debian-mirror-gitlab/spec/controllers/projects/raw_controller_spec.rb

# frozen_string_literal: true

require 'spec_helper'

describe Projects::RawController do
  include RepoHelpers

  let(:project) { create(:project, :public, :repository) }

  describe 'GET #show' do
    subject do
      get(:show,
          params: {
            namespace_id: project.namespace,
            project_id: project,
            id: filepath
          })
    end

    context 'regular filename' do
      let(:filepath) { 'master/README.md' }

      it 'delivers ASCII file' do
        subject

        expect(response).to have_gitlab_http_status(200)
        expect(response.header['Content-Type']).to eq('text/plain; charset=utf-8')
        expect(response.header['Content-Disposition']).to eq('inline')
        expect(response.header[Gitlab::Workhorse::DETECT_HEADER]).to eq "true"
        expect(response.header[Gitlab::Workhorse::SEND_DATA_HEADER]).to start_with('git-blob:')
      end
    end

    context 'image header' do
      let(:filepath) { 'master/files/images/6049019_460s.jpg' }

      it 'leaves image content disposition' do
        subject

        expect(response).to have_gitlab_http_status(200)
        expect(response.header['Content-Disposition']).to eq('inline')
        expect(response.header[Gitlab::Workhorse::DETECT_HEADER]).to eq "true"
        expect(response.header[Gitlab::Workhorse::SEND_DATA_HEADER]).to start_with('git-blob:')
      end
    end

    it_behaves_like 'a controller that can serve LFS files' do
      let(:filename) { 'lfs_object.iso' }
      let(:filepath) { "be93687/files/lfs/#{filename}" }
    end

    context 'when the endpoint receives requests above the limit', :clean_gitlab_redis_cache do
      let(:file_path) { 'master/README.md' }

      before do
        stub_application_setting(raw_blob_request_limit: 5)
      end

      it 'prevents from accessing the raw file' do
        execute_raw_requests(requests: 6, project: project, file_path: file_path)

        expect(flash[:alert]).to eq('You cannot access the raw file. Please wait a minute.')
        expect(response).to have_gitlab_http_status(429)
      end

      it 'logs the event on auth.log' do
        attributes = {
          message: 'Action_Rate_Limiter_Request',
          env: :raw_blob_request_limit,
          remote_ip: '0.0.0.0',
          request_method: 'GET',
          path: "/#{project.full_path}/raw/#{file_path}"
        }

        expect(Gitlab::AuthLogger).to receive(:error).with(attributes).once

        execute_raw_requests(requests: 6, project: project, file_path: file_path)
      end

      context 'when the request uses a different version of a commit' do
        it 'prevents from accessing the raw file' do
          # 3 times with the normal sha
          commit_sha = project.repository.commit.sha
          file_path = "#{commit_sha}/README.md"

          execute_raw_requests(requests: 3, project: project, file_path: file_path)

          # 3 times with the modified version
          modified_sha = commit_sha.gsub(commit_sha[0..5], commit_sha[0..5].upcase)
          modified_path = "#{modified_sha}/README.md"

          execute_raw_requests(requests: 3, project: project, file_path: modified_path)

          expect(flash[:alert]).to eq('You cannot access the raw file. Please wait a minute.')
          expect(response).to have_gitlab_http_status(429)
        end
      end

      context 'when the throttling has been disabled' do
        before do
          stub_application_setting(raw_blob_request_limit: 0)
        end

        it 'does not prevent from accessing the raw file' do
          execute_raw_requests(requests: 10, project: project, file_path: file_path)

          expect(response).to have_gitlab_http_status(200)
        end
      end

      context 'with case-sensitive files' do
        it 'prevents from accessing the specific file' do
          create_file_in_repo(project, 'master', 'master', 'readme.md', 'Add readme.md')
          create_file_in_repo(project, 'master', 'master', 'README.md', 'Add README.md')

          commit_sha = project.repository.commit.sha
          file_path = "#{commit_sha}/readme.md"

          # Accessing downcase version of readme
          execute_raw_requests(requests: 6, project: project, file_path: file_path)

          expect(flash[:alert]).to eq('You cannot access the raw file. Please wait a minute.')
          expect(response).to have_gitlab_http_status(429)

          # Accessing upcase version of readme
          file_path = "#{commit_sha}/README.md"

          execute_raw_requests(requests: 1, project: project, file_path: file_path)

          expect(response).to have_gitlab_http_status(200)
        end
      end
    end
  end

  def execute_raw_requests(requests:, project:, file_path:)
    requests.times do
      get :show, params: {
        namespace_id: project.namespace,
        project_id: project,
        id: file_path
      }
    end
  end
end
New upstream version 11.11.7+dfsg 2019-07-31 22:56:46 +05:30			`# frozen_string_literal: true`

Imported Upstream version 8.0.2 2015-09-25 12:07:36 +05:30			`require 'spec_helper'`

			`describe Projects::RawController do`
New upstream version 12.2.8 2019-10-12 21:52:04 +05:30			`include RepoHelpers`

New upstream version 11.3.10+dfsg 2018-11-20 20:47:30 +05:30			`let(:project) { create(:project, :public, :repository) }`

			`describe 'GET #show' do`
			`subject do`
			`get(:show,`
New upstream version 11.7.5 2019-02-15 15:39:39 +05:30			`params: {`
			`namespace_id: project.namespace,`
			`project_id: project,`
			`id: filepath`
			`})`
New upstream version 11.3.10+dfsg 2018-11-20 20:47:30 +05:30			`end`
Imported Upstream version 8.0.2 2015-09-25 12:07:36 +05:30
			`context 'regular filename' do`
New upstream version 11.3.10+dfsg 2018-11-20 20:47:30 +05:30			`let(:filepath) { 'master/README.md' }`
Imported Upstream version 8.0.2 2015-09-25 12:07:36 +05:30
New upstream version 11.5.6+dfsg 2019-01-03 12:48:30 +05:30			`it 'delivers ASCII file' do`
			`subject`

			`expect(response).to have_gitlab_http_status(200)`
			`expect(response.header['Content-Type']).to eq('text/plain; charset=utf-8')`
New upstream version 11.7.5 2019-02-15 15:39:39 +05:30			`expect(response.header['Content-Disposition']).to eq('inline')`
			`expect(response.header[Gitlab::Workhorse::DETECT_HEADER]).to eq "true"`
New upstream version 11.5.6+dfsg 2019-01-03 12:48:30 +05:30			`expect(response.header[Gitlab::Workhorse::SEND_DATA_HEADER]).to start_with('git-blob:')`
Imported Upstream version 8.0.2 2015-09-25 12:07:36 +05:30			`end`
			`end`

			`context 'image header' do`
New upstream version 11.3.10+dfsg 2018-11-20 20:47:30 +05:30			`let(:filepath) { 'master/files/images/6049019_460s.jpg' }`
Imported Upstream version 8.0.2 2015-09-25 12:07:36 +05:30
New upstream version 11.7.5 2019-02-15 15:39:39 +05:30			`it 'leaves image content disposition' do`
New upstream version 11.5.6+dfsg 2019-01-03 12:48:30 +05:30			`subject`
Imported Upstream version 8.0.2 2015-09-25 12:07:36 +05:30
New upstream version 11.5.6+dfsg 2019-01-03 12:48:30 +05:30			`expect(response).to have_gitlab_http_status(200)`
New upstream version 11.7.5 2019-02-15 15:39:39 +05:30			`expect(response.header['Content-Disposition']).to eq('inline')`
			`expect(response.header[Gitlab::Workhorse::DETECT_HEADER]).to eq "true"`
New upstream version 11.5.6+dfsg 2019-01-03 12:48:30 +05:30			`expect(response.header[Gitlab::Workhorse::SEND_DATA_HEADER]).to start_with('git-blob:')`
Imported Upstream version 8.0.2 2015-09-25 12:07:36 +05:30			`end`
			`end`
Imported Upstream version 8.3.0+dfsg 2015-12-23 02:04:40 +05:30
New upstream version 12.0.8 2019-09-04 21:01:54 +05:30			`it_behaves_like 'a controller that can serve LFS files' do`
New upstream version 11.3.10+dfsg 2018-11-20 20:47:30 +05:30			`let(:filename) { 'lfs_object.iso' }`
			`let(:filepath) { "be93687/files/lfs/#{filename}" }`
Imported Upstream version 8.3.0+dfsg 2015-12-23 02:04:40 +05:30			`end`
New upstream version 12.2.8 2019-10-12 21:52:04 +05:30
			`context 'when the endpoint receives requests above the limit', :clean_gitlab_redis_cache do`
			`let(:file_path) { 'master/README.md' }`

			`before do`
			`stub_application_setting(raw_blob_request_limit: 5)`
			`end`

			`it 'prevents from accessing the raw file' do`
			`execute_raw_requests(requests: 6, project: project, file_path: file_path)`

			`expect(flash[:alert]).to eq('You cannot access the raw file. Please wait a minute.')`
			`expect(response).to have_gitlab_http_status(429)`
			`end`

			`it 'logs the event on auth.log' do`
			`attributes = {`
			`message: 'Action_Rate_Limiter_Request',`
			`env: :raw_blob_request_limit,`
New upstream version 12.3.8 2019-12-04 20:38:33 +05:30			`remote_ip: '0.0.0.0',`
New upstream version 12.2.8 2019-10-12 21:52:04 +05:30			`request_method: 'GET',`
New upstream version 12.3.8 2019-12-04 20:38:33 +05:30			`path: "/#{project.full_path}/raw/#{file_path}"`
New upstream version 12.2.8 2019-10-12 21:52:04 +05:30			`}`

			`expect(Gitlab::AuthLogger).to receive(:error).with(attributes).once`

			`execute_raw_requests(requests: 6, project: project, file_path: file_path)`
			`end`

			`context 'when the request uses a different version of a commit' do`
			`it 'prevents from accessing the raw file' do`
			`# 3 times with the normal sha`
			`commit_sha = project.repository.commit.sha`
			`file_path = "#{commit_sha}/README.md"`

			`execute_raw_requests(requests: 3, project: project, file_path: file_path)`

			`# 3 times with the modified version`
			`modified_sha = commit_sha.gsub(commit_sha[0..5], commit_sha[0..5].upcase)`
			`modified_path = "#{modified_sha}/README.md"`

			`execute_raw_requests(requests: 3, project: project, file_path: modified_path)`

			`expect(flash[:alert]).to eq('You cannot access the raw file. Please wait a minute.')`
			`expect(response).to have_gitlab_http_status(429)`
			`end`
			`end`

			`context 'when the throttling has been disabled' do`
			`before do`
			`stub_application_setting(raw_blob_request_limit: 0)`
			`end`

			`it 'does not prevent from accessing the raw file' do`
			`execute_raw_requests(requests: 10, project: project, file_path: file_path)`

			`expect(response).to have_gitlab_http_status(200)`
			`end`
			`end`

			`context 'with case-sensitive files' do`
			`it 'prevents from accessing the specific file' do`
			`create_file_in_repo(project, 'master', 'master', 'readme.md', 'Add readme.md')`
			`create_file_in_repo(project, 'master', 'master', 'README.md', 'Add README.md')`

			`commit_sha = project.repository.commit.sha`
			`file_path = "#{commit_sha}/readme.md"`

			`# Accessing downcase version of readme`
			`execute_raw_requests(requests: 6, project: project, file_path: file_path)`

			`expect(flash[:alert]).to eq('You cannot access the raw file. Please wait a minute.')`
			`expect(response).to have_gitlab_http_status(429)`

			`# Accessing upcase version of readme`
			`file_path = "#{commit_sha}/README.md"`

			`execute_raw_requests(requests: 1, project: project, file_path: file_path)`

			`expect(response).to have_gitlab_http_status(200)`
			`end`
			`end`
			`end`
			`end`

			`def execute_raw_requests(requests:, project:, file_path:)`
			`requests.times do`
			`get :show, params: {`
			`namespace_id: project.namespace,`
			`project_id: project,`
			`id: file_path`
			`}`
			`end`
Imported Upstream version 8.0.2 2015-09-25 12:07:36 +05:30			`end`
			`end`