Merge branch 'rs-pick-security' into 'master'

Pick 10.4.3 fixes into master See merge request gitlab-org/gitlab-ce!17040

Merge branch 'rs-pick-security' into 'master'
490aacf5 · Stan Hu · 721fab66 · 56a41ceb · 490aacf5 · 490aacf5
Commit 490aacf5 authored 7 years ago by Stan Hu
--- a/spec/models/group_spec.rb
+++ b/spec/models/group_spec.rb
@@ -549,7 +549,7 @@ describe Group do
  
    context 'when the ref is a protected branch' do
      before do
-        create(:protected_branch, name: 'ref', project: project)
+        allow(project).to receive(:protected_for?).with('ref').and_return(true)
      end
  
      it_behaves_like 'ref is protected'
@@ -557,7 +557,7 @@ describe Group do
  
    context 'when the ref is a protected tag' do
      before do
-        create(:protected_tag, name: 'ref', project: project)
+        allow(project).to receive(:protected_for?).with('ref').and_return(true)
      end
  
      it_behaves_like 'ref is protected'
@@ -571,6 +571,10 @@ describe Group do
      let(:variable_child_2) { create(:ci_group_variable, group: group_child_2) }
      let(:variable_child_3) { create(:ci_group_variable, group: group_child_3) }
  
+      before do
+        allow(project).to receive(:protected_for?).with('ref').and_return(true)
+      end
+
      it 'returns all variables belong to the group and parent groups' do
        expected_array1 = [protected_variable, secret_variable]
        expected_array2 = [variable_child, variable_child_2, variable_child_3]

--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -2092,7 +2092,7 @@ describe Project do
  
    context 'when the ref is a protected branch' do
      before do
-        create(:protected_branch, name: 'ref', project: project)
+        allow(project).to receive(:protected_for?).with('ref').and_return(true)
      end
  
      it_behaves_like 'ref is protected'
@@ -2100,7 +2100,7 @@ describe Project do
  
    context 'when the ref is a protected tag' do
      before do
-        create(:protected_tag, name: 'ref', project: project)
+        allow(project).to receive(:protected_for?).with('ref').and_return(true)
      end
  
      it_behaves_like 'ref is protected'
@@ -2125,6 +2125,8 @@ describe Project do
  
    context 'when the ref is a protected branch' do
      before do
+        allow(project).to receive(:repository).and_call_original
+        allow(project).to receive_message_chain(:repository, :branch_exists?).and_return(true)
        create(:protected_branch, name: 'ref', project: project)
      end
  
@@ -2135,6 +2137,8 @@ describe Project do
  
    context 'when the ref is a protected tag' do
      before do
+        allow(project).to receive_message_chain(:repository, :branch_exists?).and_return(false)
+        allow(project).to receive_message_chain(:repository, :tag_exists?).and_return(true)
        create(:protected_tag, name: 'ref', project: project)
      end
  

--- a/spec/policies/personal_snippet_policy_spec.rb
+++ b/spec/policies/personal_snippet_policy_spec.rb
 require 'spec_helper'
  
+# Snippet visibility scenarios are included in more details in spec/support/snippet_visibility.rb
 describe PersonalSnippetPolicy do
  let(:regular_user) { create(:user) }
  let(:external_user) { create(:user, :external) }

--- a/spec/policies/project_snippet_policy_spec.rb
+++ b/spec/policies/project_snippet_policy_spec.rb
 require 'spec_helper'
  
+# Snippet visibility scenarios are included in more details in spec/support/snippet_visibility.rb
 describe ProjectSnippetPolicy do
  let(:regular_user) { create(:user) }
  let(:external_user) { create(:user, :external) }

--- a/spec/requests/api/snippets_spec.rb
+++ b/spec/requests/api/snippets_spec.rb
@@ -32,6 +32,27 @@ describe API::Snippets do
      expect(json_response).to be_an Array
      expect(json_response.size).to eq(0)
    end
+
+    it 'returns 404 for non-authenticated' do
+      create(:personal_snippet, :internal)
+
+      get api("/snippets/")
+
+      expect(response).to have_gitlab_http_status(401)
+    end
+
+    it 'does not return snippets related to a project with disable feature visibility' do
+      project = create(:project)
+      create(:project_member, project: project, user: user)
+      public_snippet = create(:personal_snippet, :public, author: user, project: project)
+      project.project_feature.update_attribute(:snippets_access_level, 0)
+
+      get api("/snippets/", user)
+
+      json_response.each do |snippet|
+        expect(snippet["id"]).not_to eq(public_snippet.id)
+      end
+    end
  end
  
  describe 'GET /snippets/public' do

--- a/spec/requests/api/todos_spec.rb
+++ b/spec/requests/api/todos_spec.rb
@@ -129,6 +129,12 @@ describe API::Todos do
  
        post api("/todos/#{pending_1.id}/mark_as_done", john_doe)
      end
+
+      it 'returns 404 if the todo does not belong to the current user' do
+        post api("/todos/#{pending_1.id}/mark_as_done", author_1)
+
+        expect(response.status).to eq(404)
+      end
    end
  end
  

--- a/spec/requests/api/v3/todos_spec.rb
+++ b/spec/requests/api/v3/todos_spec.rb
@@ -38,6 +38,12 @@ describe API::V3::Todos do
  
        delete v3_api("/todos/#{pending_1.id}", john_doe)
      end
+
+      it 'returns 404 if the todo does not belong to the current user' do
+        delete v3_api("/todos/#{pending_1.id}", author_1)
+
+        expect(response.status).to eq(404)
+      end
    end
  end
  

--- a/spec/services/search/snippet_service_spec.rb
+++ b/spec/services/search/snippet_service_spec.rb
@@ -2,7 +2,7 @@ require 'spec_helper'
  
 describe Search::SnippetService do
  let(:author) { create(:author) }
-  let(:project) { create(:project) }
+  let(:project) { create(:project, :public) }
  
  let!(:public_snippet)   { create(:snippet, :public, content: 'password: XXX') }
  let!(:internal_snippet) { create(:snippet, :internal, content: 'password: XXX') }

--- a/spec/support/controllers/githubish_import_controller_shared_examples.rb
+++ b/spec/support/controllers/githubish_import_controller_shared_examples.rb
@@ -256,7 +256,7 @@ shared_examples 'a GitHub-ish import controller: POST create' do
      end
    end
  
-    context 'user has chosen an existing nested namespace and name for the project' do
+    context 'user has chosen an existing nested namespace and name for the project', :postgresql do
      let(:parent_namespace) { create(:group, name: 'foo', owner: user) }
      let(:nested_namespace) { create(:group, name: 'bar', parent: parent_namespace) }
      let(:test_name) { 'test_name' }
@@ -274,7 +274,7 @@ shared_examples 'a GitHub-ish import controller: POST create' do
      end
    end
  
-    context 'user has chosen a non-existent nested namespaces and name for the project' do
+    context 'user has chosen a non-existent nested namespaces and name for the project', :postgresql do
      let(:test_name) { 'test_name' }
  
      it 'takes the selected namespace and name' do
@@ -305,10 +305,14 @@ shared_examples 'a GitHub-ish import controller: POST create' do
      end
    end
  
-    context 'user has chosen existent and non-existent nested namespaces and name for the project' do
+    context 'user has chosen existent and non-existent nested namespaces and name for the project', :postgresql do
      let(:test_name) { 'test_name' }
      let!(:parent_namespace) { create(:group, name: 'foo', owner: user) }
  
+      before do
+        parent_namespace.add_owner(user)
+      end
+
      it 'takes the selected namespace and name' do
        expect(Gitlab::LegacyGithubImport::ProjectCreator)
          .to receive(:new).with(provider_repo, test_name, kind_of(Namespace), user, access_params, type: provider)
@@ -325,6 +329,53 @@ shared_examples 'a GitHub-ish import controller: POST create' do
        expect { post :create, { target_namespace: 'foo/foobar/bar', new_name: test_name, format: :json } }
          .to change { Namespace.count }.by(2)
      end
+
+      it 'does not create a new namespace under the user namespace' do
+        expect(Gitlab::LegacyGithubImport::ProjectCreator)
+            .to receive(:new).with(provider_repo, test_name, user.namespace, user, access_params, type: provider)
+                    .and_return(double(execute: build_stubbed(:project)))
+
+        expect { post :create, { target_namespace: "#{user.namespace_path}/test_group", new_name: test_name, format: :js } }
+            .not_to change { Namespace.count }
+      end
+    end
+
+    context 'user cannot create a subgroup inside a group is not a member of' do
+      let(:test_name) { 'test_name' }
+      let!(:parent_namespace) { create(:group, name: 'foo') }
+
+      it 'does not take the selected namespace and name' do
+        expect(Gitlab::LegacyGithubImport::ProjectCreator)
+            .to receive(:new).with(provider_repo, test_name, user.namespace, user, access_params, type: provider)
+                    .and_return(double(execute: build_stubbed(:project)))
+
+        post :create, { target_namespace: 'foo/foobar/bar', new_name: test_name, format: :js }
+      end
+
+      it 'does not create the namespaces' do
+        allow(Gitlab::LegacyGithubImport::ProjectCreator)
+            .to receive(:new).with(provider_repo, test_name, kind_of(Namespace), user, access_params, type: provider)
+                    .and_return(double(execute: build_stubbed(:project)))
+
+        expect { post :create, { target_namespace: 'foo/foobar/bar', new_name: test_name, format: :js } }
+            .not_to change { Namespace.count }
+      end
+    end
+
+    context 'user can use a group without having permissions to create a group' do
+      let(:test_name) { 'test_name' }
+      let!(:group) { create(:group, name: 'foo') }
+
+      it 'takes the selected namespace and name' do
+        group.add_owner(user)
+        user.update!(can_create_group: false)
+
+        expect(Gitlab::LegacyGithubImport::ProjectCreator)
+            .to receive(:new).with(provider_repo, test_name, group, user, access_params, type: provider)
+                    .and_return(double(execute: build_stubbed(:project)))
+
+        post :create, { target_namespace: 'foo', new_name: test_name, format: :js }
+      end
    end
  
    context 'when user can not create projects in the chosen namespace' do

--- a/spec/support/snippet_visibility.rb
+++ b/spec/support/snippet_visibility.rb
+RSpec.shared_examples 'snippet visibility' do
+  let!(:author) { create(:user) }
+  let!(:member) { create(:user) }
+  let!(:external) { create(:user, :external) }
+
+  let!(:snippet_type_visibilities) do
+    {
+      public: Snippet::PUBLIC,
+      internal: Snippet::INTERNAL,
+      private: Snippet::PRIVATE
+    }
+  end
+
+  context "For project snippets" do
+    let!(:users) do
+      {
+        unauthenticated: nil,
+        external: external,
+        non_member: create(:user),
+        member: member,
+        author: author
+      }
+    end
+
+    let!(:project_type_visibilities) do
+      {
+        public: Gitlab::VisibilityLevel::PUBLIC,
+        internal: Gitlab::VisibilityLevel::INTERNAL,
+        private: Gitlab::VisibilityLevel::PRIVATE
+      }
+    end
+
+    let(:project_feature_visibilities) do
+      {
+        enabled: ProjectFeature::ENABLED,
+        private: ProjectFeature::PRIVATE,
+        disabled: ProjectFeature::DISABLED
+      }
+    end
+
+    where(:project_type, :feature_visibility, :user_type, :snippet_type, :outcome) do
+      [
+        # Public projects
+        [:public, :enabled, :unauthenticated,    :public,   true],
+        [:public, :enabled, :unauthenticated,    :internal, false],
+        [:public, :enabled, :unauthenticated,    :private,  false],
+
+        [:public, :enabled, :external,           :public,   true],
+        [:public, :enabled, :external,           :internal, false],
+        [:public, :enabled, :external,           :private,  false],
+
+        [:public, :enabled, :non_member,         :public,   true],
+        [:public, :enabled, :non_member,         :internal, true],
+        [:public, :enabled, :non_member,         :private,  false],
+
+        [:public, :enabled, :member,             :public,   true],
+        [:public, :enabled, :member,             :internal, true],
+        [:public, :enabled, :member,             :private,  true],
+
+        [:public, :enabled, :author,             :public,   true],
+        [:public, :enabled, :author,             :internal, true],
+        [:public, :enabled, :author,             :private,  true],
+
+        [:public, :private, :unauthenticated,    :public,   false],
+        [:public, :private, :unauthenticated,    :internal, false],
+        [:public, :private, :unauthenticated,    :private,  false],
+
+        [:public, :private, :external,           :public,   false],
+        [:public, :private, :external,           :internal, false],
+        [:public, :private, :external,           :private,  false],
+
+        [:public, :private, :non_member,         :public,   false],
+        [:public, :private, :non_member,         :internal, false],
+        [:public, :private, :non_member,         :private,  false],
+
+        [:public, :private, :member,             :public,   true],
+        [:public, :private, :member,             :internal, true],
+        [:public, :private, :member,             :private,  true],
+
+        [:public, :private, :author,             :public,   true],
+        [:public, :private, :author,             :internal, true],
+        [:public, :private, :author,             :private,  true],
+
+        [:public, :disabled, :unauthenticated,   :public,   false],
+        [:public, :disabled, :unauthenticated,   :internal, false],
+        [:public, :disabled, :unauthenticated,   :private,  false],
+
+        [:public, :disabled, :external,          :public,   false],
+        [:public, :disabled, :external,          :internal, false],
+        [:public, :disabled, :external,          :private,  false],
+
+        [:public, :disabled, :non_member,        :public,   false],
+        [:public, :disabled, :non_member,        :internal, false],
+        [:public, :disabled, :non_member,        :private,  false],
+
+        [:public, :disabled, :member,            :public,   false],
+        [:public, :disabled, :member,            :internal, false],
+        [:public, :disabled, :member,            :private,  false],
+
+        [:public, :disabled, :author,            :public,   false],
+        [:public, :disabled, :author,            :internal, false],
+        [:public, :disabled, :author,            :private,  false],
+
+        # Internal projects
+        [:internal, :enabled, :unauthenticated,  :public,   false],
+        [:internal, :enabled, :unauthenticated,  :internal, false],
+        [:internal, :enabled, :unauthenticated,  :private,  false],
+
+        [:internal, :enabled, :external,         :public,   false],
+        [:internal, :enabled, :external,         :internal, false],
+        [:internal, :enabled, :external,         :private,  false],
+
+        [:internal, :enabled, :non_member,       :public,   true],
+        [:internal, :enabled, :non_member,       :internal, true],
+        [:internal, :enabled, :non_member,       :private,  false],
+
+        [:internal, :enabled, :member,           :public,   true],
+        [:internal, :enabled, :member,           :internal, true],
+        [:internal, :enabled, :member,           :private,  true],
+
+        [:internal, :enabled, :author,           :public,   true],
+        [:internal, :enabled, :author,           :internal, true],
+        [:internal, :enabled, :author,           :private,  true],
+
+        [:internal, :private, :unauthenticated,  :public,   false],
+        [:internal, :private, :unauthenticated,  :internal, false],
+        [:internal, :private, :unauthenticated,  :private,  false],
+
+        [:internal, :private, :external,         :public,   false],
+        [:internal, :private, :external,         :internal, false],
+        [:internal, :private, :external,         :private,  false],
+
+        [:internal, :private, :non_member,       :public,   false],
+        [:internal, :private, :non_member,       :internal, false],
+        [:internal, :private, :non_member,       :private,  false],
+
+        [:internal, :private, :member,           :public,   true],
+        [:internal, :private, :member,           :internal, true],
+        [:internal, :private, :member,           :private,  true],
+
+        [:internal, :private, :author,           :public,   true],
+        [:internal, :private, :author,           :internal, true],
+        [:internal, :private, :author,           :private,  true],
+
+        [:internal, :disabled, :unauthenticated, :public,   false],
+        [:internal, :disabled, :unauthenticated, :internal, false],
+        [:internal, :disabled, :unauthenticated, :private,  false],
+
+        [:internal, :disabled, :external,        :public,   false],
+        [:internal, :disabled, :external,        :internal, false],
+        [:internal, :disabled, :external,        :private,  false],
+
+        [:internal, :disabled, :non_member,      :public,   false],
+        [:internal, :disabled, :non_member,      :internal, false],
+        [:internal, :disabled, :non_member,      :private,  false],
+
+        [:internal, :disabled, :member,          :public,   false],
+        [:internal, :disabled, :member,          :internal, false],
+        [:internal, :disabled, :member,          :private,  false],
+
+        [:internal, :disabled, :author,          :public,   false],
+        [:internal, :disabled, :author,          :internal, false],
+        [:internal, :disabled, :author,          :private,  false],
+
+        # Private projects
+        [:private, :enabled, :unauthenticated,   :public,   false],
+        [:private, :enabled, :unauthenticated,   :internal, false],
+        [:private, :enabled, :unauthenticated,   :private,  false],
+
+        [:private, :enabled, :external,          :public,   true],
+        [:private, :enabled, :external,          :internal, true],
+        [:private, :enabled, :external,          :private,  true],
+
+        [:private, :enabled, :non_member,        :public,   false],
+        [:private, :enabled, :non_member,        :internal, false],
+        [:private, :enabled, :non_member,        :private,  false],
+
+        [:private, :enabled, :member,            :public,   true],
+        [:private, :enabled, :member,            :internal, true],
+        [:private, :enabled, :member,            :private,  true],
+
+        [:private, :enabled, :author,            :public,   true],
+        [:private, :enabled, :author,            :internal, true],
+        [:private, :enabled, :author,            :private,  true],
+
+        [:private, :private, :unauthenticated,   :public,   false],
+        [:private, :private, :unauthenticated,   :internal, false],
+        [:private, :private, :unauthenticated,   :private,  false],
+
+        [:private, :private, :external,          :public,   true],
+        [:private, :private, :external,          :internal, true],
+        [:private, :private, :external,          :private,  true],
+
+        [:private, :private, :non_member,        :public,   false],
+        [:private, :private, :non_member,        :internal, false],
+        [:private, :private, :non_member,        :private,  false],
+
+        [:private, :private, :member,            :public,   true],
+        [:private, :private, :member,            :internal, true],
+        [:private, :private, :member,            :private,  true],
+
+        [:private, :private, :author,            :public,   true],
+        [:private, :private, :author,            :internal, true],
+        [:private, :private, :author,            :private,  true],
+
+        [:private, :disabled, :unauthenticated,  :public,   false],
+        [:private, :disabled, :unauthenticated,  :internal, false],
+        [:private, :disabled, :unauthenticated,  :private,  false],
+
+        [:private, :disabled, :external,         :public,   false],
+        [:private, :disabled, :external,         :internal, false],
+        [:private, :disabled, :external,         :private,  false],
+
+        [:private, :disabled, :non_member,       :public,   false],
+        [:private, :disabled, :non_member,       :internal, false],
+        [:private, :disabled, :non_member,       :private,  false],
+
+        [:private, :disabled, :member,           :public,   false],
+        [:private, :disabled, :member,           :internal, false],
+        [:private, :disabled, :member,           :private,  false],
+
+        [:private, :disabled, :author,           :public,   false],
+        [:private, :disabled, :author,           :internal, false],
+        [:private, :disabled, :author,           :private,  false]
+      ]
+    end
+
+    with_them do
+      let!(:project) { create(:project, visibility_level: project_type_visibilities[project_type]) }
+      let!(:project_feature) { project.project_feature.update_column(:snippets_access_level, project_feature_visibilities[feature_visibility]) }
+      let!(:user) { users[user_type] }
+      let!(:snippet) { create(:project_snippet, visibility_level: snippet_type_visibilities[snippet_type], project: project, author: author) }
+      let!(:members) do
+        project.add_developer(author)
+        project.add_developer(member)
+        project.add_developer(external) if project.private?
+      end
+
+      context "For #{params[:project_type]} project and #{params[:user_type]} users" do
+        it 'should agree with the read_project_snippet policy' do
+          expect(can?(user, :read_project_snippet, snippet)).to eq(outcome)
+        end
+
+        it 'should return proper outcome' do
+          results = described_class.new(user, project: project).execute
+          expect(results.include?(snippet)).to eq(outcome)
+        end
+      end
+
+      context "Without a given project and #{params[:user_type]} users" do
+        it 'should return proper outcome' do
+          results = described_class.new(user).execute
+          expect(results.include?(snippet)).to eq(outcome)
+        end
+      end
+    end
+  end
+
+  context 'For personal snippets' do
+    let!(:users) do
+      {
+        unauthenticated: nil,
+        external: external,
+        non_member: create(:user),
+        author: author
+      }
+    end
+
+    where(:snippet_visibility, :user_type, :outcome) do
+      [
+        [:public,   :unauthenticated, true],
+        [:public,   :external,        true],
+        [:public,   :non_member,      true],
+        [:public,   :author,          true],
+
+        [:internal, :unauthenticated, false],
+        [:internal, :external,        false],
+        [:internal, :non_member,      true],
+        [:internal, :author,          true],
+
+        [:private,  :unauthenticated, false],
+        [:private,  :external,        false],
+        [:private,  :non_member,      false],
+        [:private,  :author,          true]
+      ]
+    end
+
+    with_them do
+      let!(:user) { users[user_type] }
+      let!(:snippet) { create(:personal_snippet, visibility_level: snippet_type_visibilities[snippet_visibility], author: author) }
+
+      context "For personal and #{params[:snippet_visibility]} snippets with #{params[:user_type]} user" do
+        it 'should agree with read_personal_snippet policy' do
+          expect(can?(user, :read_personal_snippet, snippet)).to eq(outcome)
+        end
+
+        it 'should return proper outcome' do
+          results = described_class.new(user).execute
+          expect(results.include?(snippet)).to eq(outcome)
+        end
+      end
+    end
+  end
+end