Diffstat (limited to 'spec/lib/gitlab/middleware')
-rw-r--r--spec/lib/gitlab/middleware/compressed_json_spec.rb75
-rw-r--r--spec/lib/gitlab/middleware/go_spec.rb16
-rw-r--r--spec/lib/gitlab/middleware/query_analyzer_spec.rb61
3 files changed, 152 insertions, 0 deletions
diff --git a/spec/lib/gitlab/middleware/compressed_json_spec.rb b/spec/lib/gitlab/middleware/compressed_json_spec.rb
new file mode 100644
index 00000000000..c5efc568971
--- /dev/null
+++ b/spec/lib/gitlab/middleware/compressed_json_spec.rb
@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::Middleware::CompressedJson do
+ let_it_be(:decompressed_input) { '{"foo": "bar"}' }
+ let_it_be(:input) { ActiveSupport::Gzip.compress(decompressed_input) }
+
+ let(:app) { double(:app) }
+ let(:middleware) { described_class.new(app) }
+ let(:env) do
+ {
+ 'HTTP_CONTENT_ENCODING' => 'gzip',
+ 'REQUEST_METHOD' => 'POST',
+ 'CONTENT_TYPE' => 'application/json',
+ 'PATH_INFO' => path,
+ 'rack.input' => StringIO.new(input)
+ }
+ end
+
+ shared_examples 'decompress middleware' do
+ it 'replaces input with a decompressed content' do
+ expect(app).to receive(:call)
+
+ middleware.call(env)
+
+ expect(env['rack.input'].read).to eq(decompressed_input)
+ expect(env['CONTENT_LENGTH']).to eq(decompressed_input.length)
+ expect(env['HTTP_CONTENT_ENCODING']).to be_nil
+ end
+ end
+
+ describe '#call' do
+ context 'with collector route' do
+ let(:path) { '/api/v4/error_tracking/collector/1/store'}
+
+ it_behaves_like 'decompress middleware'
+ end
+
+ context 'with collector route under relative url' do
+ let(:path) { '/gitlab/api/v4/error_tracking/collector/1/store'}
+
+ before do
+ stub_config_setting(relative_url_root: '/gitlab')
+ end
+
+ it_behaves_like 'decompress middleware'
+ end
+
+ context 'with some other route' do
+ let(:path) { '/api/projects/123' }
+
+ it 'keeps the original input' do
+ expect(app).to receive(:call)
+
+ middleware.call(env)
+
+ expect(env['rack.input'].read).to eq(input)
+ expect(env['HTTP_CONTENT_ENCODING']).to eq('gzip')
+ end
+ end
+
+ context 'payload is too large' do
+ let(:body_limit) { Gitlab::Middleware::CompressedJson::MAXIMUM_BODY_SIZE }
+ let(:decompressed_input) { 'a' * (body_limit + 100) }
+ let(:input) { ActiveSupport::Gzip.compress(decompressed_input) }
+ let(:path) { '/api/v4/error_tracking/collector/1/envelope'}
+
+ it 'reads only limited size' do
+ expect(middleware.call(env))
+ .to eq([413, { 'Content-Type' => 'text/plain' }, ['Payload Too Large']])
+ end
+ end
+ end
+end
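Review bot: The 'payload is too large' example asserts only the 413 tuple; it never states that the downstream app is skipped, and it exercises a single size (`body_limit + 100`). This limit is what bounds the decompressed size of a small gzip body on the collector route, so I would add `expect(app).not_to receive(:call)` before `middleware.call(env)`. A second example with a body of exactly `body_limit` bytes would pin which side of the boundary is accepted. Separately, in the shared example `expect(env['CONTENT_LENGTH']).to eq(decompressed_input.length)` compares against a character count; `decompressed_input.bytesize` keeps the assertion correct if the fixture ever contains multi-byte characters.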
diff --git a/spec/lib/gitlab/middleware/go_spec.rb b/spec/lib/gitlab/middleware/go_spec.rb
index 0ce95fdb5af..1ef548ab29b 100644
--- a/spec/lib/gitlab/middleware/go_spec.rb
+++ b/spec/lib/gitlab/middleware/go_spec.rb
@@ -147,6 +147,22 @@ RSpec.describe Gitlab::Middleware::Go do
end
end
end
+
+ context 'when a personal access token is missing' do
+ before do
+ env['REMOTE_ADDR'] = '192.168.0.1'
+ env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials(current_user.username, 'dummy_password')
+ end
+
+ it 'returns unauthorized' do
+ expect(Gitlab::Auth).to receive(:find_for_git_client).and_raise(Gitlab::Auth::MissingPersonalAccessTokenError)
+ response = go
+
+ expect(response[0]).to eq(401)
+ expect(response[1]['Content-Length']).to be_nil
+ expect(response[2]).to eq([''])
+ end
+ end
end
end
end
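Review bot: Nothing in this context explains why a Basic-auth request carrying a password should end in `MissingPersonalAccessTokenError`, and `expect(Gitlab::Auth).to receive(:find_for_git_client)` accepts any arguments. The example would therefore still pass if the middleware handed different credentials to the auth layer. I would add a one-line comment above the context naming the scenario (presumably an account that must use a token instead of its password; confirm with the author). I would also constrain the expectation to the values set in `before`, for example `.with(current_user.username, 'dummy_password', any_args)` if that matches the method's signature. The enclosing `describe` starts outside this hunk, so `go`, `env` and `current_user` are assumed to be defined there.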
diff --git a/spec/lib/gitlab/middleware/query_analyzer_spec.rb b/spec/lib/gitlab/middleware/query_analyzer_spec.rb
new file mode 100644
index 00000000000..5ebe6a92da6
--- /dev/null
+++ b/spec/lib/gitlab/middleware/query_analyzer_spec.rb
@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::Middleware::QueryAnalyzer, query_analyzers: false do
+ describe 'the PreventCrossDatabaseModification' do
+ describe '#call' do
+ let(:app) { double(:app) }
+ let(:middleware) { described_class.new(app) }
+ let(:env) { {} }
+
+ subject { middleware.call(env) }
+
+ context 'when there is a cross modification' do
+ before do
+ allow(app).to receive(:call) do
+ Project.transaction do
+ Project.where(id: -1).update_all(id: -1)
+ ::Ci::Pipeline.where(id: -1).update_all(id: -1)
+ end
+ end
+ end
+
+ it 'detects cross modifications and tracks exception' do
+ expect(::Gitlab::ErrorTracking).to receive(:track_and_raise_for_dev_exception)
+
+ expect { subject }.not_to raise_error
+ end
+
+ context 'when the detect_cross_database_modification is disabled' do
+ before do
+ stub_feature_flags(detect_cross_database_modification: false)
+ end
+
+ it 'does not detect cross modifications' do
+ expect(::Gitlab::ErrorTracking).not_to receive(:track_and_raise_for_dev_exception)
+
+ subject
+ end
+ end
+ end
+
+ context 'when there is no cross modification' do
+ before do
+ allow(app).to receive(:call) do
+ Project.transaction do
+ Project.where(id: -1).update_all(id: -1)
+ Namespace.where(id: -1).update_all(id: -1)
+ end
+ end
+ end
+
+ it 'does not log anything' do
+ expect(::Gitlab::ErrorTracking).not_to receive(:track_and_raise_for_dev_exception)
+
+ subject
+ end
+ end
+ end
+ end
+end
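Review bot: In 'detects cross modifications and tracks exception', `track_and_raise_for_dev_exception` is replaced by a bare message expectation, so the following `expect { subject }.not_to raise_error` cannot fail because of the tracker, and any argument satisfies the expectation. The example would pass even if the middleware reported an unrelated error from the block. Constraining it, e.g. `.with(an_instance_of(CROSS_MODIFICATION_ERROR_CLASS))` with the analyzer's real error class substituted for that placeholder, would tie the test to the detection it is named after. The last example is titled 'does not log anything' but asserts on `::Gitlab::ErrorTracking`; 'does not track an exception' would match what is checked.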