diff options
Diffstat (limited to 'spec')
27 files changed, 817 insertions, 203 deletions
diff --git a/spec/controllers/groups_controller_spec.rb b/spec/controllers/groups_controller_spec.rb index 11c70d3aeca..22427f581d4 100644 --- a/spec/controllers/groups_controller_spec.rb +++ b/spec/controllers/groups_controller_spec.rb @@ -258,6 +258,18 @@ describe GroupsController do end end end + + context "malicious group name" do + subject { post :create, params: { group: { name: "<script>alert('Mayday!');</script>", path: "invalid_group_url" } } } + + before do + sign_in(user) + end + + it { expect { subject }.not_to change { Group.count } } + + it { expect(subject).to render_template(:new) } + end end describe 'GET #index' do @@ -836,6 +848,16 @@ describe GroupsController do put :update, params: { id: group.to_param, group: { name: 'world' } } end.to change { group.reload.name } end + + context "malicious group name" do + subject { put :update, params: { id: group.to_param, group: { name: "<script>alert('Attack!');</script>" } } } + + it { is_expected.to render_template(:edit) } + + it 'does not update name' do + expect { subject }.not_to change { group.reload.name } + end + end end describe 'DELETE #destroy' do diff --git a/spec/controllers/import/fogbugz_controller_spec.rb b/spec/controllers/import/fogbugz_controller_spec.rb index 9a647b8caae..c833fbfaea5 100644 --- a/spec/controllers/import/fogbugz_controller_spec.rb +++ b/spec/controllers/import/fogbugz_controller_spec.rb @@ -25,6 +25,35 @@ describe Import::FogbugzController do expect(session[:fogbugz_uri]).to eq(uri) expect(response).to redirect_to(new_user_map_import_fogbugz_path) end + + context 'verify url' do + shared_examples 'denies local request' do |reason| + it 'does not allow requests' do + post :callback, params: { uri: uri, email: 'test@example.com', password: 'mypassword' } + + expect(response).to redirect_to(new_import_fogbugz_url) + expect(flash[:alert]).to eq("Specified URL cannot be used: \"#{reason}\"") + end + end + + context 'when host is localhost' do + let(:uri) { 'https://localhost:3000' } + + include_examples 'denies local request', 'Requests to localhost are not allowed' + end + + context 'when host is on local network' do + let(:uri) { 'http://192.168.0.1/' } + + include_examples 'denies local request', 'Requests to the local network are not allowed' + end + + context 'when host is ftp protocol' do + let(:uri) { 'ftp://testing' } + + include_examples 'denies local request', 'Only allowed schemes are http, https' + end + end end describe 'POST #create_user_map' do diff --git a/spec/controllers/projects/mirrors_controller_spec.rb b/spec/controllers/projects/mirrors_controller_spec.rb index 4362febda5c..3579e4aa2cf 100644 --- a/spec/controllers/projects/mirrors_controller_spec.rb +++ b/spec/controllers/projects/mirrors_controller_spec.rb @@ -5,6 +5,72 @@ require 'spec_helper' describe Projects::MirrorsController do include ReactiveCachingHelpers + shared_examples 'only admin is allowed when mirroring is disabled' do + let(:subject_action) { raise 'subject_action is required' } + let(:user) { project.owner } + let(:project_settings_path) { project_settings_repository_path(project, anchor: 'js-push-remote-settings') } + + context 'when project mirroring is enabled' do + it 'allows requests from a maintainer' do + sign_in(user) + + subject_action + expect(response).to redirect_to(project_settings_path) + end + + it 'allows requests from an admin user' do + user.update!(admin: true) + sign_in(user) + + subject_action + expect(response).to redirect_to(project_settings_path) + end + end + + context 'when project mirroring is disabled' do + before do + stub_application_setting(mirror_available: false) + end + + it 'disallows requests from a maintainer' do + sign_in(user) + + subject_action + expect(response).to have_gitlab_http_status(:not_found) + end + + it 'allows requests from an admin user' do + user.update!(admin: true) + sign_in(user) + + subject_action + expect(response).to redirect_to(project_settings_path) + end + end + end + + describe 'Access control' do + let(:project) { create(:project, :repository) } + + describe '#update' do + include_examples 'only admin is allowed when mirroring is disabled' do + let(:subject_action) do + do_put(project, remote_mirrors_attributes: { '0' => { 'enabled' => 1, 'url' => 'http://foo.com' } }) + end + end + end + + describe '#update_now' do + include_examples 'only admin is allowed when mirroring is disabled' do + let(:options) { { namespace_id: project.namespace, project_id: project } } + + let(:subject_action) do + get :update_now, params: options.merge(sync_remote: true) + end + end + end + end + describe 'setting up a remote mirror' do let_it_be(:project) { create(:project, :repository) } diff --git a/spec/controllers/projects/repositories_controller_spec.rb b/spec/controllers/projects/repositories_controller_spec.rb index 2d39f0afaee..42032b4cad0 100644 --- a/spec/controllers/projects/repositories_controller_spec.rb +++ b/spec/controllers/projects/repositories_controller_spec.rb @@ -28,6 +28,12 @@ describe Projects::RepositoriesController do sign_in(user) end + it_behaves_like "hotlink interceptor" do + let(:http_request) do + get :archive, params: { namespace_id: project.namespace, project_id: project, id: "master" }, format: "zip" + end + end + it "uses Gitlab::Workhorse" do get :archive, params: { namespace_id: project.namespace, project_id: project, id: "master" }, format: "zip" diff --git a/spec/features/projects/settings/repository_settings_spec.rb b/spec/features/projects/settings/repository_settings_spec.rb index 9030cd6a648..9b956dee089 100644 --- a/spec/features/projects/settings/repository_settings_spec.rb +++ b/spec/features/projects/settings/repository_settings_spec.rb @@ -26,11 +26,7 @@ describe 'Projects > Settings > Repository settings' do let(:role) { :maintainer } context 'remote mirror settings' do - let(:user2) { create(:user) } - before do - project.add_maintainer(user2) - visit project_settings_repository_path(project) end @@ -90,6 +86,18 @@ describe 'Projects > Settings > Repository settings' do expect(page).to have_selector('[title="Copy SSH public key"]') end + context 'when project mirroring is disabled' do + before do + stub_application_setting(mirror_available: false) + visit project_settings_repository_path(project) + end + + it 'hides remote mirror settings' do + expect(page.find('.project-mirror-settings')).not_to have_selector('form') + expect(page).to have_content('Mirror settings are only available to GitLab administrators.') + end + end + def select_direction(direction = 'push') direction_select = find('#mirror_direction') @@ -154,4 +162,31 @@ describe 'Projects > Settings > Repository settings' do expect(mirror).not_to have_selector('.rspec-update-now-button') end end + + context 'for admin' do + shared_examples_for 'shows mirror settings' do + it 'shows mirror settings' do + expect(page.find('.project-mirror-settings')).to have_selector('form') + expect(page).not_to have_content('Changing mirroring setting is disabled for non-admin users.') + end + end + + before do + stub_application_setting(mirror_available: mirror_available) + user.update!(admin: true) + visit project_settings_repository_path(project) + end + + context 'when project mirroring is enabled' do + let(:mirror_available) { true } + + include_examples 'shows mirror settings' + end + + context 'when project mirroring is disabled' do + let(:mirror_available) { false } + + include_examples 'shows mirror settings' + end + end end diff --git a/spec/javascripts/frequent_items/utils_spec.js b/spec/javascripts/frequent_items/utils_spec.js index fd5bd002428..2939b46bc31 100644 --- a/spec/javascripts/frequent_items/utils_spec.js +++ b/spec/javascripts/frequent_items/utils_spec.js @@ -108,5 +108,23 @@ describe('Frequent Items utils spec', () => { expect(sanitizeItem(input)).toEqual({ name: 'test', namespace: 'test', id: 1 }); }); + + it("skips `name` key if it doesn't exist on the item", () => { + const input = { + namespace: '<br>test', + id: 1, + }; + + expect(sanitizeItem(input)).toEqual({ namespace: 'test', id: 1 }); + }); + + it("skips `namespace` key if it doesn't exist on the item", () => { + const input = { + name: '<br><b>test</b>', + id: 1, + }; + + expect(sanitizeItem(input)).toEqual({ name: 'test', id: 1 }); + }); }); }); diff --git a/spec/lib/banzai/filter/label_reference_filter_spec.rb b/spec/lib/banzai/filter/label_reference_filter_spec.rb index 5a672de13d7..de7a70db1ac 100644 --- a/spec/lib/banzai/filter/label_reference_filter_spec.rb +++ b/spec/lib/banzai/filter/label_reference_filter_spec.rb @@ -523,7 +523,12 @@ describe Banzai::Filter::LabelReferenceFilter do end context 'when group name has HTML entities' do - let(:another_group) { create(:group, name: '<img src=x onerror=alert(1)>', path: 'another_group') } + let(:another_group) { create(:group, name: 'random', path: 'another_group') } + + before do + another_group.name = "<img src=x onerror=alert(1)>" + another_group.save!(validate: false) + end it 'escapes the HTML entities' do expect(result.text) diff --git a/spec/lib/banzai/filter/reference_redactor_filter_spec.rb b/spec/lib/banzai/filter/reference_redactor_filter_spec.rb index 9739afd3d57..a68581b3000 100644 --- a/spec/lib/banzai/filter/reference_redactor_filter_spec.rb +++ b/spec/lib/banzai/filter/reference_redactor_filter_spec.rb @@ -20,8 +20,8 @@ describe Banzai::Filter::ReferenceRedactorFilter do it 'skips when the skip_redaction flag is set' do user = create(:user) project = create(:project) - link = reference_link(project: project.id, reference_type: 'test') + doc = filter(link, current_user: user, skip_redaction: true) expect(doc.css('a').length).to eq 1 @@ -51,8 +51,8 @@ describe Banzai::Filter::ReferenceRedactorFilter do user = create(:user) project = create(:project) project.add_maintainer(user) - link = reference_link(project: project.id, reference_type: 'test') + doc = filter(link, current_user: user) expect(doc.css('a').length).to eq 1 @@ -69,8 +69,8 @@ describe Banzai::Filter::ReferenceRedactorFilter do it 'removes unpermitted references' do user = create(:user) project = create(:project) - link = reference_link(project: project.id, reference_type: 'test') + doc = filter(link, current_user: user) expect(doc.css('a').length).to eq 0 @@ -90,8 +90,8 @@ describe Banzai::Filter::ReferenceRedactorFilter do non_member = create(:user) project = create(:project, :public) issue = create(:issue, :confidential, project: project) - link = reference_link(project: project.id, issue: issue.id, reference_type: 'issue') + doc = filter(link, current_user: non_member) expect(doc.css('a').length).to eq 0 @@ -124,8 +124,8 @@ describe Banzai::Filter::ReferenceRedactorFilter do assignee = create(:user) project = create(:project, :public) issue = create(:issue, :confidential, project: project, assignees: [assignee]) - link = reference_link(project: project.id, issue: issue.id, reference_type: 'issue') + doc = filter(link, current_user: assignee) expect(doc.css('a').length).to eq 1 @@ -136,8 +136,8 @@ describe Banzai::Filter::ReferenceRedactorFilter do project = create(:project, :public) project.add_developer(member) issue = create(:issue, :confidential, project: project) - link = reference_link(project: project.id, issue: issue.id, reference_type: 'issue') + doc = filter(link, current_user: member) expect(doc.css('a').length).to eq 1 @@ -147,20 +147,62 @@ describe Banzai::Filter::ReferenceRedactorFilter do admin = create(:admin) project = create(:project, :public) issue = create(:issue, :confidential, project: project) - link = reference_link(project: project.id, issue: issue.id, reference_type: 'issue') + doc = filter(link, current_user: admin) expect(doc.css('a').length).to eq 1 end + + context "when a confidential issue is moved from a public project to a private one" do + let(:public_project) { create(:project, :public) } + let(:private_project) { create(:project, :private) } + + it 'removes references for author' do + author = create(:user) + issue = create(:issue, :confidential, project: public_project, author: author) + issue.update!(project: private_project) # move issue to private project + link = reference_link(project: private_project.id, issue: issue.id, reference_type: 'issue') + + doc = filter(link, current_user: author) + + expect(doc.css('a').length).to eq 0 + end + + it 'removes references for assignee' do + assignee = create(:user) + issue = create(:issue, :confidential, project: public_project, assignees: [assignee]) + issue.update!(project: private_project) # move issue to private project + link = reference_link(project: private_project.id, issue: issue.id, reference_type: 'issue') + + doc = filter(link, current_user: assignee) + + expect(doc.css('a').length).to eq 0 + end + + it 'allows references for project members' do + member = create(:user) + project = create(:project, :public) + project_2 = create(:project, :private) + project.add_developer(member) + project_2.add_developer(member) + issue = create(:issue, :confidential, project: project) + issue.update!(project: project_2) # move issue to private project + link = reference_link(project: project_2.id, issue: issue.id, reference_type: 'issue') + + doc = filter(link, current_user: member) + + expect(doc.css('a').length).to eq 1 + end + end end it 'allows references for non confidential issues' do user = create(:user) project = create(:project, :public) issue = create(:issue, project: project) - link = reference_link(project: project.id, issue: issue.id, reference_type: 'issue') + doc = filter(link, current_user: user) expect(doc.css('a').length).to eq 1 @@ -172,8 +214,8 @@ describe Banzai::Filter::ReferenceRedactorFilter do it 'removes unpermitted Group references' do user = create(:user) group = create(:group, :private) - link = reference_link(group: group.id, reference_type: 'user') + doc = filter(link, current_user: user) expect(doc.css('a').length).to eq 0 @@ -183,8 +225,8 @@ describe Banzai::Filter::ReferenceRedactorFilter do user = create(:user) group = create(:group, :private) group.add_developer(user) - link = reference_link(group: group.id, reference_type: 'user') + doc = filter(link, current_user: user) expect(doc.css('a').length).to eq 1 @@ -200,8 +242,8 @@ describe Banzai::Filter::ReferenceRedactorFilter do context 'with data-user' do it 'allows any User reference' do user = create(:user) - link = reference_link(user: user.id, reference_type: 'user') + doc = filter(link) expect(doc.css('a').length).to eq 1 diff --git a/spec/lib/gitlab/auth_spec.rb b/spec/lib/gitlab/auth_spec.rb index e0c1f830165..528019bb9ff 100644 --- a/spec/lib/gitlab/auth_spec.rb +++ b/spec/lib/gitlab/auth_spec.rb @@ -164,6 +164,12 @@ describe Gitlab::Auth, :use_clean_rails_memory_store_caching do expect(subject).to eq(Gitlab::Auth::Result.new(build.user, build.project, :build, described_class.build_authentication_abilities)) end + + it 'fails with blocked user token' do + build.update(user: create(:user, :blocked)) + + expect(subject).to eq(Gitlab::Auth::Result.new(nil, nil, nil, nil)) + end end (HasStatus::AVAILABLE_STATUSES - ['running']).each do |build_status| @@ -259,6 +265,15 @@ describe Gitlab::Auth, :use_clean_rails_memory_store_caching do gl_auth.find_for_git_client("oauth2", token_w_api_scope.token, project: nil, ip: 'ip') end + + context 'blocked user' do + let(:user) { create(:user, :blocked) } + + it 'fails' do + expect(gl_auth.find_for_git_client("oauth2", token_w_api_scope.token, project: nil, ip: 'ip')) + .to eq(Gitlab::Auth::Result.new(nil, nil, nil, nil)) + end + end end context 'while using personal access tokens as passwords' do @@ -307,9 +322,35 @@ describe Gitlab::Auth, :use_clean_rails_memory_store_caching do it 'fails if password is nil' do expect_results_with_abilities(nil, nil, false) end + + context 'when user is blocked' do + let(:user) { create(:user, :blocked) } + let(:personal_access_token) { create(:personal_access_token, scopes: ['read_registry'], user: user) } + + before do + stub_container_registry_config(enabled: true) + end + + it 'fails if user is blocked' do + expect(gl_auth.find_for_git_client('', personal_access_token.token, project: nil, ip: 'ip')) + .to eq(Gitlab::Auth::Result.new(nil, nil, nil, nil)) + end + end end context 'while using regular user and password' do + it 'fails for a blocked user' do + user = create( + :user, + :blocked, + username: 'normal_user', + password: 'my-secret' + ) + + expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip')) + .to eq(Gitlab::Auth::Result.new(nil, nil, nil, nil)) + end + it 'goes through lfs authentication' do user = create( :user, diff --git a/spec/lib/gitlab/gfm/uploads_rewriter_spec.rb b/spec/lib/gitlab/gfm/uploads_rewriter_spec.rb index 5a930d44dcb..ebd7c7af265 100644 --- a/spec/lib/gitlab/gfm/uploads_rewriter_spec.rb +++ b/spec/lib/gitlab/gfm/uploads_rewriter_spec.rb @@ -68,6 +68,16 @@ describe Gitlab::Gfm::UploadsRewriter do expect(moved_text.scan(/\A\[.*?\]/).count).to eq(1) end + context 'path traversal in file name' do + let(:text) do + "" + end + + it 'throw an error' do + expect { rewriter.rewrite(new_project) }.to raise_error(an_instance_of(StandardError).and having_attributes(message: "Invalid path")) + end + end + context "file are stored locally" do include_examples "files are accessible" end diff --git a/spec/lib/gitlab/hotlinking_detector_spec.rb b/spec/lib/gitlab/hotlinking_detector_spec.rb new file mode 100644 index 00000000000..536d744c197 --- /dev/null +++ b/spec/lib/gitlab/hotlinking_detector_spec.rb @@ -0,0 +1,75 @@ +# frozen_string_literal: true + +require "spec_helper" + +RSpec.describe Gitlab::HotlinkingDetector do + describe ".intercept_hotlinking?" do + using RSpec::Parameterized::TableSyntax + + subject { described_class.intercept_hotlinking?(request) } + + let(:request) { double("request", headers: headers) } + let(:headers) { {} } + + context "hotlinked as media" do + where(:return_value, :accept_header) do + # These are default formats in modern browsers, and IE + false | "*/*" + false | "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" + false | "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8" + false | "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" + false | "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8" + false | "image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/msword, */*" + false | "text/html, application/xhtml+xml, image/jxr, */*" + false | "text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1" + + # These are image request formats + true | "image/webp,*/*" + true | "image/png,image/*;q=0.8,*/*;q=0.5" + true | "image/webp,image/apng,image/*,*/*;q=0.8" + true | "image/png,image/svg+xml,image/*;q=0.8, */*;q=0.5" + + # Video request formats + true | "video/webm,video/ogg,video/*;q=0.9,application/ogg;q=0.7,audio/*;q=0.6,*/*;q=0.5" + + # Audio request formats + true | "audio/webm,audio/ogg,audio/wav,audio/*;q=0.9,application/ogg;q=0.7,video/*;q=0.6,*/*;q=0.5" + + # CSS request formats + true | "text/css,*/*;q=0.1" + true | "text/css" + true | "text/css,*/*;q=0.1" + end + + with_them do + let(:headers) do + { "Accept" => accept_header } + end + + it { is_expected.to be(return_value) } + end + end + + context "hotlinked as a script" do + where(:return_value, :fetch_mode) do + # Standard navigation fetch modes + false | "navigate" + false | "nested-navigate" + false | "same-origin" + + # Fetch modes when linking as JS + true | "cors" + true | "no-cors" + true | "websocket" + end + + with_them do + let(:headers) do + { "Sec-Fetch-Mode" => fetch_mode } + end + + it { is_expected.to be(return_value) } + end + end + end +end diff --git a/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb b/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb index 12857f97f7c..65e99c0c3b8 100644 --- a/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb +++ b/spec/lib/gitlab/import_export/attribute_cleaner_spec.rb @@ -32,6 +32,9 @@ describe Gitlab::ImportExport::AttributeCleaner do 'issue_ids' => [1, 2, 3], 'merge_request_ids' => [1, 2, 3], 'note_ids' => [1, 2, 3], + 'remote_attachment_url' => 'http://something.dodgy', + 'remote_attachment_request_header' => 'bad value', + 'remote_attachment_urls' => %w(http://something.dodgy http://something.okay), 'attributes' => { 'issue_ids' => [1, 2, 3], 'merge_request_ids' => [1, 2, 3], diff --git a/spec/lib/gitlab/regex_spec.rb b/spec/lib/gitlab/regex_spec.rb index c580b46cf8d..f1b5393a2d8 100644 --- a/spec/lib/gitlab/regex_spec.rb +++ b/spec/lib/gitlab/regex_spec.rb @@ -3,9 +3,7 @@ require 'spec_helper' describe Gitlab::Regex do - describe '.project_name_regex' do - subject { described_class.project_name_regex } - + shared_examples_for 'project/group name regex' do it { is_expected.to match('gitlab-ce') } it { is_expected.to match('GitLab CE') } it { is_expected.to match('100 lines') } @@ -15,6 +13,34 @@ describe Gitlab::Regex do it { is_expected.not_to match('?gitlab') } end + shared_examples_for 'project/group name error message' do + it { is_expected.to eq("can contain only letters, digits, emojis, '_', '.', dash, space. It must start with letter, digit, emoji or '_'.") } + end + + describe '.project_name_regex' do + subject { described_class.project_name_regex } + + it_behaves_like 'project/group name regex' + end + + describe '.group_name_regex' do + subject { described_class.group_name_regex } + + it_behaves_like 'project/group name regex' + end + + describe '.project_name_regex_message' do + subject { described_class.project_name_regex_message } + + it_behaves_like 'project/group name error message' + end + + describe '.group_name_regex_message' do + subject { described_class.group_name_regex_message } + + it_behaves_like 'project/group name error message' + end + describe '.environment_name_regex' do subject { described_class.environment_name_regex } diff --git a/spec/lib/uploaded_file_spec.rb b/spec/lib/uploaded_file_spec.rb index 2bbbd67b13c..25536c07dd9 100644 --- a/spec/lib/uploaded_file_spec.rb +++ b/spec/lib/uploaded_file_spec.rb @@ -59,6 +59,16 @@ describe UploadedFile do expect(subject.sha256).to eq('sha256') expect(subject.remote_id).to eq('remote_id') end + + it 'handles a blank path' do + params['file.path'] = '' + + # Not a real file, so can't determine size itself + params['file.size'] = 1.byte + + expect { described_class.from_params(params, :file, upload_path) } + .not_to raise_error + end end end diff --git a/spec/models/group_spec.rb b/spec/models/group_spec.rb index 576ac4393ed..576ac880fca 100644 --- a/spec/models/group_spec.rb +++ b/spec/models/group_spec.rb @@ -48,6 +48,9 @@ describe Group do describe 'validations' do it { is_expected.to validate_presence_of :name } + it { is_expected.to allow_value('group test_4').for(:name) } + it { is_expected.not_to allow_value('test/../foo').for(:name) } + it { is_expected.not_to allow_value('<script>alert("Attack!")</script>').for(:name) } it { is_expected.to validate_presence_of :path } it { is_expected.not_to validate_presence_of :owner } it { is_expected.to validate_presence_of :two_factor_grace_period } diff --git a/spec/models/issue_spec.rb b/spec/models/issue_spec.rb index 66b298bb36f..67aaf92b1e5 100644 --- a/spec/models/issue_spec.rb +++ b/spec/models/issue_spec.rb @@ -532,222 +532,258 @@ describe Issue do end describe '#visible_to_user?' do + let(:project) { build(:project) } + let(:issue) { build(:issue, project: project) } + let(:user) { create(:user) } + + subject { issue.visible_to_user?(user) } + + context 'with a project' do + it 'returns false when feature is disabled' do + project.project_feature.update_attribute(:issues_access_level, ProjectFeature::DISABLED) + + is_expected.to eq(false) + end + + it 'returns false when restricted for members' do + project.project_feature.update_attribute(:issues_access_level, ProjectFeature::PRIVATE) + + is_expected.to eq(false) + end + end + context 'without a user' do - let(:issue) { build(:issue) } + let(:user) { nil } it 'returns true when the issue is publicly visible' do expect(issue).to receive(:publicly_visible?).and_return(true) - expect(issue.visible_to_user?).to eq(true) + is_expected.to eq(true) end it 'returns false when the issue is not publicly visible' do expect(issue).to receive(:publicly_visible?).and_return(false) - expect(issue.visible_to_user?).to eq(false) + is_expected.to eq(false) end end context 'with a user' do - let(:user) { create(:user) } - let(:issue) { build(:issue) } - - it 'returns true when the issue is readable' do - expect(issue).to receive(:readable_by?).with(user).and_return(true) - - expect(issue.visible_to_user?(user)).to eq(true) + shared_examples 'issue readable by user' do + it { is_expected.to eq(true) } end - it 'returns false when the issue is not readable' do - expect(issue).to receive(:readable_by?).with(user).and_return(false) - - expect(issue.visible_to_user?(user)).to eq(false) + shared_examples 'issue not readable by user' do + it { is_expected.to eq(false) } end - it 'returns false when feature is disabled' do - expect(issue).not_to receive(:readable_by?) - - issue.project.project_feature.update_attribute(:issues_access_level, ProjectFeature::DISABLED) + shared_examples 'confidential issue readable by user' do + specify do + issue.confidential = true - expect(issue.visible_to_user?(user)).to eq(false) + is_expected.to eq(true) + end end - it 'returns false when restricted for members' do - expect(issue).not_to receive(:readable_by?) - - issue.project.project_feature.update_attribute(:issues_access_level, ProjectFeature::PRIVATE) + shared_examples 'confidential issue not readable by user' do + specify do + issue.confidential = true - expect(issue.visible_to_user?(user)).to eq(false) + is_expected.to eq(false) + end end - end - - describe 'with a regular user that is not a team member' do - let(:user) { create(:user) } - context 'using a public project' do - let(:project) { create(:project, :public) } + context 'with an admin user' do + let(:user) { build(:admin) } - it 'returns true for a regular issue' do - issue = build(:issue, project: project) + it_behaves_like 'issue readable by user' + it_behaves_like 'confidential issue readable by user' + end - expect(issue.visible_to_user?(user)).to eq(true) + context 'with an owner' do + before do + project.add_maintainer(user) end - it 'returns false for a confidential issue' do - issue = build(:issue, project: project, confidential: true) + it_behaves_like 'issue readable by user' + it_behaves_like 'confidential issue readable by user' + end - expect(issue.visible_to_user?(user)).to eq(false) + context 'with a reporter user' do + before do + project.add_reporter(user) end + + it_behaves_like 'issue readable by user' + it_behaves_like 'confidential issue readable by user' end - context 'using an internal project' do - let(:project) { create(:project, :internal) } + context 'with a guest user' do + before do + project.add_guest(user) + end - context 'using an internal user' do - it 'returns true for a regular issue' do - issue = build(:issue, project: project) + it_behaves_like 'issue readable by user' + it_behaves_like 'confidential issue not readable by user' - expect(issue.visible_to_user?(user)).to eq(true) + context 'when user is an assignee' do + before do + issue.update!(assignees: [user]) end - it 'returns false for a confidential issue' do - issue = build(:issue, :confidential, project: project) - - expect(issue.visible_to_user?(user)).to eq(false) - end + it_behaves_like 'issue readable by user' + it_behaves_like 'confidential issue readable by user' end - context 'using an external user' do + context 'when user is the author' do before do - allow(user).to receive(:external?).and_return(true) - end - - it 'returns false for a regular issue' do - issue = build(:issue, project: project) - - expect(issue.visible_to_user?(user)).to eq(false) + issue.update!(author: user) end - it 'returns false for a confidential issue' do - issue = build(:issue, :confidential, project: project) - - expect(issue.visible_to_user?(user)).to eq(false) - end + it_behaves_like 'issue readable by user' + it_behaves_like 'confidential issue readable by user' end end - context 'using a private project' do - let(:project) { create(:project, :private) } - - it 'returns false for a regular issue' do - issue = build(:issue, project: project) + context 'with a user that is not a member' do + context 'using a public project' do + let(:project) { build(:project, :public) } - expect(issue.visible_to_user?(user)).to eq(false) + it_behaves_like 'issue readable by user' + it_behaves_like 'confidential issue not readable by user' end - it 'returns false for a confidential issue' do - issue = build(:issue, :confidential, project: project) + context 'using an internal project' do + let(:project) { build(:project, :internal) } - expect(issue.visible_to_user?(user)).to eq(false) - end + context 'using an internal user' do + before do + allow(user).to receive(:external?).and_return(false) + end - context 'when the user is the project owner' do - before do - project.add_maintainer(user) + it_behaves_like 'issue readable by user' + it_behaves_like 'confidential issue not readable by user' end - it 'returns true for a regular issue' do - issue = build(:issue, project: project) + context 'using an external user' do + before do + allow(user).to receive(:external?).and_return(true) + end - expect(issue.visible_to_user?(user)).to eq(true) + it_behaves_like 'issue not readable by user' + it_behaves_like 'confidential issue not readable by user' end + end - it 'returns true for a confidential issue' do - issue = build(:issue, :confidential, project: project) - - expect(issue.visible_to_user?(user)).to eq(true) + context 'using an external user' do + before do + allow(user).to receive(:external?).and_return(true) end + + it_behaves_like 'issue not readable by user' + it_behaves_like 'confidential issue not readable by user' end end - end - - context 'with a regular user that is a team member' do - let(:user) { create(:user) } - let(:project) { create(:project, :public) } - context 'using a public project' do + context 'with an external authentication service' do before do - project.add_developer(user) + enable_external_authorization_service_check end - it 'returns true for a regular issue' do - issue = build(:issue, project: project) + it 'is `false` when an external authorization service is enabled' do + issue = build(:issue, project: build(:project, :public)) - expect(issue.visible_to_user?(user)).to eq(true) + expect(issue).not_to be_visible_to_user end - it 'returns true for a confidential issue' do - issue = build(:issue, :confidential, project: project) - - expect(issue.visible_to_user?(user)).to eq(true) - end - end - - context 'using an internal project' do - let(:project) { create(:project, :internal) } + it 'checks the external service to determine if an issue is readable by a user' do + project = build(:project, :public, + external_authorization_classification_label: 'a-label') + issue = build(:issue, project: project) + user = build(:user) - before do - project.add_developer(user) + expect(::Gitlab::ExternalAuthorization).to receive(:access_allowed?).with(user, 'a-label') { false } + expect(issue.visible_to_user?(user)).to be_falsy end - it 'returns true for a regular issue' do + it 'does not check the external service if a user does not have access to the project' do + project = build(:project, :private, + external_authorization_classification_label: 'a-label') issue = build(:issue, project: project) + user = build(:user) - expect(issue.visible_to_user?(user)).to eq(true) + expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?) + expect(issue.visible_to_user?(user)).to be_falsy end - it 'returns true for a confidential issue' do - issue = build(:issue, :confidential, project: project) + it 'does not check the external webservice for admins' do + issue = build(:issue) + user = build(:admin) - expect(issue.visible_to_user?(user)).to eq(true) + expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?) + + issue.visible_to_user?(user) end end - context 'using a private project' do - let(:project) { create(:project, :private) } + context 'when issue is moved to a private project' do + let(:private_project) { build(:project, :private)} before do - project.add_developer(user) + issue.update(project: private_project) # move issue to private project end - it 'returns true for a regular issue' do - issue = build(:issue, project: project) + shared_examples 'issue visible if user has guest access' do + context 'when user is not a member' do + it_behaves_like 'issue not readable by user' + it_behaves_like 'confidential issue not readable by user' + end - expect(issue.visible_to_user?(user)).to eq(true) + context 'when user is a guest' do + before do + private_project.add_guest(user) + end + + it_behaves_like 'issue readable by user' + it_behaves_like 'confidential issue readable by user' + end end - it 'returns true for a confidential issue' do - issue = build(:issue, :confidential, project: project) + context 'when user is the author of the original issue' do + before do + issue.update!(author: user) + end - expect(issue.visible_to_user?(user)).to eq(true) + it_behaves_like 'issue visible if user has guest access' end - end - end - context 'with an admin user' do - let(:project) { create(:project) } - let(:user) { create(:admin) } + context 'when user is an assignee in the original issue' do + before do + issue.update!(assignees: [user]) + end - it 'returns true for a regular issue' do - issue = build(:issue, project: project) + it_behaves_like 'issue visible if user has guest access' + end - expect(issue.visible_to_user?(user)).to eq(true) - end + context 'when user is not the author or an assignee in original issue' do + context 'when user is a guest' do + before do + private_project.add_guest(user) + end - it 'returns true for a confidential issue' do - issue = build(:issue, :confidential, project: project) + it_behaves_like 'issue readable by user' + it_behaves_like 'confidential issue not readable by user' + end - expect(issue.visible_to_user?(user)).to eq(true) + context 'when user is a reporter' do + before do + private_project.add_reporter(user) + end + + it_behaves_like 'issue readable by user' + it_behaves_like 'confidential issue readable by user' + end + end end end end @@ -871,49 +907,6 @@ describe Issue do subject { create(:issue, updated_at: 1.hour.ago) } end - context 'when an external authentication service' do - before do - enable_external_authorization_service_check - end - - describe '#visible_to_user?' do - it 'is `false` when an external authorization service is enabled' do - issue = build(:issue, project: build(:project, :public)) - - expect(issue).not_to be_visible_to_user - end - - it 'checks the external service to determine if an issue is readable by a user' do - project = build(:project, :public, - external_authorization_classification_label: 'a-label') - issue = build(:issue, project: project) - user = build(:user) - - expect(::Gitlab::ExternalAuthorization).to receive(:access_allowed?).with(user, 'a-label') { false } - expect(issue.visible_to_user?(user)).to be_falsy - end - - it 'does not check the external service if a user does not have access to the project' do - project = build(:project, :private, - external_authorization_classification_label: 'a-label') - issue = build(:issue, project: project) - user = build(:user) - - expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?) - expect(issue.visible_to_user?(user)).to be_falsy - end - - it 'does not check the external webservice for admins' do - issue = build(:issue) - user = build(:admin) - - expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?) - - issue.visible_to_user?(user) - end - end - end - describe "#labels_hook_attrs" do let(:label) { create(:label) } let(:issue) { create(:labeled_issue, labels: [label]) } diff --git a/spec/policies/issue_policy_spec.rb b/spec/policies/issue_policy_spec.rb index 89fcf3c10df..242a002bc23 100644 --- a/spec/policies/issue_policy_spec.rb +++ b/spec/policies/issue_policy_spec.rb @@ -103,12 +103,24 @@ describe IssuePolicy do expect(permissions(author, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue) end + it 'does not allow issue author to read or update confidential issue moved to an private project' do + confidential_issue.project = build(:project, :private) + + expect(permissions(author, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue) + end + it 'allows issue assignees to read and update their confidential issues' do expect(permissions(assignee, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue) expect(permissions(assignee, confidential_issue)).to be_disallowed(:admin_issue) expect(permissions(assignee, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue) end + + it 'does not allow issue assignees to read or update confidential issue moved to an private project' do + confidential_issue.project = build(:project, :private) + + expect(permissions(assignee, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue) + end end end diff --git a/spec/requests/api/groups_spec.rb b/spec/requests/api/groups_spec.rb index 54bb2e670da..3888eb979b6 100644 --- a/spec/requests/api/groups_spec.rb +++ b/spec/requests/api/groups_spec.rb @@ -620,6 +620,20 @@ describe API::Groups do expect(json_response['default_branch_protection']).to eq(::Gitlab::Access::MAINTAINER_PROJECT_ACCESS) end + context 'malicious group name' do + subject { put api("/groups/#{group1.id}", user1), params: { name: "<SCRIPT>alert('DOUBLE-ATTACK!')</SCRIPT>" } } + + it 'returns bad request' do + subject + + expect(response).to have_gitlab_http_status(:bad_request) + end + + it 'does not update group name' do + expect { subject }.not_to change { group1.reload.name } + end + end + it 'returns 404 for a non existing group' do put api('/groups/1328', user1), params: { name: new_group_name } @@ -1061,6 +1075,20 @@ describe API::Groups do expect(json_response["parent_id"]).to eq(parent.id) end + context 'malicious group name' do + subject { post api("/groups", user3), params: group_params } + + let(:group_params) { attributes_for_group_api name: "<SCRIPT>alert('ATTACKED!')</SCRIPT>", path: "unique-url" } + + it 'returns bad request' do + subject + + expect(response).to have_gitlab_http_status(:bad_request) + end + + it { expect { subject }.not_to change { Group.count } } + end + it "does not create group, duplicate" do post api("/groups", user3), params: { name: 'Duplicate Test', path: group2.path } diff --git a/spec/requests/api/project_snippets_spec.rb b/spec/requests/api/project_snippets_spec.rb index e018a4643db..e52eb6e1309 100644 --- a/spec/requests/api/project_snippets_spec.rb +++ b/spec/requests/api/project_snippets_spec.rb @@ -152,6 +152,30 @@ describe API::ProjectSnippets do end end + context 'with an external user' do + let(:user) { create(:user, :external) } + + context 'that belongs to the project' do + before do + project.add_developer(user) + end + + it 'creates a new snippet' do + post api("/projects/#{project.id}/snippets/", user), params: params + + expect(response).to have_gitlab_http_status(:created) + end + end + + context 'that does not belong to the project' do + it 'does not create a new snippet' do + post api("/projects/#{project.id}/snippets/", user), params: params + + expect(response).to have_gitlab_http_status(:forbidden) + end + end + end + context 'with a regular user' do let(:user) { create(:user) } diff --git a/spec/requests/api/repositories_spec.rb b/spec/requests/api/repositories_spec.rb index 97dc3899d3f..b503c923037 100644 --- a/spec/requests/api/repositories_spec.rb +++ b/spec/requests/api/repositories_spec.rb @@ -275,6 +275,18 @@ describe API::Repositories do expect(response).to have_gitlab_http_status(:too_many_requests) end + + context "when hotlinking detection is enabled" do + before do + Feature.enable(:repository_archive_hotlinking_interception) + end + + it_behaves_like "hotlink interceptor" do + let(:http_request) do + get api(route, current_user), headers: headers + end + end + end end context 'when unauthenticated', 'and project is public' do diff --git a/spec/requests/api/snippets_spec.rb b/spec/requests/api/snippets_spec.rb index 627611c10ce..2690d4a4a8b 100644 --- a/spec/requests/api/snippets_spec.rb +++ b/spec/requests/api/snippets_spec.rb @@ -254,6 +254,16 @@ describe API::Snippets do it_behaves_like 'snippet creation' + context 'with an external user' do + let(:user) { create(:user, :external) } + + it 'does not create a new snippet' do + post api("/snippets/", user), params: params + + expect(response).to have_gitlab_http_status(:forbidden) + end + end + it 'returns 400 for missing parameters' do params.delete(:title) diff --git a/spec/requests/api/triggers_spec.rb b/spec/requests/api/triggers_spec.rb index bcc1c6bc4d4..19b01cb7913 100644 --- a/spec/requests/api/triggers_spec.rb +++ b/spec/requests/api/triggers_spec.rb @@ -238,24 +238,44 @@ describe API::Triggers do end describe 'PUT /projects/:id/triggers/:trigger_id' do - context 'authenticated user with valid permissions' do - let(:new_description) { 'new description' } + context 'user is maintainer of the project' do + context 'the trigger belongs to user' do + let(:new_description) { 'new description' } - it 'updates description' do - put api("/projects/#{project.id}/triggers/#{trigger.id}", user), - params: { description: new_description } + it 'updates description' do + put api("/projects/#{project.id}/triggers/#{trigger.id}", user), + params: { description: new_description } - expect(response).to have_gitlab_http_status(:ok) - expect(json_response).to include('description' => new_description) - expect(trigger.reload.description).to eq(new_description) + expect(response).to have_gitlab_http_status(:ok) + expect(json_response).to include('description' => new_description) + expect(trigger.reload.description).to eq(new_description) + end + end + + context 'the trigger does not belong to user' do + it 'does not update trigger' do + put api("/projects/#{project.id}/triggers/#{trigger2.id}", user) + + expect(response).to have_gitlab_http_status(:forbidden) + end end end - context 'authenticated user with invalid permissions' do - it 'does not update trigger' do - put api("/projects/#{project.id}/triggers/#{trigger.id}", user2) + context 'user is developer of the project' do + context 'the trigger belongs to user' do + it 'does not update trigger' do + put api("/projects/#{project.id}/triggers/#{trigger2.id}", user2) - expect(response).to have_gitlab_http_status(:forbidden) + expect(response).to have_gitlab_http_status(:forbidden) + end + end + + context 'the trigger does not belong to user' do + it 'does not update trigger' do + put api("/projects/#{project.id}/triggers/#{trigger.id}", user2) + + expect(response).to have_gitlab_http_status(:forbidden) + end end end diff --git a/spec/requests/jwt_controller_spec.rb b/spec/requests/jwt_controller_spec.rb index 754ab3e6a45..73dc9d8c63e 100644 --- a/spec/requests/jwt_controller_spec.rb +++ b/spec/requests/jwt_controller_spec.rb @@ -25,6 +25,17 @@ describe JwtController do end context 'when using authenticated request' do + shared_examples 'rejecting a blocked user' do + context 'with blocked user' do + let(:user) { create(:user, :blocked) } + + it 'rejects the request as unauthorized' do + expect(response).to have_gitlab_http_status(:unauthorized) + expect(response.body).to include('HTTP Basic: Access denied') + end + end + end + context 'using CI token' do let(:build) { create(:ci_build, :running) } let(:project) { build.project } @@ -61,6 +72,8 @@ describe JwtController do expect(response).to have_gitlab_http_status(:ok) expect(service_class).to have_received(:new).with(nil, user, ActionController::Parameters.new(parameters).permit!) end + + it_behaves_like 'rejecting a blocked user' end end @@ -72,6 +85,8 @@ describe JwtController do it { expect(service_class).to have_received(:new).with(nil, user, ActionController::Parameters.new(parameters).permit!) } + it_behaves_like 'rejecting a blocked user' + context 'when passing a flat array of scopes' do # We use this trick to make rails to generate a query_string: # scope=scope1&scope=scope2 diff --git a/spec/serializers/merge_request_poll_widget_entity_spec.rb b/spec/serializers/merge_request_poll_widget_entity_spec.rb index 0593dd527cc..29d35fdc811 100644 --- a/spec/serializers/merge_request_poll_widget_entity_spec.rb +++ b/spec/serializers/merge_request_poll_widget_entity_spec.rb @@ -138,7 +138,7 @@ describe MergeRequestPollWidgetEntity do end describe 'pipeline' do - let(:pipeline) { create(:ci_empty_pipeline, project: project, ref: resource.source_branch, sha: resource.source_branch_sha, head_pipeline_of: resource) } + let!(:pipeline) { create(:ci_empty_pipeline, project: project, ref: resource.source_branch, sha: resource.source_branch_sha, head_pipeline_of: resource) } before do allow_any_instance_of(MergeRequestPresenter).to receive(:can?).and_call_original @@ -158,6 +158,10 @@ describe MergeRequestPollWidgetEntity do expect(subject[:pipeline]).to eq(pipeline_payload) end + + it 'returns ci_status' do + expect(subject[:ci_status]).to eq('pending') + end end context 'when is not up to date' do @@ -171,10 +175,15 @@ describe MergeRequestPollWidgetEntity do context 'when user does not have access to pipelines' do let(:result) { false } + let(:req) { double('request', current_user: user, project: project) } it 'does not have pipeline' do expect(subject[:pipeline]).to eq(nil) end + + it 'does not return ci_status' do + expect(subject[:ci_status]).to eq(nil) + end end end end diff --git a/spec/support/helpers/workhorse_helpers.rb b/spec/support/helpers/workhorse_helpers.rb index 27d5083728d..de232da3c8c 100644 --- a/spec/support/helpers/workhorse_helpers.rb +++ b/spec/support/helpers/workhorse_helpers.rb @@ -76,7 +76,7 @@ module WorkhorseHelpers "#{key}.size" => file.size }.tap do |params| params["#{key}.path"] = file.path if file.path - params["#{key}.remote_id"] = file.remote_id if file.respond_to?(:remote_id) && file.remote_id + params["#{key}.remote_id"] = file.remote_id if file.respond_to?(:remote_id) && file.remote_id.present? end end diff --git a/spec/support/shared_examples/controllers/hotlink_interceptor_shared_examples.rb b/spec/support/shared_examples/controllers/hotlink_interceptor_shared_examples.rb new file mode 100644 index 00000000000..93a394387a3 --- /dev/null +++ b/spec/support/shared_examples/controllers/hotlink_interceptor_shared_examples.rb @@ -0,0 +1,87 @@ +# frozen_string_literal: true + +RSpec.shared_examples "hotlink interceptor" do + let(:http_request) { nil } + let(:headers) { nil } + + describe "DDOS prevention" do + using RSpec::Parameterized::TableSyntax + + context "hotlinked as media" do + where(:response_status, :accept_header) do + # These are default formats in modern browsers, and IE + :ok | "*/*" + :ok | "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" + :ok | "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8" + :ok | "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" + :ok | "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8" + :ok | "image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/msword, */*" + :ok | "text/html, application/xhtml+xml, image/jxr, */*" + :ok | "text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1" + + # These are image request formats + :not_acceptable | "image/webp,*/*" + :not_acceptable | "image/png,image/*;q=0.8,*/*;q=0.5" + :not_acceptable | "image/webp,image/apng,image/*,*/*;q=0.8" + :not_acceptable | "image/png,image/svg+xml,image/*;q=0.8, */*;q=0.5" + + # Video request formats + :not_acceptable | "video/webm,video/ogg,video/*;q=0.9,application/ogg;q=0.7,audio/*;q=0.6,*/*;q=0.5" + + # Audio request formats + :not_acceptable | "audio/webm,audio/ogg,audio/wav,audio/*;q=0.9,application/ogg;q=0.7,video/*;q=0.6,*/*;q=0.5" + + # CSS request formats + :not_acceptable | "text/css,*/*;q=0.1" + :not_acceptable | "text/css" + :not_acceptable | "text/css,*/*;q=0.1" + end + + with_them do + let(:headers) do + { "Accept" => accept_header } + end + + before do + request.headers.merge!(headers) if request.present? + end + + it "renders the response" do + http_request + + expect(response).to have_gitlab_http_status(response_status) + end + end + end + + context "hotlinked as a script" do + where(:response_status, :fetch_mode) do + # Standard navigation fetch modes + :ok | "navigate" + :ok | "nested-navigate" + :ok | "same-origin" + + # Fetch modes when linking as JS + :not_acceptable | "cors" + :not_acceptable | "no-cors" + :not_acceptable | "websocket" + end + + with_them do + let(:headers) do + { "Sec-Fetch-Mode" => fetch_mode } + end + + before do + request.headers.merge!(headers) if request.present? + end + + it "renders the response" do + http_request + + expect(response).to have_gitlab_http_status(response_status) + end + end + end + end +end diff --git a/spec/uploaders/object_storage_spec.rb b/spec/uploaders/object_storage_spec.rb index 06116bd4737..e844b0ad799 100644 --- a/spec/uploaders/object_storage_spec.rb +++ b/spec/uploaders/object_storage_spec.rb @@ -714,6 +714,19 @@ describe ObjectStorage do end end + context 'when empty remote_id is specified' do + let(:uploaded_file) do + UploadedFile.new(temp_file.path, remote_id: '') + end + + it 'uses local storage' do + subject + + expect(uploader).to be_file_storage + expect(uploader.object_store).to eq(described_class::Store::LOCAL) + end + end + context 'when valid file is specified' do let(:uploaded_file) do UploadedFile.new(temp_file.path, filename: "my_file.txt", remote_id: "test/123123") |