6 files changed, 133 insertions, 9 deletions

diff --git a/spec/models/ci/runner_spec.rb b/spec/models/ci/runner_spec.rb
index 6830a8daa3b..79f97c606a0 100644
--- a/spec/models/ci/runner_spec.rb
+++ b/spec/models/ci/runner_spec.rb
@@ -29,15 +29,25 @@ RSpec.describe Ci::Runner do
 
     context 'when runner is not allowed to pick untagged jobs' do
       context 'when runner does not have tags' do
+        let(:runner) { build(:ci_runner, tag_list: [], run_untagged: false) }
+
+        it 'is not valid' do
+          expect(runner).to be_invalid
+        end
+      end
+
+      context 'when runner has too many tags' do
+        let(:runner) { build(:ci_runner, tag_list: (1..::Ci::Runner::TAG_LIST_MAX_LENGTH + 1).map { |i| "tag#{i}" }, run_untagged: false) }
+
         it 'is not valid' do
-          runner = build(:ci_runner, tag_list: [], run_untagged: false)
           expect(runner).to be_invalid
         end
       end
 
       context 'when runner has tags' do
+        let(:runner) { build(:ci_runner, tag_list: ['tag'], run_untagged: false) }
+
         it 'is valid' do
-          runner = build(:ci_runner, tag_list: ['tag'], run_untagged: false)
           expect(runner).to be_valid
         end
       end
diff --git a/spec/models/hooks/system_hook_spec.rb b/spec/models/hooks/system_hook_spec.rb
index 89bfb742f5d..17cb5da977a 100644
--- a/spec/models/hooks/system_hook_spec.rb
+++ b/spec/models/hooks/system_hook_spec.rb
@@ -37,7 +37,7 @@ RSpec.describe SystemHook do
     let(:project)     { create(:project, namespace: user.namespace) }
     let(:group)       { create(:group) }
     let(:params) do
-      { name: 'John Doe', username: 'jduser', email: 'jg@example.com', password: Gitlab::Password.test_default }
+      { name: 'John Doe', username: 'jduser', email: 'jg@example.com', password: 'mydummypass' }
     end
 
     before do
diff --git a/spec/models/integrations/asana_spec.rb b/spec/models/integrations/asana_spec.rb
index b6602964182..43e876a4f47 100644
--- a/spec/models/integrations/asana_spec.rb
+++ b/spec/models/integrations/asana_spec.rb
@@ -20,11 +20,13 @@ RSpec.describe Integrations::Asana do
     let(:gid) { "123456789ABCD" }
     let(:asana_task) { double(::Asana::Resources::Task) }
     let(:asana_integration) { described_class.new }
+    let(:ref) { 'main' }
+    let(:restrict_to_branch) { nil }
 
     let(:data) do
       {
         object_kind: 'push',
-        ref: 'master',
+        ref: ref,
         user_name: user.name,
         commits: [
           {
@@ -40,16 +42,44 @@ RSpec.describe Integrations::Asana do
         project: project,
         project_id: project.id,
         api_key: 'verySecret',
-        restrict_to_branch: 'master'
+        restrict_to_branch: restrict_to_branch
       )
     end
 
     subject(:execute_integration) { asana_integration.execute(data) }
 
+    context 'with restrict_to_branch' do
+      let(:restrict_to_branch) { 'feature-branch, main' }
+      let(:message) { 'fix #456789' }
+
+      context 'when ref is in scope of restriced branches' do
+        let(:ref) { 'main' }
+
+        it 'calls the Asana integration' do
+          expect(asana_task).to receive(:add_comment)
+          expect(asana_task).to receive(:update).with(completed: true)
+          expect(::Asana::Resources::Task).to receive(:find_by_id).with(anything, '456789').once.and_return(asana_task)
+
+          execute_integration
+        end
+      end
+
+      context 'when ref is not in scope of restricted branches' do
+        let(:ref) { 'mai' }
+
+        it 'does not call the Asana integration' do
+          expect(asana_task).not_to receive(:add_comment)
+          expect(::Asana::Resources::Task).not_to receive(:find_by_id)
+
+          execute_integration
+        end
+      end
+    end
+
     context 'when creating a story' do
       let(:message) { "Message from commit. related to ##{gid}" }
       let(:expected_message) do
-        "#{user.name} pushed to branch master of #{project.full_name} ( https://gitlab.com/ ): #{message}"
+        "#{user.name} pushed to branch main of #{project.full_name} ( https://gitlab.com/ ): #{message}"
       end
 
       it 'calls Asana integration to create a story' do
diff --git a/spec/models/releases/link_spec.rb b/spec/models/releases/link_spec.rb
index 4dc1e53d59e..74ef38f482b 100644
--- a/spec/models/releases/link_spec.rb
+++ b/spec/models/releases/link_spec.rb
@@ -113,6 +113,17 @@ RSpec.describe Releases::Link do
     end
   end
 
+  describe 'when filepath is greater than max length' do
+    let!(:invalid_link) { build(:release_link, filepath: 'x' * (Releases::Link::FILEPATH_MAX_LENGTH + 1), release: release) }
+
+    it 'will not execute regex' do
+      invalid_link.filepath_format_valid?
+
+      expect(invalid_link.errors[:filepath].size).to eq(1)
+      expect(invalid_link.errors[:filepath].first).to start_with("is too long")
+    end
+  end
+
   describe 'FILEPATH_REGEX with table' do
     using RSpec::Parameterized::TableSyntax
 
diff --git a/spec/models/ssh_host_key_spec.rb b/spec/models/ssh_host_key_spec.rb
index 4d729d5585f..4b756846598 100644
--- a/spec/models/ssh_host_key_spec.rb
+++ b/spec/models/ssh_host_key_spec.rb
@@ -4,7 +4,9 @@ require 'spec_helper'
 
 RSpec.describe SshHostKey do
   using RSpec::Parameterized::TableSyntax
+
   include ReactiveCachingHelpers
+  include StubRequests
 
   let(:key1) do
     'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3UpyF2iLqy1d63M6k3jH1vuEnq/NWtE+o' \
@@ -35,6 +37,7 @@ RSpec.describe SshHostKey do
   let(:extra) { known_hosts + "foo\nbar\n" }
   let(:reversed) { known_hosts.lines.reverse.join }
 
+  let(:url) { 'ssh://example.com:2222' }
   let(:compare_host_keys) { nil }
 
   def stub_ssh_keyscan(args, status: true, stdout: "", stderr: "")
@@ -50,7 +53,7 @@ RSpec.describe SshHostKey do
 
   let(:project) { build(:project) }
 
-  subject(:ssh_host_key) { described_class.new(project: project, url: 'ssh://example.com:2222', compare_host_keys: compare_host_keys) }
+  subject(:ssh_host_key) { described_class.new(project: project, url: url, compare_host_keys: compare_host_keys) }
 
   describe '.primary_key' do
     it 'returns a symbol' do
@@ -191,5 +194,45 @@ RSpec.describe SshHostKey do
         is_expected.to eq(error: 'Failed to detect SSH host keys')
       end
     end
+
+    context 'DNS rebinding protection enabled' do
+      before do
+        stub_application_setting(dns_rebinding_protection_enabled: true)
+      end
+
+      it 'sends an address as well as hostname to ssh-keyscan' do
+        stub_dns(url, ip_address: '1.2.3.4')
+
+        stdin = stub_ssh_keyscan(%w[-T 5 -p 2222 -f-])
+
+        cache
+
+        expect(stdin.string).to eq("1.2.3.4 example.com\n")
+      end
+    end
+  end
+
+  describe 'URL validation' do
+    let(:url) { 'ssh://127.0.0.1' }
+
+    context 'when local requests are not allowed' do
+      before do
+        stub_application_setting(allow_local_requests_from_web_hooks_and_services: false)
+      end
+
+      it 'forbids scanning localhost' do
+        expect { ssh_host_key }.to raise_error(/Invalid URL/)
+      end
+    end
+
+    context 'when local requests are allowed' do
+      before do
+        stub_application_setting(allow_local_requests_from_web_hooks_and_services: true)
+      end
+
+      it 'permits scanning localhost' do
+        expect(ssh_host_key.url.to_s).to eq('ssh://127.0.0.1:22')
+      end
+    end
   end
 end
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index c2535fd3698..cd8be088c6c 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -1696,9 +1696,9 @@ RSpec.describe User do
 
   describe '#generate_password' do
     it 'does not generate password by default' do
-      user = create(:user, password: Gitlab::Password.test_default)
+      user = create(:user, password: 'abcdefghe')
 
-      expect(user.password).to eq(Gitlab::Password.test_default)
+      expect(user.password).to eq('abcdefghe')
     end
   end
 
@@ -5792,6 +5792,36 @@ RSpec.describe User do
     end
   end
 
+  describe '#valid_password?' do
+    subject { user.valid_password?(password) }
+
+    context 'user with password not in disallowed list' do
+      let(:user) { create(:user) }
+      let(:password) { user.password }
+
+      it { is_expected.to be_truthy }
+
+      context 'using a wrong password' do
+        let(:password) { 'WRONG PASSWORD' }
+
+        it { is_expected.to be_falsey }
+      end
+    end
+
+    context 'user with disallowed password' do
+      let(:user) { create(:user, :disallowed_password) }
+      let(:password) { user.password }
+
+      it { is_expected.to be_falsey }
+
+      context 'using a wrong password' do
+        let(:password) { 'WRONG PASSWORD' }
+
+        it { is_expected.to be_falsey }
+      end
+    end
+  end
+
   describe '#password_expired?' do
     let(:user) { build(:user, password_expires_at: password_expires_at) }