,7 +1140,7 @@ RSpec.describe Gitlab::Regex, feature_category: :tooling do
 end
 context 'HTML comment lines' do
- subject { described_class::MARKDOWN_HTML_COMMENT_LINE_REGEX }
+ subject { Gitlab::UntrustedRegexp.new(described_class::MARKDOWN_HTML_COMMENT_LINE_REGEX_UNTRUSTED, multiline: true) }
 let(:expected) { [['<!-- an HTML comment -->'], ['<!-- another HTML comment -->']] }
 let(:markdown) do
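Review bot: The new context covers a project reporter on `public_project_with_private_environments` but not a project guest, which is exactly the role whose `ProjectFeature::PRIVATE` rows the same commit flips from `true` to `false` in spec/policies/project_policy_spec.rb; the finder spec should pin that a guest of that project does not receive `gprivprd` and `gprivstg`. A sibling context next to the reporter one would make the finder and the policy agree, assuming those policy rows concern reading environments (the ability under test is outside that hunk) — if guests are denied, the expected list is the same as the non-member case. The description 'returns environment names for public projects' is also reused verbatim by the group-guest example below it, which makes a failure harder to attribute. Both contexts sit inside `describe '#execute'`, which starts and ends outside this hunk.
```ruby
# … unchanged: reporter context …
context 'with a public project guest which has private environments' do
  it 'returns environment names for only public projects with public environments' do
    public_project_with_private_environments.add_guest(user)

    names = described_class.new(group, user).execute

    expect(names).to eq(%w[gprd gstg])
  end
end
```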
@@ -1158,20 +1158,20 @@ RSpec.describe Gitlab::Regex, feature_category: :tooling do
 it { is_expected.to match(%(<!-- single line comment -->)) }
 it { is_expected.not_to match(%(<!--\nblock comment\n-->)) }
 it { is_expected.not_to match(%(must start in first column <!-- comment -->)) }
- it { expect(markdown.scan(subject)).to eq expected }
+ it { expect(subject.scan(markdown)).to eq expected }
 end
 context 'HTML comment blocks' do
- subject { described_class::MARKDOWN_HTML_COMMENT_BLOCK_REGEX }
+ subject { Gitlab::UntrustedRegexp.new(described_class::MARKDOWN_HTML_COMMENT_BLOCK_REGEX_UNTRUSTED, multiline: true) }
- let(:expected) { %(<!-- the start of an HTML comment\n- [ ] list item commented out\n-->) }
+ let(:expected) { %(<!-- the start of an HTML comment\n- [ ] list item commented out\nmore text -->) }
 let(:markdown) do
 <<~MARKDOWN
 Regular text
 <!-- the start of an HTML comment
 - [ ] list item commented out
- -->
+ more text -->
 MARKDOWN
 end
diff --git a/spec/lib/gitlab/untrusted_regexp_spec.rb b/spec/lib/gitlab/untrusted_regexp_spec.rb
index 270c4beec97..66675b20107 100644
--- a/spec/lib/gitlab/untrusted_regexp_spec.rb
+++ b/spec/lib/gitlab/untrusted_regexp_spec.rb
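Review bot: Rewriting the fixture from `-->` to `more text -->` removes the only block-comment case in which the closing `-->` stands alone on its line, so the switch to `MARKDOWN_HTML_COMMENT_BLOCK_REGEX_UNTRUSTED` is never exercised against the shape the old spec pinned. If the untrusted pattern intentionally behaves differently for a bare `-->` line, add an example that states that result explicitly, e.g. `it { expect(subject.scan(%(<!-- comment\n-->))).to eq(<expected value>) }` with the value filled in from the pattern's actual behaviour; if it behaves the same, keep the original fixture as a second example rather than replacing it. The `context 'HTML comment blocks'` block continues past the end of this hunk.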
@@ -137,6 +137,38 @@ RSpec.describe Gitlab::UntrustedRegexp do
 end
 end
+ describe '#extract_named_group' do
+ let(:re) { described_class.new('(?P<name>\w+) (?P<age>\d+)|(?P<name_only>\w+)') }
+ let(:text) { 'Bob 40' }
+
+ it 'returns values for both named groups' do
+ matched = re.scan(text).first
+
+ expect(re.extract_named_group(:name, matched)).to eq 'Bob'
+ expect(re.extract_named_group(:age, matched)).to eq '40'
+ end
+
+ it 'returns nil if there was no match for group' do
+ matched = re.scan('Bob').first
+
+ expect(re.extract_named_group(:name, matched)).to be_nil
+ expect(re.extract_named_group(:age, matched)).to be_nil
+ expect(re.extract_named_group(:name_only, matched)).to eq 'Bob'
+ end
+
+ it 'returns nil if match is nil' do
+ matched = '(?P<age>\d+)'.scan(text).first
+
+ expect(re.extract_named_group(:age, matched)).to be_nil
+ end
+
+ it 'raises if name is not a capture group' do
+ matched = re.scan(text).first
+
+ expect { re.extract_named_group(:foo, matched) }.to raise_error('Invalid named capture group: foo')
+ end
+ end
+
 describe '#match' do
 context 'when there are matches' do
 it 'returns a match object' do
diff --git a/spec/models/concerns/taskable_spec.rb b/spec/models/concerns/taskable_spec.rb
index 14f346f353b..20de8995d13 100644
--- a/spec/models/concerns/taskable_spec.rb
+++ b/spec/models/concerns/taskable_spec.rb
@@ -35,11 +35,7 @@ RSpec.describe Taskable, feature_category: :team_planning do
 TaskList::Item.new('- [ ]', 'First item'),
 TaskList::Item.new('- [x]', 'Second item'),
 TaskList::Item.new('* [x]', 'First item'),
- TaskList::Item.new('* [ ]', 'Second item'),
- TaskList::Item.new('+ [ ]', 'No-break space (U+00A0)'),
- TaskList::Item.new('+ [ ]', 'Figure space (U+2007)'),
- TaskList::Item.new('+ [ ]', 'Narrow no-break space (U+202F)'),
- TaskList::Item.new('+ [ ]', 'Thin space (U+2009)')
+ TaskList::Item.new('* [ ]', 'Second item')
 ]
 end
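Review bot: In 'returns nil if match is nil', `matched = '(?P<age>\d+)'.scan(text).first` calls `String#scan` with a plain String pattern, so it searches `'Bob 40'` for the literal characters `(?P<age>\d+)` and yields `nil` only because that substring happens to be absent; the line reads as if a regexp match were being attempted and would stop producing `nil` if `text` ever changed to contain it. `matched = nil` states the precondition the example description names and cannot drift. The enclosing `RSpec.describe Gitlab::UntrustedRegexp` block starts and ends outside this hunk.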
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index b2fb310aca3..c29446c1f38 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -2016,7 +2016,7 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
 :public | ProjectFeature::ENABLED | :anonymous | true
 :public | ProjectFeature::PRIVATE | :maintainer | true
 :public | ProjectFeature::PRIVATE | :developer | true
- :public | ProjectFeature::PRIVATE | :guest | true
+ :public | ProjectFeature::PRIVATE | :guest | false
 :public | ProjectFeature::PRIVATE | :anonymous | false
 :public | ProjectFeature::DISABLED | :maintainer | false
 :public | ProjectFeature::DISABLED | :developer | false
@@ -2028,7 +2028,7 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
 :internal | ProjectFeature::ENABLED | :anonymous | false
 :internal | ProjectFeature::PRIVATE | :maintainer | true
 :internal | ProjectFeature::PRIVATE | :developer | true
- :internal | ProjectFeature::PRIVATE | :guest | true
+ :internal | ProjectFeature::PRIVATE | :guest | false
 :internal | ProjectFeature::PRIVATE | :anonymous | false
 :internal | ProjectFeature::DISABLED | :maintainer | false
 :internal | ProjectFeature::DISABLED | :developer | false
diff --git a/spec/views/explore/projects/page_out_of_bounds.html.haml_spec.rb b/spec/views/explore/projects/page_out_of_bounds.html.haml_spec.rb
new file mode 100644
index 00000000000..1ace28be5b4
--- /dev/null
+++ b/spec/views/explore/projects/page_out_of_bounds.html.haml_spec.rb
@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'explore/projects/page_out_of_bounds.html.haml', feature_category: :projects do
+ let(:page_limit) { 10 }
+ let(:unsafe_param) { 'hacked_using_unsafe_param!' }
+
+ before do
+ assign(:max_page_number, page_limit)
+
+ controller.params[:action] = 'index'
+ controller.params[:host] = unsafe_param
+ controller.params[:protocol] = unsafe_param
+ controller.params[:sort] = 'name_asc'
+ end
+
+ it 'removes unsafe params from the link' do
+ render
+
+ href = "/explore/projects?page=#{page_limit}&sort=name_asc"
+ button_text = format(_("Back to page %{number}"), number: page_limit)
+ expect(rendered).to have_link(button_text, href: href)
+ expect(rendered).not_to include(unsafe_param)
+ end
+end |
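Review bot: The spec never records why `host` and `protocol` are the two request params treated as unsafe, so a later reader cannot tell whether the list is complete or why a value in them would reach the rendered link at all. A comment above `controller.params[:host] = unsafe_param`, along the lines of `# host/protocol are URL-building options; a request-supplied value must not leak into the generated link (confirm against the view's link helper)`, would capture the intent, and the `it` description could name the regression being guarded instead of the generic 'removes unsafe params from the link'. The `href` equality already pins that only `page` and `sort` survive, so the `not_to include(unsafe_param)` assertion is a useful secondary check but the first assertion is the one doing the work; a one-line comment saying so would stop someone from "simplifying" it away.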