From 2234b4382091add4dfe8d44f4e0764bf64ff8c5e Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Fri, 29 Apr 2022 08:23:17 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@14-10-stable-ee

---
 spec/models/issue_spec.rb                 | 40 +++++++++++++++++++---------
 spec/models/packages/package_file_spec.rb | 43 ++++++++++++++++++++++++++-----
 2 files changed, 64 insertions(+), 19 deletions(-)

(limited to 'spec/models')

diff --git a/spec/models/issue_spec.rb b/spec/models/issue_spec.rb
index fe09dadd0db..bd75d95080f 100644
--- a/spec/models/issue_spec.rb
+++ b/spec/models/issue_spec.rb
@@ -742,14 +742,15 @@ RSpec.describe Issue do
 
   describe '#participants' do
     context 'using a public project' do
-      let_it_be(:issue) { create(:issue, project: reusable_project) }
+      let_it_be(:public_project) { create(:project, :public) }
+      let_it_be(:issue) { create(:issue, project: public_project) }
 
       let!(:note1) do
-        create(:note_on_issue, noteable: issue, project: reusable_project, note: 'a')
+        create(:note_on_issue, noteable: issue, project: public_project, note: 'a')
       end
 
       let!(:note2) do
-        create(:note_on_issue, noteable: issue, project: reusable_project, note: 'b')
+        create(:note_on_issue, noteable: issue, project: public_project, note: 'b')
       end
 
       it 'includes the issue author' do
@@ -819,20 +820,35 @@ RSpec.describe Issue do
     context 'without a user' do
       let(:user) { nil }
 
-      before do
-        project.project_feature.update_attribute(:issues_access_level, ProjectFeature::PUBLIC)
-      end
+      context 'with issue available as public' do
+        before do
+          project.project_feature.update_attribute(:issues_access_level, ProjectFeature::PUBLIC)
+        end
+
+        it 'returns true when the issue is publicly visible' do
+          expect(issue).to receive(:publicly_visible?).and_return(true)
+
+          is_expected.to eq(true)
+        end
 
-      it 'returns true when the issue is publicly visible' do
-        expect(issue).to receive(:publicly_visible?).and_return(true)
+        it 'returns false when the issue is not publicly visible' do
+          expect(issue).to receive(:publicly_visible?).and_return(false)
 
-        is_expected.to eq(true)
+          is_expected.to eq(false)
+        end
       end
 
-      it 'returns false when the issue is not publicly visible' do
-        expect(issue).to receive(:publicly_visible?).and_return(false)
+      context 'with issues available only to team members in a public project' do
+        let(:public_project) { create(:project, :public) }
+        let(:issue) { build(:issue, project: public_project) }
 
-        is_expected.to eq(false)
+        before do
+          public_project.project_feature.update_attribute(:issues_access_level, ProjectFeature::PRIVATE)
+        end
+
+        it 'returns false' do
+          is_expected.to eq(false)
+        end
       end
     end
 
diff --git a/spec/models/packages/package_file_spec.rb b/spec/models/packages/package_file_spec.rb
index f6af8f6a951..82f5b44f38f 100644
--- a/spec/models/packages/package_file_spec.rb
+++ b/spec/models/packages/package_file_spec.rb
@@ -29,19 +29,48 @@ RSpec.describe Packages::PackageFile, type: :model do
 
       let(:package_file) { package.package_files.first }
       let(:status) { :default }
+      let(:file_name) { 'foo' }
       let(:file) { fixture_file_upload('spec/fixtures/dk.png') }
+      let(:params) { { file: file, file_name: file_name, status: status } }
 
-      subject { package.package_files.create!(file: file, file_name: package_file.file_name, status: status) }
+      subject { package.package_files.create!(params) }
 
-      it 'can not save a duplicated file' do
-        expect { subject }.to raise_error(ActiveRecord::RecordInvalid, "Validation failed: File name has already been taken")
+      context 'file_name' do
+        let(:file_name) { package_file.file_name }
+
+        it 'can not save a duplicated file' do
+          expect { subject }.to raise_error(ActiveRecord::RecordInvalid, "Validation failed: File name has already been taken")
+        end
+
+        context 'with a pending destruction package duplicated file' do
+          let(:status) { :pending_destruction }
+
+          it 'can save it' do
+            expect { subject }.to change { package.package_files.count }.from(1).to(2)
+          end
+        end
       end
 
-      context 'with a pending destruction package duplicated file' do
-        let(:status) { :pending_destruction }
+      context 'file_sha256' do
+        where(:sha256_value, :expected_success) do
+          'a' * 64       | true
+          nil            | true
+          'a' * 63       | false
+          'a' * 65       | false
+          'a' * 63 + '%' | false
+          ''             | false
+        end
+
+        with_them do
+          let(:params) { super().merge({ file_sha256: sha256_value }) }
 
-        it 'can save it' do
-          expect { subject }.to change { package.package_files.count }.from(1).to(2)
+          it 'does not allow invalid sha256 characters' do
+            if expected_success
+              expect { subject }.not_to raise_error
+            else
+              expect { subject }.to raise_error(ActiveRecord::RecordInvalid, "Validation failed: File sha256 is invalid")
+            end
+          end
         end
       end
     end
-- 
cgit v1.2.3