diff options
Diffstat (limited to 'spec/lib/gitlab/utils_spec.rb')
-rw-r--r-- | spec/lib/gitlab/utils_spec.rb | 178 |
1 files changed, 3 insertions, 175 deletions
diff --git a/spec/lib/gitlab/utils_spec.rb b/spec/lib/gitlab/utils_spec.rb index 102d608072b..7b9504366ec 100644 --- a/spec/lib/gitlab/utils_spec.rb +++ b/spec/lib/gitlab/utils_spec.rb @@ -6,139 +6,9 @@ RSpec.describe Gitlab::Utils do using RSpec::Parameterized::TableSyntax delegate :to_boolean, :boolean_to_yes_no, :slugify, :which, - :ensure_array_from_string, :to_exclusive_sentence, :bytes_to_megabytes, - :append_path, :remove_leading_slashes, :check_path_traversal!, :allowlisted?, :check_allowed_absolute_path!, - :decode_path, :ms_to_round_sec, :check_allowed_absolute_path_and_path_traversal!, to: :described_class - - describe '.check_path_traversal!' do - it 'detects path traversal in string without any separators' do - expect { check_path_traversal!('.') }.to raise_error(/Invalid path/) - expect { check_path_traversal!('..') }.to raise_error(/Invalid path/) - end - - it 'detects path traversal at the start of the string' do - expect { check_path_traversal!('../foo') }.to raise_error(/Invalid path/) - expect { check_path_traversal!('..\\foo') }.to raise_error(/Invalid path/) - end - - it 'detects path traversal at the start of the string, even to just the subdirectory' do - expect { check_path_traversal!('../') }.to raise_error(/Invalid path/) - expect { check_path_traversal!('..\\') }.to raise_error(/Invalid path/) - expect { check_path_traversal!('/../') }.to raise_error(/Invalid path/) - expect { check_path_traversal!('\\..\\') }.to raise_error(/Invalid path/) - end - - it 'detects path traversal in the middle of the string' do - expect { check_path_traversal!('foo/../../bar') }.to raise_error(/Invalid path/) - expect { check_path_traversal!('foo\\..\\..\\bar') }.to raise_error(/Invalid path/) - expect { check_path_traversal!('foo/..\\bar') }.to raise_error(/Invalid path/) - expect { check_path_traversal!('foo\\../bar') }.to raise_error(/Invalid path/) - expect { check_path_traversal!('foo/..\\..\\..\\..\\../bar') }.to raise_error(/Invalid path/) - end - - it 'detects path traversal at the end of the string when slash-terminates' do - expect { check_path_traversal!('foo/../') }.to raise_error(/Invalid path/) - expect { check_path_traversal!('foo\\..\\') }.to raise_error(/Invalid path/) - end - - it 'detects path traversal at the end of the string' do - expect { check_path_traversal!('foo/..') }.to raise_error(/Invalid path/) - expect { check_path_traversal!('foo\\..') }.to raise_error(/Invalid path/) - end - - it 'does nothing for a safe string' do - expect(check_path_traversal!('./foo')).to eq('./foo') - expect(check_path_traversal!('.test/foo')).to eq('.test/foo') - expect(check_path_traversal!('..test/foo')).to eq('..test/foo') - expect(check_path_traversal!('dir/..foo.rb')).to eq('dir/..foo.rb') - expect(check_path_traversal!('dir/.foo.rb')).to eq('dir/.foo.rb') - end - - it 'logs potential path traversal attempts' do - expect(Gitlab::AppLogger).to receive(:warn).with(message: "Potential path traversal attempt detected", path: "..") - expect { check_path_traversal!('..') }.to raise_error(/Invalid path/) - end - - it 'logs does nothing for a safe string' do - expect(Gitlab::AppLogger).not_to receive(:warn).with(message: "Potential path traversal attempt detected", path: "dir/.foo.rb") - expect(check_path_traversal!('dir/.foo.rb')).to eq('dir/.foo.rb') - end - - it 'does nothing for nil' do - expect(check_path_traversal!(nil)).to be_nil - end - - it 'does nothing for safe HashedPath' do - expect(check_path_traversal!(Gitlab::HashedPath.new('tmp', root_hash: 1))).to eq '6b/86/6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b/tmp' - end - - it 'raises for unsafe HashedPath' do - expect { check_path_traversal!(Gitlab::HashedPath.new('tmp', '..', 'etc', 'passwd', root_hash: 1)) }.to raise_error(/Invalid path/) - end - - it 'raises for other non-strings' do - expect { check_path_traversal!(%w[/tmp /tmp/../etc/passwd]) }.to raise_error(/Invalid path/) - end - end - - describe '.check_allowed_absolute_path_and_path_traversal!' do - let(:allowed_paths) { %w[/home/foo ./foo .test/foo ..test/foo dir/..foo.rb dir/.foo.rb] } - - it 'detects path traversal in string without any separators' do - expect { check_allowed_absolute_path_and_path_traversal!('.', allowed_paths) }.to raise_error(/Invalid path/) - expect { check_allowed_absolute_path_and_path_traversal!('..', allowed_paths) }.to raise_error(/Invalid path/) - end - - it 'detects path traversal at the start of the string' do - expect { check_allowed_absolute_path_and_path_traversal!('../foo', allowed_paths) }.to raise_error(/Invalid path/) - expect { check_allowed_absolute_path_and_path_traversal!('..\\foo', allowed_paths) }.to raise_error(/Invalid path/) - end - - it 'detects path traversal at the start of the string, even to just the subdirectory' do - expect { check_allowed_absolute_path_and_path_traversal!('../', allowed_paths) }.to raise_error(/Invalid path/) - expect { check_allowed_absolute_path_and_path_traversal!('..\\', allowed_paths) }.to raise_error(/Invalid path/) - expect { check_allowed_absolute_path_and_path_traversal!('/../', allowed_paths) }.to raise_error(/Invalid path/) - expect { check_allowed_absolute_path_and_path_traversal!('\\..\\', allowed_paths) }.to raise_error(/Invalid path/) - end - - it 'detects path traversal in the middle of the string' do - expect { check_allowed_absolute_path_and_path_traversal!('foo/../../bar', allowed_paths) }.to raise_error(/Invalid path/) - expect { check_allowed_absolute_path_and_path_traversal!('foo\\..\\..\\bar', allowed_paths) }.to raise_error(/Invalid path/) - expect { check_allowed_absolute_path_and_path_traversal!('foo/..\\bar', allowed_paths) }.to raise_error(/Invalid path/) - expect { check_allowed_absolute_path_and_path_traversal!('foo\\../bar', allowed_paths) }.to raise_error(/Invalid path/) - expect { check_allowed_absolute_path_and_path_traversal!('foo/..\\..\\..\\..\\../bar', allowed_paths) }.to raise_error(/Invalid path/) - end - - it 'detects path traversal at the end of the string when slash-terminates' do - expect { check_allowed_absolute_path_and_path_traversal!('foo/../', allowed_paths) }.to raise_error(/Invalid path/) - expect { check_allowed_absolute_path_and_path_traversal!('foo\\..\\', allowed_paths) }.to raise_error(/Invalid path/) - end - - it 'detects path traversal at the end of the string' do - expect { check_allowed_absolute_path_and_path_traversal!('foo/..', allowed_paths) }.to raise_error(/Invalid path/) - expect { check_allowed_absolute_path_and_path_traversal!('foo\\..', allowed_paths) }.to raise_error(/Invalid path/) - end - - it 'does not return errors for a safe string' do - expect(check_allowed_absolute_path_and_path_traversal!('./foo', allowed_paths)).to be_nil - expect(check_allowed_absolute_path_and_path_traversal!('.test/foo', allowed_paths)).to be_nil - expect(check_allowed_absolute_path_and_path_traversal!('..test/foo', allowed_paths)).to be_nil - expect(check_allowed_absolute_path_and_path_traversal!('dir/..foo.rb', allowed_paths)).to be_nil - expect(check_allowed_absolute_path_and_path_traversal!('dir/.foo.rb', allowed_paths)).to be_nil - end - - it 'raises error for a non-string' do - expect { check_allowed_absolute_path_and_path_traversal!(nil, allowed_paths) }.to raise_error(StandardError) - end - - it 'raises an exception if an absolute path is not allowed' do - expect { check_allowed_absolute_path!('/etc/passwd', allowed_paths) }.to raise_error(StandardError) - end - - it 'does nothing for an allowed absolute path' do - expect(check_allowed_absolute_path!('/home/foo', allowed_paths)).to be_nil - end - end + :ensure_array_from_string, :bytes_to_megabytes, + :append_path, :remove_leading_slashes, :allowlisted?, + :decode_path, :ms_to_round_sec, to: :described_class describe '.allowlisted?' do let(:allowed_paths) { ['/home/foo', '/foo/bar', '/etc/passwd'] } @@ -152,18 +22,6 @@ RSpec.describe Gitlab::Utils do end end - describe '.check_allowed_absolute_path!' do - let(:allowed_paths) { ['/home/foo'] } - - it 'raises an exception if an absolute path is not allowed' do - expect { check_allowed_absolute_path!('/etc/passwd', allowed_paths) }.to raise_error(StandardError) - end - - it 'does nothing for an allowed absolute path' do - expect(check_allowed_absolute_path!('/home/foo', allowed_paths)).to be_nil - end - end - describe '.decode_path' do it 'returns path unencoded for singled-encoded paths' do expect(decode_path('%2Fhome%2Fbar%3Fasd%3Dqwe')).to eq('/home/bar?asd=qwe') @@ -212,36 +70,6 @@ RSpec.describe Gitlab::Utils do end end - describe '.to_exclusive_sentence' do - it 'calls #to_sentence on the array' do - array = double - - expect(array).to receive(:to_sentence) - - to_exclusive_sentence(array) - end - - it 'joins arrays with two elements correctly' do - array = %w(foo bar) - - expect(to_exclusive_sentence(array)).to eq('foo or bar') - end - - it 'joins arrays with more than two elements correctly' do - array = %w(foo bar baz) - - expect(to_exclusive_sentence(array)).to eq('foo, bar, or baz') - end - - it 'localizes the connector words' do - array = %w(foo bar baz) - - expect(described_class).to receive(:_).with(' or ').and_return(' <1> ') - expect(described_class).to receive(:_).with(', or ').and_return(', <2> ') - expect(to_exclusive_sentence(array)).to eq('foo, bar, <2> baz') - end - end - describe '.nlbr' do it 'replaces new lines with <br>' do expect(described_class.nlbr("<b>hello</b>\n<i>world</i>")).to eq("hello<br>world") |