From e9434e81199cbc350fb0405cf2c6e677fda6d61d Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Wed, 29 Nov 2023 16:23:56 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@16-5-stable-ee

---
 .../packages/composer/packages_finder_spec.rb | 15 ++++++++--
 .../finders/packages/group_packages_finder_spec.rb | 24 ++++++++++++++-
 spec/lib/gitlab/checks/branch_check_spec.rb | 34 +++++++++++-----------
 spec/models/integrations/jira_spec.rb | 2 +-
 4 files changed, 54 insertions(+), 21 deletions(-)

(limited to 'spec')

diff --git a/spec/finders/packages/composer/packages_finder_spec.rb b/spec/finders/packages/composer/packages_finder_spec.rb
index d4328827de3..1701243063b 100644
--- a/spec/finders/packages/composer/packages_finder_spec.rb
+++ b/spec/finders/packages/composer/packages_finder_spec.rb
@@ -1,18 +1,19 @@
 # frozen_string_literal: true
 require 'spec_helper'
 
-RSpec.describe ::Packages::Composer::PackagesFinder do
+RSpec.describe ::Packages::Composer::PackagesFinder, feature_category: :package_registry do
   let_it_be(:user) { create(:user) }
   let_it_be(:group) { create(:group) }
   let_it_be(:project) { create(:project, group: group) }
 
-  let(:params) { {} }
+  let(:params) { { package_type: :composer } }
 
   describe '#execute' do
     let_it_be(:composer_package) { create(:composer_package, project: project) }
     let_it_be(:composer_package2) { create(:composer_package, project: project) }
     let_it_be(:error_package) { create(:composer_package, :error, project: project) }
     let_it_be(:composer_package3) { create(:composer_package) }
+    let_it_be(:nuget_package) { create(:nuget_package, project: project) }
 
     subject { described_class.new(user, group, params).execute }
 
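Review bot: The role of the new `nuget_package` fixture is left implicit: it is created in the same `project` as the Composer packages and is only kept out of the results by the `package_type: :composer` entry now placed in the overridable `let(:params)`. Any later context that redefines `params` with a literal hash instead of `super().merge(...)` would silently drop that filter, and the fixture would then document nothing. A one-line comment on the fixture, such as `# same project, different type: must never appear in Composer results`, makes the intent visible; an explicit `it { is_expected.not_to include(nuget_package) }` next to the existing `match_array` example would pin it independently of how `params` is built.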
@@ -21,5 +22,15 @@ RSpec.describe ::Packages::Composer::PackagesFinder do
     end
 
     it { is_expected.to match_array([composer_package, composer_package2]) }
+
+    context 'when disabling the package registry for the project' do
+      let(:params) { super().merge(with_package_registry_enabled: true) }
+
+      before do
+        project.update!(package_registry_access_level: 'disabled', packages_enabled: false)
+      end
+
+      it { is_expected.to be_empty }
+    end
   end
 end
diff --git a/spec/finders/packages/group_packages_finder_spec.rb b/spec/finders/packages/group_packages_finder_spec.rb
index e4a944eb837..f78be857357 100644
--- a/spec/finders/packages/group_packages_finder_spec.rb
+++ b/spec/finders/packages/group_packages_finder_spec.rb
@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 require 'spec_helper'
 
-RSpec.describe Packages::GroupPackagesFinder do
+RSpec.describe Packages::GroupPackagesFinder, feature_category: :package_registry do
   using RSpec::Parameterized::TableSyntax
 
   let_it_be(:user) { create(:user) }
@@ -25,6 +25,16 @@ RSpec.describe Packages::GroupPackagesFinder do
     it { is_expected.to match_array([send("package_#{package_type}")]) }
   end
 
+  shared_examples 'disabling package registry for project' do
+    let(:params) { super().merge(with_package_registry_enabled: true) }
+
+    before do
+      project.update!(package_registry_access_level: 'disabled', packages_enabled: false)
+    end
+
+    it { is_expected.to match_array(packages_returned) }
+  end
+
   def self.package_types
     @package_types ||= Packages::Package.package_types.keys
   end
@@ -117,6 +127,10 @@ RSpec.describe Packages::GroupPackagesFinder do
       let(:user) { deploy_token_for_group }
 
       it { is_expected.to match_array([package1, package2, package4]) }
+
+      it_behaves_like 'disabling package registry for project' do
+        let(:packages_returned) { [package4] }
+      end
     end
 
     context 'project deploy token' do
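Review bot: The disabled-registry case is only exercised on the opt-in path, `let(:params) { super().merge(with_package_registry_enabled: true) }`, so nothing in this spec pins what the finder returns for a project with a disabled registry when a caller omits that flag. Because the exclusion is gated by a parameter rather than applied unconditionally, every endpoint serving Composer metadata has to pass it, and a caller that forgets it would not be caught here. Add a sibling context without the merge that asserts the default outcome, whichever it is, so a later change to the default is visible in this spec rather than at an API; a comment such as `# exclusion is opt-in: callers must pass with_package_registry_enabled: true` above the context would document the contract in the meantime.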
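Review bot: The shared example flips `package_registry_access_level: 'disabled'` and `packages_enabled: false` in a single `update!`, so it passes whether the finder gates on either attribute and cannot tell which one is actually honored. Unless the model keeps the two columns in sync (not visible from this hunk), split the `before` into two examples, one per attribute, so a finder that consults only the legacy boolean is caught. The example also depends on each `it_behaves_like` caller defining `packages_returned`; a line such as `# callers define packages_returned: what must survive once project's registry is disabled` above `shared_examples` makes that contract explicit.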
@@ -126,6 +140,11 @@ RSpec.describe Packages::GroupPackagesFinder do
       let(:user) { deploy_token_for_project }
 
       it { is_expected.to match_array([package4]) }
+
+      it_behaves_like 'disabling package registry for project' do
+        let(:project) { subproject }
+        let(:packages_returned) { [] }
+      end
     end
   end
 
@@ -200,6 +219,9 @@ RSpec.describe Packages::GroupPackagesFinder do
 
     it_behaves_like 'concerning versionless param'
     it_behaves_like 'concerning package statuses'
+    it_behaves_like 'disabling package registry for project' do
+      let(:packages_returned) { [] }
+    end
   end
 
   context 'group has package of all types' do
diff --git a/spec/lib/gitlab/checks/branch_check_spec.rb b/spec/lib/gitlab/checks/branch_check_spec.rb
index c3d6b9510e5..8772e8dd904 100644
--- a/spec/lib/gitlab/checks/branch_check_spec.rb
+++ b/spec/lib/gitlab/checks/branch_check_spec.rb
@@ -19,39 +19,39 @@ RSpec.describe Gitlab::Checks::BranchCheck, feature_category: :source_code_manag
     end
   end
 
-  context "prohibited branches check" do
-    it "prohibits 40-character hexadecimal branch names" do
+  describe "prohibited branches check" do
+    it "forbids SHA-1 values" do
       allow(subject).to receive(:branch_name).and_return("267208abfe40e546f5e847444276f7d43a39503e")
 
-      expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, "You cannot create a branch with a 40-character hexadecimal branch name.")
+      expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, "You cannot create a branch with a SHA-1 or SHA-256 branch name.")
     end
 
-    it "prohibits 40-character hexadecimal branch names as the start of a path" do
-      allow(subject).to receive(:branch_name).and_return("267208abfe40e546f5e847444276f7d43a39503e/test")
+    it "forbids SHA-256 values" do
+      allow(subject).to receive(:branch_name).and_return("09b9fd3ea68e9b95a51b693a29568c898e27d1476bbd83c825664f18467fc175")
 
-      expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, "You cannot create a branch with a 40-character hexadecimal branch name.")
+      expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, "You cannot create a branch with a SHA-1 or SHA-256 branch name.")
     end
 
-    it "prohibits 40-character hexadecimal branch names followed by a dash as the start of a path" do
-      allow(subject).to receive(:branch_name).and_return("267208abfe40e546f5e847444276f7d43a39503e-/test")
+    it "forbids '{SHA-1}{+anything}' values" do
+      allow(subject).to receive(:branch_name).and_return("267208abfe40e546f5e847444276f7d43a39503e-")
 
-      expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, "You cannot create a branch with a 40-character hexadecimal branch name.")
+      expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, "You cannot create a branch with a SHA-1 or SHA-256 branch name.")
     end
 
-    it "prohibits 64-character hexadecimal branch names" do
-      allow(subject).to receive(:branch_name).and_return("09b9fd3ea68e9b95a51b693a29568c898e27d1476bbd83c825664f18467fc175")
+    it "forbids '{SHA-256}{+anything} values" do
+      allow(subject).to receive(:branch_name).and_return("09b9fd3ea68e9b95a51b693a29568c898e27d1476bbd83c825664f18467fc175-")
 
-      expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, "You cannot create a branch with a 40-character hexadecimal branch name.")
+      expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, "You cannot create a branch with a SHA-1 or SHA-256 branch name.")
     end
 
-    it "prohibits 64-character hexadecimal branch names as the start of a path" do
-      allow(subject).to receive(:branch_name).and_return("09b9fd3ea68e9b95a51b693a29568c898e27d1476bbd83c825664f18467fc175/test")
+    it "allows SHA-1 values to be appended to the branch name" do
+      allow(subject).to receive(:branch_name).and_return("fix-267208abfe40e546f5e847444276f7d43a39503e")
 
-      expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, "You cannot create a branch with a 40-character hexadecimal branch name.")
+      expect { subject.validate! }.not_to raise_error
     end
 
-    it "doesn't prohibit a nested hexadecimal in a branch name" do
-      allow(subject).to receive(:branch_name).and_return("267208abfe40e546f5e847444276f7d43a39503e-fix")
+    it "allows SHA-256 values to be appended to the branch name" do
+      allow(subject).to receive(:branch_name).and_return("fix-09b9fd3ea68e9b95a51b693a29568c898e27d1476bbd83c825664f18467fc175")
 
       expect { subject.validate! }.not_to raise_error
     end
diff --git a/spec/models/integrations/jira_spec.rb b/spec/models/integrations/jira_spec.rb
index c87128db221..115a587e3f6 100644
--- a/spec/models/integrations/jira_spec.rb
+++ b/spec/models/integrations/jira_spec.rb
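Review bot: The path-shaped inputs the hunk removes, `267208…503e/test` and `267208…503e-/test`, are no longer asserted anywhere: the new `forbids '{SHA-1}{+anything}' values` example feeds only a trailing `-`, so a check that rejects `<sha>-` but lets `<sha>/anything` through would still pass this spec, even though the previous expectations treated that form as forbidden. Keep one path variant per hash length alongside the dash case, e.g. `allow(subject).to receive(:branch_name).and_return("267208abfe40e546f5e847444276f7d43a39503e/test")` with the same `raise_error` expectation, and the matching `/test` suffix for the SHA-256 value. The title `forbids '{SHA-256}{+anything} values` is also missing its closing quote. The `describe "prohibited branches check"` block continues past the end of the hunk.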
@@ -251,7 +251,7 @@ RSpec.describe Integrations::Jira, feature_category: :integrations do
       'EXT_EXT-1234' | 'EXT_EXT-1234'
       'EXT3_EXT-1234' | 'EXT3_EXT-1234'
       '3EXT_EXT-1234' | ''
-      'CVE-2022-123' | ''
+      'CVE-2022-123' | 'CVE-2022'
       'CVE-123' | 'CVE-123'
       'abc-JIRA-1234' | 'JIRA-1234'
     end
-- 
cgit v1.2.3
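Review bot: The row `'CVE-2022-123' | 'CVE-2022'` changes a user-visible outcome — a CVE identifier in a commit message or comment, which previously produced no issue reference, is now extracted as the Jira key `CVE-2022` — and the hunk gives no indication whether that is the goal or an accepted side effect of the reference pattern being reworked. If it is accepted, add a comment above the row, e.g. `# CVE ids are not special-cased; the leading PROJECT-NUMBER pair is what gets extracted`, so the next maintainer does not "fix" it back to `''`. If it is not intended, the extraction pattern rather than this expectation is what needs adjusting, since this row now locks the partial match in.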