From e6572d41b847c839ce49bc022a8cd1b99216798b Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Wed, 30 Nov 2022 04:50:46 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@15-6-stable-ee

---
 spec/models/hooks/web_hook_log_spec.rb | 18 ++++++++++++++++++
 spec/models/hooks/web_hook_spec.rb | 30 ++++++++++++++++++++++++++++++
 spec/models/integrations/jira_spec.rb | 13 ++++++++-----
 spec/models/project_import_state_spec.rb | 2 +-
 spec/models/repository_spec.rb | 13 ++++++++++++-
 5 files changed, 69 insertions(+), 7 deletions(-)
 (limited to 'spec/models')

diff --git a/spec/models/hooks/web_hook_log_spec.rb b/spec/models/hooks/web_hook_log_spec.rb
index fafca144cae..2f0bfbd4fed 100644
--- a/spec/models/hooks/web_hook_log_spec.rb
+++ b/spec/models/hooks/web_hook_log_spec.rb
@@ -188,4 +188,22 @@ RSpec.describe WebHookLog do
 it { expect(web_hook_log.internal_error?).to be_truthy }
 end
 end
+
+ describe '#request_headers' do
+ let(:hook) { build(:project_hook, :token) }
+ let(:web_hook_log) { build(:web_hook_log, request_headers: request_headers) }
+ let(:expected_headers) { { 'X-Gitlab-Token' => _('[REDACTED]') } }
+
+ context 'with redacted headers token' do
+ let(:request_headers) { { 'X-Gitlab-Token' => _('[REDACTED]') } }
+
+ it { expect(web_hook_log.request_headers).to eq(expected_headers) }
+ end
+
+ context 'with exposed headers token' do
+ let(:request_headers) { { 'X-Gitlab-Token' => hook.token } }
+
+ it { expect(web_hook_log.request_headers).to eq(expected_headers) }
+ end
+ end
 end
diff --git a/spec/models/hooks/web_hook_spec.rb b/spec/models/hooks/web_hook_spec.rb
index db854670cc3..9b55db15f3b 100644
--- a/spec/models/hooks/web_hook_spec.rb
+++ b/spec/models/hooks/web_hook_spec.rb
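Review bot: Both contexts in the new `#request_headers` block expect the same fully redacted hash, so the spec never shows that redaction is limited to the token header — a log whose `request_headers` holds only `X-Gitlab-Token` would also pass if every header value were blanked. Adding one non-secret header to both `request_headers` and `expected_headers` (for example `'Content-Type' => 'application/json'`) would pin that only the token value is replaced. Note also that `hook` is built but never attached to `web_hook_log` (`build(:web_hook_log, request_headers: request_headers)` sets no hook), so if redaction is meant to compare against the log's own hook token that association should be set explicitly rather than relying on what the factory assigns. The enclosing `RSpec.describe WebHookLog` block starts outside the hunk.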
@@ -195,6 +195,36 @@ RSpec.describe WebHook do
 end
 end
 
+ describe 'before_validation :reset_token' do
+ subject(:hook) { build_stubbed(:project_hook, :token, project: project) }
+
+ it 'resets token if url changed' do
+ hook.url = 'https://webhook.example.com/new-hook'
+
+ expect(hook).to be_valid
+ expect(hook.token).to be_nil
+ end
+
+ it 'does not reset token if new url is set together with the same token' do
+ hook.url = 'https://webhook.example.com/new-hook'
+ current_token = hook.token
+ hook.token = current_token
+
+ expect(hook).to be_valid
+ expect(hook.token).to eq(current_token)
+ expect(hook.url).to eq('https://webhook.example.com/new-hook')
+ end
+
+ it 'does not reset token if new url is set together with a new token' do
+ hook.url = 'https://webhook.example.com/new-hook'
+ hook.token = 'token'
+
+ expect(hook).to be_valid
+ expect(hook.token).to eq('token')
+ expect(hook.url).to eq('https://webhook.example.com/new-hook')
+ end
+ end
+
 it "only consider these branch filter strategies are valid" do
 expected_valid_types = %w[all_branches regex wildcard]
 expect(described_class.branch_filter_strategies.keys).to contain_exactly(*expected_valid_types)
diff --git a/spec/models/integrations/jira_spec.rb b/spec/models/integrations/jira_spec.rb
index 819dad9d46d..af1112cf50d 100644
--- a/spec/models/integrations/jira_spec.rb
+++ b/spec/models/integrations/jira_spec.rb
@@ -230,9 +230,12 @@ RSpec.describe Integrations::Jira do
 
 where(:url, :result) do
 'https://abc.atlassian.net' | true
+ 'http://abc.atlassian.net' | false
 'abc.atlassian.net' | false # This is how it behaves currently, but we may need to consider adding scheme if missing
 'https://somethingelse.com' | false
- nil | false
+ 'javascript://test.atlassian.net/%250dalert(document.domain)' | false
+ 'https://example.com".atlassian.net' | false
+ nil | false
 end
 
 with_them do
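Review bot: The three new `before_validation :reset_token` examples all change `url`, so there is no baseline example showing the token survives validation when `url` is left alone — the condition the callback must not over-match. A fourth example on an untouched `hook`, `expect(hook).to be_valid` followed by `expect(hook.token).to be_present`, would pin that. The literal `'https://webhook.example.com/new-hook'` is repeated five times across the three examples; hoisting it into `let(:new_url) { 'https://webhook.example.com/new-hook' }` would keep the examples readable and make a future URL change a one-line edit. The enclosing `RSpec.describe WebHook` block begins before the hunk.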
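Review bot: The new `where` rows cover scheme handling and a quoted-host case, but none checks that `.atlassian.net` is matched as the end of the host rather than as a substring anywhere in the URL; a row such as `'https://abc.atlassian.net.example.com' | false` would close that gap in the same table. The `'abc.atlassian.net' | false` row's trailing comment says the scheme-less behaviour is provisional, so that row will need revisiting if a default scheme is ever added. The `where` table is complete within the hunk, but the describe block around it starts earlier in the file.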
@@ -289,7 +292,7 @@ RSpec.describe Integrations::Jira do
 let(:server_info_results) { { 'deploymentType' => 'FutureCloud' } }
 
 context 'and URL ends in .atlassian.net' do
- let(:api_url) { 'http://example-api.atlassian.net' }
+ let(:api_url) { 'https://example-api.atlassian.net' }
 
 it 'deployment_type is set to cloud' do
 expect(integration.jira_tracker_data).to be_deployment_cloud
@@ -297,7 +300,7 @@ RSpec.describe Integrations::Jira do
 end
 
 context 'and URL is something else' do
- let(:api_url) { 'http://my-jira-api.someserver.com' }
+ let(:api_url) { 'https://my-jira-api.someserver.com' }
 
 it 'deployment_type is set to server' do
 expect(integration.jira_tracker_data).to be_deployment_server
@@ -309,7 +312,7 @@ RSpec.describe Integrations::Jira do
 let(:server_info_results) { {} }
 
 context 'and URL ends in .atlassian.net' do
- let(:api_url) { 'http://example-api.atlassian.net' }
+ let(:api_url) { 'https://example-api.atlassian.net' }
 
 it 'deployment_type is set to cloud' do
 expect(Gitlab::AppLogger).to receive(:warn).with(message: "Jira API returned no ServerInfo, setting deployment_type from URL", server_info: server_info_results, url: api_url)
@@ -318,7 +321,7 @@ RSpec.describe Integrations::Jira do
 end
 
 context 'and URL is something else' do
- let(:api_url) { 'http://my-jira-api.someserver.com' }
+ let(:api_url) { 'https://my-jira-api.someserver.com' }
 
 it 'deployment_type is set to server' do
 expect(Gitlab::AppLogger).to receive(:warn).with(message: "Jira API returned no ServerInfo, setting deployment_type from URL", server_info: server_info_results, url: api_url)
diff --git a/spec/models/project_import_state_spec.rb b/spec/models/project_import_state_spec.rb
index db79185d759..ba1a29a8b27 100644
--- a/spec/models/project_import_state_spec.rb
+++ b/spec/models/project_import_state_spec.rb
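Review bot: The four `let(:api_url)` fixtures in the hunks at -289, -297, -309 and -318 switch from `http://` to `https://`, which suggests `api_url` is now subject to the same scheme check that the new `where` rows exercise for `url` — if so, that check has no direct coverage for `api_url` in this file. A companion table, or a single example asserting that an `http://` `api_url` makes the integration invalid, would document the intent instead of leaving it implied by fixture edits. Each `context` here is cut at both ends of its hunk.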
@@ -22,7 +22,7 @@ RSpec.describe ProjectImportState, type: :model do
 
 before do
 allow_any_instance_of(Gitlab::GitalyClient::RepositoryService).to receive(:import_repository)
- .with(project.import_url, http_authorization_header: '', mirror: false).and_return(true)
+ .with(project.import_url, http_authorization_header: '', mirror: false, resolved_address: '').and_return(true)
 
 # Works around https://github.com/rspec/rspec-mocks/issues/910
 allow(Project).to receive(:find).with(project.id).and_return(project)
diff --git a/spec/models/repository_spec.rb b/spec/models/repository_spec.rb
index 93872bcd827..c17e180f282 100644
--- a/spec/models/repository_spec.rb
+++ b/spec/models/repository_spec.rb
@@ -1223,11 +1223,22 @@ RSpec.describe Repository do
 it 'fetches the URL without creating a remote' do
 expect(repository)
 .to receive(:fetch_remote)
- .with(url, forced: false, prune: true, refmap: :all_refs, http_authorization_header: "")
+ .with(url, forced: false, prune: true, refmap: :all_refs, http_authorization_header: "", resolved_address: '')
 .and_return(nil)
 
 repository.fetch_as_mirror(url)
 end
+
+ context 'with http_host provided' do
+ it 'fetches the URL with resolved_address value' do
+ expect(repository)
+ .to receive(:fetch_remote)
+ .with(url, forced: false, prune: true, refmap: :all_refs, http_authorization_header: "", resolved_address: '172.16.123.1')
+ .and_return(nil)
+
+ repository.fetch_as_mirror(url, resolved_address: '172.16.123.1')
+ end
+ end
 end
 
 describe '#fetch_ref' do
-- 
cgit v1.2.3
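Review bot: The updated `import_repository` expectation pins `resolved_address: ''` for every import driven by this `before` block, so this file documents only the empty default and never the path where a resolved address is actually forwarded to the Gitaly client. An example mirroring the one added to `repository_spec.rb` (a non-empty `resolved_address` reaching `import_repository`) would show the parameter is wired through for imports as well, if the import code path exposes it. Because the stub is an `allow_any_instance_of` with an exact `.with(...)`, keeping the argument list strict rather than relaxing it to `hash_including` is what makes a call that drops the new keyword fail here. The `before` block continues past the hunk.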
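Review bot: The new context is named `'with http_host provided'` but the only thing it provides is `resolved_address:`, so the description does not match the behaviour under test; `context 'with resolved_address provided' do` would be accurate. The long `.with(url, forced: false, prune: true, refmap: :all_refs, http_authorization_header: "", ...)` argument list is now duplicated between the two examples and differs only in the last keyword, so a `let(:resolved_address)` (or a shared expected-arguments hash) would keep the two in step if the signature changes again. There is also no example passing an explicit `resolved_address: nil`, so whether that is normalised to `''` or forwarded as `nil` is left unspecified. The `describe` block containing these examples starts before the hunk.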