diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-12-03 13:00:41 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-12-03 13:01:04 +0300 |
commit | f6e02a44a16ed3f4580b2040d319624e2e9407dd (patch) | |
tree | 8d9890507f39d7cac958ff9b29837fe060ca43c1 /spec | |
parent | e60147031aac9ad17e291043c19037525979eecf (diff) |
Add latest changes from gitlab-org/security/gitlab@14-3-stable-ee
Diffstat (limited to 'spec')
9 files changed, 190 insertions, 33 deletions
diff --git a/spec/controllers/dashboard/todos_controller_spec.rb b/spec/controllers/dashboard/todos_controller_spec.rb index f0aa351bee0..c1ce32abb6f 100644 --- a/spec/controllers/dashboard/todos_controller_spec.rb +++ b/spec/controllers/dashboard/todos_controller_spec.rb @@ -65,7 +65,7 @@ RSpec.describe Dashboard::TodosController do project_2 = create(:project) project_2.add_developer(user) merge_request_2 = create(:merge_request, source_project: project_2) - create(:todo, project: project, author: author, user: user, target: merge_request_2) + create(:todo, project: project_2, author: author, user: user, target: merge_request_2) expect { get :index }.not_to exceed_query_limit(control) expect(response).to have_gitlab_http_status(:ok) diff --git a/spec/lib/gitlab/import_export/members_mapper_spec.rb b/spec/lib/gitlab/import_export/members_mapper_spec.rb index 847d6b5d1ed..8b9ca90a280 100644 --- a/spec/lib/gitlab/import_export/members_mapper_spec.rb +++ b/spec/lib/gitlab/import_export/members_mapper_spec.rb @@ -267,6 +267,66 @@ RSpec.describe Gitlab::ImportExport::MembersMapper do end end + context 'when importer is not an admin' do + let(:user) { create(:user) } + let(:group) { create(:group) } + let(:members_mapper) do + described_class.new( + exported_members: [], user: user, importable: importable) + end + + shared_examples_for 'it fetches the access level from parent group' do + before do + group.add_users([user], group_access_level) + end + + it "and resolves it correctly" do + members_mapper.map + expect(member_class.find_by_user_id(user.id).access_level).to eq(resolved_access_level) + end + end + + context 'and the imported project is part of a group' do + let(:importable) { create(:project, namespace: group) } + let(:member_class) { ProjectMember } + + it_behaves_like 'it fetches the access level from parent group' do + let(:group_access_level) { GroupMember::DEVELOPER } + let(:resolved_access_level) { ProjectMember::DEVELOPER } + end + + it_behaves_like 'it fetches the access level from parent group' do + let(:group_access_level) { GroupMember::MAINTAINER } + let(:resolved_access_level) { ProjectMember::MAINTAINER } + end + + it_behaves_like 'it fetches the access level from parent group' do + let(:group_access_level) { GroupMember::OWNER } + let(:resolved_access_level) { ProjectMember::MAINTAINER } + end + end + + context 'and the imported group is part of another group' do + let(:importable) { create(:group, parent: group) } + let(:member_class) { GroupMember } + + it_behaves_like 'it fetches the access level from parent group' do + let(:group_access_level) { GroupMember::DEVELOPER } + let(:resolved_access_level) { GroupMember::DEVELOPER } + end + + it_behaves_like 'it fetches the access level from parent group' do + let(:group_access_level) { GroupMember::MAINTAINER } + let(:resolved_access_level) { GroupMember::MAINTAINER } + end + + it_behaves_like 'it fetches the access level from parent group' do + let(:group_access_level) { GroupMember::OWNER } + let(:resolved_access_level) { GroupMember::OWNER } + end + end + end + context 'when importable is Group' do include_examples 'imports exported members' do let(:source_type) { 'Namespace' } diff --git a/spec/lib/gitlab/import_export/project/relation_factory_spec.rb b/spec/lib/gitlab/import_export/project/relation_factory_spec.rb index 49df2313924..80ba50976af 100644 --- a/spec/lib/gitlab/import_export/project/relation_factory_spec.rb +++ b/spec/lib/gitlab/import_export/project/relation_factory_spec.rb @@ -3,7 +3,7 @@ require 'spec_helper' RSpec.describe Gitlab::ImportExport::Project::RelationFactory, :use_clean_rails_memory_store_caching do - let(:group) { create(:group) } + let(:group) { create(:group).tap { |g| g.add_maintainer(importer_user) } } let(:project) { create(:project, :repository, group: group) } let(:members_mapper) { double('members_mapper').as_null_object } let(:admin) { create(:admin) } diff --git a/spec/lib/gitlab/import_export/project/tree_restorer_spec.rb b/spec/lib/gitlab/import_export/project/tree_restorer_spec.rb index f512f49764d..79cf20fbaca 100644 --- a/spec/lib/gitlab/import_export/project/tree_restorer_spec.rb +++ b/spec/lib/gitlab/import_export/project/tree_restorer_spec.rb @@ -675,6 +675,7 @@ RSpec.describe Gitlab::ImportExport::Project::TreeRestorer do # Project needs to be in a group for visibility level comparison # to happen group = create(:group) + group.add_maintainer(user) project.group = group project.create_import_data(data: { override_params: { visibility_level: Gitlab::VisibilityLevel::INTERNAL.to_s } }) @@ -716,13 +717,19 @@ RSpec.describe Gitlab::ImportExport::Project::TreeRestorer do end context 'with a project that has a group' do + let(:group) do + create(:group, visibility_level: Gitlab::VisibilityLevel::PRIVATE).tap do |g| + g.add_maintainer(user) + end + end + let!(:project) do create(:project, :builds_disabled, :issues_disabled, name: 'project', path: 'project', - group: create(:group, visibility_level: Gitlab::VisibilityLevel::PRIVATE)) + group: group) end before do @@ -751,13 +758,14 @@ RSpec.describe Gitlab::ImportExport::Project::TreeRestorer do end context 'with existing group models' do + let(:group) { create(:group).tap { |g| g.add_maintainer(user) } } let!(:project) do create(:project, :builds_disabled, :issues_disabled, name: 'project', path: 'project', - group: create(:group)) + group: group) end before do @@ -786,13 +794,14 @@ RSpec.describe Gitlab::ImportExport::Project::TreeRestorer do end context 'with clashing milestones on IID' do + let(:group) { create(:group).tap { |g| g.add_maintainer(user) } } let!(:project) do create(:project, :builds_disabled, :issues_disabled, name: 'project', path: 'project', - group: create(:group)) + group: group) end before do @@ -871,7 +880,7 @@ RSpec.describe Gitlab::ImportExport::Project::TreeRestorer do context 'with group visibility' do before do group = create(:group, visibility_level: group_visibility) - + group.add_users([user], GroupMember::MAINTAINER) project.update(group: group) end diff --git a/spec/lib/gitlab/import_export/relation_tree_restorer_spec.rb b/spec/lib/gitlab/import_export/relation_tree_restorer_spec.rb index 9325cdac9ed..92ea2740ba5 100644 --- a/spec/lib/gitlab/import_export/relation_tree_restorer_spec.rb +++ b/spec/lib/gitlab/import_export/relation_tree_restorer_spec.rb @@ -108,7 +108,7 @@ RSpec.describe Gitlab::ImportExport::RelationTreeRestorer do it_behaves_like 'import project successfully' context 'logging of relations creation' do - let(:group) { create(:group) } + let(:group) { create(:group).tap { |g| g.add_maintainer(user) } } let(:importable) { create(:project, :builds_enabled, :issues_disabled, name: 'project', path: 'project', group: group) } include_examples 'logging of relations creation' @@ -145,7 +145,7 @@ RSpec.describe Gitlab::ImportExport::RelationTreeRestorer do context 'when restoring a group' do let(:path) { 'spec/fixtures/lib/gitlab/import_export/group_exports/no_children/group.json' } let(:group) { create(:group) } - let(:importable) { create(:group, parent: group) } + let(:importable) { create(:group, parent: group).tap { |g| g.add_owner(user) } } let(:importable_name) { nil } let(:importable_path) { nil } let(:object_builder) { Gitlab::ImportExport::Group::ObjectBuilder } diff --git a/spec/lib/gitlab/slash_commands/deploy_spec.rb b/spec/lib/gitlab/slash_commands/deploy_spec.rb index 36f47c711bc..71fca1e1fc8 100644 --- a/spec/lib/gitlab/slash_commands/deploy_spec.rb +++ b/spec/lib/gitlab/slash_commands/deploy_spec.rb @@ -109,6 +109,21 @@ RSpec.describe Gitlab::SlashCommands::Deploy do end end end + + context 'with extra spaces in the deploy command' do + let(:regex_match) { described_class.match('deploy staging to production ') } + + before do + create(:ci_build, :manual, pipeline: pipeline, name: 'production', environment: 'production') + create(:ci_build, :manual, pipeline: pipeline, name: 'not prod', environment: 'not prod') + end + + it 'deploys to production' do + expect(subject[:text]) + .to start_with('Deployment started from staging to production') + expect(subject[:response_type]).to be(:in_channel) + end + end end end @@ -119,5 +134,49 @@ RSpec.describe Gitlab::SlashCommands::Deploy do expect(match[:from]).to eq('staging') expect(match[:to]).to eq('production') end + + it 'matches the environment with spaces in it' do + match = described_class.match('deploy staging env to production env') + + expect(match[:from]).to eq('staging env') + expect(match[:to]).to eq('production env') + end + + it 'matches the environment name with surrounding spaces' do + match = described_class.match('deploy staging to production ') + + # The extra spaces are stripped later in the code + expect(match[:from]).to eq('staging') + expect(match[:to]).to eq('production') + end + + it 'returns nil for text that is not a deploy command' do + match = described_class.match('foo bar') + + expect(match).to be_nil + end + + it 'returns nil for a partial command' do + match = described_class.match('deploy staging to ') + + expect(match).to be_nil + end + + context 'with ReDoS attempts' do + def duration_for(&block) + start = Time.zone.now + yield if block_given? + Time.zone.now - start + end + + it 'has smaller than linear execution time growth with a malformed "to"' do + Timeout.timeout(3.seconds) do + sample1 = duration_for { described_class.match("deploy abc t" + "o" * 1000 + "X") } + sample2 = duration_for { described_class.match("deploy abc t" + "o" * 4000 + "X") } + + expect((sample2 / sample1) < 4).to be_truthy + end + end + end end end diff --git a/spec/policies/merge_request_policy_spec.rb b/spec/policies/merge_request_policy_spec.rb index b94df4d4374..e05de25f182 100644 --- a/spec/policies/merge_request_policy_spec.rb +++ b/spec/policies/merge_request_policy_spec.rb @@ -5,10 +5,11 @@ require 'spec_helper' RSpec.describe MergeRequestPolicy do include ExternalAuthorizationServiceHelpers - let(:guest) { create(:user) } - let(:author) { create(:user) } - let(:developer) { create(:user) } - let(:non_team_member) { create(:user) } + let_it_be(:guest) { create(:user) } + let_it_be(:author) { create(:user) } + let_it_be(:developer) { create(:user) } + let_it_be(:non_team_member) { create(:user) } + let(:project) { create(:project, :public) } def permissions(user, merge_request) @@ -50,15 +51,31 @@ RSpec.describe MergeRequestPolicy do end context 'when merge request is public' do - context 'and user is anonymous' do - let(:merge_request) { create(:merge_request, source_project: project, target_project: project, author: author) } + let(:merge_request) { create(:merge_request, source_project: project, target_project: project, author: author) } + context 'and user is anonymous' do subject { permissions(nil, merge_request) } it do is_expected.to be_disallowed(:create_todo, :update_subscription) end end + + describe 'the author, who became a guest' do + subject { permissions(author, merge_request) } + + it do + is_expected.to be_allowed(:update_merge_request) + end + + it do + is_expected.to be_allowed(:reopen_merge_request) + end + + it do + is_expected.to be_allowed(:approve_merge_request) + end + end end context 'when merge requests have been disabled' do @@ -107,6 +124,12 @@ RSpec.describe MergeRequestPolicy do it_behaves_like 'a denied user' end + describe 'the author' do + subject { author } + + it_behaves_like 'a denied user' + end + describe 'a developer' do subject { developer } diff --git a/spec/requests/api/todos_spec.rb b/spec/requests/api/todos_spec.rb index d31f571e636..791db117809 100644 --- a/spec/requests/api/todos_spec.rb +++ b/spec/requests/api/todos_spec.rb @@ -372,30 +372,36 @@ RSpec.describe API::Todos do expect(response).to have_gitlab_http_status(:not_found) end end - - it 'returns an error if the issuable author does not have access' do - project_1.add_guest(issuable.author) - - post api("/projects/#{project_1.id}/#{issuable_type}/#{issuable.iid}/todo", issuable.author) - - expect(response).to have_gitlab_http_status(:not_found) - end end describe 'POST :id/issuable_type/:issueable_id/todo' do context 'for an issue' do - it_behaves_like 'an issuable', 'issues' do - let_it_be(:issuable) do - create(:issue, :confidential, author: author_1, project: project_1) - end + let_it_be(:issuable) do + create(:issue, :confidential, project: project_1) + end + + it_behaves_like 'an issuable', 'issues' + + it 'returns an error if the issue author does not have access' do + post api("/projects/#{project_1.id}/issues/#{issuable.iid}/todo", issuable.author) + + expect(response).to have_gitlab_http_status(:not_found) end end context 'for a merge request' do - it_behaves_like 'an issuable', 'merge_requests' do - let_it_be(:issuable) do - create(:merge_request, :simple, source_project: project_1) - end + let_it_be(:issuable) do + create(:merge_request, :simple, source_project: project_1) + end + + it_behaves_like 'an issuable', 'merge_requests' + + it 'returns an error if the merge request author does not have access' do + project_1.add_guest(issuable.author) + + post api("/projects/#{project_1.id}/merge_requests/#{issuable.iid}/todo", issuable.author) + + expect(response).to have_gitlab_http_status(:forbidden) end end end diff --git a/spec/support/shared_examples/requests/api/merge_requests_shared_examples.rb b/spec/support/shared_examples/requests/api/merge_requests_shared_examples.rb index e6f9e5a434c..28813a23fed 100644 --- a/spec/support/shared_examples/requests/api/merge_requests_shared_examples.rb +++ b/spec/support/shared_examples/requests/api/merge_requests_shared_examples.rb @@ -14,10 +14,10 @@ RSpec.shared_examples 'rejects user from accessing merge request info' do project.add_guest(user) end - it 'returns a 404 error' do + it 'returns a 403 error' do get api(url, user) - expect(response).to have_gitlab_http_status(:not_found) - expect(json_response['message']).to eq('404 Merge Request Not Found') + expect(response).to have_gitlab_http_status(:forbidden) + expect(json_response['message']).to eq('403 Forbidden') end end |