Add latest changes from gitlab-org/security/gitlab@14-3-stable-ee

9 files changed, 190 insertions, 33 deletions

diff --git a/spec/controllers/dashboard/todos_controller_spec.rb b/spec/controllers/dashboard/todos_controller_spec.rb
index f0aa351bee0..c1ce32abb6f 100644
--- a/spec/controllers/dashboard/todos_controller_spec.rb
+++ b/spec/controllers/dashboard/todos_controller_spec.rb
@@ -65,7 +65,7 @@ RSpec.describe Dashboard::TodosController do
         project_2 = create(:project)
         project_2.add_developer(user)
         merge_request_2 = create(:merge_request, source_project: project_2)
-        create(:todo, project: project, author: author, user: user, target: merge_request_2)
+        create(:todo, project: project_2, author: author, user: user, target: merge_request_2)
 
         expect { get :index }.not_to exceed_query_limit(control)
         expect(response).to have_gitlab_http_status(:ok)
diff --git a/spec/lib/gitlab/import_export/members_mapper_spec.rb b/spec/lib/gitlab/import_export/members_mapper_spec.rb
index 847d6b5d1ed..8b9ca90a280 100644
--- a/spec/lib/gitlab/import_export/members_mapper_spec.rb
+++ b/spec/lib/gitlab/import_export/members_mapper_spec.rb
@@ -267,6 +267,66 @@ RSpec.describe Gitlab::ImportExport::MembersMapper do
       end
     end
 
+    context 'when importer is not an admin' do
+      let(:user) { create(:user) }
+      let(:group) { create(:group) }
+      let(:members_mapper) do
+        described_class.new(
+          exported_members: [], user: user, importable: importable)
+      end
+
+      shared_examples_for 'it fetches the access level from parent group' do
+        before do
+          group.add_users([user], group_access_level)
+        end
+
+        it "and resolves it correctly" do
+          members_mapper.map
+          expect(member_class.find_by_user_id(user.id).access_level).to eq(resolved_access_level)
+        end
+      end
+
+      context 'and the imported project is part of a group' do
+        let(:importable) { create(:project, namespace: group) }
+        let(:member_class) { ProjectMember }
+
+        it_behaves_like 'it fetches the access level from parent group' do
+          let(:group_access_level) { GroupMember::DEVELOPER }
+          let(:resolved_access_level) { ProjectMember::DEVELOPER }
+        end
+
+        it_behaves_like 'it fetches the access level from parent group' do
+          let(:group_access_level) { GroupMember::MAINTAINER }
+          let(:resolved_access_level) { ProjectMember::MAINTAINER }
+        end
+
+        it_behaves_like 'it fetches the access level from parent group' do
+          let(:group_access_level) { GroupMember::OWNER }
+          let(:resolved_access_level) { ProjectMember::MAINTAINER }
+        end
+      end
+
+      context 'and the imported group is part of another group' do
+        let(:importable) { create(:group, parent: group) }
+        let(:member_class) { GroupMember }
+
+        it_behaves_like 'it fetches the access level from parent group' do
+          let(:group_access_level) { GroupMember::DEVELOPER }
+          let(:resolved_access_level) { GroupMember::DEVELOPER }
+        end
+
+        it_behaves_like 'it fetches the access level from parent group' do
+          let(:group_access_level) { GroupMember::MAINTAINER }
+          let(:resolved_access_level) { GroupMember::MAINTAINER }
+        end
+
+        it_behaves_like 'it fetches the access level from parent group' do
+          let(:group_access_level) { GroupMember::OWNER }
+          let(:resolved_access_level) { GroupMember::OWNER }
+        end
+      end
+    end
+
     context 'when importable is Group' do
       include_examples 'imports exported members' do
         let(:source_type) { 'Namespace' }
diff --git a/spec/lib/gitlab/import_export/project/relation_factory_spec.rb b/spec/lib/gitlab/import_export/project/relation_factory_spec.rb
index 49df2313924..80ba50976af 100644
--- a/spec/lib/gitlab/import_export/project/relation_factory_spec.rb
+++ b/spec/lib/gitlab/import_export/project/relation_factory_spec.rb
@@ -3,7 +3,7 @@
 require 'spec_helper'
 
 RSpec.describe Gitlab::ImportExport::Project::RelationFactory, :use_clean_rails_memory_store_caching do
-  let(:group) { create(:group) }
+  let(:group) { create(:group).tap { |g| g.add_maintainer(importer_user) } }
   let(:project) { create(:project, :repository, group: group) }
   let(:members_mapper) { double('members_mapper').as_null_object }
   let(:admin) { create(:admin) }
diff --git a/spec/lib/gitlab/import_export/project/tree_restorer_spec.rb b/spec/lib/gitlab/import_export/project/tree_restorer_spec.rb
index f512f49764d..79cf20fbaca 100644
--- a/spec/lib/gitlab/import_export/project/tree_restorer_spec.rb
+++ b/spec/lib/gitlab/import_export/project/tree_restorer_spec.rb
@@ -675,6 +675,7 @@ RSpec.describe Gitlab::ImportExport::Project::TreeRestorer do
           # Project needs to be in a group for visibility level comparison
           # to happen
           group = create(:group)
+          group.add_maintainer(user)
           project.group = group
 
           project.create_import_data(data: { override_params: { visibility_level: Gitlab::VisibilityLevel::INTERNAL.to_s } })
@@ -716,13 +717,19 @@ RSpec.describe Gitlab::ImportExport::Project::TreeRestorer do
       end
 
       context 'with a project that has a group' do
+        let(:group) do
+          create(:group, visibility_level: Gitlab::VisibilityLevel::PRIVATE).tap do |g|
+            g.add_maintainer(user)
+          end
+        end
+
         let!(:project) do
           create(:project,
                  :builds_disabled,
                  :issues_disabled,
                  name: 'project',
                  path: 'project',
-                 group: create(:group, visibility_level: Gitlab::VisibilityLevel::PRIVATE))
+                 group: group)
         end
 
         before do
@@ -751,13 +758,14 @@ RSpec.describe Gitlab::ImportExport::Project::TreeRestorer do
       end
 
       context 'with existing group models' do
+        let(:group) { create(:group).tap { |g| g.add_maintainer(user) } }
         let!(:project) do
           create(:project,
                  :builds_disabled,
                  :issues_disabled,
                  name: 'project',
                  path: 'project',
-                 group: create(:group))
+                 group: group)
         end
 
         before do
@@ -786,13 +794,14 @@ RSpec.describe Gitlab::ImportExport::Project::TreeRestorer do
       end
 
       context 'with clashing milestones on IID' do
+        let(:group) { create(:group).tap { |g| g.add_maintainer(user) } }
         let!(:project) do
           create(:project,
                  :builds_disabled,
                  :issues_disabled,
                  name: 'project',
                  path: 'project',
-                 group: create(:group))
+                 group: group)
         end
 
         before do
@@ -871,7 +880,7 @@ RSpec.describe Gitlab::ImportExport::Project::TreeRestorer do
       context 'with group visibility' do
         before do
           group = create(:group, visibility_level: group_visibility)
-
+          group.add_users([user], GroupMember::MAINTAINER)
           project.update(group: group)
         end
 
diff --git a/spec/lib/gitlab/import_export/relation_tree_restorer_spec.rb b/spec/lib/gitlab/import_export/relation_tree_restorer_spec.rb
index 9325cdac9ed..92ea2740ba5 100644
--- a/spec/lib/gitlab/import_export/relation_tree_restorer_spec.rb
+++ b/spec/lib/gitlab/import_export/relation_tree_restorer_spec.rb
@@ -108,7 +108,7 @@ RSpec.describe Gitlab::ImportExport::RelationTreeRestorer do
       it_behaves_like 'import project successfully'
 
       context 'logging of relations creation' do
-        let(:group) { create(:group) }
+        let(:group) { create(:group).tap { |g| g.add_maintainer(user) } }
         let(:importable) { create(:project, :builds_enabled, :issues_disabled, name: 'project', path: 'project', group: group) }
 
         include_examples 'logging of relations creation'
@@ -145,7 +145,7 @@ RSpec.describe Gitlab::ImportExport::RelationTreeRestorer do
   context 'when restoring a group' do
     let(:path) { 'spec/fixtures/lib/gitlab/import_export/group_exports/no_children/group.json' }
     let(:group) { create(:group) }
-    let(:importable) { create(:group, parent: group) }
+    let(:importable) { create(:group, parent: group).tap { |g| g.add_owner(user) } }
     let(:importable_name) { nil }
     let(:importable_path) { nil }
     let(:object_builder) { Gitlab::ImportExport::Group::ObjectBuilder }
diff --git a/spec/lib/gitlab/slash_commands/deploy_spec.rb b/spec/lib/gitlab/slash_commands/deploy_spec.rb
index 36f47c711bc..71fca1e1fc8 100644
--- a/spec/lib/gitlab/slash_commands/deploy_spec.rb
+++ b/spec/lib/gitlab/slash_commands/deploy_spec.rb
@@ -109,6 +109,21 @@ RSpec.describe Gitlab::SlashCommands::Deploy do
           end
         end
       end
+
+      context 'with extra spaces in the deploy command' do
+        let(:regex_match) { described_class.match('deploy    staging     to    production    ') }
+
+        before do
+          create(:ci_build, :manual, pipeline: pipeline, name: 'production', environment: 'production')
+          create(:ci_build, :manual, pipeline: pipeline, name: 'not prod', environment: 'not prod')
+        end
+
+        it 'deploys to production' do
+          expect(subject[:text])
+            .to start_with('Deployment started from staging to production')
+          expect(subject[:response_type]).to be(:in_channel)
+        end
+      end
     end
   end
 
@@ -119,5 +134,49 @@ RSpec.describe Gitlab::SlashCommands::Deploy do
       expect(match[:from]).to eq('staging')
       expect(match[:to]).to eq('production')
     end
+
+    it 'matches the environment with spaces in it' do
+      match = described_class.match('deploy staging env to production env')
+
+      expect(match[:from]).to eq('staging env')
+      expect(match[:to]).to eq('production env')
+    end
+
+    it 'matches the environment name with surrounding spaces' do
+      match = described_class.match('deploy    staging    to    production    ')
+
+      # The extra spaces are stripped later in the code
+      expect(match[:from]).to eq('staging')
+      expect(match[:to]).to eq('production')
+    end
+
+    it 'returns nil for text that is not a deploy command' do
+      match = described_class.match('foo bar')
+
+      expect(match).to be_nil
+    end
+
+    it 'returns nil for a partial command' do
+      match = described_class.match('deploy staging to   ')
+
+      expect(match).to be_nil
+    end
+
+    context 'with ReDoS attempts' do
+      def duration_for(&block)
+        start = Time.zone.now
+        yield if block_given?
+        Time.zone.now - start
+      end
+
+      it 'has smaller than linear execution time growth with a malformed "to"' do
+        Timeout.timeout(3.seconds) do
+          sample1 = duration_for { described_class.match("deploy abc t" + "o" * 1000 + "X") }
+          sample2 = duration_for { described_class.match("deploy abc t" + "o" * 4000 + "X") }
+
+          expect((sample2 / sample1) < 4).to be_truthy
+        end
+      end
+    end
   end
 end
diff --git a/spec/policies/merge_request_policy_spec.rb b/spec/policies/merge_request_policy_spec.rb
index b94df4d4374..e05de25f182 100644
--- a/spec/policies/merge_request_policy_spec.rb
+++ b/spec/policies/merge_request_policy_spec.rb
@@ -5,10 +5,11 @@ require 'spec_helper'
 RSpec.describe MergeRequestPolicy do
   include ExternalAuthorizationServiceHelpers
 
-  let(:guest) { create(:user) }
-  let(:author) { create(:user) }
-  let(:developer) { create(:user) }
-  let(:non_team_member) { create(:user) }
+  let_it_be(:guest) { create(:user) }
+  let_it_be(:author) { create(:user) }
+  let_it_be(:developer) { create(:user) }
+  let_it_be(:non_team_member) { create(:user) }
+
   let(:project) { create(:project, :public) }
 
   def permissions(user, merge_request)
@@ -50,15 +51,31 @@ RSpec.describe MergeRequestPolicy do
   end
 
   context 'when merge request is public' do
-    context 'and user is anonymous' do
-      let(:merge_request) { create(:merge_request, source_project: project, target_project: project, author: author) }
+    let(:merge_request) { create(:merge_request, source_project: project, target_project: project, author: author) }
 
+    context 'and user is anonymous' do
       subject { permissions(nil, merge_request) }
 
       it do
         is_expected.to be_disallowed(:create_todo, :update_subscription)
       end
     end
+
+    describe 'the author, who became a guest' do
+      subject { permissions(author, merge_request) }
+
+      it do
+        is_expected.to be_allowed(:update_merge_request)
+      end
+
+      it do
+        is_expected.to be_allowed(:reopen_merge_request)
+      end
+
+      it do
+        is_expected.to be_allowed(:approve_merge_request)
+      end
+    end
   end
 
   context 'when merge requests have been disabled' do
@@ -107,6 +124,12 @@ RSpec.describe MergeRequestPolicy do
       it_behaves_like 'a denied user'
     end
 
+    describe 'the author' do
+      subject { author }
+
+      it_behaves_like 'a denied user'
+    end
+
     describe 'a developer' do
       subject { developer }
 
diff --git a/spec/requests/api/todos_spec.rb b/spec/requests/api/todos_spec.rb
index d31f571e636..791db117809 100644
--- a/spec/requests/api/todos_spec.rb
+++ b/spec/requests/api/todos_spec.rb
@@ -372,30 +372,36 @@ RSpec.describe API::Todos do
         expect(response).to have_gitlab_http_status(:not_found)
       end
     end
-
-    it 'returns an error if the issuable author does not have access' do
-      project_1.add_guest(issuable.author)
-
-      post api("/projects/#{project_1.id}/#{issuable_type}/#{issuable.iid}/todo", issuable.author)
-
-      expect(response).to have_gitlab_http_status(:not_found)
-    end
   end
 
   describe 'POST :id/issuable_type/:issueable_id/todo' do
     context 'for an issue' do
-      it_behaves_like 'an issuable', 'issues' do
-        let_it_be(:issuable) do
-          create(:issue, :confidential, author: author_1, project: project_1)
-        end
+      let_it_be(:issuable) do
+        create(:issue, :confidential, project: project_1)
+      end
+
+      it_behaves_like 'an issuable', 'issues'
+
+      it 'returns an error if the issue author does not have access' do
+        post api("/projects/#{project_1.id}/issues/#{issuable.iid}/todo", issuable.author)
+
+        expect(response).to have_gitlab_http_status(:not_found)
       end
     end
 
     context 'for a merge request' do
-      it_behaves_like 'an issuable', 'merge_requests' do
-        let_it_be(:issuable) do
-          create(:merge_request, :simple, source_project: project_1)
-        end
+      let_it_be(:issuable) do
+        create(:merge_request, :simple, source_project: project_1)
+      end
+
+      it_behaves_like 'an issuable', 'merge_requests'
+
+      it 'returns an error if the merge request author does not have access' do
+        project_1.add_guest(issuable.author)
+
+        post api("/projects/#{project_1.id}/merge_requests/#{issuable.iid}/todo", issuable.author)
+
+        expect(response).to have_gitlab_http_status(:forbidden)
       end
     end
   end
diff --git a/spec/support/shared_examples/requests/api/merge_requests_shared_examples.rb b/spec/support/shared_examples/requests/api/merge_requests_shared_examples.rb
index e6f9e5a434c..28813a23fed 100644
--- a/spec/support/shared_examples/requests/api/merge_requests_shared_examples.rb
+++ b/spec/support/shared_examples/requests/api/merge_requests_shared_examples.rb
@@ -14,10 +14,10 @@ RSpec.shared_examples 'rejects user from accessing merge request info' do
     project.add_guest(user)
   end
 
-  it 'returns a 404 error' do
+  it 'returns a 403 error' do
     get api(url, user)
 
-    expect(response).to have_gitlab_http_status(:not_found)
-    expect(json_response['message']).to eq('404 Merge Request Not Found')
+    expect(response).to have_gitlab_http_status(:forbidden)
+    expect(json_response['message']).to eq('403 Forbidden')
   end
 end