Diffstat (limited to 'spec')
-rw-r--r-- | spec/lib/api/helpers/custom_validators_spec.rb | 59 | ||||
-rw-r--r-- | spec/lib/gitlab/utils_spec.rb | 8 | ||||
-rw-r--r-- | spec/requests/api/files_spec.rb | 54 |
3 files changed, 107 insertions, 14 deletions
diff --git a/spec/lib/api/helpers/custom_validators_spec.rb b/spec/lib/api/helpers/custom_validators_spec.rb
index 1ebce2ab5c4..10505210e65 100644
--- a/spec/lib/api/helpers/custom_validators_spec.rb
+++ b/spec/lib/api/helpers/custom_validators_spec.rb
@@ -24,7 +24,38 @@ describe API::Helpers::CustomValidators do
 context 'invalid parameters' do
 it 'raises a validation error' do
- expect_validation_error({ 'test' => 'some_value' })
+ expect_validation_error('test' => 'some_value')
+ end
+ end
+ end
+
+ describe API::Helpers::CustomValidators::FilePath do
+ subject do
+ described_class.new(['test'], {}, false, scope.new)
+ end
+
+ context 'valid file path' do
+ it 'does not raise a validation error' do
+ expect_no_validation_error('test' => './foo')
+ expect_no_validation_error('test' => './bar.rb')
+ expect_no_validation_error('test' => 'foo%2Fbar%2Fnew%2Ffile.rb')
+ expect_no_validation_error('test' => 'foo%2Fbar%2Fnew')
+ expect_no_validation_error('test' => 'foo%252Fbar%252Fnew%252Ffile.rb')
+ end
+ end
+
+ context 'invalid file path' do
+ it 'raise a validation error' do
+ expect_validation_error('test' => '../foo')
+ expect_validation_error('test' => '../')
+ expect_validation_error('test' => 'foo/../../bar')
+ expect_validation_error('test' => 'foo/../')
+ expect_validation_error('test' => 'foo/..')
+ expect_validation_error('test' => '../')
+ expect_validation_error('test' => '..\\')
+ expect_validation_error('test' => '..\/')
+ expect_validation_error('test' => '%2e%2e%2f')
+ expect_validation_error('test' => '/etc/passwd')
 end
 end
 end
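Review bot: The 'invalid file path' examples reject the single-encoded `%2e%2e%2f` but never say what happens to a double-encoded traversal, even though the 'valid file path' list deliberately admits double-encoded separators (`foo%252Fbar%252Fnew%252Ffile.rb`); pin `%252e%252e%252f` explicitly in one list or the other, with a comment such as `# double-encoded traversal: rejected/accepted because …`, so a later change to how many times the path is decoded is caught here rather than in production. Mixed forms (`..%2f`, `%2e%2e/`, `foo%2f..%2f..%2fbar`, a bare `..`) are likewise untested and are the usual bypass attempts against a traversal filter. `expect_validation_error('test' => '../')` is listed twice; drop the second. Because every case lives in one `it`, the first failing assertion hides the rest — iterate the list (`%w[../foo ../ foo/../../bar …].each { |path| expect_validation_error('test' => path) }`) or give each case its own example, and while there change `it 'raise a validation error'` to `'raises a validation error'` to match the sibling examples.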
@@ -36,12 +67,12 @@ describe API::Helpers::CustomValidators do
 context 'valid parameters' do
 it 'does not raise a validation error' do
- expect_no_validation_error({ 'test' => 2 })
- expect_no_validation_error({ 'test' => 100 })
- expect_no_validation_error({ 'test' => 'None' })
- expect_no_validation_error({ 'test' => 'Any' })
- expect_no_validation_error({ 'test' => 'none' })
- expect_no_validation_error({ 'test' => 'any' })
+ expect_no_validation_error('test' => 2)
+ expect_no_validation_error('test' => 100)
+ expect_no_validation_error('test' => 'None')
+ expect_no_validation_error('test' => 'Any')
+ expect_no_validation_error('test' => 'none')
+ expect_no_validation_error('test' => 'any')
 end
 end
@@ -59,18 +90,18 @@ describe API::Helpers::CustomValidators do
 context 'valid parameters' do
 it 'does not raise a validation error' do
- expect_no_validation_error({ 'test' => [] })
- expect_no_validation_error({ 'test' => [1, 2, 3] })
- expect_no_validation_error({ 'test' => 'None' })
- expect_no_validation_error({ 'test' => 'Any' })
- expect_no_validation_error({ 'test' => 'none' })
- expect_no_validation_error({ 'test' => 'any' })
+ expect_no_validation_error('test' => [])
+ expect_no_validation_error('test' => [1, 2, 3])
+ expect_no_validation_error('test' => 'None')
+ expect_no_validation_error('test' => 'Any')
+ expect_no_validation_error('test' => 'none')
+ expect_no_validation_error('test' => 'any')
 end
 end
 context 'invalid parameters' do
 it 'raises a validation error' do
- expect_validation_error({ 'test' => 'some_other_string' })
+ expect_validation_error('test' => 'some_other_string')
 end
 end
 end
diff --git a/spec/lib/gitlab/utils_spec.rb b/spec/lib/gitlab/utils_spec.rb
index 85a536ee6ad..48fc2d826bc 100644
--- a/spec/lib/gitlab/utils_spec.rb
+++ b/spec/lib/gitlab/utils_spec.rb
@@ -31,6 +31,14 @@ describe Gitlab::Utils do
 it 'does nothing for a safe string' do
 expect(check_path_traversal!('./foo')).to eq('./foo')
 end
+
+ it 'does nothing if an absolute path is allowed' do
+ expect(check_path_traversal!('/etc/folder/path', allowed_absolute: true)). to eq('/etc/folder/path')
+ end
+
+ it 'raises exception if an absolute path is not allowed' do
+ expect { check_path_traversal!('/etc/folder/path') }.to raise_error(/Invalid path/)
+ end
 end
 describe '.slugify' do
diff --git a/spec/requests/api/files_spec.rb b/spec/requests/api/files_spec.rb
index 3596647015c..e6406174391 100644
--- a/spec/requests/api/files_spec.rb
+++ b/spec/requests/api/files_spec.rb
@@ -7,6 +7,8 @@ describe API::Files do
 let!(:project) { create(:project, :repository, namespace: user.namespace ) }
 let(:guest) { create(:user) { |u| project.add_guest(u) } }
 let(:file_path) { "files%2Fruby%2Fpopen%2Erb" }
+ let(:rouge_file_path) { "%2e%2e%2f" }
+ let(:invalid_file_message) { 'file_path should be a valid file path' }
 let(:params) do
 {
 ref: 'master'
@@ -55,6 +57,12 @@ describe API::Files do
 describe "HEAD /projects/:id/repository/files/:file_path" do
 shared_examples_for 'repository files' do
+ it 'returns 400 when file path is invalid' do
+ head api(route(rouge_file_path), current_user), params: params
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ end
+
 it 'returns file attributes in headers' do
 head api(route(file_path), current_user), params: params
@@ -145,6 +153,13 @@ describe API::Files do
 describe "GET /projects/:id/repository/files/:file_path" do
 shared_examples_for 'repository files' do
+ it 'returns 400 for invalid file path' do
+ get api(route(rouge_file_path), current_user), params: params
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ expect(json_response['error']).to eq(invalid_file_message)
+ end
+
 it 'returns file attributes as json' do
 get api(route(file_path), current_user), params: params
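Review bot: The new `allowed_absolute: true` example only shows a clean absolute path passing; nothing pins that the flag leaves the traversal check itself intact, which is the regression that would actually matter for a path-traversal helper. Add `expect { check_path_traversal!('/etc/../etc/passwd', allowed_absolute: true) }.to raise_error(/Invalid path/)` beside it, and ideally the backslash and percent-encoded variants as well if this helper is what the API validator delegates to (not visible from this hunk). `expect(...)). to eq(` has a stray space after the dot; write `.to eq(`. The enclosing `describe` block starts before this hunk.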
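Review bot: `rouge_file_path` reads as a typo for `rogue_file_path`; it is referenced from every request example this commit adds, so renaming now is cheaper than later. It is also the only hostile path the request specs send, so the route's own percent-decoding plus the validator are exercised against one encoding only; a double-encoded `%252e%252e%252f` is the case where the two layers can disagree, and a second `let` (or a list iterated inside each 'returns 400' example) would cover it. Pinning `invalid_file_message` to the validator's exact wording `'file_path should be a valid file path'` is fine, but any rewording of that message now fails six examples at once, so a shared example group for the 400 case would localise the breakage.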
@@ -302,6 +317,13 @@ describe API::Files do
 .to eq('c440cd09bae50c4632cc58638ad33c6aa375b6109d811e76a9cc3a613c1e8887')
 end
+ it 'returns 400 when file path is invalid' do
+ get api(route(rouge_file_path) + '/blame', current_user), params: params
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ expect(json_response['error']).to eq(invalid_file_message)
+ end
+
 it 'returns blame file attributes as json' do
 get api(route(file_path) + '/blame', current_user), params: params
@@ -418,6 +440,13 @@ describe API::Files do
 describe "GET /projects/:id/repository/files/:file_path/raw" do
 shared_examples_for 'repository raw files' do
+ it 'returns 400 when file path is invalid' do
+ get api(route(rouge_file_path) + "/raw", current_user), params: params
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ expect(json_response['error']).to eq(invalid_file_message)
+ end
+
 it 'returns raw file info' do
 url = route(file_path) + "/raw"
 expect(Gitlab::Workhorse).to receive(:send_git_blob)
@@ -535,6 +564,13 @@ describe API::Files do
 }
 end
+ it 'returns 400 when file path is invalid' do
+ post api(route(rouge_file_path), user), params: params
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ expect(json_response['error']).to eq(invalid_file_message)
+ end
+
 it "creates a new file in project repo" do
 post api(route(file_path), user), params: params
@@ -662,6 +698,17 @@ describe API::Files do
 expect(response).to have_gitlab_http_status(:ok)
 end
+ it "returns 400 when file path is invalid" do
+ last_commit = Gitlab::Git::Commit
+ .last_for_path(project.repository, 'master', URI.unescape(file_path))
+ params_with_correct_id = params.merge(last_commit_id: last_commit.id)
+
+ put api(route(rouge_file_path), user), params: params_with_correct_id
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ expect(json_response['error']).to eq(invalid_file_message)
+ end
+
 it "returns a 400 bad request if no params given" do
 put api(route(file_path), user)
@@ -690,6 +737,13 @@ describe API::Files do
 }
 end
+ it 'returns 400 when file path is invalid' do
+ delete api(route(rouge_file_path), user), params: params
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ expect(json_response['error']).to eq(invalid_file_message)
+ end
+
 it "deletes existing file in project repo" do
 delete api(route(file_path), user), params: params |