From 6aefeb24873b0957456ae0deacbb431fc79a6a28 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Fri, 3 Dec 2021 09:59:43 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@14-5-stable-ee
---
 spec/lib/gitlab/slash_commands/deploy_spec.rb | 59 +++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
(limited to 'spec/lib/gitlab/slash_commands')
diff --git a/spec/lib/gitlab/slash_commands/deploy_spec.rb b/spec/lib/gitlab/slash_commands/deploy_spec.rb
index 36f47c711bc..71fca1e1fc8 100644
--- a/spec/lib/gitlab/slash_commands/deploy_spec.rb
+++ b/spec/lib/gitlab/slash_commands/deploy_spec.rb
@@ -109,6 +109,21 @@ RSpec.describe Gitlab::SlashCommands::Deploy do
 end
 end
 end
+
+ context 'with extra spaces in the deploy command' do
+ let(:regex_match) { described_class.match('deploy staging to production ') }
+
+ before do
+ create(:ci_build, :manual, pipeline: pipeline, name: 'production', environment: 'production')
+ create(:ci_build, :manual, pipeline: pipeline, name: 'not prod', environment: 'not prod')
+ end
+
+ it 'deploys to production' do
+ expect(subject[:text]) .to start_with('Deployment started from staging to production')
+ expect(subject[:response_type]).to be(:in_channel)
+ end
+ end
 end
 end
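Review bot: The `'deploys to production'` example at the end of the hunk only asserts a message prefix with `start_with`, so the decoy build created as `'not prod'` in the `before` block is never checked, and a regression that played both builds, or the wrong one while still producing that text, would pass. Since the point of this context is that the trailing space in `'deploy staging to production '` must resolve to exactly the `production` environment, the spec should also pin the side effect, e.g. assert after `subject` runs that the `'not prod'` build is still in its manual state and that only one deployment was started. `subject` and `pipeline` are defined outside this hunk, so I am inferring that `subject` executes the command using `regex_match`; the enclosing `describe`/`context` blocks start before the hunk.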
@@ -119,5 +134,49 @@ RSpec.describe Gitlab::SlashCommands::Deploy do
 expect(match[:from]).to eq('staging')
 expect(match[:to]).to eq('production')
 end
+
+ it 'matches the environment with spaces in it' do
+ match = described_class.match('deploy staging env to production env')
+
+ expect(match[:from]).to eq('staging env')
+ expect(match[:to]).to eq('production env')
+ end
+
+ it 'matches the environment name with surrounding spaces' do
+ match = described_class.match('deploy staging to production ')
+
+ # The extra spaces are stripped later in the code
+ expect(match[:from]).to eq('staging')
+ expect(match[:to]).to eq('production')
+ end
+
+ it 'returns nil for text that is not a deploy command' do
+ match = described_class.match('foo bar')
+
+ expect(match).to be_nil
+ end
+
+ it 'returns nil for a partial command' do
+ match = described_class.match('deploy staging to ')
+
+ expect(match).to be_nil
+ end
+
+ context 'with ReDoS attempts' do
+ def duration_for(&block)
+ start = Time.zone.now
+ yield if block_given?
+ Time.zone.now - start
+ end
+
+ it 'has smaller than linear execution time growth with a malformed "to"' do
+ Timeout.timeout(3.seconds) do
+ sample1 = duration_for { described_class.match("deploy abc t" + "o" * 1000 + "X") }
+ sample2 = duration_for { described_class.match("deploy abc t" + "o" * 4000 + "X") }
+
+ expect((sample2 / sample1) < 4).to be_truthy
+ end
+ end
+ end
 end
 end
--
cgit v1.2.3
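Review bot: The ReDoS guard in the `'with ReDoS attempts'` context is fragile as written: `duration_for` measures with wall-clock `Time.zone.now`, and a 4× larger input is required to finish in strictly less than 4× the time, which is exactly the growth a linear-time regex exhibits, so a correct fix can fail under scheduler noise or clock adjustments while the 3-second `Timeout` is the only bound that reliably rejects a backtracking blow-up. Use a monotonic clock and a matcher that reports the measured values on failure: `start = Process.clock_gettime(Process::CLOCK_MONOTONIC)`, `Process.clock_gettime(Process::CLOCK_MONOTONIC) - start`, and `expect(sample2 / sample1).to be < 4` instead of wrapping the comparison in `be_truthy`. The description `'has smaller than linear execution time growth with a malformed "to"'` should also say what is asserted, e.g. `'does not grow super-linearly with a malformed "to"'`. The attack input only probes a long `t` + `o...o` run; since the examples above now accept spaces inside environment names, a companion case that pads the `from`/`to` names themselves would exercise the other quantifier the regex presumably has. The `describe` block these examples belong to starts before the hunk.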