Diffstat (limited to 'spec')
-rw-r--r--spec/lib/api/helpers/custom_validators_spec.rb59
-rw-r--r--spec/lib/gitlab/utils_spec.rb8
-rw-r--r--spec/requests/api/files_spec.rb54
3 files changed, 107 insertions, 14 deletions
diff --git a/spec/lib/api/helpers/custom_validators_spec.rb b/spec/lib/api/helpers/custom_validators_spec.rb
index 1ebce2ab5c4..10505210e65 100644
--- a/spec/lib/api/helpers/custom_validators_spec.rb
+++ b/spec/lib/api/helpers/custom_validators_spec.rb
@@ -24,7 +24,38 @@ describe API::Helpers::CustomValidators do
context 'invalid parameters' do
it 'raises a validation error' do
- expect_validation_error({ 'test' => 'some_value' })
+ expect_validation_error('test' => 'some_value')
+ end
+ end
+ end
+
+ describe API::Helpers::CustomValidators::FilePath do
+ subject do
+ described_class.new(['test'], {}, false, scope.new)
+ end
+
+ context 'valid file path' do
+ it 'does not raise a validation error' do
+ expect_no_validation_error('test' => './foo')
+ expect_no_validation_error('test' => './bar.rb')
+ expect_no_validation_error('test' => 'foo%2Fbar%2Fnew%2Ffile.rb')
+ expect_no_validation_error('test' => 'foo%2Fbar%2Fnew')
+ expect_no_validation_error('test' => 'foo%252Fbar%252Fnew%252Ffile.rb')
+ end
+ end
+
+ context 'invalid file path' do
+ it 'raise a validation error' do
+ expect_validation_error('test' => '../foo')
+ expect_validation_error('test' => '../')
+ expect_validation_error('test' => 'foo/../../bar')
+ expect_validation_error('test' => 'foo/../')
+ expect_validation_error('test' => 'foo/..')
+ expect_validation_error('test' => '../')
+ expect_validation_error('test' => '..\\')
+ expect_validation_error('test' => '..\/')
+ expect_validation_error('test' => '%2e%2e%2f')
+ expect_validation_error('test' => '/etc/passwd')
end
end
end
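Review bot: The invalid-path example lists `expect_validation_error('test' => '../')` twice (once right after `'foo/..'`), so the second call adds no coverage; drop it, or replace it with a case the list does not yet pin, such as the double-encoded form `expect_validation_error('test' => '%252e%252e%252f')` — whether that must be rejected depends on whether the validator decodes once or until the value is stable, and the valid list's `foo%252Fbar%252Fnew%252Ffile.rb` case suggests a single decode, so stating it either way documents the contract. The description `it 'raise a validation error'` should read `it 'raises a validation error'` to match the sibling examples above and below. The enclosing `describe API::Helpers::CustomValidators` block begins before this hunk.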
@@ -36,12 +67,12 @@ describe API::Helpers::CustomValidators do
context 'valid parameters' do
it 'does not raise a validation error' do
- expect_no_validation_error({ 'test' => 2 })
- expect_no_validation_error({ 'test' => 100 })
- expect_no_validation_error({ 'test' => 'None' })
- expect_no_validation_error({ 'test' => 'Any' })
- expect_no_validation_error({ 'test' => 'none' })
- expect_no_validation_error({ 'test' => 'any' })
+ expect_no_validation_error('test' => 2)
+ expect_no_validation_error('test' => 100)
+ expect_no_validation_error('test' => 'None')
+ expect_no_validation_error('test' => 'Any')
+ expect_no_validation_error('test' => 'none')
+ expect_no_validation_error('test' => 'any')
end
end
@@ -59,18 +90,18 @@ describe API::Helpers::CustomValidators do
context 'valid parameters' do
it 'does not raise a validation error' do
- expect_no_validation_error({ 'test' => [] })
- expect_no_validation_error({ 'test' => [1, 2, 3] })
- expect_no_validation_error({ 'test' => 'None' })
- expect_no_validation_error({ 'test' => 'Any' })
- expect_no_validation_error({ 'test' => 'none' })
- expect_no_validation_error({ 'test' => 'any' })
+ expect_no_validation_error('test' => [])
+ expect_no_validation_error('test' => [1, 2, 3])
+ expect_no_validation_error('test' => 'None')
+ expect_no_validation_error('test' => 'Any')
+ expect_no_validation_error('test' => 'none')
+ expect_no_validation_error('test' => 'any')
end
end
context 'invalid parameters' do
it 'raises a validation error' do
- expect_validation_error({ 'test' => 'some_other_string' })
+ expect_validation_error('test' => 'some_other_string')
end
end
end
diff --git a/spec/lib/gitlab/utils_spec.rb b/spec/lib/gitlab/utils_spec.rb
index 85a536ee6ad..48fc2d826bc 100644
--- a/spec/lib/gitlab/utils_spec.rb
+++ b/spec/lib/gitlab/utils_spec.rb
@@ -31,6 +31,14 @@ describe Gitlab::Utils do
it 'does nothing for a safe string' do
expect(check_path_traversal!('./foo')).to eq('./foo')
end
+
+ it 'does nothing if an absolute path is allowed' do
+ expect(check_path_traversal!('/etc/folder/path', allowed_absolute: true)). to eq('/etc/folder/path')
+ end
+
+ it 'raises exception if an absolute path is not allowed' do
+ expect { check_path_traversal!('/etc/folder/path') }.to raise_error(/Invalid path/)
+ end
end
describe '.slugify' do
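Review bot: The new `allowed_absolute: true` example has a stray space in `)). to eq(`; Ruby tolerates whitespace after the dot, but it reads as a typo and should be `expect(check_path_traversal!('/etc/folder/path', allowed_absolute: true)).to eq('/etc/folder/path')`. The two examples only establish that an absolute path is accepted or rejected by the flag; an absolute path that still contains traversal is not covered, so an example such as `expect { check_path_traversal!('/etc/../folder', allowed_absolute: true) }.to raise_error(/Invalid path/)` would pin that the flag relaxes only the leading-slash check (assuming that is the intended semantics — the implementation is not in this diff). The enclosing `describe Gitlab::Utils` block begins before this hunk.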
diff --git a/spec/requests/api/files_spec.rb b/spec/requests/api/files_spec.rb
index 3596647015c..e6406174391 100644
--- a/spec/requests/api/files_spec.rb
+++ b/spec/requests/api/files_spec.rb
@@ -7,6 +7,8 @@ describe API::Files do
let!(:project) { create(:project, :repository, namespace: user.namespace ) }
let(:guest) { create(:user) { |u| project.add_guest(u) } }
let(:file_path) { "files%2Fruby%2Fpopen%2Erb" }
+ let(:rouge_file_path) { "%2e%2e%2f" }
+ let(:invalid_file_message) { 'file_path should be a valid file path' }
let(:params) do
{
ref: 'master'
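Review bot: `let(:rouge_file_path)` is a misspelling of "rogue" (rouge is the colour), and the name spreads to every later hunk in this file (HEAD, GET, blame, raw, POST, PUT and DELETE examples); renaming it now, e.g. `let(:invalid_file_path) { "%2e%2e%2f" }`, keeps the intent obvious and pairs naturally with the existing `invalid_file_message`. The value itself is fine as the single request-level probe since the validator's variants are exercised in the unit spec.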
@@ -55,6 +57,12 @@ describe API::Files do
describe "HEAD /projects/:id/repository/files/:file_path" do
shared_examples_for 'repository files' do
+ it 'returns 400 when file path is invalid' do
+ head api(route(rouge_file_path), current_user), params: params
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ end
+
it 'returns file attributes in headers' do
head api(route(file_path), current_user), params: params
@@ -145,6 +153,13 @@ describe API::Files do
describe "GET /projects/:id/repository/files/:file_path" do
shared_examples_for 'repository files' do
+ it 'returns 400 for invalid file path' do
+ get api(route(rouge_file_path), current_user), params: params
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ expect(json_response['error']).to eq(invalid_file_message)
+ end
+
it 'returns file attributes as json' do
get api(route(file_path), current_user), params: params
@@ -302,6 +317,13 @@ describe API::Files do
.to eq('c440cd09bae50c4632cc58638ad33c6aa375b6109d811e76a9cc3a613c1e8887')
end
+ it 'returns 400 when file path is invalid' do
+ get api(route(rouge_file_path) + '/blame', current_user), params: params
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ expect(json_response['error']).to eq(invalid_file_message)
+ end
+
it 'returns blame file attributes as json' do
get api(route(file_path) + '/blame', current_user), params: params
@@ -418,6 +440,13 @@ describe API::Files do
describe "GET /projects/:id/repository/files/:file_path/raw" do
shared_examples_for 'repository raw files' do
+ it 'returns 400 when file path is invalid' do
+ get api(route(rouge_file_path) + "/raw", current_user), params: params
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ expect(json_response['error']).to eq(invalid_file_message)
+ end
+
it 'returns raw file info' do
url = route(file_path) + "/raw"
expect(Gitlab::Workhorse).to receive(:send_git_blob)
@@ -535,6 +564,13 @@ describe API::Files do
}
end
+ it 'returns 400 when file path is invalid' do
+ post api(route(rouge_file_path), user), params: params
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ expect(json_response['error']).to eq(invalid_file_message)
+ end
+
it "creates a new file in project repo" do
post api(route(file_path), user), params: params
@@ -662,6 +698,17 @@ describe API::Files do
expect(response).to have_gitlab_http_status(:ok)
end
+ it "returns 400 when file path is invalid" do
+ last_commit = Gitlab::Git::Commit
+ .last_for_path(project.repository, 'master', URI.unescape(file_path))
+ params_with_correct_id = params.merge(last_commit_id: last_commit.id)
+
+ put api(route(rouge_file_path), user), params: params_with_correct_id
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ expect(json_response['error']).to eq(invalid_file_message)
+ end
+
it "returns a 400 bad request if no params given" do
put api(route(file_path), user)
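Review bot: The added PUT example calls `URI.unescape(file_path)`, which has been deprecated for years and is removed in Ruby 3.0; `CGI.unescape(file_path)` (or `URI.decode_www_form_component`) is the supported replacement, assuming `cgi` is loaded in the spec environment as it is under Rails. Since the example asserts the `invalid_file_message` body, the 400 is already attributable to path validation rather than a missing `last_commit_id`, so the `last_commit` lookup is arguably setup the example does not need; if it is kept to mirror the sibling example, a one-line comment saying so would prevent the next reader from assuming the commit lookup is part of what is under test.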
@@ -690,6 +737,13 @@ describe API::Files do
}
end
+ it 'returns 400 when file path is invalid' do
+ delete api(route(rouge_file_path), user), params: params
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ expect(json_response['error']).to eq(invalid_file_message)
+ end
+
it "deletes existing file in project repo" do
delete api(route(file_path), user), params: params