authorGitLab Bot <gitlab-bot@gitlab.com>2020-05-26 16:52:02 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2020-05-26 16:52:02 +0300
commit846745cb0d327506fb313df61fc351c04134449d (patch)
treec6cd12c8bd35994c366e73fe32a4b712875063cc /spec
parentdfc92d081ea0332d69c8aca2f0e745cb48ae5e6d (diff)
Add latest changes from gitlab-org/security/gitlab@12-10-stable-ee
Diffstat (limited to 'spec')
-rw-r--r--spec/features/groups/clusters/user_spec.rb2
-rw-r--r--spec/features/projects/clusters/user_spec.rb2
-rw-r--r--spec/frontend/clusters/clusters_bundle_spec.js22
-rw-r--r--spec/frontend/fixtures/static/issue_with_mermaid_graph.html82
-rw-r--r--spec/frontend/issue_spec.js27
-rw-r--r--spec/frontend/monitoring/components/duplicate_dashboard_form_spec.js36
-rw-r--r--spec/requests/api/group_import_spec.rb33
-rw-r--r--spec/requests/api/repositories_spec.rb6
-rw-r--r--spec/services/clusters/update_service_spec.rb33
-rw-r--r--spec/support/shared_examples/uncached_response_shared_examples.rb12
10 files changed, 208 insertions, 47 deletions
diff --git a/spec/features/groups/clusters/user_spec.rb b/spec/features/groups/clusters/user_spec.rb
index e9ef66e31a2..a29afba99e4 100644
--- a/spec/features/groups/clusters/user_spec.rb
+++ b/spec/features/groups/clusters/user_spec.rb
@@ -39,7 +39,7 @@ describe 'User Cluster', :js do
expect(page.find_field('cluster[platform_kubernetes_attributes][api_url]').value)
.to have_content('http://example.com')
expect(page.find_field('cluster[platform_kubernetes_attributes][token]').value)
- .to have_content('my-token')
+ .to be_empty
end
end
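Review bot: The changed expectation `.to be_empty` only proves the token field is no longer pre-filled; it does not prove the secret is absent from the rendered page (a data attribute or inline script could still carry it). Pairing it with a negative check such as `expect(page.html).not_to include('my-token')` would make the test guard the actual exposure, not just the input value. The same assertion change appears in spec/features/projects/clusters/user_spec.rb and would benefit from the same addition. The `it` block this belongs to starts outside the hunk.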
diff --git a/spec/features/projects/clusters/user_spec.rb b/spec/features/projects/clusters/user_spec.rb
index 79676927fa2..5c82d848563 100644
--- a/spec/features/projects/clusters/user_spec.rb
+++ b/spec/features/projects/clusters/user_spec.rb
@@ -46,7 +46,7 @@ describe 'User Cluster', :js do
expect(page.find_field('cluster[platform_kubernetes_attributes][api_url]').value)
.to have_content('http://example.com')
expect(page.find_field('cluster[platform_kubernetes_attributes][token]').value)
- .to have_content('my-token')
+ .to be_empty
end
it 'user sees RBAC is enabled by default' do
diff --git a/spec/frontend/clusters/clusters_bundle_spec.js b/spec/frontend/clusters/clusters_bundle_spec.js
index d7c648bcd20..9d0ed423759 100644
--- a/spec/frontend/clusters/clusters_bundle_spec.js
+++ b/spec/frontend/clusters/clusters_bundle_spec.js
@@ -82,28 +82,6 @@ describe('Clusters', () => {
});
});
- describe('showToken', () => {
- it('should update token field type', () => {
- cluster.showTokenButton.click();
-
- expect(cluster.tokenField.getAttribute('type')).toEqual('text');
-
- cluster.showTokenButton.click();
-
- expect(cluster.tokenField.getAttribute('type')).toEqual('password');
- });
-
- it('should update show token button text', () => {
- cluster.showTokenButton.click();
-
- expect(cluster.showTokenButton.textContent).toEqual('Hide');
-
- cluster.showTokenButton.click();
-
- expect(cluster.showTokenButton.textContent).toEqual('Show');
- });
- });
-
describe('checkForNewInstalls', () => {
const INITIAL_APP_MAP = {
helm: { status: null, title: 'Helm Tiller' },
diff --git a/spec/frontend/fixtures/static/issue_with_mermaid_graph.html b/spec/frontend/fixtures/static/issue_with_mermaid_graph.html
new file mode 100644
index 00000000000..4b60842a655
--- /dev/null
+++ b/spec/frontend/fixtures/static/issue_with_mermaid_graph.html
@@ -0,0 +1,82 @@
+<div class="description" updated-at="">
+ <div class="md issue-realtime-trigger-pulse">
+ <svg
+ id="mermaid-1587752414912"
+ width="100%"
+ xmlns="http://www.w3.org/2000/svg"
+ style="max-width: 185.35000610351562px;"
+ viewBox="0 0 185.35000610351562 50.5"
+ class="mermaid"
+ >
+ <g transform="translate(0, 0)">
+ <g class="output">
+ <g class="clusters"></g>
+ <g class="edgePaths"></g>
+ <g class="edgeLabels"></g>
+ <g class="nodes">
+ <g
+ class="node js-issuable-actions btn-close clickable"
+ style="opacity: 1;"
+ id="A"
+ transform="translate(92.67500305175781,25.25)"
+ title="click to PUT"
+ >
+ <a
+ class="js-issuable-actions btn-close clickable"
+ href="https://invalid"
+ rel="noopener"
+ >
+ <rect
+ rx="0"
+ ry="0"
+ x="-84.67500305175781"
+ y="-17.25"
+ width="169.35000610351562"
+ height="34.5"
+ class="label-container"
+ ></rect>
+ <g class="label" transform="translate(0,0)">
+ <g transform="translate(-74.67500305175781,-7.25)">
+ <text style="">
+ <tspan xml:space="preserve" dy="1em" x="1">Click to send a PUT request</tspan>
+ </text>
+ </g>
+ </g>
+ </a>
+ </g>
+ </g>
+ </g>
+ </g>
+ <text class="source" display="none">
+ Click to send a PUT request
+ </text>
+ </svg>
+ </div>
+ <textarea
+ data-update-url="/h5bp/html5-boilerplate/-/issues/35.json"
+ dir="auto"
+ class="hidden js-task-list-field"
+ ></textarea>
+ <div class="modal-open recaptcha-modal js-recaptcha-modal" style="display: none;">
+ <div role="dialog" tabindex="-1" class="modal d-block">
+ <div role="document" class="modal-dialog">
+ <div class="modal-content">
+ <div class="modal-header">
+ <h4 class="modal-title float-left">Please solve the reCAPTCHA</h4>
+ <button type="button" data-dismiss="modal" aria-label="Close" class="close float-right">
+ <span aria-hidden="true">×</span>
+ </button>
+ </div>
+ <div class="modal-body">
+ <div>
+ <p>We want to be sure it is you, please confirm you are not a robot.</p>
+ <div></div>
+ </div>
+ </div>
+ <!---->
+ </div>
+ </div>
+ </div>
+ <div class="modal-backdrop fade show"></div>
+ </div>
+</div>
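Review bot: Nothing in the fixture says why the mermaid anchor carries the `js-issuable-actions btn-close clickable` classes that belong to the real close button, which is the whole point of the fixture. A comment above the anchor, e.g. `<!-- deliberately reuses the issuable action classes; the spec asserts that clicking it does not fire a PUT -->`, would keep a future cleanup from "fixing" the classes away. The reCAPTCHA modal markup below it appears unrelated to the scenario and could be trimmed or annotated likewise.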
diff --git a/spec/frontend/issue_spec.js b/spec/frontend/issue_spec.js
index 586bd7f8529..24020daf728 100644
--- a/spec/frontend/issue_spec.js
+++ b/spec/frontend/issue_spec.js
@@ -18,6 +18,7 @@ describe('Issue', () => {
preloadFixtures('issues/closed-issue.html');
preloadFixtures('issues/issue-with-task-list.html');
preloadFixtures('issues/open-issue.html');
+ preloadFixtures('static/issue_with_mermaid_graph.html');
function expectErrorMessage() {
const $flashMessage = $('div.flash-alert');
@@ -228,4 +229,30 @@ describe('Issue', () => {
});
});
});
+
+ describe('when not displaying blocked warning', () => {
+ describe('when clicking a mermaid graph inside an issue description', () => {
+ let mock;
+ let spy;
+
+ beforeEach(() => {
+ loadFixtures('static/issue_with_mermaid_graph.html');
+ mock = new MockAdapter(axios);
+ spy = jest.spyOn(axios, 'put');
+ });
+
+ afterEach(() => {
+ mock.restore();
+ jest.clearAllMocks();
+ });
+
+ it('does not make a PUT request', () => {
+ Issue.prototype.initIssueBtnEventListeners();
+
+ $('svg a.js-issuable-actions').trigger('click');
+
+ expect(spy).not.toHaveBeenCalled();
+ });
+ });
+ });
});
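Review bot: `expect(spy).not.toHaveBeenCalled()` runs synchronously right after `trigger('click')`; if the handler wired by `initIssueBtnEventListeners` defers the request behind a promise or timer, the spy is still empty at that instant and the test passes for the wrong reason. Flushing pending promises before the assertion (the project's wait-for-promises helper, or making the test `async` and awaiting a resolved promise) would make the negative check meaningful. The `MockAdapter` is created and restored but never given a route; a comment such as `// adapter without handlers: any request that slips through is rejected instead of reaching the network` would explain why it stays. The describe name 'when not displaying blocked warning' does not describe the scenario; something like 'when a mermaid graph anchor reuses the issuable action classes' would.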
diff --git a/spec/frontend/monitoring/components/duplicate_dashboard_form_spec.js b/spec/frontend/monitoring/components/duplicate_dashboard_form_spec.js
index 10fd58f749d..61d5f7a99d3 100644
--- a/spec/frontend/monitoring/components/duplicate_dashboard_form_spec.js
+++ b/spec/frontend/monitoring/components/duplicate_dashboard_form_spec.js
@@ -3,9 +3,17 @@ import DuplicateDashboardForm from '~/monitoring/components/duplicate_dashboard_
import { dashboardGitResponse } from '../mock_data';
-describe('DuplicateDashboardForm', () => {
- let wrapper;
+let wrapper;
+
+const createMountedWrapper = (props = {}) => {
+ // Use `mount` to render native input elements
+ wrapper = mount(DuplicateDashboardForm, {
+ propsData: { ...props },
+ sync: false,
+ });
+};
+describe('DuplicateDashboardForm', () => {
const defaultBranch = 'master';
const findByRef = ref => wrapper.find({ ref });
@@ -20,14 +28,7 @@ describe('DuplicateDashboardForm', () => {
};
beforeEach(() => {
- // Use `mount` to render native input elements
- wrapper = mount(DuplicateDashboardForm, {
- propsData: {
- dashboard: dashboardGitResponse[0],
- defaultBranch,
- },
- sync: false,
- });
+ createMountedWrapper({ dashboard: dashboardGitResponse[0], defaultBranch });
});
it('renders correctly', () => {
@@ -144,3 +145,18 @@ describe('DuplicateDashboardForm', () => {
});
});
});
+
+describe('DuplicateDashboardForm escapes elements', () => {
+ const branchToEscape = "<img/src='x'onerror=alert(document.domain)>";
+
+ beforeEach(() => {
+ createMountedWrapper({ dashboard: dashboardGitResponse[0], defaultBranch: branchToEscape });
+ });
+
+ it('should escape branch name data', () => {
+ const branchOptionHtml = wrapper.vm.branchOptions[0].html;
+ const escapedBranch = '&lt;img/src=&#39;x&#39;onerror=alert(document.domain)&gt';
+
+ expect(branchOptionHtml).toEqual(expect.stringContaining(escapedBranch));
+ });
+});
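Review bot: The escape test checks only that the escaped form is present via `expect.stringContaining(escapedBranch)`; it never asserts the raw payload is absent, so an implementation that rendered both would still pass. Add `expect(branchOptionHtml).not.toContain(branchToEscape);` after the existing expectation. `escapedBranch` also ends in `&gt` without the closing semicolon — `stringContaining` still matches `&gt;`, but `'&lt;img/src=&#39;x&#39;onerror=alert(document.domain)&gt;'` states the intended output exactly. With `wrapper` hoisted to module scope, the new describe shares it with the first one; the `afterEach` that destroys it is not visible in the hunk, and if it lives inside the first describe the second block's wrapper is never destroyed.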
diff --git a/spec/requests/api/group_import_spec.rb b/spec/requests/api/group_import_spec.rb
index 58bff08dcbb..b60a1b3f119 100644
--- a/spec/requests/api/group_import_spec.rb
+++ b/spec/requests/api/group_import_spec.rb
@@ -11,7 +11,7 @@ describe API::GroupImport do
let(:file) { File.join('spec', 'fixtures', 'group_export.tar.gz') }
let(:export_path) { "#{Dir.tmpdir}/group_export_spec" }
let(:workhorse_token) { JWT.encode({ 'iss' => 'gitlab-workhorse' }, Gitlab::Workhorse.secret, 'HS256') }
- let(:workhorse_header) { { 'GitLab-Workhorse' => '1.0', Gitlab::Workhorse::INTERNAL_API_REQUEST_HEADER => workhorse_token } }
+ let(:workhorse_headers) { { 'GitLab-Workhorse' => '1.0', Gitlab::Workhorse::INTERNAL_API_REQUEST_HEADER => workhorse_token } }
before do
allow_next_instance_of(Gitlab::ImportExport) do |import_export|
@@ -35,7 +35,7 @@ describe API::GroupImport do
}
end
- subject { post api('/groups/import', user), params: params, headers: workhorse_header }
+ subject { upload_archive(file_upload, workhorse_headers, params) }
shared_examples 'when all params are correct' do
context 'when user is authorized to create new group' do
@@ -151,7 +151,7 @@ describe API::GroupImport do
params[:file] = file_upload
expect do
- post api('/groups/import', user), params: params, headers: workhorse_header
+ upload_archive(file_upload, workhorse_headers, params)
end.not_to change { Group.count }.from(1)
expect(response).to have_gitlab_http_status(:bad_request)
@@ -171,7 +171,7 @@ describe API::GroupImport do
context 'without a file from workhorse' do
it 'rejects the request' do
- subject
+ upload_archive(nil, workhorse_headers, params)
expect(response).to have_gitlab_http_status(:bad_request)
end
@@ -179,7 +179,7 @@ describe API::GroupImport do
context 'without a workhorse header' do
it 'rejects request without a workhorse header' do
- post api('/groups/import', user), params: params
+ upload_archive(file_upload, {}, params)
expect(response).to have_gitlab_http_status(:forbidden)
end
@@ -189,9 +189,7 @@ describe API::GroupImport do
let(:params) do
{
path: 'test-import-group',
- name: 'test-import-group',
- 'file.path' => file_upload.path,
- 'file.name' => file_upload.original_filename
+ name: 'test-import-group'
}
end
@@ -229,9 +227,7 @@ describe API::GroupImport do
{
path: 'test-import-group',
name: 'test-import-group',
- file: fog_file,
- 'file.remote_id' => file_name,
- 'file.size' => fog_file.size
+ file: fog_file
}
end
@@ -245,10 +241,21 @@ describe API::GroupImport do
include_examples 'when some params are missing'
end
end
+
+ def upload_archive(file, headers = {}, params = {})
+ workhorse_finalize(
+ api('/groups/import', user),
+ method: :post,
+ file_key: :file,
+ params: params.merge(file: file),
+ headers: headers,
+ send_rewritten_field: true
+ )
+ end
end
describe 'POST /groups/import/authorize' do
- subject { post api('/groups/import/authorize', user), headers: workhorse_header }
+ subject { post api('/groups/import/authorize', user), headers: workhorse_headers }
it 'authorizes importing group with workhorse header' do
subject
@@ -258,7 +265,7 @@ describe API::GroupImport do
end
it 'rejects requests that bypassed gitlab-workhorse' do
- workhorse_header.delete(Gitlab::Workhorse::INTERNAL_API_REQUEST_HEADER)
+ workhorse_headers.delete(Gitlab::Workhorse::INTERNAL_API_REQUEST_HEADER)
subject
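Review bot: `def upload_archive(file, headers = {}, params = {})` gives `headers` and `params` defaults that none of the visible call sites use, and two positional hashes hide which is which at the call; drop the defaults (`def upload_archive(file, headers, params)`) or make them keyword arguments. `params.merge(file: file)` with a nil `file` (the 'without a file from workhorse' example) sends an explicit `file: nil` rather than omitting the key, which is worth a comment like `# nil models a request that reached the API without a Workhorse-rewritten upload` so the :bad_request expectation reads as intended. `send_rewritten_field: true` is a `workhorse_finalize` option defined outside this file; a one-line comment on what it simulates would help. The 'without a workhorse header' example sending `{}` and expecting :forbidden is the important bypass check and is unchanged in substance by the refactor.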
diff --git a/spec/requests/api/repositories_spec.rb b/spec/requests/api/repositories_spec.rb
index 0c66bfd6c4d..bfc782c62e5 100644
--- a/spec/requests/api/repositories_spec.rb
+++ b/spec/requests/api/repositories_spec.rb
@@ -177,6 +177,12 @@ describe API::Repositories do
expect(headers['Content-Disposition']).to eq 'inline'
end
+ it_behaves_like 'uncached response' do
+ before do
+ get api(route, current_user)
+ end
+ end
+
context 'when sha does not exist' do
it_behaves_like '404 response' do
let(:request) { get api(route.sub(sample_blob.oid, 'abcd9876'), current_user) }
diff --git a/spec/services/clusters/update_service_spec.rb b/spec/services/clusters/update_service_spec.rb
index d487edd8850..5a7726eded8 100644
--- a/spec/services/clusters/update_service_spec.rb
+++ b/spec/services/clusters/update_service_spec.rb
@@ -47,6 +47,39 @@ describe Clusters::UpdateService do
expect(cluster.platform.namespace).to eq('custom-namespace')
end
end
+
+ context 'when service token is empty' do
+ let(:params) do
+ {
+ platform_kubernetes_attributes: {
+ token: ''
+ }
+ }
+ end
+
+ it 'does not update the token' do
+ current_token = cluster.platform.token
+ is_expected.to eq(true)
+ cluster.platform.reload
+
+ expect(cluster.platform.token).to eq(current_token)
+ end
+ end
+
+ context 'when service token is not empty' do
+ let(:params) do
+ {
+ platform_kubernetes_attributes: {
+ token: 'new secret token'
+ }
+ }
+ end
+
+ it 'updates the token' do
+ is_expected.to eq(true)
+ expect(cluster.platform.token).to eq('new secret token')
+ end
+ end
end
context 'when invalid params' do
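Review bot: The 'updates the token' example asserts `cluster.platform.token` without reloading, while 'does not update the token' reloads first; if the service assigns the attribute in memory before persisting, the first assertion can pass even when the save did not happen. Add `cluster.platform.reload` before the `expect` in 'updates the token' for symmetry. The two contexts only distinguish `''` from a non-empty string; a whitespace-only token (`'   '`) and `nil` are not covered, and which of those counts as "empty" depends on whether the service uses `blank?` or `empty?` in code not shown here — one more context would pin that down. The enclosing `describe` and `subject` are outside the hunk.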
diff --git a/spec/support/shared_examples/uncached_response_shared_examples.rb b/spec/support/shared_examples/uncached_response_shared_examples.rb
new file mode 100644
index 00000000000..3997017ff35
--- /dev/null
+++ b/spec/support/shared_examples/uncached_response_shared_examples.rb
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+#
+# Pairs with lib/gitlab/no_cache_headers.rb
+#
+
+RSpec.shared_examples 'uncached response' do
+ it 'defines an uncached header response' do
+ expect(response.headers["Cache-Control"]).to include("no-store", "no-cache")
+ expect(response.headers["Pragma"]).to eq("no-cache")
+ expect(response.headers["Expires"]).to eq("Fri, 01 Jan 1990 00:00:00 GMT")
+ end
+end
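Review bot: The shared example reads `response` but nothing in it issues a request; it silently relies on the including group to do so in a `before`, which the header comment should state: `# The including group must perform the request (e.g. in a before block) so that `response` is populated.` The file uses double-quoted string literals (`"Cache-Control"`, `"no-store"`) where the other specs in this diff use single quotes; RuboCop's Style/StringLiterals will flag them. `include("no-store", "no-cache")` on the header string is a per-substring check, which is adequate for these directives but would not catch a malformed value such as a missing comma between them.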