From c1c828ac7f7b3c2e51d81921bbef9d474cd4d0a4 Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Wed, 27 Oct 2021 12:41:41 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@14-4-stable-ee

---
 spec/lib/gitlab/unicode_spec.rb               | 33 +++++++++++++++++++++++++++
 spec/lib/rouge/formatters/html_gitlab_spec.rb | 21 +++++++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 spec/lib/gitlab/unicode_spec.rb

(limited to 'spec/lib')

diff --git a/spec/lib/gitlab/unicode_spec.rb b/spec/lib/gitlab/unicode_spec.rb
new file mode 100644
index 00000000000..68f3266ecc7
--- /dev/null
+++ b/spec/lib/gitlab/unicode_spec.rb
@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+
+RSpec.describe Gitlab::Unicode do
+  describe described_class::BIDI_REGEXP do
+    using RSpec::Parameterized::TableSyntax
+
+    where(:bidi_string, :match) do
+      "\u2066"       | true # left-to-right isolate
+      "\u2067"       | true # right-to-left isolate
+      "\u2068"       | true # first strong isolate
+      "\u2069"       | true # pop directional isolate
+      "\u202a"       | true # left-to-right embedding
+      "\u202b"       | true # right-to-left embedding
+      "\u202c"       | true # pop directional formatting
+      "\u202d"       | true # left-to-right override
+      "\u202e"       | true # right-to-left override
+      "\u2066foobar" | true
+      ""             | false
+      "foo"          | false
+      "\u2713"       | false # checkmark
+    end
+
+    with_them do
+      let(:utf8_string) { bidi_string.encode("utf-8") }
+
+      it "matches only the bidi characters" do
+        expect(utf8_string.match?(subject)).to eq(match)
+      end
+    end
+  end
+end
diff --git a/spec/lib/rouge/formatters/html_gitlab_spec.rb b/spec/lib/rouge/formatters/html_gitlab_spec.rb
index 4bc9b256dce..7c92c62e30b 100644
--- a/spec/lib/rouge/formatters/html_gitlab_spec.rb
+++ b/spec/lib/rouge/formatters/html_gitlab_spec.rb
@@ -36,5 +36,26 @@ RSpec.describe Rouge::Formatters::HTMLGitlab do
         is_expected.to eq(code)
       end
     end
+
+    context 'when unicode control characters are used' do
+      let(:lang) { 'javascript' }
+      let(:tokens) { lexer.lex(code, continue: false) }
+      let(:code) do
+        <<~JS
+          #!/usr/bin/env node
+
+          var accessLevel = "user";
+          if (accessLevel != "user‮ ⁦// Check if admin⁩ ⁦") {
+              console.log("You are an admin.");
+          }
+        JS
+      end
+
+      it 'highlights the control characters' do
+        message = "Potentially unwanted character detected: Unicode BiDi Control"
+
+        is_expected.to include(%{<span class="unicode-bidi has-tooltip" data-toggle="tooltip" title="#{message}">}).exactly(4).times
+      end
+    end
   end
 end
-- 
cgit v1.2.3