Skip to content

G
gitlab-ce
Commit fdcaeb38 authored by Yorick Peterse's avatar Yorick Peterse
Browse files
Options

Merge dev.gitlab.org master into GitLab.com master

parents 3164a4c7 2507ff49
Hide whitespace changes
Inline Side-by-side
Showing with 1351 additions and 214 deletions
CHANGELOG-EE.md
View file @ fdcaeb38
...@@ -250,6 +250,15 @@ Please view this file on the master branch, on stable branches it's out of date. ...@@ -250,6 +250,15 @@ Please view this file on the master branch, on stable branches it's out of date.
- Improve project service desk settings. !10381 - Improve project service desk settings. !10381
## 11.9.12 (2019-05-30)
### Security (3 changes, 1 of them is from the community)
- Filter relative links in wiki for XSS. (kerrizor)
- Fix XSS in Ancestor tooltip title.
- Ignore out of range epic IDs.
## 11.9.10 (2019-04-26) ## 11.9.10 (2019-04-26)
### Security (1 change) ### Security (1 change)
......
CHANGELOG.md
View file @ fdcaeb38
...@@ -479,6 +479,24 @@ entry. ...@@ -479,6 +479,24 @@ entry.
- Removes EE differences for environment_item.vue. - Removes EE differences for environment_item.vue.
## 11.9.12 (2019-05-30)
### Security (12 changes, 1 of them is from the community)
- Protect Gitlab::HTTP against DNS rebinding attack.
- Fix project visibility level validation. (Peter Marko)
- Update Knative version.
- Add DNS rebinding protection settings.
- Prevent XSS injection in note imports.
- Prevent invalid branch for merge request.
- Filter relative links in wiki for XSS.
- Fix confidential issue label disclosure on milestone view.
- Fix url redaction for issue links.
- Resolve: Milestones leaked via search API.
- Prevent bypass of restriction disabling web password sign in.
- Hide confidential issue title on unsubscribe for anonymous users.
## 11.9.10 (2019-04-26) ## 11.9.10 (2019-04-26)
### Security (5 changes) ### Security (5 changes)
......
app/controllers/concerns/milestone_actions.rb
View file @ fdcaeb38
...@@ -26,16 +26,22 @@ module MilestoneActions ...@@ -26,16 +26,22 @@ module MilestoneActions
end end
end end
# rubocop:disable Gitlab/ModuleWithInstanceVariables
def labels def labels
respond_to do |format| respond_to do |format|
format.html { redirect_to milestone_redirect_path } format.html { redirect_to milestone_redirect_path }
format.json do format.json do
milestone_labels = @milestone.issue_labels_visible_by_user(current_user)
render json: tabs_json("shared/milestones/_labels_tab", { render json: tabs_json("shared/milestones/_labels_tab", {
labels: @milestone.labels.map { |label| label.present(issuable_subject: @milestone.parent) } # rubocop:disable Gitlab/ModuleWithInstanceVariables labels: milestone_labels.map do |label|
label.present(issuable_subject: @milestone.parent)
end
}) })
end end
end end
end end
# rubocop:enable Gitlab/ModuleWithInstanceVariables
private private
......
app/controllers/sessions_controller.rb
View file @ fdcaeb38
...@@ -18,6 +18,7 @@ class SessionsController < Devise::SessionsController ...@@ -18,6 +18,7 @@ class SessionsController < Devise::SessionsController
prepend_before_action :store_redirect_uri, only: [:new] prepend_before_action :store_redirect_uri, only: [:new]
prepend_before_action :ldap_servers, only: [:new, :create] prepend_before_action :ldap_servers, only: [:new, :create]
prepend_before_action :require_no_authentication_without_flash, only: [:new, :create] prepend_before_action :require_no_authentication_without_flash, only: [:new, :create]
prepend_before_action :ensure_password_authentication_enabled!, if: :password_based_login?, only: [:create]
before_action :auto_sign_in_with_provider, only: [:new] before_action :auto_sign_in_with_provider, only: [:new]
before_action :load_recaptcha before_action :load_recaptcha
...@@ -138,6 +139,14 @@ class SessionsController < Devise::SessionsController ...@@ -138,6 +139,14 @@ class SessionsController < Devise::SessionsController
end end
# rubocop: enable CodeReuse/ActiveRecord # rubocop: enable CodeReuse/ActiveRecord
def ensure_password_authentication_enabled!
render_403 unless Gitlab::CurrentSettings.password_authentication_enabled_for_web?
end
def password_based_login?
user_params[:login].present? || user_params[:password].present?
end
def user_params def user_params
params.require(:user).permit(:login, :password, :remember_me, :otp_attempt, :device_response) params.require(:user).permit(:login, :password, :remember_me, :otp_attempt, :device_response)
end end
......
app/helpers/application_settings_helper.rb
View file @ fdcaeb38
...@@ -160,6 +160,7 @@ module ApplicationSettingsHelper ...@@ -160,6 +160,7 @@ module ApplicationSettingsHelper
:akismet_api_key, :akismet_api_key,
:akismet_enabled, :akismet_enabled,
:allow_local_requests_from_hooks_and_services, :allow_local_requests_from_hooks_and_services,
:dns_rebinding_protection_enabled,
:archive_builds_in_human_readable, :archive_builds_in_human_readable,
:authorized_keys_enabled, :authorized_keys_enabled,
:auto_devops_enabled, :auto_devops_enabled,
......
app/helpers/notifications_helper.rb
View file @ fdcaeb38
...@@ -100,4 +100,8 @@ module NotificationsHelper ...@@ -100,4 +100,8 @@ module NotificationsHelper
css_class: "icon notifications-icon js-notifications-icon" css_class: "icon notifications-icon js-notifications-icon"
) )
end end
def show_unsubscribe_title?(noteable)
can?(current_user, "read_#{noteable.to_ability_name}".to_sym, noteable)
end
end end
app/models/application_setting_implementation.rb
View file @ fdcaeb38
...@@ -21,6 +21,7 @@ module ApplicationSettingImplementation ...@@ -21,6 +21,7 @@ module ApplicationSettingImplementation
after_sign_up_text: nil, after_sign_up_text: nil,
akismet_enabled: false, akismet_enabled: false,
allow_local_requests_from_hooks_and_services: false, allow_local_requests_from_hooks_and_services: false,
dns_rebinding_protection_enabled: true,
authorized_keys_enabled: true, # TODO default to false if the instance is configured to use AuthorizedKeysCommand authorized_keys_enabled: true, # TODO default to false if the instance is configured to use AuthorizedKeysCommand
container_registry_token_expire_delay: 5, container_registry_token_expire_delay: 5,
default_artifacts_expire_in: '30 days', default_artifacts_expire_in: '30 days',
......
app/models/merge_request.rb
View file @ fdcaeb38
...@@ -591,6 +591,8 @@ class MergeRequest < ApplicationRecord ...@@ -591,6 +591,8 @@ class MergeRequest < ApplicationRecord
return return
end end
[:source_branch, :target_branch].each { |attr| validate_branch_name(attr) }
if opened? if opened?
similar_mrs = target_project similar_mrs = target_project
.merge_requests .merge_requests
...@@ -611,6 +613,16 @@ class MergeRequest < ApplicationRecord ...@@ -611,6 +613,16 @@ class MergeRequest < ApplicationRecord
end end
end end
def validate_branch_name(attr)
return unless changes_include?(attr)
branch = read_attribute(attr)
return unless branch
errors.add(attr) unless Gitlab::GitRefValidator.validate_merge_request_branch(branch)
end
def validate_target_project def validate_target_project
return true if target_project.merge_requests_enabled? return true if target_project.merge_requests_enabled?
......
app/models/project.rb
View file @ fdcaeb38
...@@ -407,6 +407,7 @@ class Project < ApplicationRecord ...@@ -407,6 +407,7 @@ class Project < ApplicationRecord
scope :with_builds_enabled, -> { with_feature_enabled(:builds) } scope :with_builds_enabled, -> { with_feature_enabled(:builds) }
scope :with_issues_enabled, -> { with_feature_enabled(:issues) } scope :with_issues_enabled, -> { with_feature_enabled(:issues) }
scope :with_issues_available_for_user, ->(current_user) { with_feature_available_for_user(:issues, current_user) } scope :with_issues_available_for_user, ->(current_user) { with_feature_available_for_user(:issues, current_user) }
scope :with_merge_requests_available_for_user, ->(current_user) { with_feature_available_for_user(:merge_requests, current_user) }
scope :with_merge_requests_enabled, -> { with_feature_enabled(:merge_requests) } scope :with_merge_requests_enabled, -> { with_feature_enabled(:merge_requests) }
scope :with_remote_mirrors, -> { joins(:remote_mirrors).where(remote_mirrors: { enabled: true }).distinct } scope :with_remote_mirrors, -> { joins(:remote_mirrors).where(remote_mirrors: { enabled: true }).distinct }
...@@ -597,6 +598,17 @@ class Project < ApplicationRecord ...@@ -597,6 +598,17 @@ class Project < ApplicationRecord
def group_ids def group_ids
joins(:namespace).where(namespaces: { type: 'Group' }).select(:namespace_id) joins(:namespace).where(namespaces: { type: 'Group' }).select(:namespace_id)
end end
# Returns ids of projects with milestones available for given user
#
# Used on queries to find milestones which user can see
# For example: Milestone.where(project_id: ids_with_milestone_available_for(user))
def ids_with_milestone_available_for(user)
with_issues_enabled = with_issues_available_for_user(user).select(:id)
with_merge_requests_enabled = with_merge_requests_available_for_user(user).select(:id)
from_union([with_issues_enabled, with_merge_requests_enabled]).select(:id)
end
end end
def all_pipelines def all_pipelines
......
app/views/admin/application_settings/_outbound.html.haml
View file @ fdcaeb38
...@@ -8,4 +8,12 @@ ...@@ -8,4 +8,12 @@
= f.label :allow_local_requests_from_hooks_and_services, class: 'form-check-label' do = f.label :allow_local_requests_from_hooks_and_services, class: 'form-check-label' do
Allow requests to the local network from hooks and services Allow requests to the local network from hooks and services
.form-group
.form-check
= f.check_box :dns_rebinding_protection_enabled, class: 'form-check-input'
= f.label :dns_rebinding_protection_enabled, class: 'form-check-label' do
= _('Enforce DNS rebinding attack protection')
%span.form-text.text-muted
= _('Resolves IP addresses once and uses them to submit requests')
= f.submit 'Save changes', class: "btn btn-success" = f.submit 'Save changes', class: "btn btn-success"
app/views/sent_notifications/unsubscribe.html.haml
View file @ fdcaeb38
- noteable = @sent_notification.noteable - noteable = @sent_notification.noteable
- noteable_type = @sent_notification.noteable_type.titleize.downcase - noteable_type = @sent_notification.noteable_type.titleize.downcase
- noteable_text = %(#{noteable.title} (#{noteable.to_reference})) - noteable_text = show_unsubscribe_title?(noteable) ? %(#{noteable.title} (#{noteable.to_reference})) : %(#{noteable.to_reference})
- page_title _("Unsubscribe"), noteable_text, noteable_type.pluralize, @sent_notification.project.full_name - page_title _("Unsubscribe"), noteable_text, noteable_type.pluralize, @sent_notification.project.full_name
%h3.page-title %h3.page-title
......
changelogs/unreleased/dm-http-hostname-override.yml 0 → 100644
View file @ fdcaeb38
---
title: Protect Gitlab::HTTP against DNS rebinding attack
merge_request:
author:
type: security
changelogs/unreleased/security-58856-persistent-xss-in-note-objects.yml 0 → 100644
View file @ fdcaeb38
---
title: Prevent XSS injection in note imports
merge_request:
author:
type: security
changelogs/unreleased/security-60039.yml 0 → 100644
View file @ fdcaeb38
---
title: Prevent invalid branch for merge request
merge_request:
author:
type: security
changelogs/unreleased/security-fix-confidential-issue-label-visibility-master.yml 0 → 100644
View file @ fdcaeb38
---
title: Fix confidential issue label disclosure on milestone view
merge_request:
author:
type: security
changelogs/unreleased/security-fix-project-existence-disclosure-master.yml 0 → 100644
View file @ fdcaeb38
---
title: Fix url redaction for issue links
merge_request:
author:
type: security
changelogs/unreleased/security-fix_milestones_search_api_leak.yml 0 → 100644
View file @ fdcaeb38
---
title: 'Resolve: Milestones leaked via search API'
merge_request:
author:
type: security
changelogs/unreleased/security-jej-prevent-web-sign-in-bypass.yml 0 → 100644
View file @ fdcaeb38
---
title: Prevent bypass of restriction disabling web password sign in
merge_request:
author:
type: security
changelogs/unreleased/security-unsubscribing-from-issue.yml 0 → 100644
View file @ fdcaeb38
---
title: Hide confidential issue title on unsubscribe for anonymous users
merge_request:
author:
type: security
config/initializers/hipchat_client_patch.rb
View file @ fdcaeb38
...@@ -2,14 +2,14 @@ ...@@ -2,14 +2,14 @@
# This monkey patches the HTTParty used in https://github.com/hipchat/hipchat-rb. # This monkey patches the HTTParty used in https://github.com/hipchat/hipchat-rb.
module HipChat module HipChat
class Client class Client
connection_adapter ::Gitlab::ProxyHTTPConnectionAdapter connection_adapter ::Gitlab::HTTPConnectionAdapter
end end
class Room class Room
connection_adapter ::Gitlab::ProxyHTTPConnectionAdapter connection_adapter ::Gitlab::HTTPConnectionAdapter
end end
class User class User
connection_adapter ::Gitlab::ProxyHTTPConnectionAdapter connection_adapter ::Gitlab::HTTPConnectionAdapter
end end
end end
config/initializers/http_hostname_override.rb 0 → 100644
View file @ fdcaeb38
# This override allows passing `@hostname_override` to the SNI protocol,
# which is used to lookup the correct SSL certificate in the
# request handshake process.
#
# Given we've forced the HTTP request to be sent to the resolved
# IP address in a few scenarios (e.g.: `Gitlab::HTTP` through
# `Gitlab::UrlBlocker.validate!`), we need to provide the _original_
# hostname via SNI in order to have a clean connection setup.
#
# This is ultimately needed in order to avoid DNS rebinding attacks
# through HTTP requests.
#
class OpenSSL::SSL::SSLContext
attr_accessor :hostname_override
end
class OpenSSL::SSL::SSLSocket
module HostnameOverride
# rubocop: disable Gitlab/ModuleWithInstanceVariables
def hostname=(hostname)
super(@context.hostname_override || hostname)
end
def post_connection_check(hostname)
super(@context.hostname_override || hostname)
end
# rubocop: enable Gitlab/ModuleWithInstanceVariables
end
prepend HostnameOverride
end
class Net::HTTP
attr_accessor :hostname_override
SSL_IVNAMES << :@hostname_override
SSL_ATTRIBUTES << :hostname_override
module HostnameOverride
def addr_port
return super unless hostname_override
addr = hostname_override
default_port = use_ssl? ? Net::HTTP.https_default_port : Net::HTTP.http_default_port
default_port == port ? addr : "#{addr}:#{port}"
end
end
prepend HostnameOverride
end
db/migrate/20190529142545_add_dns_rebinding_protection_enabled_to_application_settings.rb 0 → 100644
View file @ fdcaeb38
# frozen_string_literal: true
# See http://doc.gitlab.com/ce/development/migration_style_guide.html
# for more information on how to write migrations for GitLab.
class AddDnsRebindingProtectionEnabledToApplicationSettings < ActiveRecord::Migration[5.1]
include Gitlab::Database::MigrationHelpers
DOWNTIME = false
disable_ddl_transaction!
def up
add_column_with_default(:application_settings, :dns_rebinding_protection_enabled,
:boolean,
default: true,
allow_null: false)
end
def down
remove_column(:application_settings, :dns_rebinding_protection_enabled)
end
end
db/schema.rb
View file @ fdcaeb38
...@@ -225,6 +225,7 @@ ActiveRecord::Schema.define(version: 20190530154715) do ...@@ -225,6 +225,7 @@ ActiveRecord::Schema.define(version: 20190530154715) do
t.integer "elasticsearch_replicas", default: 1, null: false t.integer "elasticsearch_replicas", default: 1, null: false
t.text "encrypted_lets_encrypt_private_key" t.text "encrypted_lets_encrypt_private_key"
t.text "encrypted_lets_encrypt_private_key_iv" t.text "encrypted_lets_encrypt_private_key_iv"
t.boolean "dns_rebinding_protection_enabled", default: true, null: false
t.index ["custom_project_templates_group_id"], name: "index_application_settings_on_custom_project_templates_group_id", using: :btree t.index ["custom_project_templates_group_id"], name: "index_application_settings_on_custom_project_templates_group_id", using: :btree
t.index ["file_template_project_id"], name: "index_application_settings_on_file_template_project_id", using: :btree t.index ["file_template_project_id"], name: "index_application_settings_on_file_template_project_id", using: :btree
t.index ["usage_stats_set_by_user_id"], name: "index_application_settings_on_usage_stats_set_by_user_id", using: :btree t.index ["usage_stats_set_by_user_id"], name: "index_application_settings_on_usage_stats_set_by_user_id", using: :btree
......
ee/app/assets/javascripts/sidebar/components/ancestors_tree/ancestors_tree.vue
View file @ fdcaeb38
<script> <script>
import { GlLoadingIcon, GlLink, GlTooltip } from '@gitlab/ui'; import { GlLoadingIcon, GlLink, GlTooltip } from '@gitlab/ui';
import { escape } from 'underscore';
import { __ } from '~/locale'; import { __ } from '~/locale';
import Icon from '~/vue_shared/components/icon.vue'; import Icon from '~/vue_shared/components/icon.vue';
...@@ -38,6 +39,8 @@ export default { ...@@ -38,6 +39,8 @@ export default {
// Fallback to None if immediate parent is unavailable. // Fallback to None if immediate parent is unavailable.
let { title } = immediateParent; let { title } = immediateParent;
title = escape(title);
const { humanReadableEndDate, humanReadableTimestamp } = immediateParent; const { humanReadableEndDate, humanReadableTimestamp } = immediateParent;
if (humanReadableEndDate || humanReadableTimestamp) { if (humanReadableEndDate || humanReadableTimestamp) {
......
ee/app/models/concerns/elastic/application_search.rb
View file @ fdcaeb38
...@@ -371,7 +371,7 @@ module Elastic ...@@ -371,7 +371,7 @@ module Elastic
options[:current_user], options[:current_user],
options[:project_ids], options[:project_ids],
options[:public_and_internal_projects], options[:public_and_internal_projects],
options[:feature] options[:features]
) )
query_hash[:query][:bool][:filter] ||= [] query_hash[:query][:bool][:filter] ||= []
...@@ -390,10 +390,10 @@ module Elastic ...@@ -390,10 +390,10 @@ module Elastic
# Builds an elasticsearch query that will select projects the user is # Builds an elasticsearch query that will select projects the user is
# granted access to. # granted access to.
# #
# If a project feature is specified, it indicates interest in child # If a project feature(s) is specified, it indicates interest in child
# documents gated by that project feature - e.g., "issues". The feature's # documents gated by that project feature - e.g., "issues". The feature's
# visibility level must be taken into account. # visibility level must be taken into account.
def project_ids_query(user, project_ids, public_and_internal_projects, feature = nil) def project_ids_query(user, project_ids, public_and_internal_projects, features = nil)
# When reading cross project is not allowed, only allow searching a # When reading cross project is not allowed, only allow searching a
# a single project, so the `:read_*` ability is only checked once. # a single project, so the `:read_*` ability is only checked once.
unless Ability.allowed?(user, :read_cross_project) unless Ability.allowed?(user, :read_cross_project)
...@@ -404,18 +404,18 @@ module Elastic ...@@ -404,18 +404,18 @@ module Elastic
# anonymous users. # anonymous users.
# Pick private, internal and public projects the user is a member of. # Pick private, internal and public projects the user is a member of.
# Pick all private projects for admins & auditors. # Pick all private projects for admins & auditors.
conditions = [pick_projects_by_membership(project_ids, feature)] conditions = [pick_projects_by_membership(project_ids, features)]
if public_and_internal_projects if public_and_internal_projects
# Skip internal projects for anonymous and external users. # Skip internal projects for anonymous and external users.
# Others are given access to all internal projects. Admins & auditors # Others are given access to all internal projects. Admins & auditors
# get access to internal projects where the feature is private. # get access to internal projects where the feature is private.
conditions << pick_projects_by_visibility(Project::INTERNAL, user, feature) if user && !user.external? conditions << pick_projects_by_visibility(Project::INTERNAL, user, features) if user && !user.external?
# All users, including anonymous, can access public projects. # All users, including anonymous, can access public projects.
# Admins & auditors get access to public projects where the feature is # Admins & auditors get access to public projects where the feature is
# private. # private.
conditions << pick_projects_by_visibility(Project::PUBLIC, user, feature) conditions << pick_projects_by_visibility(Project::PUBLIC, user, features)
end end
{ should: conditions } { should: conditions }
...@@ -430,7 +430,7 @@ module Elastic ...@@ -430,7 +430,7 @@ module Elastic
# Admins & auditors are given access to all private projects. Access to # Admins & auditors are given access to all private projects. Access to
# internal or public projects where the project feature is private is not # internal or public projects where the project feature is private is not
# granted here. # granted here.
def pick_projects_by_membership(project_ids, feature = nil) def pick_projects_by_membership(project_ids, features = nil)
condition = condition =
if project_ids == :any if project_ids == :any
{ term: { visibility_level: Project::PRIVATE } } { term: { visibility_level: Project::PRIVATE } }
...@@ -438,37 +438,43 @@ module Elastic ...@@ -438,37 +438,43 @@ module Elastic
{ terms: { id: project_ids } } { terms: { id: project_ids } }
end end
limit_by_feature(condition, feature, include_members_only: true) limit_by_feature(condition, features, include_members_only: true)
end end
# Grant access to projects of the specified visibility level to the user. # Grant access to projects of the specified visibility level to the user.
# #
# If a project feature is specified, access is only granted if the feature # If a project feature is specified, access is only granted if the feature
# is enabled or, for admins & auditors, private. # is enabled or, for admins & auditors, private.
def pick_projects_by_visibility(visibility, user, feature) def pick_projects_by_visibility(visibility, user, features)
condition = { term: { visibility_level: visibility } } condition = { term: { visibility_level: visibility } }
limit_by_feature(condition, feature, include_members_only: user&.full_private_access?) limit_by_feature(condition, features, include_members_only: user&.full_private_access?)
end end
# If a project feature is specified, access is dependent on its visibility # If a project feature(s) is specified, access is dependent on its visibility
# level being enabled (or private if `include_members_only: true`). # level being enabled (or private if `include_members_only: true`).
# #
# This method is a no-op if no project feature is specified. # This method is a no-op if no project feature is specified.
# It accepts an array of features or a single feature, when an array is provided
# it queries if any of the features is enabled.
# #
# Always denies access to projects when the feature is disabled - even to # Always denies access to projects when the features are disabled - even to
# admins & auditors - as stale child documents may be present. # admins & auditors - as stale child documents may be present.
def limit_by_feature(condition, feature, include_members_only:) def limit_by_feature(condition, features, include_members_only:)
return condition unless feature return condition unless features
limit = features = Array(features)
if include_members_only
{ terms: { "#{feature}_access_level" => [::ProjectFeature::ENABLED, ::ProjectFeature::PRIVATE] } }
else
{ term: { "#{feature}_access_level" => ::ProjectFeature::ENABLED } }
end
{ bool: { filter: [condition, limit] } } features.map do |feature|
limit =
if include_members_only
{ terms: { "#{feature}_access_level" => [::ProjectFeature::ENABLED, ::ProjectFeature::PRIVATE] } }
else
{ term: { "#{feature}_access_level" => ::ProjectFeature::ENABLED } }
end
{ bool: { filter: [condition, limit] } }
end
end end
end end
end end
......
ee/app/models/concerns/elastic/issues_search.rb
View file @ fdcaeb38
...@@ -33,7 +33,7 @@ module Elastic ...@@ -33,7 +33,7 @@ module Elastic
basic_query_hash(%w(title^2 description), query) basic_query_hash(%w(title^2 description), query)
end end
options[:feature] = 'issues' options[:features] = 'issues'
query_hash = project_ids_filter(query_hash, options) query_hash = project_ids_filter(query_hash, options)
query_hash = confidentiality_filter(query_hash, options[:current_user]) query_hash = confidentiality_filter(query_hash, options[:current_user])
......
ee/app/models/concerns/elastic/merge_requests_search.rb
View file @ fdcaeb38
...@@ -49,7 +49,7 @@ module Elastic ...@@ -49,7 +49,7 @@ module Elastic
basic_query_hash(%w(title^2 description), query) basic_query_hash(%w(title^2 description), query)
end end
options[:feature] = 'merge_requests' options[:features] = 'merge_requests'
query_hash = project_ids_filter(query_hash, options) query_hash = project_ids_filter(query_hash, options)
self.__elasticsearch__.search(query_hash) self.__elasticsearch__.search(query_hash)
......
ee/changelogs/unreleased/security-rs-milestone-xss-12-0.yml 0 → 100644
View file @ fdcaeb38
---
title: Fix XSS in Ancestor tooltip title
merge_request:
author:
type: security
ee/lib/gitlab/elastic/search_results.rb
View file @ fdcaeb38
...@@ -150,7 +150,14 @@ module Gitlab ...@@ -150,7 +150,14 @@ module Gitlab
end end
def milestones def milestones
Milestone.elastic_search(query, options: base_options) # Must pass 'issues' and 'merge_requests' to check
# if any of the features is available for projects in Elastic::ApplicationSearch#project_ids_query
# Otherwise it will ignore project_ids and return milestones
# from projects with milestones disabled.
options = base_options
options[:features] = [:issues, :merge_requests]
Milestone.elastic_search(query, options: options)
end end
def merge_requests def merge_requests
......
ee/spec/features/groups/billing_spec.rb
View file @ fdcaeb38
require 'spec_helper' require 'spec_helper'
describe 'Groups > Billing', :js do describe 'Groups > Billing', :js do
include StubRequests
let!(:user) { create(:user) } let!(:user) { create(:user) }
let!(:group) { create(:group) } let!(:group) { create(:group) }
let!(:bronze_plan) { create(:bronze_plan) } let!(:bronze_plan) { create(:bronze_plan) }
before do before do
stub_request(:get, %r{https://customers.gitlab.com/gitlab_plans}) stub_full_request("https://customers.gitlab.com/gitlab_plans?plan=#{plan}")
.to_return(status: 200, body: File.new(Rails.root.join('ee/spec/fixtures/gitlab_com_plans.json'))) .to_return(status: 200, body: File.new(Rails.root.join('ee/spec/fixtures/gitlab_com_plans.json')))
stub_application_setting(check_namespace_plan: true) stub_application_setting(check_namespace_plan: true)
...@@ -16,6 +18,8 @@ describe 'Groups > Billing', :js do ...@@ -16,6 +18,8 @@ describe 'Groups > Billing', :js do
end end
context 'with a free plan' do context 'with a free plan' do
let(:plan) { 'free' }
before do before do
create(:gitlab_subscription, namespace: group, hosted_plan: nil, seats: 15) create(:gitlab_subscription, namespace: group, hosted_plan: nil, seats: 15)
end end
...@@ -28,6 +32,8 @@ describe 'Groups > Billing', :js do ...@@ -28,6 +32,8 @@ describe 'Groups > Billing', :js do
end end
context 'with a paid plan' do context 'with a paid plan' do
let(:plan) { 'bronze' }
before do before do
create(:gitlab_subscription, namespace: group, hosted_plan: bronze_plan, seats: 15) create(:gitlab_subscription, namespace: group, hosted_plan: bronze_plan, seats: 15)
end end
...@@ -40,6 +46,8 @@ describe 'Groups > Billing', :js do ...@@ -40,6 +46,8 @@ describe 'Groups > Billing', :js do
end end
context 'with a legacy paid plan' do context 'with a legacy paid plan' do
let(:plan) { 'bronze' }
before do before do
group.update_attribute(:plan, bronze_plan) group.update_attribute(:plan, bronze_plan)
end end
......
ee/spec/javascripts/sidebar/ee_ancestor_tree_spec.js
View file @ fdcaeb38
import Vue from 'vue'; import Vue from 'vue';
import { escape } from 'underscore';
import ancestorsTree from 'ee/sidebar/components/ancestors_tree/ancestors_tree.vue'; import ancestorsTree from 'ee/sidebar/components/ancestors_tree/ancestors_tree.vue';
import mountComponent from 'spec/helpers/vue_mount_component_helper'; import mountComponent from 'spec/helpers/vue_mount_component_helper';
...@@ -59,4 +60,19 @@ describe('AncestorsTreeContainer', () => { ...@@ -59,4 +60,19 @@ describe('AncestorsTreeContainer', () => {
.then(done) .then(done)
.catch(done.fail); .catch(done.fail);
}); });
it('escapes html in the tooltip', done => {
const title = '<script>alert(1);</script>';
const escapedTitle = escape(title);
vm.$props.ancestors = [{ id: 1, url: '', title, state: 'open' }];
vm.$nextTick()
.then(() => {
const tooltip = vm.$el.querySelector('.collapse-truncated-title');
expect(tooltip.innerText).toBe(escapedTitle);
})
.then(done)
.catch(done.fail);
});
}); });
ee/spec/lib/gitlab/elastic/search_results_spec.rb
View file @ fdcaeb38
...@@ -379,6 +379,7 @@ describe Gitlab::Elastic::SearchResults do ...@@ -379,6 +379,7 @@ describe Gitlab::Elastic::SearchResults do
describe 'project scoping' do describe 'project scoping' do
it "returns items for project" do it "returns items for project" do
project = create :project, :repository, name: "term" project = create :project, :repository, name: "term"
project.add_developer(user)
# Create issue # Create issue
create :issue, title: 'bla-bla term', project: project create :issue, title: 'bla-bla term', project: project
...@@ -686,29 +687,118 @@ describe Gitlab::Elastic::SearchResults do ...@@ -686,29 +687,118 @@ describe Gitlab::Elastic::SearchResults do
end end
context 'Milestones' do context 'Milestones' do
it 'finds right set of milestine' do let!(:milestone_1) { create(:milestone, project: internal_project, title: "Internal project") }
milestone_1 = create :milestone, project: internal_project, title: "Internal project" let!(:milestone_2) { create(:milestone, project: private_project1, title: "Private project") }
create :milestone, project: private_project1, title: "Private project" let!(:milestone_3) { create(:milestone, project: private_project2, title: "Private project which user is member") }
milestone_3 = create :milestone, project: private_project2, title: "Private project where I'm a member" let!(:milestone_4) { create(:milestone, project: public_project, title: "Public project") }
milestone_4 = create :milestone, project: public_project, title: "Public project"
before do
Gitlab::Elastic::Helper.refresh_index Gitlab::Elastic::Helper.refresh_index
end
# Authenticated search context 'when project ids are present' do
results = described_class.new(user, 'project', limit_project_ids) context 'when authenticated' do
milestones = results.objects('milestones') context 'when user and merge requests are disabled in a project' do
it 'returns right set of milestones' do
private_project2.project_feature.update!(issues_access_level: ProjectFeature::PRIVATE)
private_project2.project_feature.update!(merge_requests_access_level: ProjectFeature::PRIVATE)
public_project.project_feature.update!(merge_requests_access_level: ProjectFeature::PRIVATE)
public_project.project_feature.update!(issues_access_level: ProjectFeature::PRIVATE)
internal_project.project_feature.update!(issues_access_level: ProjectFeature::DISABLED)
Gitlab::Elastic::Helper.refresh_index
project_ids = user.authorized_projects.pluck(:id)
results = described_class.new(user, 'project', project_ids)
milestones = results.objects('milestones')
expect(milestones).to match_array([milestone_1, milestone_3])
end
end
context 'when user is admin' do
it 'returns right set of milestones' do
user.update(admin: true)
public_project.project_feature.update!(merge_requests_access_level: ProjectFeature::PRIVATE)
public_project.project_feature.update!(issues_access_level: ProjectFeature::PRIVATE)
internal_project.project_feature.update!(issues_access_level: ProjectFeature::DISABLED)
internal_project.project_feature.update!(merge_requests_access_level: ProjectFeature::DISABLED)
Gitlab::Elastic::Helper.refresh_index
results = described_class.new(user, 'project', :any)
milestones = results.objects('milestones')
expect(milestones).to match_array([milestone_2, milestone_3, milestone_4])
end
end
context 'when user can read milestones' do
it 'returns right set of milestones' do
# Authenticated search
project_ids = user.authorized_projects.pluck(:id)
results = described_class.new(user, 'project', project_ids)
milestones = results.objects('milestones')
expect(milestones).to match_array([milestone_1, milestone_3, milestone_4])
end
end
end
end
expect(milestones).to include milestone_1 context 'when not authenticated' do
expect(milestones).to include milestone_3 it 'returns right set of milestones' do
expect(milestones).to include milestone_4 results = described_class.new(nil, 'project', [])
expect(results.milestones_count).to eq 3 milestones = results.objects('milestones')
# Unauthenticated search expect(milestones).to include milestone_4
results = described_class.new(nil, 'project', []) expect(results.milestones_count).to eq 1
milestones = results.objects('milestones') end
end
context 'when project_ids is not present' do
context 'when project_ids is :any' do
it 'returns all milestones' do
results = described_class.new(user, 'project', :any)
milestones = results.objects('milestones')
expect(milestones).to include(milestone_1)
expect(milestones).to include(milestone_2)
expect(milestones).to include(milestone_3)
expect(milestones).to include(milestone_4)
expect(results.milestones_count).to eq(4)
end
end
expect(milestones).to include milestone_4 context 'when authenticated' do
expect(results.milestones_count).to eq 1 it 'returns right set of milestones' do
results = described_class.new(user, 'project', [])
milestones = results.objects('milestones')
expect(milestones).to include(milestone_1)
expect(milestones).to include(milestone_4)
expect(results.milestones_count).to eq(2)
end
end
context 'when not authenticated' do
it 'returns right set of milestones' do
# Should not be returned because issues and merge requests feature are disabled
other_public_project = create(:project, :public)
create(:milestone, project: other_public_project, title: 'Public project milestone 1')
other_public_project.project_feature.update!(merge_requests_access_level: ProjectFeature::PRIVATE)
other_public_project.project_feature.update!(issues_access_level: ProjectFeature::PRIVATE)
# Should be returned because only issues is disabled
other_public_project_1 = create(:project, :public)
milestone_5 = create(:milestone, project: other_public_project_1, title: 'Public project milestone 2')
other_public_project_1.project_feature.update!(issues_access_level: ProjectFeature::PRIVATE)
Gitlab::Elastic::Helper.refresh_index
results = described_class.new(nil, 'project', [])
milestones = results.objects('milestones')
expect(milestones).to match_array([milestone_4, milestone_5])
expect(results.milestones_count).to eq(2)
end
end
end end
end end
......
ee/spec/lib/gitlab/geo/oauth/session_spec.rb
View file @ fdcaeb38
...@@ -52,12 +52,14 @@ describe Gitlab::Geo::Oauth::Session, :geo do ...@@ -52,12 +52,14 @@ describe Gitlab::Geo::Oauth::Session, :geo do
context 'primary is configured with relative URL' do context 'primary is configured with relative URL' do
it 'includes primary relative URL path' do it 'includes primary relative URL path' do
primary_node.update(url: 'http:://localhost/relative-path/') api_url = 'http://localhost/relative-path/'
primary_node.update(url: api_url)
api_response = double(parsed: true) api_response = double(parsed: true)
expect_any_instance_of(OAuth2::AccessToken) expect_any_instance_of(OAuth2::AccessToken)
.to receive(:get).with(%r{^http:://localhost/relative-path/}).and_return(api_response) .to receive(:get).with(%r{^#{api_url}}).and_return(api_response)
subject.authenticate('any token') subject.authenticate('any token')
end end
......
ee/spec/services/dependency_proxy/download_blob_service_spec.rb
View file @ fdcaeb38
...@@ -34,7 +34,7 @@ describe DependencyProxy::DownloadBlobService do ...@@ -34,7 +34,7 @@ describe DependencyProxy::DownloadBlobService do
before do before do
blob_url = DependencyProxy::Registry.blob_url(image, blob_sha) blob_url = DependencyProxy::Registry.blob_url(image, blob_sha)
stub_request(:get, blob_url).to_timeout stub_full_request(blob_url).to_timeout
end end
it { expect(subject[:status]).to eq(:error) } it { expect(subject[:status]).to eq(:error) }
......
ee/spec/services/dependency_proxy/pull_manifest_service_spec.rb
View file @ fdcaeb38
...@@ -34,7 +34,7 @@ describe DependencyProxy::PullManifestService do ...@@ -34,7 +34,7 @@ describe DependencyProxy::PullManifestService do
before do before do
manifest_link = DependencyProxy::Registry.manifest_url(image, tag) manifest_link = DependencyProxy::Registry.manifest_url(image, tag)
stub_request(:get, manifest_link).to_timeout stub_full_request(manifest_link).to_timeout
end end
it { expect(subject[:status]).to eq(:error) } it { expect(subject[:status]).to eq(:error) }
......
ee/spec/services/dependency_proxy/request_token_service_spec.rb
View file @ fdcaeb38
...@@ -42,7 +42,7 @@ describe DependencyProxy::RequestTokenService do ...@@ -42,7 +42,7 @@ describe DependencyProxy::RequestTokenService do
before do before do
auth_link = DependencyProxy::Registry.auth_url(image) auth_link = DependencyProxy::Registry.auth_url(image)
stub_request(:any, auth_link).to_timeout stub_full_request(auth_link, method: :any).to_timeout
end end
it { expect(subject[:status]).to eq(:error) } it { expect(subject[:status]).to eq(:error) }
......
ee/spec/spec_helper.rb
View file @ fdcaeb38
require Rails.root.join("spec/support/helpers/stub_requests.rb")
Dir[Rails.root.join("ee/spec/support/helpers/*.rb")].each { |f| require f } Dir[Rails.root.join("ee/spec/support/helpers/*.rb")].each { |f| require f }
Dir[Rails.root.join("ee/spec/support/shared_contexts/*.rb")].each { |f| require f } Dir[Rails.root.join("ee/spec/support/shared_contexts/*.rb")].each { |f| require f }
Dir[Rails.root.join("ee/spec/support/shared_examples/*.rb")].each { |f| require f } Dir[Rails.root.join("ee/spec/support/shared_examples/*.rb")].each { |f| require f }
......
ee/spec/support/helpers/ee/dependency_proxy_helpers.rb
View file @ fdcaeb38
...@@ -2,25 +2,27 @@ ...@@ -2,25 +2,27 @@
module EE module EE
module DependencyProxyHelpers module DependencyProxyHelpers
include StubRequests
def stub_registry_auth(image, token, status = 200, body = nil) def stub_registry_auth(image, token, status = 200, body = nil)
auth_body = { 'token' => token }.to_json auth_body = { 'token' => token }.to_json
auth_link = registry.auth_url(image) auth_link = registry.auth_url(image)
stub_request(:get, auth_link) stub_full_request(auth_link)
.to_return(status: status, body: body || auth_body) .to_return(status: status, body: body || auth_body)
end end
def stub_manifest_download(image, tag, status = 200, body = nil) def stub_manifest_download(image, tag, status = 200, body = nil)
manifest_url = registry.manifest_url(image, tag) manifest_url = registry.manifest_url(image, tag)
stub_request(:get, manifest_url) stub_full_request(manifest_url)
.to_return(status: status, body: body || manifest) .to_return(status: status, body: body || manifest)
end end
def stub_blob_download(image, blob_sha, status = 200, body = '123456') def stub_blob_download(image, blob_sha, status = 200, body = '123456')
download_link = registry.blob_url(image, blob_sha) download_link = registry.blob_url(image, blob_sha)
stub_request(:get, download_link) stub_full_request(download_link)
.to_return(status: status, body: body) .to_return(status: status, body: body)
end end
......
lib/banzai/redactor.rb
View file @ fdcaeb38
...@@ -70,8 +70,11 @@ module Banzai ...@@ -70,8 +70,11 @@ module Banzai
# Build the raw <a> tag just with a link as href and content if # Build the raw <a> tag just with a link as href and content if
# it's originally a link pattern. We shouldn't return a plain text href. # it's originally a link pattern. We shouldn't return a plain text href.
original_link = original_link =
if link_reference == 'true' && href = original_content if link_reference == 'true'
%(<a href="#{href}">#{href}</a>) href = node.attr('href')
content = original_content
%(<a href="#{href}">#{content}</a>)
end end
# The reference should be replaced by the original link's content, # The reference should be replaced by the original link's content,
......
lib/gitlab.rb
View file @ fdcaeb38
...@@ -40,6 +40,7 @@ module Gitlab ...@@ -40,6 +40,7 @@ module Gitlab
SUBDOMAIN_REGEX = %r{\Ahttps://[a-z0-9]+\.gitlab\.com\z}.freeze SUBDOMAIN_REGEX = %r{\Ahttps://[a-z0-9]+\.gitlab\.com\z}.freeze
VERSION = File.read(root.join("VERSION")).strip.freeze VERSION = File.read(root.join("VERSION")).strip.freeze
INSTALLATION_TYPE = File.read(root.join("INSTALLATION_TYPE")).strip.freeze INSTALLATION_TYPE = File.read(root.join("INSTALLATION_TYPE")).strip.freeze
HTTP_PROXY_ENV_VARS = %w(http_proxy https_proxy HTTP_PROXY HTTPS_PROXY).freeze
def self.com? def self.com?
# Check `gl_subdomain?` as well to keep parity with gitlab.com # Check `gl_subdomain?` as well to keep parity with gitlab.com
...@@ -66,6 +67,10 @@ module Gitlab ...@@ -66,6 +67,10 @@ module Gitlab
end end
end end
def self.http_proxy_env?
HTTP_PROXY_ENV_VARS.any? { |name| ENV[name] }
end
def self.process_name def self.process_name
return 'sidekiq' if Sidekiq.server? return 'sidekiq' if Sidekiq.server?
return 'console' if defined?(Rails::Console) return 'console' if defined?(Rails::Console)
......
lib/gitlab/git_ref_validator.rb
View file @ fdcaeb38
...@@ -5,12 +5,16 @@ ...@@ -5,12 +5,16 @@
module Gitlab module Gitlab
module GitRefValidator module GitRefValidator
extend self extend self
EXPANDED_PREFIXES = %w(refs/heads/ refs/remotes/).freeze
DISALLOWED_PREFIXES = %w(-).freeze
# Validates a given name against the git reference specification # Validates a given name against the git reference specification
# #
# Returns true for a valid reference name, false otherwise # Returns true for a valid reference name, false otherwise
def validate(ref_name) def validate(ref_name)
not_allowed_prefixes = %w(refs/heads/ refs/remotes/ -) return false if ref_name.start_with?(*EXPANDED_PREFIXES)
return false if ref_name.start_with?(*not_allowed_prefixes) return false if ref_name.start_with?(*DISALLOWED_PREFIXES)
return false if ref_name == 'HEAD' return false if ref_name == 'HEAD'
begin begin
...@@ -19,5 +23,21 @@ module Gitlab ...@@ -19,5 +23,21 @@ module Gitlab
return false return false
end end
end end
def validate_merge_request_branch(ref_name)
return false if ref_name.start_with?(*DISALLOWED_PREFIXES)
expanded_name = if ref_name.start_with?(*EXPANDED_PREFIXES)
ref_name
else
"refs/heads/#{ref_name}"
end
begin
Rugged::Reference.valid_name?(expanded_name)
rescue ArgumentError
return false
end
end
end end
end end
lib/gitlab/http.rb
View file @ fdcaeb38
...@@ -18,7 +18,7 @@ module Gitlab ...@@ -18,7 +18,7 @@ module Gitlab
include HTTParty # rubocop:disable Gitlab/HTTParty include HTTParty # rubocop:disable Gitlab/HTTParty
connection_adapter ProxyHTTPConnectionAdapter connection_adapter HTTPConnectionAdapter
def self.perform_request(http_method, path, options, &block) def self.perform_request(http_method, path, options, &block)
super super
......
lib/gitlab/proxy_http_connection_adapter.rb lib/gitlab/http_connection_adapter.rb
View file @ fdcaeb38
...@@ -10,17 +10,19 @@ ...@@ -10,17 +10,19 @@
# #
# This option will take precedence over the global setting. # This option will take precedence over the global setting.
module Gitlab module Gitlab
class ProxyHTTPConnectionAdapter < HTTParty::ConnectionAdapter class HTTPConnectionAdapter < HTTParty::ConnectionAdapter
def connection def connection
unless allow_local_requests? begin
begin @uri, hostname = Gitlab::UrlBlocker.validate!(uri, allow_local_network: allow_local_requests?,
Gitlab::UrlBlocker.validate!(uri, allow_local_network: false) allow_localhost: allow_local_requests?,
rescue Gitlab::UrlBlocker::BlockedUrlError => e dns_rebind_protection: dns_rebind_protection?)
raise Gitlab::HTTP::BlockedUrlError, "URL '#{uri}' is blocked: #{e.message}" rescue Gitlab::UrlBlocker::BlockedUrlError => e
end raise Gitlab::HTTP::BlockedUrlError, "URL '#{uri}' is blocked: #{e.message}"
end end
super super.tap do |http|
http.hostname_override = hostname if hostname
end
end end
private private
...@@ -29,6 +31,12 @@ module Gitlab ...@@ -29,6 +31,12 @@ module Gitlab
options.fetch(:allow_local_requests, allow_settings_local_requests?) options.fetch(:allow_local_requests, allow_settings_local_requests?)
end end
def dns_rebind_protection?
return false if Gitlab.http_proxy_env?
Gitlab::CurrentSettings.dns_rebinding_protection_enabled?
end
def allow_settings_local_requests? def allow_settings_local_requests?
Gitlab::CurrentSettings.allow_local_requests_from_hooks_and_services? Gitlab::CurrentSettings.allow_local_requests_from_hooks_and_services?
end end
......
lib/gitlab/import_export/attribute_cleaner.rb
View file @ fdcaeb38
...@@ -4,6 +4,7 @@ module Gitlab ...@@ -4,6 +4,7 @@ module Gitlab
module ImportExport module ImportExport
class AttributeCleaner class AttributeCleaner
ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + ['group_id'] ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + ['group_id']
PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_html\Z/).freeze
def self.clean(*args) def self.clean(*args)
new(*args).clean new(*args).clean
...@@ -24,7 +25,11 @@ module Gitlab ...@@ -24,7 +25,11 @@ module Gitlab
private private
def prohibited_key?(key) def prohibited_key?(key)
key.end_with?('_id') && !ALLOWED_REFERENCES.include?(key) key =~ PROHIBITED_REFERENCES && !permitted_key?(key)
end
def permitted_key?(key)
ALLOWED_REFERENCES.include?(key)
end end
def excluded_key?(key) def excluded_key?(key)
......
lib/gitlab/project_search_results.rb
View file @ fdcaeb38
...@@ -134,8 +134,16 @@ module Gitlab ...@@ -134,8 +134,16 @@ module Gitlab
project.repository.commit(key) if Commit.valid_hash?(key) project.repository.commit(key) if Commit.valid_hash?(key)
end end
# rubocop: disable CodeReuse/ActiveRecord
def project_ids_relation def project_ids_relation
project Project.where(id: project).select(:id).reorder(nil)
end
# rubocop: enabled CodeReuse/ActiveRecord
def filter_milestones_by_project(milestones)
return Milestone.none unless Ability.allowed?(@current_user, :read_milestone, @project)
milestones.where(project_id: project.id) # rubocop: disable CodeReuse/ActiveRecord
end end
def repository_project_ref def repository_project_ref
......
lib/gitlab/search_results.rb
View file @ fdcaeb38
...@@ -103,9 +103,11 @@ module Gitlab ...@@ -103,9 +103,11 @@ module Gitlab
# rubocop: disable CodeReuse/ActiveRecord # rubocop: disable CodeReuse/ActiveRecord
def milestones def milestones
milestones = Milestone.where(project_id: project_ids_relation) milestones = Milestone.search(query)
milestones = milestones.search(query)
milestones.reorder('milestones.updated_at DESC') milestones = filter_milestones_by_project(milestones)
milestones.reorder('updated_at DESC')
end end
# rubocop: enable CodeReuse/ActiveRecord # rubocop: enable CodeReuse/ActiveRecord
...@@ -123,6 +125,26 @@ module Gitlab ...@@ -123,6 +125,26 @@ module Gitlab
'projects' 'projects'
end end
# Filter milestones by authorized projects.
# For performance reasons project_id is being plucked
# to be used on a smaller query.
#
# rubocop: disable CodeReuse/ActiveRecord
def filter_milestones_by_project(milestones)
project_ids =
milestones.where(project_id: project_ids_relation)
.select(:project_id).distinct
.pluck(:project_id)
return Milestone.none if project_ids.nil?
authorized_project_ids_relation =
Project.where(id: project_ids).ids_with_milestone_available_for(current_user)
milestones.where(project_id: authorized_project_ids_relation)
end
# rubocop: enable CodeReuse/ActiveRecord
# rubocop: disable CodeReuse/ActiveRecord # rubocop: disable CodeReuse/ActiveRecord
def project_ids_relation def project_ids_relation
limit_projects.select(:id).reorder(nil) limit_projects.select(:id).reorder(nil)
......
lib/gitlab/url_blocker.rb
View file @ fdcaeb38
...@@ -8,38 +8,68 @@ module Gitlab ...@@ -8,38 +8,68 @@ module Gitlab
BlockedUrlError = Class.new(StandardError) BlockedUrlError = Class.new(StandardError)
class << self class << self
def validate!(url, ports: [], schemes: [], allow_localhost: false, allow_local_network: true, ascii_only: false, enforce_user: false, enforce_sanitization: false) # Validates the given url according to the constraints specified by arguments.
return true if url.nil? #
# ports - Raises error if the given URL port does is not between given ports.
# allow_localhost - Raises error if URL resolves to a localhost IP address and argument is true.
# allow_local_network - Raises error if URL resolves to a link-local address and argument is true.
# ascii_only - Raises error if URL has unicode characters and argument is true.
# enforce_user - Raises error if URL user doesn't start with alphanumeric characters and argument is true.
# enforce_sanitization - Raises error if URL includes any HTML/CSS/JS tags and argument is true.
#
# Returns an array with [<uri>, <original-hostname>].
# rubocop:disable Metrics/CyclomaticComplexity
# rubocop:disable Metrics/ParameterLists
def validate!(
url,
ports: [],
schemes: [],
allow_localhost: false,
allow_local_network: true,
ascii_only: false,
enforce_user: false,
enforce_sanitization: false,
dns_rebind_protection: true)
# rubocop:enable Metrics/CyclomaticComplexity
# rubocop:enable Metrics/ParameterLists
return [nil, nil] if url.nil?
# Param url can be a string, URI or Addressable::URI # Param url can be a string, URI or Addressable::URI
uri = parse_url(url) uri = parse_url(url)
validate_html_tags!(uri) if enforce_sanitization validate_html_tags!(uri) if enforce_sanitization
# Allow imports from the GitLab instance itself but only from the configured ports hostname = uri.hostname
return true if internal?(uri)
port = get_port(uri) port = get_port(uri)
validate_scheme!(uri.scheme, schemes)
validate_port!(port, ports) if ports.any? unless internal?(uri)
validate_user!(uri.user) if enforce_user validate_scheme!(uri.scheme, schemes)
validate_hostname!(uri.hostname) validate_port!(port, ports) if ports.any?
validate_unicode_restriction!(uri) if ascii_only validate_user!(uri.user) if enforce_user
validate_hostname!(hostname)
validate_unicode_restriction!(uri) if ascii_only
end
begin begin
addrs_info = Addrinfo.getaddrinfo(uri.hostname, port, nil, :STREAM).map do |addr| addrs_info = Addrinfo.getaddrinfo(hostname, port, nil, :STREAM).map do |addr|
addr.ipv6_v4mapped? ? addr.ipv6_to_ipv4 : addr addr.ipv6_v4mapped? ? addr.ipv6_to_ipv4 : addr
end end
rescue SocketError rescue SocketError
return true return [uri, nil]
end end
protected_uri_with_hostname = enforce_uri_hostname(addrs_info, uri, hostname, dns_rebind_protection)
# Allow url from the GitLab instance itself but only for the configured hostname and ports
return protected_uri_with_hostname if internal?(uri)
validate_localhost!(addrs_info) unless allow_localhost validate_localhost!(addrs_info) unless allow_localhost
validate_loopback!(addrs_info) unless allow_localhost validate_loopback!(addrs_info) unless allow_localhost
validate_local_network!(addrs_info) unless allow_local_network validate_local_network!(addrs_info) unless allow_local_network
validate_link_local!(addrs_info) unless allow_local_network validate_link_local!(addrs_info) unless allow_local_network
true protected_uri_with_hostname
end end
def blocked_url?(*args) def blocked_url?(*args)
...@@ -52,6 +82,25 @@ module Gitlab ...@@ -52,6 +82,25 @@ module Gitlab
private private
# Returns the given URI with IP address as hostname and the original hostname respectively
# in an Array.
#
# It checks whether the resolved IP address matches with the hostname. If not, it changes
# the hostname to the resolved IP address.
#
# The original hostname is used to validate the SSL, given in that scenario
# we'll be making the request to the IP address, instead of using the hostname.
def enforce_uri_hostname(addrs_info, uri, hostname, dns_rebind_protection)
address = addrs_info.first
ip_address = address&.ip_address
return [uri, nil] unless dns_rebind_protection && ip_address && ip_address != hostname
uri = uri.dup
uri.hostname = ip_address
[uri, hostname]
end
def get_port(uri) def get_port(uri)
uri.port || uri.default_port uri.port || uri.default_port
end end
......
locale/gitlab.pot
View file @ fdcaeb38
...@@ -4699,6 +4699,9 @@ msgstr "" ...@@ -4699,6 +4699,9 @@ msgstr ""
msgid "Ends at (UTC)" msgid "Ends at (UTC)"
msgstr "" msgstr ""
msgid "Enforce DNS rebinding attack protection"
msgstr ""
msgid "Enter at least three characters to search" msgid "Enter at least three characters to search"
msgstr "" msgstr ""
...@@ -10998,6 +11001,9 @@ msgstr "" ...@@ -10998,6 +11001,9 @@ msgstr ""
msgid "Resolved by %{resolvedByName}" msgid "Resolved by %{resolvedByName}"
msgstr "" msgstr ""
msgid "Resolves IP addresses once and uses them to submit requests"
msgstr ""
msgid "Response" msgid "Response"
msgstr "" msgstr ""
......
spec/controllers/projects/ci/lints_controller_spec.rb
View file @ fdcaeb38
...@@ -3,6 +3,8 @@ ...@@ -3,6 +3,8 @@
require 'spec_helper' require 'spec_helper'
describe Projects::Ci::LintsController do describe Projects::Ci::LintsController do
include StubRequests
let(:project) { create(:project, :repository) } let(:project) { create(:project, :repository) }
let(:user) { create(:user) } let(:user) { create(:user) }
...@@ -70,7 +72,7 @@ describe Projects::Ci::LintsController do ...@@ -70,7 +72,7 @@ describe Projects::Ci::LintsController do
context 'with a valid gitlab-ci.yml' do context 'with a valid gitlab-ci.yml' do
before do before do
WebMock.stub_request(:get, remote_file_path).to_return(body: remote_file_content) stub_full_request(remote_file_path).to_return(body: remote_file_content)
project.add_developer(user) project.add_developer(user)
post :create, params: { namespace_id: project.namespace, project_id: project, content: content } post :create, params: { namespace_id: project.namespace, project_id: project, content: content }
......
spec/controllers/projects/milestones_controller_spec.rb
View file @ fdcaeb38
...@@ -175,6 +175,40 @@ describe Projects::MilestonesController do ...@@ -175,6 +175,40 @@ describe Projects::MilestonesController do
end end
end end
describe '#labels' do
render_views
context 'as json' do
let!(:guest) { create(:user, username: 'guest1') }
let!(:group) { create(:group, :public) }
let!(:project) { create(:project, :public, group: group) }
let!(:label) { create(:label, title: 'test_label_on_private_issue', project: project) }
let!(:confidential_issue) { create(:labeled_issue, confidential: true, project: project, milestone: milestone, labels: [label]) }
it 'does not render labels of private issues if user has no access' do
sign_in(guest)
get :labels, params: { namespace_id: group.id, project_id: project.id, id: milestone.iid }, format: :json
expect(response).to have_gitlab_http_status(200)
expect(response.content_type).to eq 'application/json'
expect(json_response['html']).not_to include(label.title)
end
it 'does render labels of private issues if user has access' do
sign_in(user)
get :labels, params: { namespace_id: group.id, project_id: project.id, id: milestone.iid }, format: :json
expect(response).to have_gitlab_http_status(200)
expect(response.content_type).to eq 'application/json'
expect(json_response['html']).to include(label.title)
end
end
end
context 'promotion succeeds' do context 'promotion succeeds' do
before do before do
group.add_developer(user) group.add_developer(user)
......
spec/controllers/sent_notifications_controller_spec.rb
View file @ fdcaeb38
...@@ -4,15 +4,31 @@ require 'rails_helper' ...@@ -4,15 +4,31 @@ require 'rails_helper'
describe SentNotificationsController do describe SentNotificationsController do
let(:user) { create(:user) } let(:user) { create(:user) }
let(:project) { create(:project) } let(:project) { create(:project, :public) }
let(:sent_notification) { create(:sent_notification, project: project, noteable: issue, recipient: user) } let(:private_project) { create(:project, :private) }
let(:sent_notification) { create(:sent_notification, project: target_project, noteable: noteable, recipient: user) }
let(:issue) do let(:issue) do
create(:issue, project: project, author: user) do |issue| create(:issue, project: target_project) do |issue|
issue.subscriptions.create(user: user, project: project, subscribed: true) issue.subscriptions.create(user: user, project: target_project, subscribed: true)
end end
end end
let(:confidential_issue) do
create(:issue, project: target_project, confidential: true) do |issue|
issue.subscriptions.create(user: user, project: target_project, subscribed: true)
end
end
let(:merge_request) do
create(:merge_request, source_project: target_project, target_project: target_project) do |mr|
mr.subscriptions.create(user: user, project: target_project, subscribed: true)
end
end
let(:noteable) { issue }
let(:target_project) { project }
describe 'GET unsubscribe' do describe 'GET unsubscribe' do
context 'when the user is not logged in' do context 'when the user is not logged in' do
context 'when the force param is passed' do context 'when the force param is passed' do
...@@ -34,20 +50,93 @@ describe SentNotificationsController do ...@@ -34,20 +50,93 @@ describe SentNotificationsController do
end end
context 'when the force param is not passed' do context 'when the force param is not passed' do
render_views
before do before do
get(:unsubscribe, params: { id: sent_notification.reply_key }) get(:unsubscribe, params: { id: sent_notification.reply_key })
end end
it 'does not unsubscribe the user' do shared_examples 'unsubscribing as anonymous' do
expect(issue.subscribed?(user, project)).to be_truthy it 'does not unsubscribe the user' do
expect(noteable.subscribed?(user, target_project)).to be_truthy
end
it 'does not set the flash message' do
expect(controller).not_to set_flash[:notice]
end
it 'renders unsubscribe page' do
expect(response.status).to eq(200)
expect(response).to render_template :unsubscribe
end
end end
it 'does not set the flash message' do context 'when project is public' do
expect(controller).not_to set_flash[:notice] context 'when unsubscribing from issue' do
let(:noteable) { issue }
it 'shows issue title' do
expect(response.body).to include(issue.title)
end
it_behaves_like 'unsubscribing as anonymous'
end
context 'when unsubscribing from confidential issue' do
let(:noteable) { confidential_issue }
it 'does not show issue title' do
expect(response.body).not_to include(confidential_issue.title)
expect(response.body).to include(confidential_issue.to_reference)
end
it_behaves_like 'unsubscribing as anonymous'
end
context 'when unsubscribing from merge request' do
let(:noteable) { merge_request }
it 'shows merge request title' do
expect(response.body).to include(merge_request.title)
end
it_behaves_like 'unsubscribing as anonymous'
end
end end
it 'redirects to the login page' do context 'when project is not public' do
expect(response).to render_template :unsubscribe let(:target_project) { private_project }
context 'when unsubscribing from issue' do
let(:noteable) { issue }
it 'shows issue title' do
expect(response.body).not_to include(issue.title)
end
it_behaves_like 'unsubscribing as anonymous'
end
context 'when unsubscribing from confidential issue' do
let(:noteable) { confidential_issue }
it 'does not show issue title' do
expect(response.body).not_to include(confidential_issue.title)
expect(response.body).to include(confidential_issue.to_reference)
end
it_behaves_like 'unsubscribing as anonymous'
end
context 'when unsubscribing from merge request' do
let(:noteable) { merge_request }
it 'shows merge request title' do
expect(response.body).not_to include(merge_request.title)
end
it_behaves_like 'unsubscribing as anonymous'
end
end end
end end
end end
......
spec/controllers/sessions_controller_spec.rb
View file @ fdcaeb38
...@@ -58,7 +58,26 @@ describe SessionsController do ...@@ -58,7 +58,26 @@ describe SessionsController do
it 'authenticates user correctly' do it 'authenticates user correctly' do
post(:create, params: { user: user_params }) post(:create, params: { user: user_params })
expect(subject.current_user). to eq user expect(subject.current_user).to eq user
end
context 'with password authentication disabled' do
before do
stub_application_setting(password_authentication_enabled_for_web: false)
end
it 'does not sign in the user' do
post(:create, params: { user: user_params })
expect(@request.env['warden']).not_to be_authenticated
expect(subject.current_user).to be_nil
end
it 'returns status 403' do
post(:create, params: { user: user_params })
expect(response.status).to eq 403
end
end end
it 'creates an audit log record' do it 'creates an audit log record' do
...@@ -153,6 +172,19 @@ describe SessionsController do ...@@ -153,6 +172,19 @@ describe SessionsController do
end end
end end
context 'with password authentication disabled' do
before do
stub_application_setting(password_authentication_enabled_for_web: false)
end
it 'allows 2FA stage of non-password login' do
authenticate_2fa(otp_attempt: user.current_otp)
expect(@request.env['warden']).to be_authenticated
expect(subject.current_user).to eq user
end
end
## ##
# See #14900 issue # See #14900 issue
# #
......
spec/features/admin/admin_settings_spec.rb
View file @ fdcaeb38
...@@ -332,16 +332,19 @@ describe 'Admin updates settings' do ...@@ -332,16 +332,19 @@ describe 'Admin updates settings' do
end end
context 'Network page' do context 'Network page' do
it 'Enable outbound requests' do it 'Changes Outbound requests settings' do
visit network_admin_application_settings_path visit network_admin_application_settings_path
page.within('.as-outbound') do page.within('.as-outbound') do
check 'Allow requests to the local network from hooks and services' check 'Allow requests to the local network from hooks and services'
# Enabled by default
uncheck 'Enforce DNS rebinding attack protection'
click_button 'Save changes' click_button 'Save changes'
end end
expect(page).to have_content "Application settings saved successfully" expect(page).to have_content "Application settings saved successfully"
expect(Gitlab::CurrentSettings.allow_local_requests_from_hooks_and_services).to be true expect(Gitlab::CurrentSettings.allow_local_requests_from_hooks_and_services).to be true
expect(Gitlab::CurrentSettings.dns_rebinding_protection_enabled).to be false
end end
end end
......
spec/features/issuables/issuable_list_spec.rb
View file @ fdcaeb38
...@@ -76,7 +76,7 @@ describe 'issuable list' do ...@@ -76,7 +76,7 @@ describe 'issuable list' do
create(:issue, project: project, author: user) create(:issue, project: project, author: user)
else else
create(:merge_request, source_project: project, source_branch: generate(:branch)) create(:merge_request, source_project: project, source_branch: generate(:branch))
source_branch = FFaker::Name.name source_branch = FFaker::Lorem.characters(8)
pipeline = create(:ci_empty_pipeline, project: project, ref: source_branch, status: %w(running failed success).sample, sha: 'any') pipeline = create(:ci_empty_pipeline, project: project, ref: source_branch, status: %w(running failed success).sample, sha: 'any')
create(:merge_request, title: FFaker::Lorem.sentence, source_project: project, source_branch: source_branch, head_pipeline: pipeline) create(:merge_request, title: FFaker::Lorem.sentence, source_project: project, source_branch: source_branch, head_pipeline: pipeline)
end end
......
spec/features/projects/import_export/export_file_spec.rb
View file @ fdcaeb38
...@@ -12,7 +12,7 @@ describe 'Import/Export - project export integration test', :js do ...@@ -12,7 +12,7 @@ describe 'Import/Export - project export integration test', :js do
let(:export_path) { "#{Dir.tmpdir}/import_file_spec" } let(:export_path) { "#{Dir.tmpdir}/import_file_spec" }
let(:config_hash) { YAML.load_file(Gitlab::ImportExport.config_file).deep_stringify_keys } let(:config_hash) { YAML.load_file(Gitlab::ImportExport.config_file).deep_stringify_keys }
let(:sensitive_words) { %w[pass secret token key encrypted] } let(:sensitive_words) { %w[pass secret token key encrypted html] }
let(:safe_list) do let(:safe_list) do
{ {
token: [ProjectHook, Ci::Trigger, CommitStatus], token: [ProjectHook, Ci::Trigger, CommitStatus],
......
spec/lib/banzai/redactor_spec.rb
View file @ fdcaeb38
...@@ -13,10 +13,10 @@ describe Banzai::Redactor do ...@@ -13,10 +13,10 @@ describe Banzai::Redactor do
it 'redacts an array of documents' do it 'redacts an array of documents' do
doc1 = Nokogiri::HTML doc1 = Nokogiri::HTML
.fragment('<a class="gfm" data-reference-type="issue">foo</a>') .fragment('<a class="gfm" href="https://www.gitlab.com" data-reference-type="issue">foo</a>')
doc2 = Nokogiri::HTML doc2 = Nokogiri::HTML
.fragment('<a class="gfm" data-reference-type="issue">bar</a>') .fragment('<a class="gfm" href="https://www.gitlab.com" data-reference-type="issue">bar</a>')
redacted_data = redactor.redact([doc1, doc2]) redacted_data = redactor.redact([doc1, doc2])
...@@ -27,7 +27,7 @@ describe Banzai::Redactor do ...@@ -27,7 +27,7 @@ describe Banzai::Redactor do
end end
it 'replaces redacted reference with inner HTML' do it 'replaces redacted reference with inner HTML' do
doc = Nokogiri::HTML.fragment("<a class='gfm' data-reference-type='issue'>foo</a>") doc = Nokogiri::HTML.fragment("<a class='gfm' href='https://www.gitlab.com' data-reference-type='issue'>foo</a>")
redactor.redact([doc]) redactor.redact([doc])
expect(doc.to_html).to eq('foo') expect(doc.to_html).to eq('foo')
end end
...@@ -35,20 +35,24 @@ describe Banzai::Redactor do ...@@ -35,20 +35,24 @@ describe Banzai::Redactor do
context 'when data-original attribute provided' do context 'when data-original attribute provided' do
let(:original_content) { '<code>foo</code>' } let(:original_content) { '<code>foo</code>' }
it 'replaces redacted reference with original content' do it 'replaces redacted reference with original content' do
doc = Nokogiri::HTML.fragment("<a class='gfm' data-reference-type='issue' data-original='#{original_content}'>bar</a>") doc = Nokogiri::HTML.fragment("<a class='gfm' href='https://www.gitlab.com' data-reference-type='issue' data-original='#{original_content}'>bar</a>")
redactor.redact([doc]) redactor.redact([doc])
expect(doc.to_html).to eq(original_content) expect(doc.to_html).to eq(original_content)
end end
end
it 'returns <a> tag with original href if it is originally a link reference' do
href = 'http://localhost:3000'
doc = Nokogiri::HTML
.fragment("<a class='gfm' data-reference-type='issue' data-original=#{href} data-link-reference='true'>#{href}</a>")
redactor.redact([doc]) it 'does not replace redacted reference with original content if href is given' do
html = "<a href='https://www.gitlab.com' data-link-reference='true' class='gfm' data-reference-type='issue' data-reference-type='issue' data-original='Marge'>Marge</a>"
doc = Nokogiri::HTML.fragment(html)
redactor.redact([doc])
expect(doc.to_html).to eq('<a href="https://www.gitlab.com">Marge</a>')
end
expect(doc.to_html).to eq('<a href="http://localhost:3000">http://localhost:3000</a>') it 'uses the original content as the link content if given' do
html = "<a href='https://www.gitlab.com' data-link-reference='true' class='gfm' data-reference-type='issue' data-reference-type='issue' data-original='Homer'>Marge</a>"
doc = Nokogiri::HTML.fragment(html)
redactor.redact([doc])
expect(doc.to_html).to eq('<a href="https://www.gitlab.com">Homer</a>')
end
end end
end end
...@@ -61,7 +65,7 @@ describe Banzai::Redactor do ...@@ -61,7 +65,7 @@ describe Banzai::Redactor do
end end
it 'redacts an issue attached' do it 'redacts an issue attached' do
doc = Nokogiri::HTML.fragment("<a class='gfm' data-reference-type='issue' data-issue='#{issue.id}'>foo</a>") doc = Nokogiri::HTML.fragment("<a class='gfm' href='https://www.gitlab.com' data-reference-type='issue' data-issue='#{issue.id}'>foo</a>")
redactor.redact([doc]) redactor.redact([doc])
...@@ -69,7 +73,7 @@ describe Banzai::Redactor do ...@@ -69,7 +73,7 @@ describe Banzai::Redactor do
end end
it 'redacts an external issue' do it 'redacts an external issue' do
doc = Nokogiri::HTML.fragment("<a class='gfm' data-reference-type='issue' data-external-issue='#{issue.id}' data-project='#{project.id}'>foo</a>") doc = Nokogiri::HTML.fragment("<a class='gfm' href='https://www.gitlab.com' data-reference-type='issue' data-external-issue='#{issue.id}' data-project='#{project.id}'>foo</a>")
redactor.redact([doc]) redactor.redact([doc])
......
spec/lib/gitlab/bitbucket_import/importer_spec.rb
View file @ fdcaeb38
...@@ -5,6 +5,7 @@ describe Gitlab::BitbucketImport::Importer do ...@@ -5,6 +5,7 @@ describe Gitlab::BitbucketImport::Importer do
before do before do
stub_omniauth_provider('bitbucket') stub_omniauth_provider('bitbucket')
stub_feature_flags(stricter_mr_branch_name: false)
end end
let(:statuses) do let(:statuses) do
......
spec/lib/gitlab/ci/config/external/file/remote_spec.rb
View file @ fdcaeb38
...@@ -3,6 +3,8 @@ ...@@ -3,6 +3,8 @@
require 'spec_helper' require 'spec_helper'
describe Gitlab::Ci::Config::External::File::Remote do describe Gitlab::Ci::Config::External::File::Remote do
include StubRequests
let(:context) { described_class::Context.new(nil, '12345', nil, Set.new) } let(:context) { described_class::Context.new(nil, '12345', nil, Set.new) }
let(:params) { { remote: location } } let(:params) { { remote: location } }
let(:remote_file) { described_class.new(params, context) } let(:remote_file) { described_class.new(params, context) }
...@@ -46,7 +48,7 @@ describe Gitlab::Ci::Config::External::File::Remote do ...@@ -46,7 +48,7 @@ describe Gitlab::Ci::Config::External::File::Remote do
describe "#valid?" do describe "#valid?" do
context 'when is a valid remote url' do context 'when is a valid remote url' do
before do before do
WebMock.stub_request(:get, location).to_return(body: remote_file_content) stub_full_request(location).to_return(body: remote_file_content)
end end
it 'returns true' do it 'returns true' do
...@@ -92,7 +94,7 @@ describe Gitlab::Ci::Config::External::File::Remote do ...@@ -92,7 +94,7 @@ describe Gitlab::Ci::Config::External::File::Remote do
describe "#content" do describe "#content" do
context 'with a valid remote file' do context 'with a valid remote file' do
before do before do
WebMock.stub_request(:get, location).to_return(body: remote_file_content) stub_full_request(location).to_return(body: remote_file_content)
end end
it 'returns the content of the file' do it 'returns the content of the file' do
...@@ -114,7 +116,7 @@ describe Gitlab::Ci::Config::External::File::Remote do ...@@ -114,7 +116,7 @@ describe Gitlab::Ci::Config::External::File::Remote do
let(:location) { 'https://asdasdasdaj48ggerexample.com' } let(:location) { 'https://asdasdasdaj48ggerexample.com' }
before do before do
WebMock.stub_request(:get, location).to_raise(SocketError.new('Some HTTP error')) stub_full_request(location).to_raise(SocketError.new('Some HTTP error'))
end end
it 'is nil' do it 'is nil' do
...@@ -144,7 +146,7 @@ describe Gitlab::Ci::Config::External::File::Remote do ...@@ -144,7 +146,7 @@ describe Gitlab::Ci::Config::External::File::Remote do
context 'when timeout error has been raised' do context 'when timeout error has been raised' do
before do before do
WebMock.stub_request(:get, location).to_timeout stub_full_request(location).to_timeout
end end
it 'returns error message about a timeout' do it 'returns error message about a timeout' do
...@@ -154,7 +156,7 @@ describe Gitlab::Ci::Config::External::File::Remote do ...@@ -154,7 +156,7 @@ describe Gitlab::Ci::Config::External::File::Remote do
context 'when HTTP error has been raised' do context 'when HTTP error has been raised' do
before do before do
WebMock.stub_request(:get, location).to_raise(Gitlab::HTTP::Error) stub_full_request(location).to_raise(Gitlab::HTTP::Error)
end end
it 'returns error message about a HTTP error' do it 'returns error message about a HTTP error' do
...@@ -164,7 +166,7 @@ describe Gitlab::Ci::Config::External::File::Remote do ...@@ -164,7 +166,7 @@ describe Gitlab::Ci::Config::External::File::Remote do
context 'when response has 404 status' do context 'when response has 404 status' do
before do before do
WebMock.stub_request(:get, location).to_return(body: remote_file_content, status: 404) stub_full_request(location).to_return(body: remote_file_content, status: 404)
end end
it 'returns error message about a timeout' do it 'returns error message about a timeout' do
......
spec/lib/gitlab/ci/config/external/mapper_spec.rb
View file @ fdcaeb38
...@@ -3,6 +3,8 @@ ...@@ -3,6 +3,8 @@
require 'spec_helper' require 'spec_helper'
describe Gitlab::Ci::Config::External::Mapper do describe Gitlab::Ci::Config::External::Mapper do
include StubRequests
set(:project) { create(:project, :repository) } set(:project) { create(:project, :repository) }
set(:user) { create(:user) } set(:user) { create(:user) }
...@@ -18,7 +20,7 @@ describe Gitlab::Ci::Config::External::Mapper do ...@@ -18,7 +20,7 @@ describe Gitlab::Ci::Config::External::Mapper do
end end
before do before do
WebMock.stub_request(:get, remote_url).to_return(body: file_content) stub_full_request(remote_url).to_return(body: file_content)
end end
describe '#process' do describe '#process' do
......
spec/lib/gitlab/ci/config/external/processor_spec.rb
View file @ fdcaeb38
...@@ -3,6 +3,8 @@ ...@@ -3,6 +3,8 @@
require 'spec_helper' require 'spec_helper'
describe Gitlab::Ci::Config::External::Processor do describe Gitlab::Ci::Config::External::Processor do
include StubRequests
set(:project) { create(:project, :repository) } set(:project) { create(:project, :repository) }
set(:another_project) { create(:project, :repository) } set(:another_project) { create(:project, :repository) }
set(:user) { create(:user) } set(:user) { create(:user) }
...@@ -42,7 +44,7 @@ describe Gitlab::Ci::Config::External::Processor do ...@@ -42,7 +44,7 @@ describe Gitlab::Ci::Config::External::Processor do
let(:values) { { include: remote_file, image: 'ruby:2.2' } } let(:values) { { include: remote_file, image: 'ruby:2.2' } }
before do before do
WebMock.stub_request(:get, remote_file).to_raise(SocketError.new('Some HTTP error')) stub_full_request(remote_file).and_raise(SocketError.new('Some HTTP error'))
end end
it 'raises an error' do it 'raises an error' do
...@@ -75,7 +77,7 @@ describe Gitlab::Ci::Config::External::Processor do ...@@ -75,7 +77,7 @@ describe Gitlab::Ci::Config::External::Processor do
end end
before do before do
WebMock.stub_request(:get, remote_file).to_return(body: external_file_content) stub_full_request(remote_file).to_return(body: external_file_content)
end end
it 'appends the file to the values' do it 'appends the file to the values' do
...@@ -145,7 +147,7 @@ describe Gitlab::Ci::Config::External::Processor do ...@@ -145,7 +147,7 @@ describe Gitlab::Ci::Config::External::Processor do
allow_any_instance_of(Gitlab::Ci::Config::External::File::Local) allow_any_instance_of(Gitlab::Ci::Config::External::File::Local)
.to receive(:fetch_local_content).and_return(local_file_content) .to receive(:fetch_local_content).and_return(local_file_content)
WebMock.stub_request(:get, remote_file).to_return(body: remote_file_content) stub_full_request(remote_file).to_return(body: remote_file_content)
end end
it 'appends the files to the values' do it 'appends the files to the values' do
...@@ -191,7 +193,8 @@ describe Gitlab::Ci::Config::External::Processor do ...@@ -191,7 +193,8 @@ describe Gitlab::Ci::Config::External::Processor do
end end
it 'takes precedence' do it 'takes precedence' do
WebMock.stub_request(:get, remote_file).to_return(body: remote_file_content) stub_full_request(remote_file).to_return(body: remote_file_content)
expect(processor.perform[:image]).to eq('ruby:2.2') expect(processor.perform[:image]).to eq('ruby:2.2')
end end
end end
...@@ -231,7 +234,8 @@ describe Gitlab::Ci::Config::External::Processor do ...@@ -231,7 +234,8 @@ describe Gitlab::Ci::Config::External::Processor do
HEREDOC HEREDOC
end end
WebMock.stub_request(:get, 'http://my.domain.com/config.yml').to_return(body: 'remote_build: { script: echo Hello World }') stub_full_request('http://my.domain.com/config.yml')
.to_return(body: 'remote_build: { script: echo Hello World }')
end end
context 'when project is public' do context 'when project is public' do
...@@ -273,8 +277,10 @@ describe Gitlab::Ci::Config::External::Processor do ...@@ -273,8 +277,10 @@ describe Gitlab::Ci::Config::External::Processor do
context 'when config includes an external configuration file via SSL web request' do context 'when config includes an external configuration file via SSL web request' do
before do before do
stub_request(:get, 'https://sha256.badssl.com/fake.yml').to_return(body: 'image: ruby:2.6', status: 200) stub_full_request('https://sha256.badssl.com/fake.yml', ip_address: '8.8.8.8')
stub_request(:get, 'https://self-signed.badssl.com/fake.yml') .to_return(body: 'image: ruby:2.6', status: 200)
stub_full_request('https://self-signed.badssl.com/fake.yml', ip_address: '8.8.8.9')
.to_raise(OpenSSL::SSL::SSLError.new('SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate)')) .to_raise(OpenSSL::SSL::SSLError.new('SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate)'))
end end
......
spec/lib/gitlab/ci/config_spec.rb
View file @ fdcaeb38
require 'spec_helper' require 'spec_helper'
describe Gitlab::Ci::Config do describe Gitlab::Ci::Config do
include StubRequests
set(:user) { create(:user) } set(:user) { create(:user) }
let(:config) do let(:config) do
...@@ -216,8 +218,7 @@ describe Gitlab::Ci::Config do ...@@ -216,8 +218,7 @@ describe Gitlab::Ci::Config do
end end
before do before do
WebMock.stub_request(:get, remote_location) stub_full_request(remote_location).to_return(body: remote_file_content)
.to_return(body: remote_file_content)
allow(project.repository) allow(project.repository)
.to receive(:blob_data_at).and_return(local_file_content) .to receive(:blob_data_at).and_return(local_file_content)
......
spec/lib/gitlab/ci/yaml_processor_spec.rb
View file @ fdcaeb38
...@@ -3,6 +3,8 @@ require 'spec_helper' ...@@ -3,6 +3,8 @@ require 'spec_helper'
module Gitlab module Gitlab
module Ci module Ci
describe YamlProcessor do describe YamlProcessor do
include StubRequests
subject { described_class.new(config, user: nil) } subject { described_class.new(config, user: nil) }
describe '#build_attributes' do describe '#build_attributes' do
...@@ -648,7 +650,7 @@ module Gitlab ...@@ -648,7 +650,7 @@ module Gitlab
end end
before do before do
WebMock.stub_request(:get, 'https://gitlab.com/awesome-project/raw/master/.before-script-template.yml') stub_full_request('https://gitlab.com/awesome-project/raw/master/.before-script-template.yml')
.to_return( .to_return(
status: 200, status: 200,
headers: { 'Content-Type' => 'application/json' }, headers: { 'Content-Type' => 'application/json' },
......
spec/lib/gitlab/git_ref_validator_spec.rb
View file @ fdcaeb38
require 'spec_helper' require 'spec_helper'
describe Gitlab::GitRefValidator do describe Gitlab::GitRefValidator do
it { expect(described_class.validate('feature/new')).to be_truthy } using RSpec::Parameterized::TableSyntax
it { expect(described_class.validate('implement_@all')).to be_truthy }
it { expect(described_class.validate('my_new_feature')).to be_truthy } context '.validate' do
it { expect(described_class.validate('my-branch')).to be_truthy } it { expect(described_class.validate('feature/new')).to be_truthy }
it { expect(described_class.validate('#1')).to be_truthy } it { expect(described_class.validate('implement_@all')).to be_truthy }
it { expect(described_class.validate('feature/refs/heads/foo')).to be_truthy } it { expect(described_class.validate('my_new_feature')).to be_truthy }
it { expect(described_class.validate('feature/~new/')).to be_falsey } it { expect(described_class.validate('my-branch')).to be_truthy }
it { expect(described_class.validate('feature/^new/')).to be_falsey } it { expect(described_class.validate('#1')).to be_truthy }
it { expect(described_class.validate('feature/:new/')).to be_falsey } it { expect(described_class.validate('feature/refs/heads/foo')).to be_truthy }
it { expect(described_class.validate('feature/?new/')).to be_falsey } it { expect(described_class.validate('feature/~new/')).to be_falsey }
it { expect(described_class.validate('feature/*new/')).to be_falsey } it { expect(described_class.validate('feature/^new/')).to be_falsey }
it { expect(described_class.validate('feature/[new/')).to be_falsey } it { expect(described_class.validate('feature/:new/')).to be_falsey }
it { expect(described_class.validate('feature/new/')).to be_falsey } it { expect(described_class.validate('feature/?new/')).to be_falsey }
it { expect(described_class.validate('feature/new.')).to be_falsey } it { expect(described_class.validate('feature/*new/')).to be_falsey }
it { expect(described_class.validate('feature\@{')).to be_falsey } it { expect(described_class.validate('feature/[new/')).to be_falsey }
it { expect(described_class.validate('feature\new')).to be_falsey } it { expect(described_class.validate('feature/new/')).to be_falsey }
it { expect(described_class.validate('feature//new')).to be_falsey } it { expect(described_class.validate('feature/new.')).to be_falsey }
it { expect(described_class.validate('feature new')).to be_falsey } it { expect(described_class.validate('feature\@{')).to be_falsey }
it { expect(described_class.validate('refs/heads/')).to be_falsey } it { expect(described_class.validate('feature\new')).to be_falsey }
it { expect(described_class.validate('refs/remotes/')).to be_falsey } it { expect(described_class.validate('feature//new')).to be_falsey }
it { expect(described_class.validate('refs/heads/feature')).to be_falsey } it { expect(described_class.validate('feature new')).to be_falsey }
it { expect(described_class.validate('refs/remotes/origin')).to be_falsey } it { expect(described_class.validate('refs/heads/')).to be_falsey }
it { expect(described_class.validate('-')).to be_falsey } it { expect(described_class.validate('refs/remotes/')).to be_falsey }
it { expect(described_class.validate('-branch')).to be_falsey } it { expect(described_class.validate('refs/heads/feature')).to be_falsey }
it { expect(described_class.validate('.tag')).to be_falsey } it { expect(described_class.validate('refs/remotes/origin')).to be_falsey }
it { expect(described_class.validate('my branch')).to be_falsey } it { expect(described_class.validate('-')).to be_falsey }
it { expect(described_class.validate("\xA0\u0000\xB0")).to be_falsey } it { expect(described_class.validate('-branch')).to be_falsey }
it { expect(described_class.validate('+foo:bar')).to be_falsey }
it { expect(described_class.validate('foo:bar')).to be_falsey }
it { expect(described_class.validate('.tag')).to be_falsey }
it { expect(described_class.validate('my branch')).to be_falsey }
it { expect(described_class.validate("\xA0\u0000\xB0")).to be_falsey }
end
context '.validate_merge_request_branch' do
it { expect(described_class.validate_merge_request_branch('HEAD')).to be_truthy }
it { expect(described_class.validate_merge_request_branch('feature/new')).to be_truthy }
it { expect(described_class.validate_merge_request_branch('implement_@all')).to be_truthy }
it { expect(described_class.validate_merge_request_branch('my_new_feature')).to be_truthy }
it { expect(described_class.validate_merge_request_branch('my-branch')).to be_truthy }
it { expect(described_class.validate_merge_request_branch('#1')).to be_truthy }
it { expect(described_class.validate_merge_request_branch('feature/refs/heads/foo')).to be_truthy }
it { expect(described_class.validate_merge_request_branch('feature/~new/')).to be_falsey }
it { expect(described_class.validate_merge_request_branch('feature/^new/')).to be_falsey }
it { expect(described_class.validate_merge_request_branch('feature/:new/')).to be_falsey }
it { expect(described_class.validate_merge_request_branch('feature/?new/')).to be_falsey }
it { expect(described_class.validate_merge_request_branch('feature/*new/')).to be_falsey }
it { expect(described_class.validate_merge_request_branch('feature/[new/')).to be_falsey }
it { expect(described_class.validate_merge_request_branch('feature/new/')).to be_falsey }
it { expect(described_class.validate_merge_request_branch('feature/new.')).to be_falsey }
it { expect(described_class.validate_merge_request_branch('feature\@{')).to be_falsey }
it { expect(described_class.validate_merge_request_branch('feature\new')).to be_falsey }
it { expect(described_class.validate_merge_request_branch('feature//new')).to be_falsey }
it { expect(described_class.validate_merge_request_branch('feature new')).to be_falsey }
it { expect(described_class.validate_merge_request_branch('refs/heads/master')).to be_truthy }
it { expect(described_class.validate_merge_request_branch('refs/heads/')).to be_falsey }
it { expect(described_class.validate_merge_request_branch('refs/remotes/')).to be_falsey }
it { expect(described_class.validate_merge_request_branch('-')).to be_falsey }
it { expect(described_class.validate_merge_request_branch('-branch')).to be_falsey }
it { expect(described_class.validate_merge_request_branch('+foo:bar')).to be_falsey }
it { expect(described_class.validate_merge_request_branch('foo:bar')).to be_falsey }
it { expect(described_class.validate_merge_request_branch('.tag')).to be_falsey }
it { expect(described_class.validate_merge_request_branch('my branch')).to be_falsey }
it { expect(described_class.validate_merge_request_branch("\xA0\u0000\xB0")).to be_falsey }
end
end end
spec/lib/gitlab/http_connection_adapter_spec.rb 0 → 100644
View file @ fdcaeb38
# frozen_string_literal: true
require 'spec_helper'
describe Gitlab::HTTPConnectionAdapter do
describe '#connection' do
context 'when local requests are not allowed' do
it 'sets up the connection' do
uri = URI('https://example.org')
connection = described_class.new(uri).connection
expect(connection).to be_a(Net::HTTP)
expect(connection.address).to eq('93.184.216.34')
expect(connection.hostname_override).to eq('example.org')
expect(connection.addr_port).to eq('example.org')
expect(connection.port).to eq(443)
end
it 'raises error when it is a request to local address' do
uri = URI('http://172.16.0.0/12')
expect { described_class.new(uri).connection }
.to raise_error(Gitlab::HTTP::BlockedUrlError,
"URL 'http://172.16.0.0/12' is blocked: Requests to the local network are not allowed")
end
it 'raises error when it is a request to localhost address' do
uri = URI('http://127.0.0.1')
expect { described_class.new(uri).connection }
.to raise_error(Gitlab::HTTP::BlockedUrlError,
"URL 'http://127.0.0.1' is blocked: Requests to localhost are not allowed")
end
context 'when port different from URL scheme is used' do
it 'sets up the addr_port accordingly' do
uri = URI('https://example.org:8080')
connection = described_class.new(uri).connection
expect(connection.address).to eq('93.184.216.34')
expect(connection.hostname_override).to eq('example.org')
expect(connection.addr_port).to eq('example.org:8080')
expect(connection.port).to eq(8080)
end
end
end
context 'when DNS rebinding protection is disabled' do
it 'sets up the connection' do
stub_application_setting(dns_rebinding_protection_enabled: false)
uri = URI('https://example.org')
connection = described_class.new(uri).connection
expect(connection).to be_a(Net::HTTP)
expect(connection.address).to eq('example.org')
expect(connection.hostname_override).to eq(nil)
expect(connection.addr_port).to eq('example.org')
expect(connection.port).to eq(443)
end
end
context 'when http(s) environment variable is set' do
it 'sets up the connection' do
stub_env('https_proxy' => 'https://my.proxy')
uri = URI('https://example.org')
connection = described_class.new(uri).connection
expect(connection).to be_a(Net::HTTP)
expect(connection.address).to eq('example.org')
expect(connection.hostname_override).to eq(nil)
expect(connection.addr_port).to eq('example.org')
expect(connection.port).to eq(443)
end
end
context 'when local requests are allowed' do
it 'sets up the connection' do
uri = URI('https://example.org')
connection = described_class.new(uri, allow_local_requests: true).connection
expect(connection).to be_a(Net::HTTP)
expect(connection.address).to eq('93.184.216.34')
expect(connection.hostname_override).to eq('example.org')
expect(connection.addr_port).to eq('example.org')
expect(connection.port).to eq(443)
end
it 'sets up the connection when it is a local network' do
uri = URI('http://172.16.0.0/12')
connection = described_class.new(uri, allow_local_requests: true).connection
expect(connection).to be_a(Net::HTTP)
expect(connection.address).to eq('172.16.0.0')
expect(connection.hostname_override).to be(nil)
expect(connection.addr_port).to eq('172.16.0.0')
expect(connection.port).to eq(80)
end
it 'sets up the connection when it is localhost' do
uri = URI('http://127.0.0.1')
connection = described_class.new(uri, allow_local_requests: true).connection
expect(connection).to be_a(Net::HTTP)
expect(connection.address).to eq('127.0.0.1')
expect(connection.hostname_override).to be(nil)
expect(connection.addr_port).to eq('127.0.0.1')
expect(connection.port).to eq(80)
end
end
end
end
spec/lib/gitlab/http_spec.rb
View file @ fdcaeb38
require 'spec_helper' require 'spec_helper'
describe Gitlab::HTTP do describe Gitlab::HTTP do
include StubRequests
context 'when allow_local_requests' do
it 'sends the request to the correct URI' do
stub_full_request('https://example.org:8080', ip_address: '8.8.8.8').to_return(status: 200)
described_class.get('https://example.org:8080', allow_local_requests: false)
expect(WebMock).to have_requested(:get, 'https://8.8.8.8:8080').once
end
end
context 'when not allow_local_requests' do
it 'sends the request to the correct URI' do
stub_full_request('https://example.org:8080')
described_class.get('https://example.org:8080', allow_local_requests: true)
expect(WebMock).to have_requested(:get, 'https://8.8.8.9:8080').once
end
end
describe 'allow_local_requests_from_hooks_and_services is' do describe 'allow_local_requests_from_hooks_and_services is' do
before do before do
WebMock.stub_request(:get, /.*/).to_return(status: 200, body: 'Success') WebMock.stub_request(:get, /.*/).to_return(status: 200, body: 'Success')
...@@ -21,6 +43,8 @@ describe Gitlab::HTTP do ...@@ -21,6 +43,8 @@ describe Gitlab::HTTP do
context 'if allow_local_requests set to true' do context 'if allow_local_requests set to true' do
it 'override the global value and allow requests to localhost or private network' do it 'override the global value and allow requests to localhost or private network' do
stub_full_request('http://localhost:3003')
expect { described_class.get('http://localhost:3003', allow_local_requests: true) }.not_to raise_error expect { described_class.get('http://localhost:3003', allow_local_requests: true) }.not_to raise_error
end end
end end
...@@ -32,6 +56,8 @@ describe Gitlab::HTTP do ...@@ -32,6 +56,8 @@ describe Gitlab::HTTP do
end end
it 'allow requests to localhost' do it 'allow requests to localhost' do
stub_full_request('http://localhost:3003')
expect { described_class.get('http://localhost:3003') }.not_to raise_error expect { described_class.get('http://localhost:3003') }.not_to raise_error
end end
...@@ -49,7 +75,7 @@ describe Gitlab::HTTP do ...@@ -49,7 +75,7 @@ describe Gitlab::HTTP do
describe 'handle redirect loops' do describe 'handle redirect loops' do
before do before do
WebMock.stub_request(:any, "http://example.org").to_raise(HTTParty::RedirectionTooDeep.new("Redirection Too Deep")) stub_full_request("http://example.org", method: :any).to_raise(HTTParty::RedirectionTooDeep.new("Redirection Too Deep"))
end end
it 'handles GET requests' do it 'handles GET requests' do
......
spec/lib/gitlab/import_export/after_export_strategies/web_upload_strategy_spec.rb
View file @ fdcaeb38
require 'spec_helper' require 'spec_helper'
describe Gitlab::ImportExport::AfterExportStrategies::WebUploadStrategy do describe Gitlab::ImportExport::AfterExportStrategies::WebUploadStrategy do
include StubRequests
let(:example_url) { 'http://www.example.com' } let(:example_url) { 'http://www.example.com' }
let(:strategy) { subject.new(url: example_url, http_method: 'post') } let(:strategy) { subject.new(url: example_url, http_method: 'post') }
let!(:project) { create(:project, :with_export) } let!(:project) { create(:project, :with_export) }
...@@ -35,7 +37,7 @@ describe Gitlab::ImportExport::AfterExportStrategies::WebUploadStrategy do ...@@ -35,7 +37,7 @@ describe Gitlab::ImportExport::AfterExportStrategies::WebUploadStrategy do
context 'when upload fails' do context 'when upload fails' do
it 'stores the export error' do it 'stores the export error' do
stub_request(:post, example_url).to_return(status: [404, 'Page not found']) stub_full_request(example_url, method: :post).to_return(status: [404, 'Page not found'])
strategy.execute(user, project) strategy.execute(user, project)
......
spec/lib/gitlab/import_export/attribute_cleaner_spec.rb
View file @ fdcaeb38
...@@ -18,7 +18,11 @@ describe Gitlab::ImportExport::AttributeCleaner do ...@@ -18,7 +18,11 @@ describe Gitlab::ImportExport::AttributeCleaner do
'notid' => 99, 'notid' => 99,
'import_source' => 'whatever', 'import_source' => 'whatever',
'import_type' => 'whatever', 'import_type' => 'whatever',
'non_existent_attr' => 'whatever' 'non_existent_attr' => 'whatever',
'some_html' => '<p>dodgy html</p>',
'legit_html' => '<p>legit html</p>',
'_html' => '<p>perfectly ordinary html</p>',
'cached_markdown_version' => 12345
} }
end end
......
spec/lib/gitlab/import_export/project.json
View file @ fdcaeb38
...@@ -158,6 +158,8 @@ ...@@ -158,6 +158,8 @@
{ {
"id": 351, "id": 351,
"note": "Quo reprehenderit aliquam qui dicta impedit cupiditate eligendi.", "note": "Quo reprehenderit aliquam qui dicta impedit cupiditate eligendi.",
"note_html": "<p>something else entirely</p>",
"cached_markdown_version": 917504,
"noteable_type": "Issue", "noteable_type": "Issue",
"author_id": 26, "author_id": 26,
"created_at": "2016-06-14T15:02:47.770Z", "created_at": "2016-06-14T15:02:47.770Z",
...@@ -2363,6 +2365,8 @@ ...@@ -2363,6 +2365,8 @@
{ {
"id": 671, "id": 671,
"note": "Sit voluptatibus eveniet architecto quidem.", "note": "Sit voluptatibus eveniet architecto quidem.",
"note_html": "<p>something else entirely</p>",
"cached_markdown_version": 917504,
"noteable_type": "MergeRequest", "noteable_type": "MergeRequest",
"author_id": 26, "author_id": 26,
"created_at": "2016-06-14T15:02:56.632Z", "created_at": "2016-06-14T15:02:56.632Z",
......
spec/lib/gitlab/import_export/project_tree_restorer_spec.rb
View file @ fdcaeb38
...@@ -58,6 +58,26 @@ describe Gitlab::ImportExport::ProjectTreeRestorer do ...@@ -58,6 +58,26 @@ describe Gitlab::ImportExport::ProjectTreeRestorer do
expect(Milestone.find_by_description('test milestone').issues.count).to eq(2) expect(Milestone.find_by_description('test milestone').issues.count).to eq(2)
end end
context 'when importing a project with cached_markdown_version and note_html' do
context 'for an Issue' do
it 'does not import note_html' do
note_content = 'Quo reprehenderit aliquam qui dicta impedit cupiditate eligendi'
issue_note = Issue.find_by(description: 'Aliquam enim illo et possimus.').notes.select { |n| n.note.match(/#{note_content}/)}.first
expect(issue_note.note_html).to match(/#{note_content}/)
end
end
context 'for a Merge Request' do
it 'does not import note_html' do
note_content = 'Sit voluptatibus eveniet architecto quidem'
merge_request_note = MergeRequest.find_by(title: 'MR1').notes.select { |n| n.note.match(/#{note_content}/)}.first
expect(merge_request_note.note_html).to match(/#{note_content}/)
end
end
end
it 'creates a valid pipeline note' do it 'creates a valid pipeline note' do
expect(Ci::Pipeline.find_by_sha('sha-notes').notes).not_to be_empty expect(Ci::Pipeline.find_by_sha('sha-notes').notes).not_to be_empty
end end
......
spec/lib/gitlab/search_results_spec.rb
View file @ fdcaeb38
...@@ -256,4 +256,27 @@ describe Gitlab::SearchResults do ...@@ -256,4 +256,27 @@ describe Gitlab::SearchResults do
expect(results.objects('merge_requests')).not_to include merge_request expect(results.objects('merge_requests')).not_to include merge_request
end end
context 'milestones' do
it 'returns correct set of milestones' do
private_project_1 = create(:project, :private)
private_project_2 = create(:project, :private)
internal_project = create(:project, :internal)
public_project_1 = create(:project, :public)
public_project_2 = create(:project, :public, :issues_disabled, :merge_requests_disabled)
private_project_1.add_developer(user)
# milestones that should not be visible
create(:milestone, project: private_project_2, title: 'Private project without access milestone')
create(:milestone, project: public_project_2, title: 'Public project with milestones disabled milestone')
# milestones that should be visible
milestone_1 = create(:milestone, project: private_project_1, title: 'Private project with access milestone', state: 'closed')
milestone_2 = create(:milestone, project: internal_project, title: 'Internal project milestone')
milestone_3 = create(:milestone, project: public_project_1, title: 'Public project with milestones enabled milestone')
limit_projects = ProjectsFinder.new(current_user: user).execute
milestones = described_class.new(user, limit_projects, 'milestone').objects('milestones')
expect(milestones).to match_array([milestone_1, milestone_2, milestone_3])
end
end
end end
spec/lib/gitlab/url_blocker_spec.rb
View file @ fdcaeb38
...@@ -2,6 +2,87 @@ ...@@ -2,6 +2,87 @@
require 'spec_helper' require 'spec_helper'
describe Gitlab::UrlBlocker do describe Gitlab::UrlBlocker do
describe '#validate!' do
context 'when URI is nil' do
let(:import_url) { nil }
it 'returns no URI and hostname' do
uri, hostname = described_class.validate!(import_url)
expect(uri).to be(nil)
expect(hostname).to be(nil)
end
end
context 'when URI is internal' do
let(:import_url) { 'http://localhost' }
it 'returns URI and no hostname' do
uri, hostname = described_class.validate!(import_url)
expect(uri).to eq(Addressable::URI.parse('http://[::1]'))
expect(hostname).to eq('localhost')
end
end
context 'when the URL hostname is a domain' do
let(:import_url) { 'https://example.org' }
it 'returns URI and hostname' do
uri, hostname = described_class.validate!(import_url)
expect(uri).to eq(Addressable::URI.parse('https://93.184.216.34'))
expect(hostname).to eq('example.org')
end
end
context 'when the URL hostname is an IP address' do
let(:import_url) { 'https://93.184.216.34' }
it 'returns URI and no hostname' do
uri, hostname = described_class.validate!(import_url)
expect(uri).to eq(Addressable::URI.parse('https://93.184.216.34'))
expect(hostname).to be(nil)
end
end
context 'disabled DNS rebinding protection' do
context 'when URI is internal' do
let(:import_url) { 'http://localhost' }
it 'returns URI and no hostname' do
uri, hostname = described_class.validate!(import_url, dns_rebind_protection: false)
expect(uri).to eq(Addressable::URI.parse('http://localhost'))
expect(hostname).to be(nil)
end
end
context 'when the URL hostname is a domain' do
let(:import_url) { 'https://example.org' }
it 'returns URI and no hostname' do
uri, hostname = described_class.validate!(import_url, dns_rebind_protection: false)
expect(uri).to eq(Addressable::URI.parse('https://example.org'))
expect(hostname).to eq(nil)
end
end
context 'when the URL hostname is an IP address' do
let(:import_url) { 'https://93.184.216.34' }
it 'returns URI and no hostname' do
uri, hostname = described_class.validate!(import_url, dns_rebind_protection: false)
expect(uri).to eq(Addressable::URI.parse('https://93.184.216.34'))
expect(hostname).to be(nil)
end
end
end
end
describe '#blocked_url?' do describe '#blocked_url?' do
let(:ports) { Project::VALID_IMPORT_PORTS } let(:ports) { Project::VALID_IMPORT_PORTS }
...@@ -208,7 +289,7 @@ describe Gitlab::UrlBlocker do ...@@ -208,7 +289,7 @@ describe Gitlab::UrlBlocker do
end end
def stub_domain_resolv(domain, ip) def stub_domain_resolv(domain, ip)
address = double(ip_address: ip, ipv4_private?: true, ipv6_link_local?: false, ipv4_loopback?: false, ipv6_loopback?: false) address = double(ip_address: ip, ipv4_private?: true, ipv6_link_local?: false, ipv4_loopback?: false, ipv6_loopback?: false, ipv4?: false)
allow(Addrinfo).to receive(:getaddrinfo).with(domain, any_args).and_return([address]) allow(Addrinfo).to receive(:getaddrinfo).with(domain, any_args).and_return([address])
allow(address).to receive(:ipv6_v4mapped?).and_return(false) allow(address).to receive(:ipv6_v4mapped?).and_return(false)
end end
......
spec/lib/gitlab_spec.rb
View file @ fdcaeb38
...@@ -109,4 +109,34 @@ describe Gitlab do ...@@ -109,4 +109,34 @@ describe Gitlab do
expect(described_class.ee?).to eq(false) expect(described_class.ee?).to eq(false)
end end
end end
describe '.http_proxy_env?' do
it 'returns true when lower case https' do
stub_env('https_proxy', 'https://my.proxy')
expect(described_class.http_proxy_env?).to eq(true)
end
it 'returns true when upper case https' do
stub_env('HTTPS_PROXY', 'https://my.proxy')
expect(described_class.http_proxy_env?).to eq(true)
end
it 'returns true when lower case http' do
stub_env('http_proxy', 'http://my.proxy')
expect(described_class.http_proxy_env?).to eq(true)
end
it 'returns true when upper case http' do
stub_env('HTTP_PROXY', 'http://my.proxy')
expect(described_class.http_proxy_env?).to eq(true)
end
it 'returns false when not set' do
expect(described_class.http_proxy_env?).to eq(false)
end
end
end end
spec/lib/mattermost/session_spec.rb
View file @ fdcaeb38
...@@ -2,6 +2,7 @@ require 'spec_helper' ...@@ -2,6 +2,7 @@ require 'spec_helper'
describe Mattermost::Session, type: :request do describe Mattermost::Session, type: :request do
include ExclusiveLeaseHelpers include ExclusiveLeaseHelpers
include StubRequests
let(:user) { create(:user) } let(:user) { create(:user) }
...@@ -24,7 +25,7 @@ describe Mattermost::Session, type: :request do ...@@ -24,7 +25,7 @@ describe Mattermost::Session, type: :request do
let(:location) { 'http://location.tld' } let(:location) { 'http://location.tld' }
let(:cookie_header) {'MMOAUTH=taskik8az7rq8k6rkpuas7htia; Path=/;'} let(:cookie_header) {'MMOAUTH=taskik8az7rq8k6rkpuas7htia; Path=/;'}
let!(:stub) do let!(:stub) do
WebMock.stub_request(:get, "#{mattermost_url}/oauth/gitlab/login") stub_full_request("#{mattermost_url}/oauth/gitlab/login")
.to_return(headers: { 'location' => location, 'Set-Cookie' => cookie_header }, status: 302) .to_return(headers: { 'location' => location, 'Set-Cookie' => cookie_header }, status: 302)
end end
...@@ -63,7 +64,7 @@ describe Mattermost::Session, type: :request do ...@@ -63,7 +64,7 @@ describe Mattermost::Session, type: :request do
end end
before do before do
WebMock.stub_request(:get, "#{mattermost_url}/signup/gitlab/complete") stub_full_request("#{mattermost_url}/signup/gitlab/complete")
.with(query: hash_including({ 'state' => state })) .with(query: hash_including({ 'state' => state }))
.to_return do |request| .to_return do |request|
post "/oauth/token", post "/oauth/token",
...@@ -80,7 +81,7 @@ describe Mattermost::Session, type: :request do ...@@ -80,7 +81,7 @@ describe Mattermost::Session, type: :request do
end end
end end
WebMock.stub_request(:post, "#{mattermost_url}/api/v4/users/logout") stub_full_request("#{mattermost_url}/api/v4/users/logout", method: :post)
.to_return(headers: { Authorization: 'token thisworksnow' }, status: 200) .to_return(headers: { Authorization: 'token thisworksnow' }, status: 200)
end end
......
spec/models/merge_request_spec.rb
View file @ fdcaeb38
...@@ -173,6 +173,40 @@ describe MergeRequest do ...@@ -173,6 +173,40 @@ describe MergeRequest do
end end
end end
context 'for branch' do
before do
stub_feature_flags(stricter_mr_branch_name: false)
end
using RSpec::Parameterized::TableSyntax
where(:branch_name, :valid) do
'foo' | true
'foo:bar' | false
'+foo:bar' | false
'foo bar' | false
'-foo' | false
'HEAD' | true
'refs/heads/master' | true
end
with_them do
it "validates source_branch" do
subject = build(:merge_request, source_branch: branch_name, target_branch: 'master')
subject.valid?
expect(subject.errors.added?(:source_branch)).to eq(!valid)
end
it "validates target_branch" do
subject = build(:merge_request, source_branch: 'master', target_branch: branch_name)
subject.valid?
expect(subject.errors.added?(:target_branch)).to eq(!valid)
end
end
end
context 'for forks' do context 'for forks' do
let(:project) { create(:project) } let(:project) { create(:project) }
let(:fork1) { fork_project(project) } let(:fork1) { fork_project(project) }
......
spec/models/project_services/assembla_service_spec.rb
View file @ fdcaeb38
...@@ -3,6 +3,8 @@ ...@@ -3,6 +3,8 @@
require 'spec_helper' require 'spec_helper'
describe AssemblaService do describe AssemblaService do
include StubRequests
describe "Associations" do describe "Associations" do
it { is_expected.to belong_to :project } it { is_expected.to belong_to :project }
it { is_expected.to have_one :service_hook } it { is_expected.to have_one :service_hook }
...@@ -23,12 +25,12 @@ describe AssemblaService do ...@@ -23,12 +25,12 @@ describe AssemblaService do
) )
@sample_data = Gitlab::DataBuilder::Push.build_sample(project, user) @sample_data = Gitlab::DataBuilder::Push.build_sample(project, user)
@api_url = 'https://atlas.assembla.com/spaces/project_name/github_tool?secret_key=verySecret' @api_url = 'https://atlas.assembla.com/spaces/project_name/github_tool?secret_key=verySecret'
WebMock.stub_request(:post, @api_url) stub_full_request(@api_url, method: :post)
end end
it "calls Assembla API" do it "calls Assembla API" do
@assembla_service.execute(@sample_data) @assembla_service.execute(@sample_data)
expect(WebMock).to have_requested(:post, @api_url).with( expect(WebMock).to have_requested(:post, stubbed_hostname(@api_url)).with(
body: /#{@sample_data[:before]}.*#{@sample_data[:after]}.*#{project.path}/ body: /#{@sample_data[:before]}.*#{@sample_data[:after]}.*#{project.path}/
).once ).once
end end
......
spec/models/project_services/bamboo_service_spec.rb
View file @ fdcaeb38
...@@ -4,6 +4,7 @@ require 'spec_helper' ...@@ -4,6 +4,7 @@ require 'spec_helper'
describe BambooService, :use_clean_rails_memory_store_caching do describe BambooService, :use_clean_rails_memory_store_caching do
include ReactiveCachingHelpers include ReactiveCachingHelpers
include StubRequests
let(:bamboo_url) { 'http://gitlab.com/bamboo' } let(:bamboo_url) { 'http://gitlab.com/bamboo' }
...@@ -257,7 +258,7 @@ describe BambooService, :use_clean_rails_memory_store_caching do ...@@ -257,7 +258,7 @@ describe BambooService, :use_clean_rails_memory_store_caching do
end end
def stub_bamboo_request(url, status, body) def stub_bamboo_request(url, status, body)
WebMock.stub_request(:get, url).to_return( stub_full_request(url).to_return(
status: status, status: status,
headers: { 'Content-Type' => 'application/json' }, headers: { 'Content-Type' => 'application/json' },
body: body body: body
......
spec/models/project_services/buildkite_service_spec.rb
View file @ fdcaeb38
...@@ -4,6 +4,7 @@ require 'spec_helper' ...@@ -4,6 +4,7 @@ require 'spec_helper'
describe BuildkiteService, :use_clean_rails_memory_store_caching do describe BuildkiteService, :use_clean_rails_memory_store_caching do
include ReactiveCachingHelpers include ReactiveCachingHelpers
include StubRequests
let(:project) { create(:project) } let(:project) { create(:project) }
...@@ -110,10 +111,9 @@ describe BuildkiteService, :use_clean_rails_memory_store_caching do ...@@ -110,10 +111,9 @@ describe BuildkiteService, :use_clean_rails_memory_store_caching do
body ||= %q({"status":"success"}) body ||= %q({"status":"success"})
buildkite_full_url = 'https://gitlab.buildkite.com/status/secret-sauce-status-token.json?commit=123' buildkite_full_url = 'https://gitlab.buildkite.com/status/secret-sauce-status-token.json?commit=123'
WebMock.stub_request(:get, buildkite_full_url).to_return( stub_full_request(buildkite_full_url)
status: status, .to_return(status: status,
headers: { 'Content-Type' => 'application/json' }, headers: { 'Content-Type' => 'application/json' },
body: body body: body)
)
end end
end end
spec/models/project_services/campfire_service_spec.rb
View file @ fdcaeb38
...@@ -3,6 +3,8 @@ ...@@ -3,6 +3,8 @@
require 'spec_helper' require 'spec_helper'
describe CampfireService do describe CampfireService do
include StubRequests
describe 'Associations' do describe 'Associations' do
it { is_expected.to belong_to :project } it { is_expected.to belong_to :project }
it { is_expected.to have_one :service_hook } it { is_expected.to have_one :service_hook }
...@@ -49,39 +51,37 @@ describe CampfireService do ...@@ -49,39 +51,37 @@ describe CampfireService do
it "calls Campfire API to get a list of rooms and speak in a room" do it "calls Campfire API to get a list of rooms and speak in a room" do
# make sure a valid list of rooms is returned # make sure a valid list of rooms is returned
body = File.read(Rails.root + 'spec/fixtures/project_services/campfire/rooms.json') body = File.read(Rails.root + 'spec/fixtures/project_services/campfire/rooms.json')
WebMock.stub_request(:get, @rooms_url).with(basic_auth: @auth).to_return(
stub_full_request(@rooms_url).with(basic_auth: @auth).to_return(
body: body, body: body,
status: 200, status: 200,
headers: @headers headers: @headers
) )
# stub the speak request with the room id found in the previous request's response # stub the speak request with the room id found in the previous request's response
speak_url = 'https://project-name.campfirenow.com/room/123/speak.json' speak_url = 'https://project-name.campfirenow.com/room/123/speak.json'
WebMock.stub_request(:post, speak_url).with(basic_auth: @auth) stub_full_request(speak_url, method: :post).with(basic_auth: @auth)
@campfire_service.execute(@sample_data) @campfire_service.execute(@sample_data)
expect(WebMock).to have_requested(:get, @rooms_url).once expect(WebMock).to have_requested(:get, stubbed_hostname(@rooms_url)).once
expect(WebMock).to have_requested(:post, speak_url).with( expect(WebMock).to have_requested(:post, stubbed_hostname(speak_url))
body: /#{project.path}.*#{@sample_data[:before]}.*#{@sample_data[:after]}/ .with(body: /#{project.path}.*#{@sample_data[:before]}.*#{@sample_data[:after]}/).once
).once
end end
it "calls Campfire API to get a list of rooms but shouldn't speak in a room" do it "calls Campfire API to get a list of rooms but shouldn't speak in a room" do
# return a list of rooms that do not contain a room named 'test-room' # return a list of rooms that do not contain a room named 'test-room'
body = File.read(Rails.root + 'spec/fixtures/project_services/campfire/rooms2.json') body = File.read(Rails.root + 'spec/fixtures/project_services/campfire/rooms2.json')
WebMock.stub_request(:get, @rooms_url).with(basic_auth: @auth).to_return( stub_full_request(@rooms_url).with(basic_auth: @auth).to_return(
body: body, body: body,
status: 200, status: 200,
headers: @headers headers: @headers
) )
# we want to make sure no request is sent to the /speak endpoint, here is a basic
# regexp that matches this endpoint
speak_url = 'https://verySecret:X@project-name.campfirenow.com/room/.*/speak.json'
@campfire_service.execute(@sample_data) @campfire_service.execute(@sample_data)
expect(WebMock).to have_requested(:get, @rooms_url).once expect(WebMock).to have_requested(:get, 'https://8.8.8.9/rooms.json').once
expect(WebMock).not_to have_requested(:post, /#{speak_url}/) expect(WebMock).not_to have_requested(:post, '*/room/.*/speak.json')
end end
end end
end end
spec/models/project_services/pivotaltracker_service_spec.rb
View file @ fdcaeb38
...@@ -3,6 +3,8 @@ ...@@ -3,6 +3,8 @@
require 'spec_helper' require 'spec_helper'
describe PivotaltrackerService do describe PivotaltrackerService do
include StubRequests
describe 'Associations' do describe 'Associations' do
it { is_expected.to belong_to :project } it { is_expected.to belong_to :project }
it { is_expected.to have_one :service_hook } it { is_expected.to have_one :service_hook }
...@@ -53,12 +55,12 @@ describe PivotaltrackerService do ...@@ -53,12 +55,12 @@ describe PivotaltrackerService do
end end
before do before do
WebMock.stub_request(:post, url) stub_full_request(url, method: :post)
end end
it 'posts correct message' do it 'posts correct message' do
service.execute(push_data) service.execute(push_data)
expect(WebMock).to have_requested(:post, url).with( expect(WebMock).to have_requested(:post, stubbed_hostname(url)).with(
body: { body: {
'source_commit' => { 'source_commit' => {
'commit_id' => '21c12ea', 'commit_id' => '21c12ea',
...@@ -85,14 +87,14 @@ describe PivotaltrackerService do ...@@ -85,14 +87,14 @@ describe PivotaltrackerService do
service.execute(push_data(branch: 'master')) service.execute(push_data(branch: 'master'))
service.execute(push_data(branch: 'v10')) service.execute(push_data(branch: 'v10'))
expect(WebMock).to have_requested(:post, url).twice expect(WebMock).to have_requested(:post, stubbed_hostname(url)).twice
end end
it 'does not post message if branch is not in the list' do it 'does not post message if branch is not in the list' do
service.execute(push_data(branch: 'mas')) service.execute(push_data(branch: 'mas'))
service.execute(push_data(branch: 'v11')) service.execute(push_data(branch: 'v11'))
expect(WebMock).not_to have_requested(:post, url) expect(WebMock).not_to have_requested(:post, stubbed_hostname(url))
end end
end end
end end
......
spec/models/project_services/pushover_service_spec.rb
View file @ fdcaeb38
...@@ -3,6 +3,8 @@ ...@@ -3,6 +3,8 @@
require 'spec_helper' require 'spec_helper'
describe PushoverService do describe PushoverService do
include StubRequests
describe 'Associations' do describe 'Associations' do
it { is_expected.to belong_to :project } it { is_expected.to belong_to :project }
it { is_expected.to have_one :service_hook } it { is_expected.to have_one :service_hook }
...@@ -57,13 +59,13 @@ describe PushoverService do ...@@ -57,13 +59,13 @@ describe PushoverService do
sound: sound sound: sound
) )
WebMock.stub_request(:post, api_url) stub_full_request(api_url, method: :post, ip_address: '8.8.8.8')
end end
it 'calls Pushover API' do it 'calls Pushover API' do
pushover.execute(sample_data) pushover.execute(sample_data)
expect(WebMock).to have_requested(:post, api_url).once expect(WebMock).to have_requested(:post, 'https://8.8.8.8/1/messages.json').once
end end
end end
end end
spec/models/project_services/teamcity_service_spec.rb
View file @ fdcaeb38
...@@ -4,6 +4,7 @@ require 'spec_helper' ...@@ -4,6 +4,7 @@ require 'spec_helper'
describe TeamcityService, :use_clean_rails_memory_store_caching do describe TeamcityService, :use_clean_rails_memory_store_caching do
include ReactiveCachingHelpers include ReactiveCachingHelpers
include StubRequests
let(:teamcity_url) { 'http://gitlab.com/teamcity' } let(:teamcity_url) { 'http://gitlab.com/teamcity' }
...@@ -212,7 +213,7 @@ describe TeamcityService, :use_clean_rails_memory_store_caching do ...@@ -212,7 +213,7 @@ describe TeamcityService, :use_clean_rails_memory_store_caching do
body ||= %Q({"build":{"status":"#{build_status}","id":"666"}}) body ||= %Q({"build":{"status":"#{build_status}","id":"666"}})
WebMock.stub_request(:get, teamcity_full_url).with(basic_auth: auth).to_return( stub_full_request(teamcity_full_url).with(basic_auth: auth).to_return(
status: status, status: status,
headers: { 'Content-Type' => 'application/json' }, headers: { 'Content-Type' => 'application/json' },
body: body body: body
......
spec/models/project_spec.rb
View file @ fdcaeb38
...@@ -3170,6 +3170,23 @@ describe Project do ...@@ -3170,6 +3170,23 @@ describe Project do
end end
end end
describe '.ids_with_milestone_available_for' do
let!(:user) { create(:user) }
it 'returns project ids with milestones available for user' do
project_1 = create(:project, :public, :merge_requests_disabled, :issues_disabled)
project_2 = create(:project, :public, :merge_requests_disabled)
project_3 = create(:project, :public, :issues_disabled)
project_4 = create(:project, :public)
project_4.project_feature.update(issues_access_level: ProjectFeature::PRIVATE, merge_requests_access_level: ProjectFeature::PRIVATE )
project_ids = described_class.ids_with_milestone_available_for(user).pluck(:id)
expect(project_ids).to include(project_2.id, project_3.id)
expect(project_ids).not_to include(project_1.id, project_4.id)
end
end
describe '.with_feature_available_for_user' do describe '.with_feature_available_for_user' do
let(:user) { create(:user) } let(:user) { create(:user) }
let(:feature) { MergeRequest } let(:feature) { MergeRequest }
......
spec/requests/api/search_spec.rb
View file @ fdcaeb38
...@@ -70,11 +70,30 @@ describe API::Search do ...@@ -70,11 +70,30 @@ describe API::Search do
context 'for milestones scope' do context 'for milestones scope' do
before do before do
create(:milestone, project: project, title: 'awesome milestone') create(:milestone, project: project, title: 'awesome milestone')
end
context 'when user can read project milestones' do
before do
get api('/search', user), params: { scope: 'milestones', search: 'awesome' }
end
get api('/search', user), params: { scope: 'milestones', search: 'awesome' } it_behaves_like 'response is correct', schema: 'public_api/v4/milestones'
end end
it_behaves_like 'response is correct', schema: 'public_api/v4/milestones' context 'when user cannot read project milestones' do
before do
project.project_feature.update!(merge_requests_access_level: ProjectFeature::PRIVATE)
project.project_feature.update!(issues_access_level: ProjectFeature::PRIVATE)
end
it 'returns empty array' do
get api('/search', user), params: { scope: 'milestones', search: 'awesome' }
milestones = JSON.parse(response.body)
expect(milestones).to be_empty
end
end
end end
context 'for users scope' do context 'for users scope' do
...@@ -318,11 +337,30 @@ describe API::Search do ...@@ -318,11 +337,30 @@ describe API::Search do
context 'for milestones scope' do context 'for milestones scope' do
before do before do
create(:milestone, project: project, title: 'awesome milestone') create(:milestone, project: project, title: 'awesome milestone')
end
context 'when user can read milestones' do
before do
get api("/projects/#{project.id}/search", user), params: { scope: 'milestones', search: 'awesome' }
end
get api("/projects/#{project.id}/search", user), params: { scope: 'milestones', search: 'awesome' } it_behaves_like 'response is correct', schema: 'public_api/v4/milestones'
end end
it_behaves_like 'response is correct', schema: 'public_api/v4/milestones' context 'when user cannot read project milestones' do
before do
project.project_feature.update!(merge_requests_access_level: ProjectFeature::PRIVATE)
project.project_feature.update!(issues_access_level: ProjectFeature::PRIVATE)
end
it 'returns empty array' do
get api("/projects/#{project.id}/search", user), params: { scope: 'milestones', search: 'awesome' }
milestones = JSON.parse(response.body)
expect(milestones).to be_empty
end
end
end end
context 'for users scope' do context 'for users scope' do
......
spec/requests/api/system_hooks_spec.rb
View file @ fdcaeb38
require 'spec_helper' require 'spec_helper'
describe API::SystemHooks do describe API::SystemHooks do
include StubRequests
let(:user) { create(:user) } let(:user) { create(:user) }
let(:admin) { create(:admin) } let(:admin) { create(:admin) }
let!(:hook) { create(:system_hook, url: "http://example.com") } let!(:hook) { create(:system_hook, url: "http://example.com") }
before do before do
stub_request(:post, hook.url) stub_full_request(hook.url, method: :post)
end end
describe "GET /hooks" do describe "GET /hooks" do
...@@ -68,6 +70,8 @@ describe API::SystemHooks do ...@@ -68,6 +70,8 @@ describe API::SystemHooks do
end end
it 'sets default values for events' do it 'sets default values for events' do
stub_full_request('http://mep.mep', method: :post)
post api('/hooks', admin), params: { url: 'http://mep.mep' } post api('/hooks', admin), params: { url: 'http://mep.mep' }
expect(response).to have_gitlab_http_status(201) expect(response).to have_gitlab_http_status(201)
...@@ -78,6 +82,8 @@ describe API::SystemHooks do ...@@ -78,6 +82,8 @@ describe API::SystemHooks do
end end
it 'sets explicit values for events' do it 'sets explicit values for events' do
stub_full_request('http://mep.mep', method: :post)
post api('/hooks', admin), post api('/hooks', admin),
params: { params: {
url: 'http://mep.mep', url: 'http://mep.mep',
......
spec/services/ci/create_pipeline_service_spec.rb
View file @ fdcaeb38
...@@ -973,7 +973,7 @@ describe Ci::CreatePipelineService do ...@@ -973,7 +973,7 @@ describe Ci::CreatePipelineService do
let(:merge_request) do let(:merge_request) do
create(:merge_request, create(:merge_request,
source_project: project, source_project: project,
source_branch: ref_name, source_branch: Gitlab::Git.ref_name(ref_name),
target_project: project, target_project: project,
target_branch: 'master') target_branch: 'master')
end end
...@@ -1004,7 +1004,7 @@ describe Ci::CreatePipelineService do ...@@ -1004,7 +1004,7 @@ describe Ci::CreatePipelineService do
let(:merge_request) do let(:merge_request) do
create(:merge_request, create(:merge_request,
source_project: project, source_project: project,
source_branch: ref_name, source_branch: Gitlab::Git.ref_name(ref_name),
target_project: project, target_project: project,
target_branch: 'master') target_branch: 'master')
end end
...@@ -1033,7 +1033,7 @@ describe Ci::CreatePipelineService do ...@@ -1033,7 +1033,7 @@ describe Ci::CreatePipelineService do
let(:merge_request) do let(:merge_request) do
create(:merge_request, create(:merge_request,
source_project: project, source_project: project,
source_branch: ref_name, source_branch: Gitlab::Git.ref_name(ref_name),
target_project: project, target_project: project,
target_branch: 'master') target_branch: 'master')
end end
......
spec/services/projects/lfs_pointers/lfs_download_service_spec.rb
View file @ fdcaeb38
...@@ -2,6 +2,8 @@ ...@@ -2,6 +2,8 @@
require 'spec_helper' require 'spec_helper'
describe Projects::LfsPointers::LfsDownloadService do describe Projects::LfsPointers::LfsDownloadService do
include StubRequests
let(:project) { create(:project) } let(:project) { create(:project) }
let(:lfs_content) { SecureRandom.random_bytes(10) } let(:lfs_content) { SecureRandom.random_bytes(10) }
let(:oid) { Digest::SHA256.hexdigest(lfs_content) } let(:oid) { Digest::SHA256.hexdigest(lfs_content) }
...@@ -62,7 +64,7 @@ describe Projects::LfsPointers::LfsDownloadService do ...@@ -62,7 +64,7 @@ describe Projects::LfsPointers::LfsDownloadService do
describe '#execute' do describe '#execute' do
context 'when file download succeeds' do context 'when file download succeeds' do
before do before do
WebMock.stub_request(:get, download_link).to_return(body: lfs_content) stub_full_request(download_link).to_return(body: lfs_content)
end end
it_behaves_like 'lfs object is created' it_behaves_like 'lfs object is created'
...@@ -104,7 +106,7 @@ describe Projects::LfsPointers::LfsDownloadService do ...@@ -104,7 +106,7 @@ describe Projects::LfsPointers::LfsDownloadService do
let(:size) { 1 } let(:size) { 1 }
before do before do
WebMock.stub_request(:get, download_link).to_return(body: lfs_content) stub_full_request(download_link).to_return(body: lfs_content)
end end
it_behaves_like 'no lfs object is created' it_behaves_like 'no lfs object is created'
...@@ -118,7 +120,7 @@ describe Projects::LfsPointers::LfsDownloadService do ...@@ -118,7 +120,7 @@ describe Projects::LfsPointers::LfsDownloadService do
context 'when downloaded lfs file has a different oid' do context 'when downloaded lfs file has a different oid' do
before do before do
WebMock.stub_request(:get, download_link).to_return(body: lfs_content) stub_full_request(download_link).to_return(body: lfs_content)
allow_any_instance_of(Digest::SHA256).to receive(:hexdigest).and_return('foobar') allow_any_instance_of(Digest::SHA256).to receive(:hexdigest).and_return('foobar')
end end
...@@ -136,7 +138,7 @@ describe Projects::LfsPointers::LfsDownloadService do ...@@ -136,7 +138,7 @@ describe Projects::LfsPointers::LfsDownloadService do
let(:lfs_object) { LfsDownloadObject.new(oid: oid, size: size, link: download_link_with_credentials) } let(:lfs_object) { LfsDownloadObject.new(oid: oid, size: size, link: download_link_with_credentials) }
before do before do
WebMock.stub_request(:get, download_link).with(headers: { 'Authorization' => 'Basic dXNlcjpwYXNzd29yZA==' }).to_return(body: lfs_content) stub_full_request(download_link).with(headers: { 'Authorization' => 'Basic dXNlcjpwYXNzd29yZA==' }).to_return(body: lfs_content)
end end
it 'the request adds authorization headers' do it 'the request adds authorization headers' do
...@@ -149,7 +151,7 @@ describe Projects::LfsPointers::LfsDownloadService do ...@@ -149,7 +151,7 @@ describe Projects::LfsPointers::LfsDownloadService do
let(:local_request_setting) { true } let(:local_request_setting) { true }
before do before do
WebMock.stub_request(:get, download_link).to_return(body: lfs_content) stub_full_request(download_link, ip_address: '192.168.2.120').to_return(body: lfs_content)
end end
it_behaves_like 'lfs object is created' it_behaves_like 'lfs object is created'
...@@ -173,7 +175,8 @@ describe Projects::LfsPointers::LfsDownloadService do ...@@ -173,7 +175,8 @@ describe Projects::LfsPointers::LfsDownloadService do
with_them do with_them do
before do before do
WebMock.stub_request(:get, download_link).to_return(status: 301, headers: { 'Location' => redirect_link }) stub_full_request(download_link, ip_address: '192.168.2.120')
.to_return(status: 301, headers: { 'Location' => redirect_link })
end end
it_behaves_like 'no lfs object is created' it_behaves_like 'no lfs object is created'
...@@ -184,8 +187,8 @@ describe Projects::LfsPointers::LfsDownloadService do ...@@ -184,8 +187,8 @@ describe Projects::LfsPointers::LfsDownloadService do
let(:redirect_link) { "http://example.com/"} let(:redirect_link) { "http://example.com/"}
before do before do
WebMock.stub_request(:get, download_link).to_return(status: 301, headers: { 'Location' => redirect_link }) stub_full_request(download_link).to_return(status: 301, headers: { 'Location' => redirect_link })
WebMock.stub_request(:get, redirect_link).to_return(body: lfs_content) stub_full_request(redirect_link).to_return(body: lfs_content)
end end
it_behaves_like 'lfs object is created' it_behaves_like 'lfs object is created'
......
spec/services/submit_usage_ping_service_spec.rb
View file @ fdcaeb38
...@@ -3,6 +3,8 @@ ...@@ -3,6 +3,8 @@
require 'spec_helper' require 'spec_helper'
describe SubmitUsagePingService do describe SubmitUsagePingService do
include StubRequests
context 'when usage ping is disabled' do context 'when usage ping is disabled' do
before do before do
stub_application_setting(usage_ping_enabled: false) stub_application_setting(usage_ping_enabled: false)
...@@ -99,7 +101,7 @@ describe SubmitUsagePingService do ...@@ -99,7 +101,7 @@ describe SubmitUsagePingService do
end end
def stub_response(body) def stub_response(body)
stub_request(:post, 'https://version.gitlab.com/usage_data') stub_full_request('https://version.gitlab.com/usage_data', method: :post)
.to_return( .to_return(
headers: { 'Content-Type' => 'application/json' }, headers: { 'Content-Type' => 'application/json' },
body: body.to_json body: body.to_json
......
spec/services/web_hook_service_spec.rb
View file @ fdcaeb38
...@@ -3,6 +3,8 @@ ...@@ -3,6 +3,8 @@
require 'spec_helper' require 'spec_helper'
describe WebHookService do describe WebHookService do
include StubRequests
let(:project) { create(:project) } let(:project) { create(:project) }
let(:project_hook) { create(:project_hook) } let(:project_hook) { create(:project_hook) }
let(:headers) do let(:headers) do
...@@ -67,11 +69,11 @@ describe WebHookService do ...@@ -67,11 +69,11 @@ describe WebHookService do
let(:project_hook) { create(:project_hook, url: 'https://demo:demo@example.org/') } let(:project_hook) { create(:project_hook, url: 'https://demo:demo@example.org/') }
it 'uses the credentials' do it 'uses the credentials' do
WebMock.stub_request(:post, url) stub_full_request(url, method: :post)
service_instance.execute service_instance.execute
expect(WebMock).to have_requested(:post, url).with( expect(WebMock).to have_requested(:post, stubbed_hostname(url)).with(
headers: headers.merge('Authorization' => 'Basic ZGVtbzpkZW1v') headers: headers.merge('Authorization' => 'Basic ZGVtbzpkZW1v')
).once ).once
end end
...@@ -82,11 +84,11 @@ describe WebHookService do ...@@ -82,11 +84,11 @@ describe WebHookService do
let(:project_hook) { create(:project_hook, url: 'https://demo@example.org/') } let(:project_hook) { create(:project_hook, url: 'https://demo@example.org/') }
it 'uses the credentials anyways' do it 'uses the credentials anyways' do
WebMock.stub_request(:post, url) stub_full_request(url, method: :post)
service_instance.execute service_instance.execute
expect(WebMock).to have_requested(:post, url).with( expect(WebMock).to have_requested(:post, stubbed_hostname(url)).with(
headers: headers.merge('Authorization' => 'Basic ZGVtbzo=') headers: headers.merge('Authorization' => 'Basic ZGVtbzo=')
).once ).once
end end
......
spec/support/helpers/stub_requests.rb 0 → 100644
View file @ fdcaeb38
module StubRequests
IP_ADDRESS_STUB = '8.8.8.9'.freeze
# Fully stubs a request using WebMock class. This class also
# stubs the IP address the URL is translated to (DNS lookup).
#
# It expects the final request to go to the `ip_address` instead the given url.
# That's primarily a DNS rebind attack prevention of Gitlab::HTTP
# (see: Gitlab::UrlBlocker).
#
def stub_full_request(url, ip_address: IP_ADDRESS_STUB, port: 80, method: :get)
stub_dns(url, ip_address: ip_address, port: port)
url = stubbed_hostname(url, hostname: ip_address)
WebMock.stub_request(method, url)
end
def stub_dns(url, ip_address:, port: 80)
url = parse_url(url)
socket = Socket.sockaddr_in(port, ip_address)
addr = Addrinfo.new(socket)
# See Gitlab::UrlBlocker
allow(Addrinfo).to receive(:getaddrinfo)
.with(url.hostname, url.port, nil, :STREAM)
.and_return([addr])
end
def stubbed_hostname(url, hostname: IP_ADDRESS_STUB)
url = parse_url(url)
url.hostname = hostname
url.to_s
end
private
def parse_url(url)
url.is_a?(URI) ? url : URI(url)
end
end
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7