authorGitLab Bot <gitlab-bot@gitlab.com>2021-08-31 15:10:29 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-08-31 15:10:29 +0000
commitd7918f34666a538be467cb9db04630960e3659d3 (patch)
treea1e937ec7569d081a4382ca8d2ca9f6968e0a38f /spec/support
parenta9ae162270049d3a183024e0b1f1626dbe14e847 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'spec/support')
-rw-r--r--spec/support/database/prevent_cross_joins.rb16
-rw-r--r--spec/support/shared_examples/models/concerns/sanitizable_shared_examples.rb41
2 files changed, 52 insertions, 5 deletions
diff --git a/spec/support/database/prevent_cross_joins.rb b/spec/support/database/prevent_cross_joins.rb
index 575fc4293fd..fb92b622636 100644
--- a/spec/support/database/prevent_cross_joins.rb
+++ b/spec/support/database/prevent_cross_joins.rb
@@ -11,7 +11,7 @@
#
# class User
# def ci_owned_runners
-# ::Gitlab::Database.allow_cross_joins_across_databases!(url: link-to-issue-url)
+# ::Gitlab::Database.allow_cross_joins_across_databases(url: link-to-issue-url)
#
# ...
# end
@@ -21,8 +21,10 @@ module Database
module PreventCrossJoins
CrossJoinAcrossUnsupportedTablesError = Class.new(StandardError)
+ ALLOW_THREAD_KEY = :allow_cross_joins_across_databases
+
def self.validate_cross_joins!(sql)
- return if Thread.current[:allow_cross_joins_across_databases]
+ return if Thread.current[ALLOW_THREAD_KEY]
# Allow spec/support/database_cleaner.rb queries to disable/enable triggers for many tables
# See https://gitlab.com/gitlab-org/gitlab/-/issues/339396
@@ -55,7 +57,7 @@ module Database
::Database::PreventCrossJoins.validate_cross_joins!(event.payload[:sql])
end
- Thread.current[:allow_cross_joins_across_databases] = false
+ Thread.current[ALLOW_THREAD_KEY] = false
yield
ensure
@@ -65,8 +67,12 @@ module Database
module GitlabDatabaseMixin
def allow_cross_joins_across_databases(url:)
- Thread.current[:allow_cross_joins_across_databases] = true
- super
+ old_value = Thread.current[ALLOW_THREAD_KEY]
+ Thread.current[ALLOW_THREAD_KEY] = true
+
+ yield
+ ensure
+ Thread.current[ALLOW_THREAD_KEY] = old_value
end
end
end
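Review bot: The rewritten `allow_cross_joins_across_databases` in the last hunk of this file calls `yield` unconditionally and no longer calls `super`, so a caller that passes no block gets a `LocalJumpError`, and specs stop exercising whatever the real `::Gitlab::Database` method does (that method is not visible here, so this may be intentional). The `url:` keyword is now accepted but never read. The usage example in the header comment (first hunk) still shows the call without a `do … end` block, which no longer matches the block-only form. I would document the contract above the method, e.g. `# Spec-only override: requires a block; the previous allowance is restored when the block exits. url: is kept for signature compatibility only.`, and update the header example to the block form.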
diff --git a/spec/support/shared_examples/models/concerns/sanitizable_shared_examples.rb b/spec/support/shared_examples/models/concerns/sanitizable_shared_examples.rb
new file mode 100644
index 00000000000..ed94a71892d
--- /dev/null
+++ b/spec/support/shared_examples/models/concerns/sanitizable_shared_examples.rb
@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+RSpec.shared_examples 'sanitizable' do |factory, fields|
+ let(:attributes) { fields.to_h { |field| [field, input] } }
+
+ it 'includes Sanitizable' do
+ expect(described_class).to include(Sanitizable)
+ end
+
+ fields.each do |field|
+ subject do
+ record = build(factory, attributes)
+ record.valid?
+
+ record.public_send(field)
+ end
+
+ describe "##{field}" do
+ context 'when input includes javascript tags' do
+ let(:input) { 'hello<script>alert(1)</script>' }
+
+ it 'gets sanitized' do
+ expect(subject).to eq('hello')
+ end
+ end
+ end
+
+ describe "##{field} validation" do
+ context 'when input contains pre-escaped html entities' do
+ let_it_be(:input) { '&lt;script&gt;alert(1)&lt;/script&gt;' }
+
+ subject { build(factory, attributes) }
+
+ it 'is not valid', :aggregate_failures do
+ expect(subject).not_to be_valid
+ expect(subject.errors.details[field].flat_map(&:values)).to include('cannot contain escaped HTML entities')
+ end
+ end
+ end
+ end
+end
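Review bot: `subject` is declared inside `fields.each` but at the level of the shared example group, so each iteration redefines the same `subject` and the last one wins. When more than one field is passed, every `describe "##{field}"` example therefore reads the last field through `record.public_send(field)`. Sanitization of the earlier fields is then never asserted, even though the example names suggest it is. Moving the `subject` block inside `describe "##{field}"` gives each field its own definition. The validation describe already scopes its own `subject` and also checks `errors.details[field]` per field, so it is not affected.

```ruby
fields.each do |field|
  describe "##{field}" do
    subject do
      record = build(factory, attributes)
      record.valid?

      record.public_send(field)
    end

    # … unchanged: 'when input includes javascript tags' context …
  end

  # … unchanged: "##{field} validation" describe …
end
```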