Diffstat (limited to 'spec/controllers')
-rw-r--r--spec/controllers/groups_controller_spec.rb22
-rw-r--r--spec/controllers/import/fogbugz_controller_spec.rb29
-rw-r--r--spec/controllers/projects/mirrors_controller_spec.rb66
-rw-r--r--spec/controllers/projects/repositories_controller_spec.rb6
4 files changed, 123 insertions, 0 deletions
diff --git a/spec/controllers/groups_controller_spec.rb b/spec/controllers/groups_controller_spec.rb
index 11c70d3aeca..22427f581d4 100644
--- a/spec/controllers/groups_controller_spec.rb
+++ b/spec/controllers/groups_controller_spec.rb
@@ -258,6 +258,18 @@ describe GroupsController do
end
end
end
+
+ context "malicious group name" do
+ subject { post :create, params: { group: { name: "<script>alert('Mayday!');</script>", path: "invalid_group_url" } } }
+
+ before do
+ sign_in(user)
+ end
+
+ it { expect { subject }.not_to change { Group.count } }
+
+ it { expect(subject).to render_template(:new) }
+ end
end
describe 'GET #index' do
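Review bot: Neither example in the "malicious group name" context checks that the rendered :new template escapes the rejected name, so the spec still passes if the form re-displays the payload unescaped; a stronger assertion is `it { subject; expect(response.body).not_to include("<script>alert('Mayday!');</script>") }`. The same gap applies to the "malicious group name" context in the second hunk of this file, where the :edit template is rendered on the update path. It is also not visible from the hunk whether the name or the `path: "invalid_group_url"` value is what makes the request invalid, so a one-line comment naming the validation that rejects it would make the intent of the `not_to change { Group.count }` expectation clear.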
@@ -836,6 +848,16 @@ describe GroupsController do
put :update, params: { id: group.to_param, group: { name: 'world' } }
end.to change { group.reload.name }
end
+
+ context "malicious group name" do
+ subject { put :update, params: { id: group.to_param, group: { name: "<script>alert('Attack!');</script>" } } }
+
+ it { is_expected.to render_template(:edit) }
+
+ it 'does not update name' do
+ expect { subject }.not_to change { group.reload.name }
+ end
+ end
end
describe 'DELETE #destroy' do
diff --git a/spec/controllers/import/fogbugz_controller_spec.rb b/spec/controllers/import/fogbugz_controller_spec.rb
index 9a647b8caae..c833fbfaea5 100644
--- a/spec/controllers/import/fogbugz_controller_spec.rb
+++ b/spec/controllers/import/fogbugz_controller_spec.rb
@@ -25,6 +25,35 @@ describe Import::FogbugzController do
expect(session[:fogbugz_uri]).to eq(uri)
expect(response).to redirect_to(new_user_map_import_fogbugz_path)
end
+
+ context 'verify url' do
+ shared_examples 'denies local request' do |reason|
+ it 'does not allow requests' do
+ post :callback, params: { uri: uri, email: 'test@example.com', password: 'mypassword' }
+
+ expect(response).to redirect_to(new_import_fogbugz_url)
+ expect(flash[:alert]).to eq("Specified URL cannot be used: \"#{reason}\"")
+ end
+ end
+
+ context 'when host is localhost' do
+ let(:uri) { 'https://localhost:3000' }
+
+ include_examples 'denies local request', 'Requests to localhost are not allowed'
+ end
+
+ context 'when host is on local network' do
+ let(:uri) { 'http://192.168.0.1/' }
+
+ include_examples 'denies local request', 'Requests to the local network are not allowed'
+ end
+
+ context 'when host is ftp protocol' do
+ let(:uri) { 'ftp://testing' }
+
+ include_examples 'denies local request', 'Only allowed schemes are http, https'
+ end
+ end
end
describe 'POST #create_user_map' do
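Review bot: The shared example is named 'denies local request' but its third use, the `ftp://testing` context, exercises the scheme allow-list rather than a local address, so the name misdescribes that expectation; `shared_examples 'denies disallowed uri' do |reason|` (updated at the three `include_examples` sites) would read accurately. The three contexts cover one IPv4 loopback host, one private range and one scheme; if the controller's URL check also rejects other local forms (IPv6 loopback, a hostname resolving to a local address), those would be worth a context each, using the message the validator actually emits rather than a guessed string. The flash text is hard-coded, which is fine for a regression test but couples the spec to the validator's wording; a comment such as `# alert text must match the URL validator's message exactly` above the shared example would tell the next maintainer why a wording change breaks it.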
diff --git a/spec/controllers/projects/mirrors_controller_spec.rb b/spec/controllers/projects/mirrors_controller_spec.rb
index 4362febda5c..3579e4aa2cf 100644
--- a/spec/controllers/projects/mirrors_controller_spec.rb
+++ b/spec/controllers/projects/mirrors_controller_spec.rb
@@ -5,6 +5,72 @@ require 'spec_helper'
describe Projects::MirrorsController do
include ReactiveCachingHelpers
+ shared_examples 'only admin is allowed when mirroring is disabled' do
+ let(:subject_action) { raise 'subject_action is required' }
+ let(:user) { project.owner }
+ let(:project_settings_path) { project_settings_repository_path(project, anchor: 'js-push-remote-settings') }
+
+ context 'when project mirroring is enabled' do
+ it 'allows requests from a maintainer' do
+ sign_in(user)
+
+ subject_action
+ expect(response).to redirect_to(project_settings_path)
+ end
+
+ it 'allows requests from an admin user' do
+ user.update!(admin: true)
+ sign_in(user)
+
+ subject_action
+ expect(response).to redirect_to(project_settings_path)
+ end
+ end
+
+ context 'when project mirroring is disabled' do
+ before do
+ stub_application_setting(mirror_available: false)
+ end
+
+ it 'disallows requests from a maintainer' do
+ sign_in(user)
+
+ subject_action
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+
+ it 'allows requests from an admin user' do
+ user.update!(admin: true)
+ sign_in(user)
+
+ subject_action
+ expect(response).to redirect_to(project_settings_path)
+ end
+ end
+ end
+
+ describe 'Access control' do
+ let(:project) { create(:project, :repository) }
+
+ describe '#update' do
+ include_examples 'only admin is allowed when mirroring is disabled' do
+ let(:subject_action) do
+ do_put(project, remote_mirrors_attributes: { '0' => { 'enabled' => 1, 'url' => 'http://foo.com' } })
+ end
+ end
+ end
+
+ describe '#update_now' do
+ include_examples 'only admin is allowed when mirroring is disabled' do
+ let(:options) { { namespace_id: project.namespace, project_id: project } }
+
+ let(:subject_action) do
+ get :update_now, params: options.merge(sync_remote: true)
+ end
+ end
+ end
+ end
+
describe 'setting up a remote mirror' do
let_it_be(:project) { create(:project, :repository) }
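Review bot: The example 'allows requests from a maintainer' signs in `project.owner`, so it exercises the owner role rather than a maintainer; either rename it to say owner or use a real maintainer, e.g. `let(:user) { create(:user).tap { |u| project.add_maintainer(u) } }`, so the access-control claim in the name is what is actually tested. The 'when project mirroring is enabled' context relies on the default application setting instead of stating it, so a `before { stub_application_setting(mirror_available: true) }` mirroring the disabled context would keep the two branches symmetric and robust to a changed default. The sentinel `let(:subject_action) { raise 'subject_action is required' }` is a good guard but deserves a one-line comment saying that each `include_examples` block must override it. `do_put` is defined outside the hunk, so whether `#update` and `#update_now` reach the same settings check cannot be confirmed from here.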
diff --git a/spec/controllers/projects/repositories_controller_spec.rb b/spec/controllers/projects/repositories_controller_spec.rb
index 2d39f0afaee..42032b4cad0 100644
--- a/spec/controllers/projects/repositories_controller_spec.rb
+++ b/spec/controllers/projects/repositories_controller_spec.rb
@@ -28,6 +28,12 @@ describe Projects::RepositoriesController do
sign_in(user)
end
+ it_behaves_like "hotlink interceptor" do
+ let(:http_request) do
+ get :archive, params: { namespace_id: project.namespace, project_id: project, id: "master" }, format: "zip"
+ end
+ end
+
it "uses Gitlab::Workhorse" do
get :archive, params: { namespace_id: project.namespace, project_id: project, id: "master" }, format: "zip"