diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-09-28 01:26:40 +0300 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-09-28 01:26:58 +0300 |
| commit | 5b91f2a1e51c291fb84ea60766791684fa982f22 (patch) | |
| tree | 5eea88eb04d1ddd52210bfd08167e6a8d7206362 /spec | |
| parent | f0f3848e7a0b458c35a1adf3cb1cca29a205a60e (diff) | |
Add latest changes from gitlab-org/security/gitlab@16-4-stable-ee
Diffstat (limited to 'spec')
| -rw-r--r-- | spec/controllers/projects/error_tracking/projects_controller_spec.rb | 2 | ||||
| -rw-r--r-- | spec/features/markdown/math_spec.rb | 104 | ||||
| -rw-r--r-- | spec/helpers/merge_requests_helper_spec.rb | 39 | ||||
| -rw-r--r-- | spec/lib/banzai/filter/asset_proxy_filter_spec.rb | 27 | ||||
| -rw-r--r-- | spec/models/project_spec.rb | 60 | ||||
| -rw-r--r-- | spec/requests/api/commits_spec.rb | 56 | ||||
| -rw-r--r-- | spec/requests/api/projects_spec.rb | 20 | ||||
| -rw-r--r-- | spec/services/error_tracking/list_projects_service_spec.rb | 12 |
8 files changed, 274 insertions, 46 deletions
diff --git a/spec/controllers/projects/error_tracking/projects_controller_spec.rb b/spec/controllers/projects/error_tracking/projects_controller_spec.rb index 7529c701b2b..63346faccbf 100644 --- a/spec/controllers/projects/error_tracking/projects_controller_spec.rb +++ b/spec/controllers/projects/error_tracking/projects_controller_spec.rb @@ -19,7 +19,7 @@ RSpec.describe Projects::ErrorTracking::ProjectsController do let(:user) { create(:user) } it 'returns 404' do - project.add_guest(user) + project.add_developer(user) get :index, params: list_projects_params diff --git a/spec/features/markdown/math_spec.rb b/spec/features/markdown/math_spec.rb index 25459494a0c..0bc8f2146e9 100644 --- a/spec/features/markdown/math_spec.rb +++ b/spec/features/markdown/math_spec.rb @@ -24,9 +24,7 @@ RSpec.describe 'Math rendering', :js, feature_category: :team_planning do ``` MATH - issue = create(:issue, project: project, description: description) - - visit project_issue_path(project, issue) + create_and_visit_issue_with_description(description) expect(page).to have_selector('.katex .mord.mathnormal', text: 'b') expect(page).to have_selector('.katex-display .mord.mathnormal', text: 'b') @@ -40,9 +38,7 @@ RSpec.describe 'Math rendering', :js, feature_category: :team_planning do This link is valid $`\\href{https://gitlab.com}{Gitlab}`$. MATH - issue = create(:issue, project: project, description: description) - - visit project_issue_path(project, issue) + create_and_visit_issue_with_description(description) page.within '.description > .md' do # unfortunately there is no class selector for KaTeX's "unsupported command" @@ -59,9 +55,7 @@ RSpec.describe 'Math rendering', :js, feature_category: :team_planning do ``` MATH - issue = create(:issue, project: project, description: description) - - visit project_issue_path(project, issue) + create_and_visit_issue_with_description(description) page.within '.description > .md' do expect(page).to have_selector('.js-lazy-render-math-container', text: /math block exceeds 1000 characters/) @@ -75,11 +69,7 @@ RSpec.describe 'Math rendering', :js, feature_category: :team_planning do ``` MATH - issue = create(:issue, project: project, description: description) - - visit project_issue_path(project, issue) - - wait_for_requests + create_and_visit_issue_with_description(description) page.within '.description > .md' do expect(page).not_to have_selector('.katex-error') @@ -93,11 +83,7 @@ RSpec.describe 'Math rendering', :js, feature_category: :team_planning do ``` MATH - issue = create(:issue, project: project, description: description) - - visit project_issue_path(project, issue) - - wait_for_requests + create_and_visit_issue_with_description(description) page.within '.description > .md' do click_button 'Display anyway' @@ -113,11 +99,7 @@ RSpec.describe 'Math rendering', :js, feature_category: :team_planning do ``` MATH - issue = create(:issue, project: project, description: description) - - visit project_issue_path(project, issue) - - wait_for_requests + create_and_visit_issue_with_description(description) page.within '.description > .md' do expect(page).to have_selector('.katex-error', @@ -132,11 +114,7 @@ RSpec.describe 'Math rendering', :js, feature_category: :team_planning do ``` MATH - issue = create(:issue, project: project, description: description) - - visit project_issue_path(project, issue) - - wait_for_requests + create_and_visit_issue_with_description(description) page.within '.description > .md' do expect(page).to have_selector('.katex-error', text: /&lt;script&gt;/) @@ -162,4 +140,72 @@ RSpec.describe 'Math rendering', :js, feature_category: :team_planning do expect(page).not_to have_selector('.js-lazy-render-math') end end + + it 'uses math-content-display for display math', :js do + description = <<~MATH + ```math + 1 + 2 + ``` + MATH + + create_and_visit_issue_with_description(description) + + page.within '.description > .md' do + expect(page).to have_selector('.math-content-display') + end + end + + it 'uses math-content-inline for inline math', :js do + description = 'one $`1 + 2`$ two' + + create_and_visit_issue_with_description(description) + + page.within '.description > .md' do + expect(page).to have_selector('.math-content-inline') + end + end + + context 'when math tries to cover other elements on the page' do + it 'prevents hijacking for display math', :js do + description = <<~MATH + [test link](#) + + ```math + \\hskip{-200pt}\\href{https://example.com}{\\smash{\\raisebox{20em}{$\\smash{\\raisebox{20em}{$\\phantom{\\underset{\\underset{\\underset{\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}}{\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}}}{\\underset{\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}}{\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}}}}{\\underset{\\underset{\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}}{\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}}}{}}}$}}$}}} + ``` + MATH + + issue = create_and_visit_issue_with_description(description) + + page.within '.description > .md' do + click_link 'test link' + + expect(page).to have_current_path(project_issue_path(project, issue)) + end + end + + it 'prevents hijacking for inline math', :js do + description = <<~MATH + [test link](#) $`\\hskip{-200pt}\\href{https://example.com}{\\smash{\\raisebox{20em}{$\\smash{\\raisebox{20em}{$\\phantom{\\underset{\\underset{\\underset{\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}}{\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}}}{\\underset{\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}}{\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}}}}{\\underset{\\underset{\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}}{\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}\\rule{20em}{20em}}}{}}}$}}$}}}`$ + MATH + + issue = create_and_visit_issue_with_description(description) + + page.within '.description > .md' do + click_link 'test link' + + expect(page).to have_current_path(project_issue_path(project, issue)) + end + end + end + + def create_and_visit_issue_with_description(description) + issue = create(:issue, project: project, description: description) + + visit project_issue_path(project, issue) + + wait_for_requests + + issue + end end diff --git a/spec/helpers/merge_requests_helper_spec.rb b/spec/helpers/merge_requests_helper_spec.rb index b6c8653a563..3614cbe5011 100644 --- a/spec/helpers/merge_requests_helper_spec.rb +++ b/spec/helpers/merge_requests_helper_spec.rb @@ -234,4 +234,43 @@ RSpec.describe MergeRequestsHelper, feature_category: :code_review_workflow do it { expect(tab_count_display(merge_request, '10')).to eq('10') } end end + + describe '#allow_collaboration_unavailable_reason' do + subject { allow_collaboration_unavailable_reason(merge_request) } + + let(:merge_request) do + create(:merge_request, author: author, source_project: project, source_branch: generate(:branch)) + end + + let_it_be(:public_project) { create(:project, :small_repo, :public) } + let(:project) { public_project } + let(:forked_project) { fork_project(project) } + let(:author) { project.creator } + + context 'when the merge request allows collaboration for the user' do + before do + allow(merge_request).to receive(:can_allow_collaboration?).with(current_user).and_return(true) + end + + it { is_expected.to be_nil } + end + + context 'when the project is private' do + let(:project) { create(:project, :empty_repo, :private) } + + it { is_expected.to eq(_('Not available for private projects')) } + end + + context 'when the source branch is protected' do + let!(:protected_branch) { create(:protected_branch, project: project, name: merge_request.source_branch) } + + it { is_expected.to eq(_('Not available for protected branches')) } + end + + context 'when the merge request author cannot push to the source project' do + let(:author) { create(:user) } + + it { is_expected.to eq(_('Merge request author cannot push to target project')) } + end + end end diff --git a/spec/lib/banzai/filter/asset_proxy_filter_spec.rb b/spec/lib/banzai/filter/asset_proxy_filter_spec.rb index dc6ac52a8c2..7a34bf13c8f 100644 --- a/spec/lib/banzai/filter/asset_proxy_filter_spec.rb +++ b/spec/lib/banzai/filter/asset_proxy_filter_spec.rb @@ -89,6 +89,33 @@ RSpec.describe Banzai::Filter::AssetProxyFilter, feature_category: :team_plannin expect(doc.at_css('img')['data-canonical-src']).to eq src end + it 'replaces by default, even strings that do not look like URLs' do + src = 'oigjsie8787%$**(#(%0' + new_src = 'https://assets.example.com/1b893f9a71d66c99437f27e19b9a061a6f5d9391/6f69676a7369653837383725242a2a2823282530' + doc = filter(image(src), @context) + + expect(doc.at_css('img')['src']).to eq new_src + expect(doc.at_css('img')['data-canonical-src']).to eq src + end + + it 'replaces URL with non-ASCII characters' do + src = 'https://example.com/x?¬' + new_src = 'https://assets.example.com/2f29a8c7f13f3ae14dc18c154dbbd657d703e75f/68747470733a2f2f6578616d706c652e636f6d2f783fc2ac' + doc = filter(image(src), @context) + + expect(doc.at_css('img')['src']).to eq new_src + expect(doc.at_css('img')['data-canonical-src']).to eq src + end + + it 'replaces out-of-spec URL that would still be rendered in the browser' do + src = 'https://example.com/##' + new_src = 'https://assets.example.com/d7d0c845cc553d9430804c07e9456545ef3e6fe6/68747470733a2f2f6578616d706c652e636f6d2f2323' + doc = filter(image(src), @context) + + expect(doc.at_css('img')['src']).to eq new_src + expect(doc.at_css('img')['data-canonical-src']).to eq src + end + it 'skips internal images' do src = "#{Gitlab.config.gitlab.url}/test.png" doc = filter(image(src), @context) diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb index aedfc7fca53..46bf80b1e8f 100644 --- a/spec/models/project_spec.rb +++ b/spec/models/project_spec.rb @@ -6438,6 +6438,8 @@ RSpec.describe Project, factory_default: :keep, feature_category: :groups_and_pr let!(:merge_request) do create( :merge_request, + author: author, + state_id: state_id, target_project: target_project, target_branch: 'target-branch', source_project: project, @@ -6446,6 +6448,9 @@ RSpec.describe Project, factory_default: :keep, feature_category: :groups_and_pr ) end + let(:author) { project.creator } + let(:state_id) { MergeRequest.available_states[:opened] } + before do target_project.add_developer(user) end @@ -6455,10 +6460,12 @@ RSpec.describe Project, factory_default: :keep, feature_category: :groups_and_pr expect(project.merge_requests_allowing_push_to_user(user)).to include(merge_request) end - it 'does not include closed merge requests' do - merge_request.close + context 'when the merge requests are closed' do + let(:state_id) { MergeRequest.available_states[:closed] } - expect(project.merge_requests_allowing_push_to_user(user)).to be_empty + it 'does not include closed merge requests' do + expect(project.merge_requests_allowing_push_to_user(user)).to be_empty + end end it 'does not include merge requests for guest users' do @@ -6480,16 +6487,38 @@ RSpec.describe Project, factory_default: :keep, feature_category: :groups_and_pr end describe '#any_branch_allows_collaboration?' do - it 'allows access when there are merge requests open allowing collaboration', :sidekiq_might_not_need_inline do - expect(project.any_branch_allows_collaboration?(user)) - .to be_truthy - end + context 'when there is an open merge request allowing collaboration' do + it 'allows access', :sidekiq_might_not_need_inline do + expect(project.any_branch_allows_collaboration?(user)) + .to be_truthy + end + + context 'when the merge request author is not allowed to push_code' do + let(:author) { create(:user) } - it 'does not allow access when there are no merge requests open allowing collaboration' do - merge_request.close! + it 'returns false' do + expect(project.any_branch_allows_collaboration?(user)) + .to be_falsey + end + end - expect(project.any_branch_allows_collaboration?(user)) - .to be_falsey + context 'when the merge request is closed' do + let(:state_id) { MergeRequest.available_states[:closed] } + + it 'returns false' do + expect(project.any_branch_allows_collaboration?(user)) + .to be_falsey + end + end + + context 'when the merge request is merged' do + let(:state_id) { MergeRequest.available_states[:merged] } + + it 'returns false' do + expect(project.any_branch_allows_collaboration?(user)) + .to be_falsey + end + end end end @@ -6537,6 +6566,15 @@ RSpec.describe Project, factory_default: :keep, feature_category: :groups_and_pr .not_to exceed_query_limit(control).with_threshold(2) end end + + context 'when the merge request author is not allowed to push_code' do + let(:author) { create(:user) } + + it 'returns false' do + expect(project.branch_allows_collaboration?(user, 'awesome-feature-1')) + .to be_falsey + end + end end end diff --git a/spec/requests/api/commits_spec.rb b/spec/requests/api/commits_spec.rb index 8b9ac7cd588..90595c2d7f9 100644 --- a/spec/requests/api/commits_spec.rb +++ b/spec/requests/api/commits_spec.rb @@ -774,6 +774,62 @@ RSpec.describe API::Commits, feature_category: :source_code_management do end end + context 'when project repository access becomes restricted after being forked' do + let!(:fork_owner) { create(:user) } + let!(:forked_project) { fork_project(public_project, fork_owner, namespace: fork_owner.namespace, repository: true) } + let(:url) { "/projects/#{forked_project.id}/repository/commits" } + + before do + # Restrict repository visibility of the public project + public_project.merge_requests_access_level = 'private' + public_project.builds_access_level = 'private' + public_project.repository_access_level = 'private' + public_project.save! + + valid_c_params[:start_branch] = 'master' + valid_c_params[:branch] = 'patch' + valid_c_params[:start_project] = public_project.id + end + + after do + # Reopen repository visibility of the public project + public_project.merge_requests_access_level = 'enabled' + public_project.repository_access_level = 'enabled' + public_project.builds_access_level = 'enabled' + public_project.save! + end + + it 'returns a 403' do + post api(url, fork_owner), params: valid_c_params + + expect(response).to have_gitlab_http_status(:forbidden) + end + end + + context 'when fork owner has no more access to a private repository' do + let_it_be(:private_project) { create(:project, :private, :repository) } + let_it_be(:fork_owner) { create(:user) } + let_it_be(:fork_owner_membership) { private_project.add_developer(fork_owner) } + let_it_be(:forked_project) { fork_project(private_project, fork_owner, namespace: fork_owner.namespace, repository: true) } + let(:url) { "/projects/#{forked_project.id}/repository/commits" } + + before do + # Restrict user from repository + Members::DestroyService.new(private_project.owner).execute(fork_owner_membership) + Sidekiq::Worker.drain_all + + valid_c_params[:start_branch] = 'master' + valid_c_params[:branch] = 'patch' + valid_c_params[:start_project] = private_project.id + end + + it 'returns a 402' do + post api(url, fork_owner), params: valid_c_params + + expect(response).to have_gitlab_http_status(:not_found) + end + end + context 'when the target project is not part of the fork network of start_project' do let(:unrelated_project) { create(:project, :public, :repository, creator: guest) } let(:url) { "/projects/#{unrelated_project.id}/repository/commits" } diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb index e3e8df79a1d..12898060e22 100644 --- a/spec/requests/api/projects_spec.rb +++ b/spec/requests/api/projects_spec.rb @@ -3292,6 +3292,10 @@ RSpec.describe API::Projects, :aggregate_failures, feature_category: :groups_and let(:failed_status_code) { :not_found } end + it 'refreshes the forks count cache' do + expect(project_fork_source.forks_count).to be_zero + end + context 'user is a developer' do before do project_fork_target.add_developer(user) @@ -3304,15 +3308,23 @@ RSpec.describe API::Projects, :aggregate_failures, feature_category: :groups_and end end - it 'refreshes the forks count cache' do - expect(project_fork_source.forks_count).to be_zero - end - context 'user is maintainer' do before do project_fork_target.add_maintainer(user) end + it 'denies project to be forked from an existing project' do + post api(path, user) + + expect(response).to have_gitlab_http_status(:forbidden) + end + end + + context 'user is owner' do + before do + project_fork_target.add_owner(user) + end + context 'and user is a reporter of target group' do let_it_be_with_reload(:target_group) { create(:group, project_creation_level: ::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS) } let_it_be_with_reload(:project_fork_target) { create(:project, namespace: target_group) } diff --git a/spec/services/error_tracking/list_projects_service_spec.rb b/spec/services/error_tracking/list_projects_service_spec.rb index d91808edc8d..53dbbfd8c71 100644 --- a/spec/services/error_tracking/list_projects_service_spec.rb +++ b/spec/services/error_tracking/list_projects_service_spec.rb @@ -19,7 +19,7 @@ RSpec.describe ErrorTracking::ListProjectsService, feature_category: :integratio subject { described_class.new(project, user, params) } before do - project.add_reporter(user) + project.add_maintainer(user) end describe '#execute' do @@ -137,6 +137,16 @@ RSpec.describe ErrorTracking::ListProjectsService, feature_category: :integratio end end + context 'with user with insufficient permissions' do + before do + project.add_developer(user) + end + + it 'returns error' do + expect(result).to include(status: :error, message: 'Access denied', http_status: :unauthorized) + end + end + context 'with error tracking disabled' do before do expect(project).to receive(:error_tracking_setting).at_least(:once) |