Add latest changes from gitlab-org/security/gitlab@12-5-stable-ee

spec/requests/api/oauth_tokens_spec.rb

@@ -30,26 +30,40 @@ describe 'OAuth tokens' do
       end
     end
-    context "when user is blocked" do
-      it "does not create an access token" do
-        user = create(:user)
+    shared_examples 'does not create an access token' do
+      let(:user) { create(:user) }
+
+      it { expect(response).to have_gitlab_http_status(401) }
+    end
+
+    context 'when user is blocked' do
+      before do
         user.block
         request_oauth_token(user)
-
-        expect(response).to have_gitlab_http_status(401)
       end
+
+      include_examples 'does not create an access token'
     end
-    context "when user is ldap_blocked" do
-      it "does not create an access token" do
-        user = create(:user)
+    context 'when user is ldap_blocked' do
+      before do
         user.ldap_block
         request_oauth_token(user)
-        expect(response).to have_gitlab_http_status(401)
+      end
+      include_examples 'does not create an access token'
+    end
+
+    context 'when user account is not confirmed' do
+      before do
+        user.update!(confirmed_at: nil)
+
+        request_oauth_token(user)
       end
+
+      include_examples 'does not create an access token'
     end
   end
 end

spec/requests/api/runner_spec.rb

@@ -1499,7 +1499,7 @@ describe API::Runner, :clean_gitlab_redis_shared_state do
           authorize_artifacts
-          expect(response).to have_gitlab_http_status(500)
+          expect(response).to have_gitlab_http_status(:forbidden)
         end
         context 'authorization token is invalid' do
@@ -1629,6 +1629,16 @@ describe API::Runner, :clean_gitlab_redis_shared_state do
             end
           end
+          context 'Is missing GitLab Workhorse token headers' do
+            let(:jwt_token) { JWT.encode({ 'iss' => 'invalid-header' }, Gitlab::Workhorse.secret, 'HS256') }
+
+            it 'fails to post artifacts without GitLab-Workhorse' do
+              upload_artifacts(file_upload, headers_with_token)
+
+              expect(response).to have_gitlab_http_status(:forbidden)
+            end
+          end
+
           context 'when setting an expire date' do
             let(:default_artifacts_expire_in) {}
             let(:post_data) do

spec/services/projects/group_links/destroy_service_spec.rb

@@ -3,8 +3,8 @@
 require 'spec_helper'
 describe Projects::GroupLinks::DestroyService, '#execute' do
-  let(:group_link) { create :project_group_link }
-  let(:project) { group_link.project }
+  let(:project) { create(:project, :private) }
+  let!(:group_link) { create(:project_group_link, project: project) }
   let(:user) { create :user }
   let(:subject) { described_class.new(project, user) }
@@ -15,4 +15,39 @@ describe Projects::GroupLinks::DestroyService, '#execute' do
   it 'returns false if group_link is blank' do
     expect { subject.execute(nil) }.not_to change { project.project_group_links.count }
   end
+
+  describe 'todos cleanup' do
+    context 'when project is private' do
+      it 'triggers todos cleanup' do
+        expect(TodosDestroyer::ProjectPrivateWorker).to receive(:perform_in).with(Todo::WAIT_FOR_DELETE, project.id)
+        expect(project.private?).to be true
+
+        subject.execute(group_link)
+      end
+    end
+
+    context 'when project is public or internal' do
+      shared_examples_for 'removes confidential todos' do
+        it 'does not trigger todos cleanup' do
+          expect(TodosDestroyer::ProjectPrivateWorker).not_to receive(:perform_in).with(Todo::WAIT_FOR_DELETE, project.id)
+          expect(TodosDestroyer::ConfidentialIssueWorker).to receive(:perform_in).with(Todo::WAIT_FOR_DELETE, nil, project.id)
+          expect(project.private?).to be false
+
+          subject.execute(group_link)
+        end
+      end
+
+      context 'when project is public' do
+        let(:project) { create(:project, :public) }
+
+        it_behaves_like 'removes confidential todos'
+      end
+
+      context 'when project is internal' do
+        let(:project) { create(:project, :public) }
+
+        it_behaves_like 'removes confidential todos'
+      end
+    end
+  end
 end

spec/services/projects/import_export/export_service_spec.rb

@@ -10,6 +10,10 @@ describe Projects::ImportExport::ExportService do
     let(:service) { described_class.new(project, user) }
     let!(:after_export_strategy) { Gitlab::ImportExport::AfterExportStrategies::DownloadNotificationStrategy.new }
+    before do
+      project.add_maintainer(user)
+    end
+
     it 'saves the version' do
       expect(Gitlab::ImportExport::VersionSaver).to receive(:new).and_call_original
@@ -133,5 +137,18 @@ describe Projects::ImportExport::ExportService do
         expect(service).not_to receive(:execute_after_export_action)
       end
     end
+
+    context 'when user does not have admin_project permission' do
+      let!(:another_user) { create(:user) }
+
+      subject(:service) { described_class.new(project, another_user) }
+
+      it 'fails' do
+        expected_message =
+          "User with ID: %s does not have permission to Project %s with ID: %s." %
+            [another_user.id, project.name, project.id]
+        expect { service.execute }.to raise_error(Gitlab::ImportExport::Error).with_message(expected_message)
+      end
+    end
   end
 end

spec/services/projects/operations/update_service_spec.rb

@@ -210,7 +210,7 @@ describe Projects::Operations::UpdateService do
           integration = project.reload.grafana_integration
           expect(integration.grafana_url).to eq(expected_attrs[:grafana_url])
-          expect(integration.token).to eq(expected_attrs[:token])
+          expect(integration.send(:token)).to eq(expected_attrs[:token])
         end
       end
@@ -226,7 +226,7 @@ describe Projects::Operations::UpdateService do
           integration = project.reload.grafana_integration
           expect(integration.grafana_url).to eq(expected_attrs[:grafana_url])
-          expect(integration.token).to eq(expected_attrs[:token])
+          expect(integration.send(:token)).to eq(expected_attrs[:token])
         end
         context 'with all grafana attributes blank in params' do

spec/services/projects/update_pages_service_spec.rb

@@ -5,7 +5,7 @@ require "spec_helper"
 describe Projects::UpdatePagesService do
   set(:project) { create(:project, :repository) }
   set(:pipeline) { create(:ci_pipeline, project: project, sha: project.commit('HEAD').sha) }
-  set(:build) { create(:ci_build, pipeline: pipeline, ref: 'HEAD') }
+  let(:build) { create(:ci_build, pipeline: pipeline, ref: 'HEAD') }
   let(:invalid_file) { fixture_file_upload('spec/fixtures/dk.png') }
   let(:file) { fixture_file_upload("spec/fixtures/pages.zip") }
@@ -242,6 +242,32 @@ describe Projects::UpdatePagesService do
     end
   end
+  context 'when file size is spoofed' do
+    let(:metadata) { spy('metadata') }
+
+    include_context 'pages zip with spoofed size'
+
+    before do
+      file = fixture_file_upload(fake_zip_path, 'pages.zip')
+      metafile = fixture_file_upload('spec/fixtures/pages.zip.meta')
+
+      create(:ci_job_artifact, :archive, file: file, job: build)
+      create(:ci_job_artifact, :metadata, file: metafile, job: build)
+
+      allow(build).to receive(:artifacts_metadata_entry)
+                        .and_return(metadata)
+      allow(metadata).to receive(:total_size).and_return(100)
+    end
+
+    it 'raises an error' do
+      expect do
+        subject.execute
+      end.to raise_error(Projects::UpdatePagesService::FailedToExtractError,
+                         'Entry public/index.html should be 1B but is larger when inflated')
+      expect(deploy_status).to be_script_failure
+    end
+  end
+
   def deploy_status
     GenericCommitStatus.find_by(name: 'pages:deploy')
   end

spec/support/helpers/reference_parser_helpers.rb

@@ -5,6 +5,11 @@ module ReferenceParserHelpers
     Nokogiri::HTML.fragment('<a></a>').children[0]
   end
+  def expect_gathered_references(result, visible, not_visible_count)
+    expect(result[:visible]).to eq(visible)
+    expect(result[:not_visible].count).to eq(not_visible_count)
+  end
+
   shared_examples 'no project N+1 queries' do
     it 'avoids N+1 queries in #nodes_visible_to_user', :request_store do
       context = Banzai::RenderContext.new(project, user)

spec/support/shared_contexts/pages_zip_with_spoofed_size_shared_context.rb

+# frozen_string_literal: true
+
+# the idea of creating zip archive with spoofed size is borrowed from
+# https://github.com/rubyzip/rubyzip/pull/403/files#diff-118213fb4baa6404a40f89e1147661ebR88
+RSpec.shared_context 'pages zip with spoofed size' do
+  let(:real_zip_path) { Tempfile.new(['real', '.zip']).path }
+  let(:fake_zip_path) { Tempfile.new(['fake', '.zip']).path }
+
+  before do
+    full_file_name = 'public/index.html'
+    true_size = 500_000
+    fake_size = 1
+
+    ::Zip::File.open(real_zip_path, ::Zip::File::CREATE) do |zf|
+      zf.get_output_stream(full_file_name) do |os|
+        os.write 'a' * true_size
+      end
+    end
+
+    compressed_size = nil
+    ::Zip::File.open(real_zip_path) do |zf|
+      a_entry = zf.find_entry(full_file_name)
+      compressed_size = a_entry.compressed_size
+    end
+
+    true_size_bytes = [compressed_size, true_size, full_file_name.size].pack('LLS')
+    fake_size_bytes = [compressed_size, fake_size, full_file_name.size].pack('LLS')
+
+    data = File.binread(real_zip_path)
+    data.gsub! true_size_bytes, fake_size_bytes
+
+    File.open(fake_zip_path, 'wb') do |file|
+      file.write data
+    end
+  end
+
+  after do
+    File.delete(real_zip_path) if File.exist?(real_zip_path)
+    File.delete(fake_zip_path) if File.exist?(fake_zip_path)
+  end
+end