From 13ea837db16b2cc3b576dc50d88f62495945daff Mon Sep 17 00:00:00 2001 From: Pirate Praveen Date: Sun, 26 Feb 2023 17:17:37 +0530 Subject: [PATCH] New upstream version 15.6.8+ds1 --- .gitlab-ci.yml | 2 + CHANGELOG.md | 19 + GITALY_SERVER_VERSION | 2 +- GITLAB_PAGES_VERSION | 2 +- VERSION | 2 +- app/models/concerns/issuable.rb | 19 +- app/models/concerns/sanitizable.rb | 9 + app/models/namespace_setting.rb | 13 +- .../helm/extract_file_metadata_service.rb | 5 + ...0117114739_clear_duplicate_jobs_cookies.rb | 22 + db/schema_migrations/20230117114739 | 1 + doc/development/fips_compliance.md | 20 +- lib/api/container_registry_event.rb | 4 +- lib/gitlab/ci/artifact_file_reader.rb | 23 +- lib/gitlab/utils.rb | 3 +- lib/safe_zip/entry.rb | 10 +- lib/safe_zip/extract.rb | 1 + lib/safe_zip/extract_params.rb | 24 +- spec/features/users/login_spec.rb | 3 +- .../emails/valid_reply_signed_smime.eml | 588 +++++++++--------- .../packages/helm/corrupted_chart.tgz | Bin 0 -> 2084191 bytes .../safe_zip/invalid-unexpected-large.zip | Bin 0 -> 376 bytes .../safe_zip/valid-symlinks-first.zip | Bin 528 -> 1297 bytes .../gitlab/ci/artifact_file_reader_spec.rb | 148 +++-- spec/lib/safe_zip/entry_spec.rb | 35 +- spec/lib/safe_zip/extract_params_spec.rb | 35 +- spec/lib/safe_zip/extract_spec.rb | 55 +- ...14739_clear_duplicate_jobs_cookies_spec.rb | 23 + spec/models/concerns/issuable_spec.rb | 1 - spec/models/concerns/sanitizable_spec.rb | 53 +- spec/models/namespace_setting_spec.rb | 6 +- .../api/container_registry_event_spec.rb | 13 +- .../extract_file_metadata_service_spec.rb | 13 + .../discussion_comments_shared_example.rb | 2 + .../concerns/issuable_shared_examples.rb | 103 ++- .../concerns/sanitizable_shared_examples.rb | 19 +- 36 files changed, 846 insertions(+), 432 deletions(-) create mode 100644 db/post_migrate/20230117114739_clear_duplicate_jobs_cookies.rb create mode 100644 db/schema_migrations/20230117114739 create mode 100644 spec/fixtures/packages/helm/corrupted_chart.tgz create mode 100644 spec/fixtures/safe_zip/invalid-unexpected-large.zip create mode 100644 spec/migrations/20230117114739_clear_duplicate_jobs_cookies_spec.rb diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index edbbe90a77..a1f3910c90 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -77,6 +77,8 @@ workflow: when: never # For stable, auto-deploy, and security branches, create a pipeline. - if: '$CI_COMMIT_BRANCH =~ /^[\d-]+-stable(-ee)?$/' + variables: + NOTIFY_PIPELINE_FAILURE_CHANNEL: "releases" - if: '$CI_COMMIT_BRANCH =~ /^\d+-\d+-auto-deploy-\d+$/' - if: '$CI_COMMIT_BRANCH =~ /^security\//' diff --git a/CHANGELOG.md b/CHANGELOG.md index 508a71ce4d..a9d332d608 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,25 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry. +## 15.6.8 (2023-02-10) + +No changes. + +## 15.6.7 (2023-01-30) + +### Fixed (2 changes) + +- [Clear DuplicateJobs cookies from post-deployment migration](gitlab-org/security/gitlab@9071bc623c81f4ecbccb63bcfc78d6d503421e2b) +- [Geo: Container Repository push events don't work](gitlab-org/security/gitlab@00ca7dd923444da0b19afa7d72d5e3b505889290) + +### Security (5 changes) + +- [Quarantine features/users/login_spec line 292 [15.6]](gitlab-org/security/gitlab@d202f35e1cac8df0bcbb5d40d42cea2312c09762) ([merge request](gitlab-org/security/gitlab!3025)) +- [Add size validation for Chart.yaml during file extraction](gitlab-org/security/gitlab@59df02bf2658468f9f254c34ed009a6414d6c6b3) ([merge request](gitlab-org/security/gitlab!3020)) +- [Prevent default branches from storing paths](gitlab-org/security/gitlab@b7b402a0a37bb839b601569a035a62fe79febe72) ([merge request](gitlab-org/security/gitlab!3013)) +- [Validate Issuable description max length on update](gitlab-org/security/gitlab@fa68365e853a5701b217ccafea9885705d4a4133) ([merge request](gitlab-org/security/gitlab!3002)) +- [Security fix dynamic child pipeline zip extraction](gitlab-org/security/gitlab@2285d716f10f33d8dbea5112de95d9d7e5cd8b00) ([merge request](gitlab-org/security/gitlab!2981)) + ## 15.6.6 (2023-01-12) No changes. diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION index eefeb00be3..8ced5beaea 100644 --- a/GITALY_SERVER_VERSION +++ b/GITALY_SERVER_VERSION @@ -1 +1 @@ -15.6.6 \ No newline at end of file +15.6.8 \ No newline at end of file diff --git a/GITLAB_PAGES_VERSION b/GITLAB_PAGES_VERSION index eefeb00be3..8ced5beaea 100644 --- a/GITLAB_PAGES_VERSION +++ b/GITLAB_PAGES_VERSION @@ -1 +1 @@ -15.6.6 \ No newline at end of file +15.6.8 \ No newline at end of file diff --git a/VERSION b/VERSION index eefeb00be3..8ced5beaea 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -15.6.6 \ No newline at end of file +15.6.8 \ No newline at end of file diff --git a/app/models/concerns/issuable.rb b/app/models/concerns/issuable.rb index 31b2a8d7cc..dd2beb3f41 100644 --- a/app/models/concerns/issuable.rb +++ b/app/models/concerns/issuable.rb @@ -92,10 +92,9 @@ module Issuable validates :author, presence: true validates :title, presence: true, length: { maximum: TITLE_LENGTH_MAX } - # we validate the description against DESCRIPTION_LENGTH_MAX only for Issuables being created - # to avoid breaking the existing Issuables which may have their descriptions longer - validates :description, length: { maximum: DESCRIPTION_LENGTH_MAX }, allow_blank: true, on: :create - validate :description_max_length_for_new_records_is_valid, on: :update + # we validate the description against DESCRIPTION_LENGTH_MAX only for Issuables being created and on updates if + # the description changes to avoid breaking the existing Issuables which may have their descriptions longer + validates :description, bytesize: { maximum: -> { DESCRIPTION_LENGTH_MAX } }, if: :validate_description_length? validate :validate_assignee_size_length, unless: :importing? before_validation :truncate_description_on_import! @@ -229,10 +228,14 @@ module Issuable private - def description_max_length_for_new_records_is_valid - if new_record? && description.length > Issuable::DESCRIPTION_LENGTH_MAX - errors.add(:description, :too_long, count: Issuable::DESCRIPTION_LENGTH_MAX) - end + def validate_description_length? + return false unless description_changed? + + previous_description = changes['description'].first + # previous_description will be nil for new records + return true if previous_description.blank? + + previous_description.bytesize <= DESCRIPTION_LENGTH_MAX end def truncate_description_on_import! diff --git a/app/models/concerns/sanitizable.rb b/app/models/concerns/sanitizable.rb index 05756beb40..653d7a4875 100644 --- a/app/models/concerns/sanitizable.rb +++ b/app/models/concerns/sanitizable.rb @@ -45,6 +45,15 @@ module Sanitizable unless input.to_s == CGI.unescapeHTML(input.to_s) record.errors.add(attr, 'cannot contain escaped HTML entities') end + + # This method raises an exception on failure so perform this + # last if multiple errors should be returned. + Gitlab::Utils.check_path_traversal!(input.to_s) + + rescue Gitlab::Utils::DoubleEncodingError + record.errors.add(attr, 'cannot contain escaped components') + rescue Gitlab::Utils::PathTraversalAttackError + record.errors.add(attr, "cannot contain a path traversal component") end end end diff --git a/app/models/namespace_setting.rb b/app/models/namespace_setting.rb index 3e6371b0c4..b9f6df87f1 100644 --- a/app/models/namespace_setting.rb +++ b/app/models/namespace_setting.rb @@ -14,10 +14,11 @@ class NamespaceSetting < ApplicationRecord validates :enabled_git_access_protocol, inclusion: { in: enabled_git_access_protocols.keys } - validate :default_branch_name_content validate :allow_mfa_for_group validate :allow_resource_access_token_creation_for_group + sanitizes! :default_branch_name + before_validation :normalize_default_branch_name chronic_duration_attr :runner_token_expiration_interval_human_readable, :runner_token_expiration_interval @@ -45,8 +46,6 @@ class NamespaceSetting < ApplicationRecord NAMESPACE_SETTINGS_PARAMS end - sanitizes! :default_branch_name - def prevent_sharing_groups_outside_hierarchy return super if namespace.root? @@ -69,14 +68,6 @@ class NamespaceSetting < ApplicationRecord self.default_branch_name = default_branch_name.presence end - def default_branch_name_content - return if default_branch_name.nil? - - if default_branch_name.blank? - errors.add(:default_branch_name, "can not be an empty string") - end - end - def allow_mfa_for_group if namespace&.subgroup? && allow_mfa_for_subgroups == false errors.add(:allow_mfa_for_subgroups, _('is not allowed since the group is not top-level group.')) diff --git a/app/services/packages/helm/extract_file_metadata_service.rb b/app/services/packages/helm/extract_file_metadata_service.rb index e7373d8ea8..77efa65f1d 100644 --- a/app/services/packages/helm/extract_file_metadata_service.rb +++ b/app/services/packages/helm/extract_file_metadata_service.rb @@ -7,6 +7,10 @@ module Packages class ExtractFileMetadataService ExtractionError = Class.new(StandardError) + # Charts must be smaller than 1M because of the storage limitations of Kubernetes objects. + # based on https://helm.sh/docs/chart_template_guide/accessing_files/ + MAX_FILE_SIZE = 1.megabytes.freeze + def initialize(package_file) @package_file = package_file end @@ -42,6 +46,7 @@ module Packages end raise ExtractionError, 'Chart.yaml not found within a directory' unless chart_yaml + raise ExtractionError, 'Chart.yaml too big' if chart_yaml.size > MAX_FILE_SIZE chart_yaml.read ensure diff --git a/db/post_migrate/20230117114739_clear_duplicate_jobs_cookies.rb b/db/post_migrate/20230117114739_clear_duplicate_jobs_cookies.rb new file mode 100644 index 0000000000..6f0e26634c --- /dev/null +++ b/db/post_migrate/20230117114739_clear_duplicate_jobs_cookies.rb @@ -0,0 +1,22 @@ +# frozen_string_literal: true + +# This is workaround for +# https://gitlab.com/gitlab-org/gitlab/-/issues/388253. During a +# zero-downtime upgrade, duplicate jobs cookies can fail to get deleted. +# This post-deployment migration deletes all such cookies. This can +# cause some jobs that normally would have been deduplicated to twice +# instead of once. +class ClearDuplicateJobsCookies < Gitlab::Database::Migration[2.0] + disable_ddl_transaction! + restrict_gitlab_migration gitlab_schema: :gitlab_main + + def up + Gitlab::Redis::Queues.with do |redis| # rubocop:disable Cop/RedisQueueUsage + redis.scan_each(match: "resque:gitlab:duplicate:*:cookie:v2").each_slice(100) do |keys| + redis.del(keys) + end + end + end + + def down; end +end diff --git a/db/schema_migrations/20230117114739 b/db/schema_migrations/20230117114739 new file mode 100644 index 0000000000..cb9fabfe4c --- /dev/null +++ b/db/schema_migrations/20230117114739 @@ -0,0 +1 @@ +f4ba0d1de73da2b7a912c06ca458898f3404235025089efc74aee9fc4caa511a \ No newline at end of file diff --git a/doc/development/fips_compliance.md b/doc/development/fips_compliance.md index c6208d45c7..4f92bec53f 100644 --- a/doc/development/fips_compliance.md +++ b/doc/development/fips_compliance.md @@ -441,13 +441,27 @@ def default_min_key_size(name) end ``` -## Nightly Omnibus FIPS builds +## Omnibus FIPS packages -The Distribution team has created [nightly FIPS Omnibus builds](https://packages.gitlab.com/gitlab/nightly-fips-builds). These -GitLab builds are compiled to use the system OpenSSL instead of the Omnibus-embedded version of OpenSSL. +GitLab has a dedicated repository +([`gitlab/gitlab-fips`](https://packages.gitlab.com/gitlab/gitlab-fips)) +for builds of the Omnibus GitLab which are built with FIPS compliance. +These GitLab builds are compiled to use the system OpenSSL, instead of +the Omnibus-embedded version of OpenSSL. These packages are built for: + +- RHEL 8 (and compatible) +- AmazonLinux 2 +- Ubuntu + +These are [consumed by the GitLab Environment Toolkit](#install-gitlab-with-fips-compliance) (GET). See [the section on how FIPS builds are created](#how-fips-builds-are-created). +### Nightly Omnibus FIPS builds + +The Distribution team has created [nightly FIPS Omnibus builds](https://packages.gitlab.com/gitlab/nightly-fips-builds), +which can be used for *testing* purposes. These should never be used for production environments. + ## Runner See the [documentation on installing a FIPS-compliant GitLab Runner](https://docs.gitlab.com/runner/install/#fips-compliant-gitlab-runner). diff --git a/lib/api/container_registry_event.rb b/lib/api/container_registry_event.rb index 9acf2fca1b..cee4224ca6 100644 --- a/lib/api/container_registry_event.rb +++ b/lib/api/container_registry_event.rb @@ -29,8 +29,8 @@ module API end params do requires :events, type: Array, desc: 'Event notifications' do - requires :action, type: String, desc: 'The action to perform, `push`, `delete`', - values: %w[push delete].freeze + requires :action, type: String, desc: 'The action to perform, `push`, `delete`, `pull`', + values: %w[push delete pull].freeze optional :target, type: Hash, desc: 'The target of the action' do optional :tag, type: String, desc: 'The target tag' optional :repository, type: String, desc: 'The target repository' diff --git a/lib/gitlab/ci/artifact_file_reader.rb b/lib/gitlab/ci/artifact_file_reader.rb index b0fad026ec..2eb8df01d5 100644 --- a/lib/gitlab/ci/artifact_file_reader.rb +++ b/lib/gitlab/ci/artifact_file_reader.rb @@ -9,6 +9,7 @@ module Gitlab Error = Class.new(StandardError) MAX_ARCHIVE_SIZE = 5.megabytes + TMP_ARTIFACT_EXTRACTION_DIR = "extracted_artifacts_job_%{id}" def initialize(job) @job = job @@ -45,20 +46,20 @@ module Gitlab end def read_zip_file!(file_path) - job.artifacts_file.use_open_file do |file| - zip_file = Zip::File.new(file, false, true) - entry = zip_file.find_entry(file_path) + dir_name = format(TMP_ARTIFACT_EXTRACTION_DIR, id: job.id.to_i) - unless entry - raise Error, "Path `#{file_path}` does not exist inside the `#{job.name}` artifacts archive!" + job.artifacts_file.use_open_file(unlink_early: false) do |tmp_open_file| + Dir.mktmpdir(dir_name) do |tmp_dir| + SafeZip::Extract.new(tmp_open_file.file_path).extract(files: [file_path], to: tmp_dir) + File.read(File.join(tmp_dir, file_path)) end - - if entry.name_is_directory? - raise Error, "Path `#{file_path}` was expected to be a file but it was a directory!" - end - - zip_file.read(entry) end + rescue SafeZip::Extract::NoMatchingError + raise Error, "Path `#{file_path}` does not exist inside the `#{job.name}` artifacts archive!" + rescue SafeZip::Extract::EntrySizeError + raise Error, "Path `#{file_path}` has invalid size in the zip!" + rescue Errno::EISDIR + raise Error, "Path `#{file_path}` was expected to be a file but it was a directory!" end def max_archive_size_in_mb diff --git a/lib/gitlab/utils.rb b/lib/gitlab/utils.rb index d3055569ec..8bd4cd2401 100644 --- a/lib/gitlab/utils.rb +++ b/lib/gitlab/utils.rb @@ -4,6 +4,7 @@ module Gitlab module Utils extend self PathTraversalAttackError ||= Class.new(StandardError) + DoubleEncodingError ||= Class.new(StandardError) private_class_method def logger @logger ||= Gitlab::AppLogger @@ -55,7 +56,7 @@ module Gitlab def decode_path(encoded_path) decoded = CGI.unescape(encoded_path) if decoded != CGI.unescape(decoded) - raise StandardError, "path #{encoded_path} is not allowed" + raise DoubleEncodingError, "path #{encoded_path} is not allowed" end decoded diff --git a/lib/safe_zip/entry.rb b/lib/safe_zip/entry.rb index 52d70e8315..88647b9b1e 100644 --- a/lib/safe_zip/entry.rb +++ b/lib/safe_zip/entry.rb @@ -25,8 +25,8 @@ module SafeZip end def extract - # do not extract if file is not part of target directory - return false unless matching_target_directory + # do not extract if file is not part of target directory or target file + return false unless matching_target_directory || matching_target_file # do not overwrite existing file raise SafeZip::Extract::AlreadyExistsError, "File already exists #{zip_entry.name}" if exist? @@ -44,6 +44,8 @@ module SafeZip end rescue SafeZip::Extract::Error raise + rescue Zip::EntrySizeError => e + raise SafeZip::Extract::EntrySizeError, e.message rescue StandardError => e raise SafeZip::Extract::ExtractError, e.message end @@ -84,6 +86,10 @@ module SafeZip params.matching_target_directory(path) end + def matching_target_file + params.matching_target_file(path) + end + def read_symlink zip_archive.read(zip_entry) end diff --git a/lib/safe_zip/extract.rb b/lib/safe_zip/extract.rb index 74df7895af..b86941e6be 100644 --- a/lib/safe_zip/extract.rb +++ b/lib/safe_zip/extract.rb @@ -6,6 +6,7 @@ module SafeZip PermissionDeniedError = Class.new(Error) SymlinkSourceDoesNotExistError = Class.new(Error) UnsupportedEntryError = Class.new(Error) + EntrySizeError = Class.new(Error) AlreadyExistsError = Class.new(Error) NoMatchingError = Class.new(Error) ExtractError = Class.new(Error) diff --git a/lib/safe_zip/extract_params.rb b/lib/safe_zip/extract_params.rb index bd3b788bac..96881ad1ab 100644 --- a/lib/safe_zip/extract_params.rb +++ b/lib/safe_zip/extract_params.rb @@ -4,11 +4,13 @@ module SafeZip class ExtractParams include Gitlab::Utils::StrongMemoize - attr_reader :directories, :extract_path + attr_reader :directories, :files, :extract_path - def initialize(directories:, to:) + def initialize(to:, directories: [], files: []) @directories = directories + @files = files @extract_path = ::File.realpath(to) + validate! end def matching_target_directory(path) @@ -32,5 +34,23 @@ module SafeZip end end end + + def matching_target_file(path) + target_files.include?(path) + end + + private + + def target_files + strong_memoize(:target_files) do + files.map do |file| + ::File.join(extract_path, file) + end + end + end + + def validate! + raise ArgumentError, 'Either directories or files are required' if directories.empty? && files.empty? + end end end diff --git a/spec/features/users/login_spec.rb b/spec/features/users/login_spec.rb index 5ca5bd72b7..2655b4f508 100644 --- a/spec/features/users/login_spec.rb +++ b/spec/features/users/login_spec.rb @@ -926,7 +926,8 @@ RSpec.describe 'Login', :clean_gitlab_redis_sessions do stub_omniauth_saml_config(enabled: true, auto_link_saml_user: true, allow_single_sign_on: ['saml'], providers: [mock_saml_config]) end - it 'asks the user to accept the terms before setting an email' do + it 'asks the user to accept the terms before setting an email', + quarantine: { issue: 'https://gitlab.com/gitlab-org/gitlab/-/issues/388049', type: :flaky } do expect(authentication_metrics) .to increment(:user_authenticated_counter) diff --git a/spec/fixtures/emails/valid_reply_signed_smime.eml b/spec/fixtures/emails/valid_reply_signed_smime.eml index 965d922c95..0c5e2c439a 100644 --- a/spec/fixtures/emails/valid_reply_signed_smime.eml +++ b/spec/fixtures/emails/valid_reply_signed_smime.eml @@ -1,294 +1,294 @@ -User-Agent: Microsoft-MacOutlook/10.22.0.200209 -Date: Mon, 17 Feb 2020 22:56:47 +0100 -Subject: Re: htmltest | test issue (#1) -From: "Louzan Martinez, Diego (ext) (SI BP R&D ZG)" - -To: Administrator / htmltest - -Message-ID: <012E37D9-2A3F-4AC8-B79A-871F42914D86@siemens.com> -Thread-Topic: htmltest | test issue (#1) -References: - - -In-Reply-To: -Content-type: multipart/signed; - protocol="application/pkcs7-signature"; - micalg=sha256; - boundary="B_3664825007_1904734766" -MIME-Version: 1.0 - ---B_3664825007_1904734766 -Content-type: multipart/mixed; - boundary="B_3664825007_384940722" - - ---B_3664825007_384940722 -Content-type: multipart/alternative; - boundary="B_3664825007_1519466360" - - ---B_3664825007_1519466360 -Content-type: text/plain; - charset="UTF-8" -Content-transfer-encoding: quoted-printable - -Me too, with an attachment - -=20 - -From: Administrator -Reply to: Administrator / htmltest -Date: Monday, 17 February 2020 at 22:55 -To: "Louzan Martinez, Diego (ext) (SOP IT STG XS)" -Subject: Re: htmltest | test issue (#1) - -=20 - -Administrator commented:=20 - -I pity the foo !!! - -=E2=80=94=20 -Reply to this email directly or view it on GitLab.=20 -You're receiving this email because of your account on 169.254.169.254. If = -you'd like to receive fewer emails, you can unsubscribe from this thread or = -adjust your notification settings.=20 - - ---B_3664825007_1519466360 -Content-type: text/html; - charset="UTF-8" -Content-transfer-encoding: quoted-printable - -GitLab

Me too, with an attachment

 

From: Administrator <dlouzan.dummy@gma= -il.com>
Reply to: Administrator / htmltest <dlouzan.dummy+c0= -34670b1623e617e15a3df64223d363@gmail.com>
Date: Monday, 17 Febr= -uary 2020 at 22:55
To: "Louzan Martinez, Diego (ext) (SOP IT = -STG XS)" <diego.louzan.ext@siemens.com>
Subject: Re: ht= -mltest | test issue (#1)

= - 

Administrator commented:

<= -div>

I pity the foo !!!

=E2=80=94
Reply to this = -email directly or view it on GitLab.
You're receiving this email because of you= -r account on 169.254.169.254. If you'd like to receive fewer emails, you can= - unsubscribe from this thread or adjust your notific= -ation settings.

- ---B_3664825007_1519466360-- - - ---B_3664825007_384940722 -Content-type: image/png; name="gitlab_logo.png"; - x-mac-creator="4F50494D"; - x-mac-type="504E4766" -Content-disposition: attachment; - filename="gitlab_logo.png" -Content-transfer-encoding: base64 - - -iVBORw0KGgoAAAANSUhEUgAAAIAAAACACAIAAABMXPacAAAABnRSTlMA/wD/AP83WBt9AAAN -1UlEQVR4AexcZXPjSBTcXxOTvMy7xxfGZWaGaJmZmZmZmZmZmdnMzB7JNwv1qs6VOJY0tuWU -p/rz5PW0q0f99JQakcxK6eItQGZlBMgIkFkZATICZFZGgIwAmZURICMAshitiybrexXblk5D -NnOk2i3G6bCvmYcJWuaMCevVohPAsWGx6h/Zd/wrd2xbWf0EcB3YqsqmfnK0LZseYZCIBEBW -E/5p4Mp+wtCvJWO3Vqufv8dtHNoZCOo6ZYd1ahEJ4LtzRZ1fC+pTF9T1P7hZnQQIvHqiKW0I -BFU5lPfiCREJYFs5C4r7Cfu6BdVJAOeutVEErfPGRRhGFAIgu1Xft0VUfYaBbRmXI1ItFuvz -Gkd0jyKo65oXNupEIYD//g11QZ2o+tRF9QJP7lUPAYJvX2haNIkmmKv0Xj0rCgHsa+dDWRgA -x+al1eT5Z9+mCglaF02KsGyKBWCcdsOA1hXWZ6A7MB5X2vtPwG8a07tCgvoehchsSLEA/sd3 -sNtUWJ+mpEHgxaN0FyD08Y2mVbMKCarzavluXkyxAI5NS3AplcG5fVXa+8+h7TEI4kSWSgEY -t9NQ3j5GfcZhXRivJ439JxgwT+gfg6C+dymymlMmQOD5Q01xgxj1acoaBV8/S2P/+fJe2+b3 -GATV+bV9d6+lTADc88FFxIZz9/r0FcB9fE+VBO2r56RGAMYL7ZFYMI3qwfp9aek/oZB5Snks -dtD4cthSIEDw1VNNaaMq69O0bBp8/yot/Uf1Wdv+zyoJqgvr+h/eSoEAzl3roIjYcB3Yko4C -eE4fxK31eAja1y9MogDQHhnZPU4BTGP74jiTZv6DwpYZw+MkaBgEja9kCRB89xLaI1VC27p5 -6NPb9BIgrP2m6/hP1eyg8fX0XlIFcO3fHE9lAPeRnWnmP+ePqbIV8RN0bF6WHAGgPdKHkwDm -iQPZUDB9XoAhy5zRnAga6Y78Gl81SLVHYkPb9o/Q149p4z96ja5LDieCmpKG0PhKuACuwzvi -rwze1LtP7EsXAbyXT6lylFw5OnesTrQA0B4ZwLU4DPPUIWw4lA4PQIx1wQQeBI3Du7JeT8IF -CH35AO0RTtC2/yus/hIR/UImva5bPg+CmrLGwTfPEi6A+/heiCfckK3wnD0sfgF818+rc2ty -ogZw7tmQWAHYMG6P0FzLAlhmjoggJG7/YW1LpvImaBrVk2vjqwb39shfvOvTdfo3rFOJ2n8s -Jn3PYn7soPGVQAE8Zw6B//BBNp5nOi5q/7l9GSbM+AFPMCZKAGiPCIF13liYZxLhsq2YJZCg -aVxfNhggLgC0R/7lXxzMMxm0IvUfu0Xfp0wAO2h8vUuIAJ4L0B7hD3UOnmc6I04BYMJMINxH -d5EVANojY/jWRH6eifyCCTPBME8aBI0vYgKEDbg9kkukPphnEtWCCTPhgMYXSQG8V05De0Qg -1Hk1YZ5JFAsmzArrCWUHja+T+4kKwLLWhRPJFAfzTCJbjo2LCRI0T8ONrzAJAaA90r2AYH36 -3iUwz5TiBRNmg9sTJKjt8HdY/ZWYAL4bvNsjMeaZropHgMDzB5ri+gQJQuOLiACsbSm0R4jB -vmqOiPxn6wriBC2zRkYQIiAAfIBHFnr4kE9kH+CRAIcP+Wpw/QCPBGCe6aYYP8AjBfiQj78A -0B75W5YIiORDPufOtQkiaJkLH/LxFYB1W22j2xjL5MaWSsIoU9iGt/LfuYQbAKnEvau2cZ0S -RNBKFzE2vTABtNfDKxqEh8jC5VLyoBWmdnVVubXUeamBKremsXXdULkiIezwoS2uy349I0gA -5uFctD0LzaFQuQSVZxEGneXoitM1vGBIAeydlYgGakQxk0Lbspg7EyIsy1eAgJ051RLtyEJb -ZWiyAg0mX6W/P6XJU6Tq9NW5Cl9fCtGkeeGDmqBAW+Tfj+5YXsRr4CkAq7+N9tT+vsvOLLRB -gcbIiWsQLpdhu1T9nRoBDKXK0GAZ+d/+KBlap8CH9v3odilY1QWeAjBPFuEtMH5psJJCw6Sk -XUji6FozVS5k61STvP8MlaLlFNopgaNj7k3lJUDQyZxp82MLgAQtpAhXTKfMhdQ5Ci95/5Gg -eRTaIf3fuZ0oivhMnAVgjffR3rq/tgBsl6EZFHEXMpSlwIX0JeT8B6x/Kr54ZdGHtlvJaq5w -FoB5tvx/u4ARbZaj8UQvZFpi71wzBf7TkZD/wOmPlaONv6w/CsyDWRwFCLmZcx2iNwIN1lJo -pIygC/n6UfiBJNn+04eo/wyXodUUnH4UmFOlEb+VgwCs6THaVz96IwC+YZZSaCixCzmUdBfS -F2P/kRM7/SEStBgu3oqwpxaru8lBAObFmkr2AkghnaWjC1k7EPQfyffMtV0a+8SYR/PjFiDs -ZS50jb3dr3Q2RfBlAC7Ul8K2kCT/yVZ4euMATMj6J/7KXLHBnG6Fg21cArCW52h/w9jbEU9n -+IFEX6pMjgC6YmVwkJxQ5pKj9XDxxsSe2qzhbnwCvNpY9XagwSoK3z9EXMjWMSku9LfM2h78 -h3Dmig3myZI4BAj7mYs9q9yLfDqjs7x9kuFC6my5pxcJ/6GjM1eVYM62iwRdVQjA2t6gA405 -CEAuneHHEhyOEu4/RRQR/4HMxQF767LGh1UJ8GY7t00hnU0QfCHTEmuiXQi/pWoH/iMsc20C -6+cA5vmqmAIgP3OlP8dNIZ0phKYzOsvTR6nmMP/La2ZNuP+MgMzFGcz5zpGQq1IBWOsrdLA5 -530hnS0TkM7AhYqVCfSfQuw/ClKZiw/2N2QN9ysVgHm5Hu2EW4UHpGiusHRGS3BEgkhM3H/M -bbH/SAVlrlmQuXiCebygcgHOdeSxI5l0Bi7UG7uQPEH+4+oJ/kMoc/HAiaJKBYh+/uF3GWwU -lM7wIwp+UEmEANoCKjBQQThz8cBuZeUCHPqdx46E0xktsbQj6kLgP214+Q9krhX8rT/qYbRy -C7oxXOjukM4W8U1ndBZ+UFFly8n7Tw++/oOJzIfMJRTMpd6VCsBanqFjuWQ0wDfVTIq/CxVS -IvKfaZC5BOPwn6z+Tswgpr+DTpaS+WNb+KYzWkrWhfBWptY18bAUn4t3HM5cckHWDzieD+8m -Y7ajXd+Ym6PQLorAZbCOYzoDF+qpxKZB0H+c3fEFwCtzraEInP4uOXOtnHV8iPuVZNiLexI8 -QhmpdBYcqNCScyFNPhUYoOCeuaRoCYmLd39j9uW6SMjNdS6IZY0PfiQDgRVI0Tzu6YyWmtsI -diHwn1ZK7v4jQbMFZS54D/P9ZSTL8B1P9xmZBzN+zcfxxjbZ997hYG4u5OpByoXkzm5KRHO0 -/kmCM9du5ffBUI9W8CdKTJD9fBQd/VdoOhvLLZ0FsAsVUAT8J4/y9+foP6MFZ67Df7Dv90aQ -n8AHGvCegLncD+2U8ddgNdd0JjW3FuxCf+PZU+w/XP7uMGGZa6eUudCNNT9NwL+rCTq+T2vt -ayAonQ2RcHCh7sJdSI5nTxGd8MwFKff79IPfkrB/WcYiVn0ZnSxJTjrDjy7afEqY/yjw7Cmi -k5K5juex/7V3Dz5yhVEUwP+cce2GjWu7cW3btm03qm27QRXVtt2ZbO8op/r2vp7qS+a+uHHP -5r7z252ze2N7UUrZZxMB0FBw6GxQUJ1JdXlEXSHcn3oB7g/MFSPN5a75fyEAQGG5QIHUWe9I -wCskBYa4Qrg/rfADSNZces1Poeb/swAoKEBnM4Lq7H372B32Ct2RAUxb3B/KXHzN/wcBcFCA -zor92sQVIic01eTzprg/pLn0mn/Hgz/mKVC4moECobMgV4gd8snnTfWM5fTL/G1ZlK75HgTA -QUGu7eJAOhNG6RMaboDXKWOuhTAXUfM9CICGAnTGD/m4AR7MNQunn6j5HgTAQgEv5CnQGTHk -IwZ4MNfE+C80iE2o+Z4GgBTSUOgFKKg6G41vl5JDPmKANyKAuVDzO6HmexAAAQVSZxjy1cMV -ogd4OP0yc1uimgs1Hx9n8zIAHgp4GSwQnUWZCQ0xwBNzzYO5yJrvfwCAwmmBQklGZ8SQDwM8 -t7mm4cVL1HzvA+ChEE5OcOoMc2JqgAdzjcU3O4ma70EAPBQup/a3cUEBOhse168QMcCDuSLB -aj7xu329CICHAnTWHzrThnz6AA//+30VcxE1388AeChAZz0jxJAPAzynuYia738AxPPqRgYK -sWJ1Fv7xCgmvlAHMtwM8mGsSzKXW/AIIQIUCdKYP+fQBnkzYVkQcNb8ian5hBQAoNMPX5nc6 -Gwyd6UM+DPB0cyk1vwACUKAAnfWJ6kO+YgZ4vcRcePHqNb9gAlCggJfBTPyaLveQzzHA6wZz -OWu+BaBAATpThnx3McBzmctR8y0ABQrQmXvIhwGe21zrSqfOjUfNtwB0KEBnUegsN+SLOQd4 -MJde8y0ARwqAQj6DudBZZsiXcA5gekSSs2EureZbAAoUquKFPDWns++HfBjgwVyo+RfmoeZb -ADQUcjobk9HZN0M+DPBgLtT8I0TNtwDcUFiW0dm3Qz7cn4E5c2Vq/gCm5lsAChSgs+wVwgAP -5krX/LV8zbcAFCisjiRnxpI9wrkhX3qAlxCsibnYD+1YAAQUJkQ/dozL8ZEBzIf28eTYaHJt -Ga7mWwAEFPalNtdNDo89bphIfwBdzLWhBlnzLQD+JwoH+7/qVvFlpwqpPT34mm8B8M/n15+P -Lf90cGHRpxf4RwvAHt8DsMcCsADssQAsAHssAAvAni8AV5380akCdgAAAABJRU5ErkJggg== ---B_3664825007_384940722-- - ---B_3664825007_1904734766 -Content-type: application/pkcs7-signature; name="smime.p7s" -Content-transfer-encoding: base64 -Content-disposition: attachment; - filename="smime.p7s" - -MIIRpwYJKoZIhvcNAQcCoIIRmDCCEZQCAQExDzANBglghkgBZQMEAgEFADALBgkqhkiG9w0B -BwGggg8VMIIHojCCBYqgAwIBAgIEZ5a6PTANBgkqhkiG9w0BAQsFADCBtjELMAkGA1UEBhMC -REUxDzANBgNVBAgMBkJheWVybjERMA8GA1UEBwwITXVlbmNoZW4xEDAOBgNVBAoMB1NpZW1l -bnMxETAPBgNVBAUTCFpaWlpaWkE2MR0wGwYDVQQLDBRTaWVtZW5zIFRydXN0IENlbnRlcjE/ -MD0GA1UEAww2U2llbWVucyBJc3N1aW5nIENBIE1lZGl1bSBTdHJlbmd0aCBBdXRoZW50aWNh -dGlvbiAyMDE2MB4XDTE5MTEyMTE0NDQ0N1oXDTIwMTEyMTE0NDQ0N1owdzERMA8GA1UEBRMI -WjAwM0gwOFQxDjAMBgNVBCoMBURpZWdvMRgwFgYDVQQEDA9Mb3V6YW4gTWFydGluZXoxGDAW -BgNVBAoMD1NpZW1lbnMtUGFydG5lcjEeMBwGA1UEAwwVTG91emFuIE1hcnRpbmV6IERpZWdv -MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuInpNaC7NRYD+0pOpHDz2pk9xmPt -JGj860SF6Nmn6Eu9EMYKEDfneC6z5QcH+mPS2d0VWgqVVGbRXSPsxJtbi9TCWjQUZdHglEZK -z9zxoFDh2dvW5/+TOT5Jf78FXyqak0YtY6+oMjQ/i9RUqPL7sIlyXLrBYrILzQ9Afo+7bXZg -v3ypp6xtqAV2ctHzQWFi0onJzxLVYguiVb7fFF9rBEMvSZonuw5tvOwJIhbe5FDFOrDcfbyU -ofZ/wikIZ+A+CE5GryXuuQmGxJaC2QqOkRAWQDzLDx9nG+rKiEs5OvlfEZC7EV1PyjZ93coM -faCVdlAgcFZ5fvd37CjyjKl+1QIDAQABo4IC9DCCAvAwggEEBggrBgEFBQcBAQSB9zCB9DAy -BggrBgEFBQcwAoYmaHR0cDovL2FoLnNpZW1lbnMuY29tL3BraT9aWlpaWlpBNi5jcnQwQQYI -KwYBBQUHMAKGNWxkYXA6Ly9hbC5zaWVtZW5zLm5ldC9DTj1aWlpaWlpBNixMPVBLST9jQUNl -cnRpZmljYXRlMEkGCCsGAQUFBzAChj1sZGFwOi8vYWwuc2llbWVucy5jb20vQ049WlpaWlpa -QTYsbz1UcnVzdGNlbnRlcj9jQUNlcnRpZmljYXRlMDAGCCsGAQUFBzABhiRodHRwOi8vb2Nz -cC5wa2ktc2VydmljZXMuc2llbWVucy5jb20wHwYDVR0jBBgwFoAU+BVdRwxsd3tyxAIXkWii -tvdqCUQwDAYDVR0TAQH/BAIwADBFBgNVHSAEPjA8MDoGDSsGAQQBoWkHAgIEAQMwKTAnBggr -BgEFBQcCARYbaHR0cDovL3d3dy5zaWVtZW5zLmNvbS9wa2kvMIHKBgNVHR8EgcIwgb8wgbyg -gbmggbaGJmh0dHA6Ly9jaC5zaWVtZW5zLmNvbS9wa2k/WlpaWlpaQTYuY3JshkFsZGFwOi8v -Y2wuc2llbWVucy5uZXQvQ049WlpaWlpaQTYsTD1QS0k/Y2VydGlmaWNhdGVSZXZvY2F0aW9u -TGlzdIZJbGRhcDovL2NsLnNpZW1lbnMuY29tL0NOPVpaWlpaWkE2LG89VHJ1c3RjZW50ZXI/ -Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUH -AwQwDgYDVR0PAQH/BAQDAgeAMFUGA1UdEQROMEygLAYKKwYBBAGCNxQCA6AeDBxkaWVnby5s -b3V6YW4uZXh0QHNpZW1lbnMuY29tgRxkaWVnby5sb3V6YW4uZXh0QHNpZW1lbnMuY29tMB0G -A1UdDgQWBBQj8k8aqZey68w8ALYKGJSGMt5hZDANBgkqhkiG9w0BAQsFAAOCAgEAFDHqxpb1 -R9cB4noC9vx09bkNbmXCpVfl3XCQUmAWTznC0nwEssTTjo0PWuIV4C3jnsp0MRUeHZ6lsyhZ -OzS1ETwYgvj6wzjb8RF3wgn7N/JOvFGaErMz5HZpKOfzGiNpW6/Rmd4hsRDjAwOVQOXUTqc/ -0Bj3FMoLRCSWSnTp5HdyvrY2xOKHfTrTjzmcLdFaKE2F5n7+dBkwCKVfzut8CqfVq/I7ks4m -D1IHk93/P6l9U34R2FHPt6zRTNZcWmDirRSlMH4L18CnfiNPuDN/PtRYlt3Vng5EdYN0VCg2 -NM/uees0U4ingCb0NFjg66uQ/tjfPQk55MN4Wpls4N6TkMoTCWLiqZzYTGdmVQexzroL6940 -tmMr8LoN3TpPf0OdvdKEpyH7fzsx5QlmQyywIWec6X+Fx6+l0g91VJnPEtqACpfZIBZtviHl -gfX298w+SsvBK8C48Pqs8Ijh7tLrCxx7VMLVHZqwWWPK53ga+CDWmjoSQPxi+CPZF7kao6N5 -4GrJWwSHlHh6WzTbLyLvTJZZ775Utp4W8s8xMUsQJ413iYzEaC8FcSeNjSk5UiDDiHrKmzpM -tbApD3pUXStblUMKYGTG1Mj9BcEBFkCdoGlw/ulszIrKFfOyRNDG3Ay+Dj/oMjoKsJphu3px -wyft82rTer7UW/I7o0h0DAG4lkMwggdrMIIFU6ADAgECAgR5nlqfMA0GCSqGSIb3DQEBCwUA -MIGeMQswCQYDVQQGEwJERTEPMA0GA1UECAwGQmF5ZXJuMREwDwYDVQQHDAhNdWVuY2hlbjEQ -MA4GA1UECgwHU2llbWVuczERMA8GA1UEBRMIWlpaWlpaQTMxHTAbBgNVBAsMFFNpZW1lbnMg -VHJ1c3QgQ2VudGVyMScwJQYDVQQDDB5TaWVtZW5zIElzc3VpbmcgQ0EgRUUgRW5jIDIwMTYw -HhcNMTkwOTI3MDgwMTM5WhcNMjAwOTI3MDgwMTM3WjB3MREwDwYDVQQFEwhaMDAzSDA4VDEO -MAwGA1UEKgwFRGllZ28xGDAWBgNVBAQMD0xvdXphbiBNYXJ0aW5lejEYMBYGA1UECgwPU2ll -bWVucy1QYXJ0bmVyMR4wHAYDVQQDDBVMb3V6YW4gTWFydGluZXogRGllZ28wggEiMA0GCSqG -SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCyby5qKzZIrGYWRqxnaAyMt/a/uc0uMk0F3MjwxvPM -vh5DllUpqx0l8ZDakDjPhlEXTeoL4DHNgmh+CDCs76CppM3cNG/1W1Ajo/L2iwMoXaxYuQ/F -q7ED+02KEkWX2DDVVG3fhrUGP20QAq77xPDptmVWZnUnuobZBNYkC49Xfl9HJvkJL8P0+Jqb -Eae7p4roiEr7wNkGriwrVXgA3oPNF/W+OuI76JTNTajS/6PAK/GeqIvLjfuBXpdBZTY031nE -Cztca8vI1jUjQzVhS+0dWpvpfhkVumbvOnid8DI9lapYsX8dpZFsa3ya+T3tjUdGSOOKi0kg -lWf/XYyyfhmDAgMBAAGjggLVMIIC0TAdBgNVHQ4EFgQUprhTCDwNLfPImpSfWdq+QvPTo9Mw -JwYDVR0RBCAwHoEcZGllZ28ubG91emFuLmV4dEBzaWVtZW5zLmNvbTAOBgNVHQ8BAf8EBAMC -BDAwLAYDVR0lBCUwIwYIKwYBBQUHAwQGCisGAQQBgjcKAwQGCysGAQQBgjcKAwQBMIHKBgNV -HR8EgcIwgb8wgbyggbmggbaGJmh0dHA6Ly9jaC5zaWVtZW5zLmNvbS9wa2k/WlpaWlpaQTMu -Y3JshkFsZGFwOi8vY2wuc2llbWVucy5uZXQvQ049WlpaWlpaQTMsTD1QS0k/Y2VydGlmaWNh -dGVSZXZvY2F0aW9uTGlzdIZJbGRhcDovL2NsLnNpZW1lbnMuY29tL0NOPVpaWlpaWkEzLG89 -VHJ1c3RjZW50ZXI/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdDBFBgNVHSAEPjA8MDoGDSsG -AQQBoWkHAgIEAQMwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5zaWVtZW5zLmNvbS9wa2kv -MAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUoassbqB68NPCTeof8R4hivwMre8wggEEBggr -BgEFBQcBAQSB9zCB9DAyBggrBgEFBQcwAoYmaHR0cDovL2FoLnNpZW1lbnMuY29tL3BraT9a -WlpaWlpBMy5jcnQwQQYIKwYBBQUHMAKGNWxkYXA6Ly9hbC5zaWVtZW5zLm5ldC9DTj1aWlpa -WlpBMyxMPVBLST9jQUNlcnRpZmljYXRlMEkGCCsGAQUFBzAChj1sZGFwOi8vYWwuc2llbWVu -cy5jb20vQ049WlpaWlpaQTMsbz1UcnVzdGNlbnRlcj9jQUNlcnRpZmljYXRlMDAGCCsGAQUF -BzABhiRodHRwOi8vb2NzcC5wa2ktc2VydmljZXMuc2llbWVucy5jb20wDQYJKoZIhvcNAQEL -BQADggIBAF98ZMNg28LgkwdjOdvOGbC1QitsWjZTyotmQESF0nClDLUhb0O5675vVixntbrf -eB8xy1+KRiadk40GnAIJ0YzmNl4Tav6hPYv9VBWe5olsWG7C4qB3Q/SwhvW/e+owxv1cBra8 -R3oRudiN81eTZQHyNghRephVqQG/dpPYqydoANfIhEpHa79QlpaCAeYl4896AZOS8HYbkDFs -hLdv7sEHtl79YuSWI1wBjbJl70c0Sb4wLRgCPuHyQj2Uw/vQ5xJlEvBDZAIXXe1TP/nqiuY6 -7nweJbbeqfFE6ZP3kCe+mEIWGSaO0iThZyLGer8fHs1XiEmhhPgvC7P7KodzpXU6+hX+ZzbD -DxEjFfetV5sh0aNSXG9xx4hZmS9bpImBGR8MvZ7cgxqItvLtY2xvfUbYW244d4RcWesaCDq3 -ZEIo6uCIzOzJAwjUdLIac+lLV0rxiHmb7O3cQ19kjpWDB31hmfrus/TKJ55pBKVWBX5m/mFv -K8Ep5USpGrNS0EzOP7I1kQZv2VsvAhSxk/m5FMLpDy8T0O8YgbLypTXoeJFWCF6RduSjVsaZ -lkAtTQYud683pjyOMxJXaQUYGU1PmEYSOonMkVsT9aBcxYkXLp+Ln/+8G0OCYu7dRdwnj+Ut -7yR/ltxtgDcaFApCb0qBTKbgbqZk1fASmkOp+kbdYmoUMYICVjCCAlICAQEwgb8wgbYxCzAJ -BgNVBAYTAkRFMQ8wDQYDVQQIDAZCYXllcm4xETAPBgNVBAcMCE11ZW5jaGVuMRAwDgYDVQQK -DAdTaWVtZW5zMREwDwYDVQQFEwhaWlpaWlpBNjEdMBsGA1UECwwUU2llbWVucyBUcnVzdCBD -ZW50ZXIxPzA9BgNVBAMMNlNpZW1lbnMgSXNzdWluZyBDQSBNZWRpdW0gU3RyZW5ndGggQXV0 -aGVudGljYXRpb24gMjAxNgIEZ5a6PTANBglghkgBZQMEAgEFAKBpMC8GCSqGSIb3DQEJBDEi -BCAOR58AbNfSrI+vtMs+dgAQtn3IVZ3RjYC5hz3j9k+6TTAYBgkqhkiG9w0BCQMxCwYJKoZI -hvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMDAyMTcyMTU2NDdaMA0GCSqGSIb3DQEBAQUABIIB -AHLSBcFHhNHPevbwqvA2ecuVb/aKnj45CFF6l8esP1H5DRm1ee5qMKuIS84NFuFC9RUENNhW -DBzsB+BVGz64o1f8QgIklYVrIJ4JZ0q1abNG7NbkVKWIpS3CQo//YWShUTYg+JpKx4YbahGR -sP5zbufbU4eagrrqBChjPTLy+njdjwCNu0XPykBTKOOf6BMjnS33AYjHJyh83JOY7rw3IDLx -8POQH4g5EMRpl9354s0rEkIezMt7pfUAsqY3QnQ8hvlE4KTikPQ+tvLMK1l/ffcLAP8BdBNI -YA3ikb3qCoGNSLKieYzNnBPhNOIJELUtEEaljAFZYMQzMKCbI4JdiDs= - ---B_3664825007_1904734766-- +User-Agent: Microsoft-MacOutlook/10.22.0.200209 +Date: Mon, 17 Feb 2020 22:56:47 +0100 +Subject: Re: htmltest | test issue (#1) +From: "Louzan Martinez, Diego (ext) (SI BP R&D ZG)" + +To: Administrator / htmltest + +Message-ID: <012E37D9-2A3F-4AC8-B79A-871F42914D86@siemens.com> +Thread-Topic: htmltest | test issue (#1) +References: + + +In-Reply-To: +Content-type: multipart/signed; + protocol="application/pkcs7-signature"; + micalg=sha256; + boundary="B_3664825007_1904734766" +MIME-Version: 1.0 + +--B_3664825007_1904734766 +Content-type: multipart/mixed; + boundary="B_3664825007_384940722" + + +--B_3664825007_384940722 +Content-type: multipart/alternative; + boundary="B_3664825007_1519466360" + + +--B_3664825007_1519466360 +Content-type: text/plain; + charset="UTF-8" +Content-transfer-encoding: quoted-printable + +Me too, with an attachment + +=20 + +From: Administrator +Reply to: Administrator / htmltest +Date: Monday, 17 February 2020 at 22:55 +To: "Louzan Martinez, Diego (ext) (SOP IT STG XS)" +Subject: Re: htmltest | test issue (#1) + +=20 + +Administrator commented:=20 + +I pity the foo !!! + +=E2=80=94=20 +Reply to this email directly or view it on GitLab.=20 +You're receiving this email because of your account on 169.254.169.254. If = +you'd like to receive fewer emails, you can unsubscribe from this thread or = +adjust your notification settings.=20 + + +--B_3664825007_1519466360 +Content-type: text/html; + charset="UTF-8" +Content-transfer-encoding: quoted-printable + +GitLab

Me too, with an attachment

 

From: Administrator <dlouzan.dummy@gma= +il.com>
Reply to: Administrator / htmltest <dlouzan.dummy+c0= +34670b1623e617e15a3df64223d363@gmail.com>
Date: Monday, 17 Febr= +uary 2020 at 22:55
To: "Louzan Martinez, Diego (ext) (SOP IT = +STG XS)" <diego.louzan.ext@siemens.com>
Subject: Re: ht= +mltest | test issue (#1)

= + 

Administrator commented:

<= +div>

I pity the foo !!!

=E2=80=94
Reply to this = +email directly or view it on GitLab.
You're receiving this email because of you= +r account on 169.254.169.254. If you'd like to receive fewer emails, you can= + unsubscribe from this thread or adjust your notific= +ation settings.

+ +--B_3664825007_1519466360-- + + +--B_3664825007_384940722 +Content-type: image/png; name="gitlab_logo.png"; + x-mac-creator="4F50494D"; + x-mac-type="504E4766" +Content-disposition: attachment; + filename="gitlab_logo.png" +Content-transfer-encoding: base64 + + +iVBORw0KGgoAAAANSUhEUgAAAIAAAACACAIAAABMXPacAAAABnRSTlMA/wD/AP83WBt9AAAN +1UlEQVR4AexcZXPjSBTcXxOTvMy7xxfGZWaGaJmZmZmZmZmZmdnMzB7JNwv1qs6VOJY0tuWU +p/rz5PW0q0f99JQakcxK6eItQGZlBMgIkFkZATICZFZGgIwAmZURICMAshitiybrexXblk5D +NnOk2i3G6bCvmYcJWuaMCevVohPAsWGx6h/Zd/wrd2xbWf0EcB3YqsqmfnK0LZseYZCIBEBW +E/5p4Mp+wtCvJWO3Vqufv8dtHNoZCOo6ZYd1ahEJ4LtzRZ1fC+pTF9T1P7hZnQQIvHqiKW0I +BFU5lPfiCREJYFs5C4r7Cfu6BdVJAOeutVEErfPGRRhGFAIgu1Xft0VUfYaBbRmXI1ItFuvz +Gkd0jyKo65oXNupEIYD//g11QZ2o+tRF9QJP7lUPAYJvX2haNIkmmKv0Xj0rCgHsa+dDWRgA +x+al1eT5Z9+mCglaF02KsGyKBWCcdsOA1hXWZ6A7MB5X2vtPwG8a07tCgvoehchsSLEA/sd3 +sNtUWJ+mpEHgxaN0FyD08Y2mVbMKCarzavluXkyxAI5NS3AplcG5fVXa+8+h7TEI4kSWSgEY +t9NQ3j5GfcZhXRivJ439JxgwT+gfg6C+dymymlMmQOD5Q01xgxj1acoaBV8/S2P/+fJe2+b3 +GATV+bV9d6+lTADc88FFxIZz9/r0FcB9fE+VBO2r56RGAMYL7ZFYMI3qwfp9aek/oZB5Snks +dtD4cthSIEDw1VNNaaMq69O0bBp8/yot/Uf1Wdv+zyoJqgvr+h/eSoEAzl3roIjYcB3Yko4C +eE4fxK31eAja1y9MogDQHhnZPU4BTGP74jiTZv6DwpYZw+MkaBgEja9kCRB89xLaI1VC27p5 +6NPb9BIgrP2m6/hP1eyg8fX0XlIFcO3fHE9lAPeRnWnmP+ePqbIV8RN0bF6WHAGgPdKHkwDm +iQPZUDB9XoAhy5zRnAga6Y78Gl81SLVHYkPb9o/Q149p4z96ja5LDieCmpKG0PhKuACuwzvi +rwze1LtP7EsXAbyXT6lylFw5OnesTrQA0B4ZwLU4DPPUIWw4lA4PQIx1wQQeBI3Du7JeT8IF +CH35AO0RTtC2/yus/hIR/UImva5bPg+CmrLGwTfPEi6A+/heiCfckK3wnD0sfgF818+rc2ty +ogZw7tmQWAHYMG6P0FzLAlhmjoggJG7/YW1LpvImaBrVk2vjqwb39shfvOvTdfo3rFOJ2n8s +Jn3PYn7soPGVQAE8Zw6B//BBNp5nOi5q/7l9GSbM+AFPMCZKAGiPCIF13liYZxLhsq2YJZCg +aVxfNhggLgC0R/7lXxzMMxm0IvUfu0Xfp0wAO2h8vUuIAJ4L0B7hD3UOnmc6I04BYMJMINxH +d5EVANojY/jWRH6eifyCCTPBME8aBI0vYgKEDbg9kkukPphnEtWCCTPhgMYXSQG8V05De0Qg +1Hk1YZ5JFAsmzArrCWUHja+T+4kKwLLWhRPJFAfzTCJbjo2LCRI0T8ONrzAJAaA90r2AYH36 +3iUwz5TiBRNmg9sTJKjt8HdY/ZWYAL4bvNsjMeaZropHgMDzB5ri+gQJQuOLiACsbSm0R4jB +vmqOiPxn6wriBC2zRkYQIiAAfIBHFnr4kE9kH+CRAIcP+Wpw/QCPBGCe6aYYP8AjBfiQj78A +0B75W5YIiORDPufOtQkiaJkLH/LxFYB1W22j2xjL5MaWSsIoU9iGt/LfuYQbAKnEvau2cZ0S +RNBKFzE2vTABtNfDKxqEh8jC5VLyoBWmdnVVubXUeamBKremsXXdULkiIezwoS2uy349I0gA +5uFctD0LzaFQuQSVZxEGneXoitM1vGBIAeydlYgGakQxk0Lbspg7EyIsy1eAgJ051RLtyEJb +ZWiyAg0mX6W/P6XJU6Tq9NW5Cl9fCtGkeeGDmqBAW+Tfj+5YXsRr4CkAq7+N9tT+vsvOLLRB +gcbIiWsQLpdhu1T9nRoBDKXK0GAZ+d/+KBlap8CH9v3odilY1QWeAjBPFuEtMH5psJJCw6Sk +XUji6FozVS5k61STvP8MlaLlFNopgaNj7k3lJUDQyZxp82MLgAQtpAhXTKfMhdQ5Ci95/5Gg +eRTaIf3fuZ0oivhMnAVgjffR3rq/tgBsl6EZFHEXMpSlwIX0JeT8B6x/Kr54ZdGHtlvJaq5w +FoB5tvx/u4ARbZaj8UQvZFpi71wzBf7TkZD/wOmPlaONv6w/CsyDWRwFCLmZcx2iNwIN1lJo +pIygC/n6UfiBJNn+04eo/wyXodUUnH4UmFOlEb+VgwCs6THaVz96IwC+YZZSaCixCzmUdBfS +F2P/kRM7/SEStBgu3oqwpxaru8lBAObFmkr2AkghnaWjC1k7EPQfyffMtV0a+8SYR/PjFiDs +ZS50jb3dr3Q2RfBlAC7Ul8K2kCT/yVZ4euMATMj6J/7KXLHBnG6Fg21cArCW52h/w9jbEU9n ++IFEX6pMjgC6YmVwkJxQ5pKj9XDxxsSe2qzhbnwCvNpY9XagwSoK3z9EXMjWMSku9LfM2h78 +h3Dmig3myZI4BAj7mYs9q9yLfDqjs7x9kuFC6my5pxcJ/6GjM1eVYM62iwRdVQjA2t6gA405 +CEAuneHHEhyOEu4/RRQR/4HMxQF767LGh1UJ8GY7t00hnU0QfCHTEmuiXQi/pWoH/iMsc20C +6+cA5vmqmAIgP3OlP8dNIZ0phKYzOsvTR6nmMP/La2ZNuP+MgMzFGcz5zpGQq1IBWOsrdLA5 +530hnS0TkM7AhYqVCfSfQuw/ClKZiw/2N2QN9ysVgHm5Hu2EW4UHpGiusHRGS3BEgkhM3H/M +bbH/SAVlrlmQuXiCebygcgHOdeSxI5l0Bi7UG7uQPEH+4+oJ/kMoc/HAiaJKBYh+/uF3GWwU +lM7wIwp+UEmEANoCKjBQQThz8cBuZeUCHPqdx46E0xktsbQj6kLgP214+Q9krhX8rT/qYbRy +C7oxXOjukM4W8U1ndBZ+UFFly8n7Tw++/oOJzIfMJRTMpd6VCsBanqFjuWQ0wDfVTIq/CxVS +IvKfaZC5BOPwn6z+Tswgpr+DTpaS+WNb+KYzWkrWhfBWptY18bAUn4t3HM5cckHWDzieD+8m +Y7ajXd+Ym6PQLorAZbCOYzoDF+qpxKZB0H+c3fEFwCtzraEInP4uOXOtnHV8iPuVZNiLexI8 +QhmpdBYcqNCScyFNPhUYoOCeuaRoCYmLd39j9uW6SMjNdS6IZY0PfiQDgRVI0Tzu6YyWmtsI +diHwn1ZK7v4jQbMFZS54D/P9ZSTL8B1P9xmZBzN+zcfxxjbZ997hYG4u5OpByoXkzm5KRHO0 +/kmCM9du5ffBUI9W8CdKTJD9fBQd/VdoOhvLLZ0FsAsVUAT8J4/y9+foP6MFZ67Df7Dv90aQ +n8AHGvCegLncD+2U8ddgNdd0JjW3FuxCf+PZU+w/XP7uMGGZa6eUudCNNT9NwL+rCTq+T2vt +ayAonQ2RcHCh7sJdSI5nTxGd8MwFKff79IPfkrB/WcYiVn0ZnSxJTjrDjy7afEqY/yjw7Cmi +k5K5juex/7V3Dz5yhVEUwP+cce2GjWu7cW3btm03qm27QRXVtt2ZbO8op/r2vp7qS+a+uHHP +5r7z252ze2N7UUrZZxMB0FBw6GxQUJ1JdXlEXSHcn3oB7g/MFSPN5a75fyEAQGG5QIHUWe9I +wCskBYa4Qrg/rfADSNZces1Poeb/swAoKEBnM4Lq7H372B32Ct2RAUxb3B/KXHzN/wcBcFCA +zor92sQVIic01eTzprg/pLn0mn/Hgz/mKVC4moECobMgV4gd8snnTfWM5fTL/G1ZlK75HgTA +QUGu7eJAOhNG6RMaboDXKWOuhTAXUfM9CICGAnTGD/m4AR7MNQunn6j5HgTAQgEv5CnQGTHk +IwZ4MNfE+C80iE2o+Z4GgBTSUOgFKKg6G41vl5JDPmKANyKAuVDzO6HmexAAAQVSZxjy1cMV +ogd4OP0yc1uimgs1Hx9n8zIAHgp4GSwQnUWZCQ0xwBNzzYO5yJrvfwCAwmmBQklGZ8SQDwM8 +t7mm4cVL1HzvA+ChEE5OcOoMc2JqgAdzjcU3O4ma70EAPBQup/a3cUEBOhse168QMcCDuSLB +aj7xu329CICHAnTWHzrThnz6AA//+30VcxE1388AeChAZz0jxJAPAzynuYia738AxPPqRgYK +sWJ1Fv7xCgmvlAHMtwM8mGsSzKXW/AIIQIUCdKYP+fQBnkzYVkQcNb8ian5hBQAoNMPX5nc6 +Gwyd6UM+DPB0cyk1vwACUKAAnfWJ6kO+YgZ4vcRcePHqNb9gAlCggJfBTPyaLveQzzHA6wZz +OWu+BaBAATpThnx3McBzmctR8y0ABQrQmXvIhwGe21zrSqfOjUfNtwB0KEBnUegsN+SLOQd4 +MJde8y0ARwqAQj6DudBZZsiXcA5gekSSs2EureZbAAoUquKFPDWns++HfBjgwVyo+RfmoeZb +ADQUcjobk9HZN0M+DPBgLtT8I0TNtwDcUFiW0dm3Qz7cn4E5c2Vq/gCm5lsAChSgs+wVwgAP +5krX/LV8zbcAFCisjiRnxpI9wrkhX3qAlxCsibnYD+1YAAQUJkQ/dozL8ZEBzIf28eTYaHJt +Ga7mWwAEFPalNtdNDo89bphIfwBdzLWhBlnzLQD+JwoH+7/qVvFlpwqpPT34mm8B8M/n15+P +Lf90cGHRpxf4RwvAHt8DsMcCsADssQAsAHssAAvAni8AV5380akCdgAAAABJRU5ErkJggg== +--B_3664825007_384940722-- + +--B_3664825007_1904734766 +Content-type: application/pkcs7-signature; name="smime.p7s" +Content-transfer-encoding: base64 +Content-disposition: attachment; + filename="smime.p7s" + +MIIRpwYJKoZIhvcNAQcCoIIRmDCCEZQCAQExDzANBglghkgBZQMEAgEFADALBgkqhkiG9w0B +BwGggg8VMIIHojCCBYqgAwIBAgIEZ5a6PTANBgkqhkiG9w0BAQsFADCBtjELMAkGA1UEBhMC +REUxDzANBgNVBAgMBkJheWVybjERMA8GA1UEBwwITXVlbmNoZW4xEDAOBgNVBAoMB1NpZW1l +bnMxETAPBgNVBAUTCFpaWlpaWkE2MR0wGwYDVQQLDBRTaWVtZW5zIFRydXN0IENlbnRlcjE/ +MD0GA1UEAww2U2llbWVucyBJc3N1aW5nIENBIE1lZGl1bSBTdHJlbmd0aCBBdXRoZW50aWNh +dGlvbiAyMDE2MB4XDTE5MTEyMTE0NDQ0N1oXDTIwMTEyMTE0NDQ0N1owdzERMA8GA1UEBRMI +WjAwM0gwOFQxDjAMBgNVBCoMBURpZWdvMRgwFgYDVQQEDA9Mb3V6YW4gTWFydGluZXoxGDAW +BgNVBAoMD1NpZW1lbnMtUGFydG5lcjEeMBwGA1UEAwwVTG91emFuIE1hcnRpbmV6IERpZWdv +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuInpNaC7NRYD+0pOpHDz2pk9xmPt +JGj860SF6Nmn6Eu9EMYKEDfneC6z5QcH+mPS2d0VWgqVVGbRXSPsxJtbi9TCWjQUZdHglEZK +z9zxoFDh2dvW5/+TOT5Jf78FXyqak0YtY6+oMjQ/i9RUqPL7sIlyXLrBYrILzQ9Afo+7bXZg +v3ypp6xtqAV2ctHzQWFi0onJzxLVYguiVb7fFF9rBEMvSZonuw5tvOwJIhbe5FDFOrDcfbyU +ofZ/wikIZ+A+CE5GryXuuQmGxJaC2QqOkRAWQDzLDx9nG+rKiEs5OvlfEZC7EV1PyjZ93coM +faCVdlAgcFZ5fvd37CjyjKl+1QIDAQABo4IC9DCCAvAwggEEBggrBgEFBQcBAQSB9zCB9DAy +BggrBgEFBQcwAoYmaHR0cDovL2FoLnNpZW1lbnMuY29tL3BraT9aWlpaWlpBNi5jcnQwQQYI +KwYBBQUHMAKGNWxkYXA6Ly9hbC5zaWVtZW5zLm5ldC9DTj1aWlpaWlpBNixMPVBLST9jQUNl +cnRpZmljYXRlMEkGCCsGAQUFBzAChj1sZGFwOi8vYWwuc2llbWVucy5jb20vQ049WlpaWlpa +QTYsbz1UcnVzdGNlbnRlcj9jQUNlcnRpZmljYXRlMDAGCCsGAQUFBzABhiRodHRwOi8vb2Nz +cC5wa2ktc2VydmljZXMuc2llbWVucy5jb20wHwYDVR0jBBgwFoAU+BVdRwxsd3tyxAIXkWii +tvdqCUQwDAYDVR0TAQH/BAIwADBFBgNVHSAEPjA8MDoGDSsGAQQBoWkHAgIEAQMwKTAnBggr +BgEFBQcCARYbaHR0cDovL3d3dy5zaWVtZW5zLmNvbS9wa2kvMIHKBgNVHR8EgcIwgb8wgbyg +gbmggbaGJmh0dHA6Ly9jaC5zaWVtZW5zLmNvbS9wa2k/WlpaWlpaQTYuY3JshkFsZGFwOi8v +Y2wuc2llbWVucy5uZXQvQ049WlpaWlpaQTYsTD1QS0k/Y2VydGlmaWNhdGVSZXZvY2F0aW9u +TGlzdIZJbGRhcDovL2NsLnNpZW1lbnMuY29tL0NOPVpaWlpaWkE2LG89VHJ1c3RjZW50ZXI/ +Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUH +AwQwDgYDVR0PAQH/BAQDAgeAMFUGA1UdEQROMEygLAYKKwYBBAGCNxQCA6AeDBxkaWVnby5s +b3V6YW4uZXh0QHNpZW1lbnMuY29tgRxkaWVnby5sb3V6YW4uZXh0QHNpZW1lbnMuY29tMB0G +A1UdDgQWBBQj8k8aqZey68w8ALYKGJSGMt5hZDANBgkqhkiG9w0BAQsFAAOCAgEAFDHqxpb1 +R9cB4noC9vx09bkNbmXCpVfl3XCQUmAWTznC0nwEssTTjo0PWuIV4C3jnsp0MRUeHZ6lsyhZ +OzS1ETwYgvj6wzjb8RF3wgn7N/JOvFGaErMz5HZpKOfzGiNpW6/Rmd4hsRDjAwOVQOXUTqc/ +0Bj3FMoLRCSWSnTp5HdyvrY2xOKHfTrTjzmcLdFaKE2F5n7+dBkwCKVfzut8CqfVq/I7ks4m +D1IHk93/P6l9U34R2FHPt6zRTNZcWmDirRSlMH4L18CnfiNPuDN/PtRYlt3Vng5EdYN0VCg2 +NM/uees0U4ingCb0NFjg66uQ/tjfPQk55MN4Wpls4N6TkMoTCWLiqZzYTGdmVQexzroL6940 +tmMr8LoN3TpPf0OdvdKEpyH7fzsx5QlmQyywIWec6X+Fx6+l0g91VJnPEtqACpfZIBZtviHl +gfX298w+SsvBK8C48Pqs8Ijh7tLrCxx7VMLVHZqwWWPK53ga+CDWmjoSQPxi+CPZF7kao6N5 +4GrJWwSHlHh6WzTbLyLvTJZZ775Utp4W8s8xMUsQJ413iYzEaC8FcSeNjSk5UiDDiHrKmzpM +tbApD3pUXStblUMKYGTG1Mj9BcEBFkCdoGlw/ulszIrKFfOyRNDG3Ay+Dj/oMjoKsJphu3px +wyft82rTer7UW/I7o0h0DAG4lkMwggdrMIIFU6ADAgECAgR5nlqfMA0GCSqGSIb3DQEBCwUA +MIGeMQswCQYDVQQGEwJERTEPMA0GA1UECAwGQmF5ZXJuMREwDwYDVQQHDAhNdWVuY2hlbjEQ +MA4GA1UECgwHU2llbWVuczERMA8GA1UEBRMIWlpaWlpaQTMxHTAbBgNVBAsMFFNpZW1lbnMg +VHJ1c3QgQ2VudGVyMScwJQYDVQQDDB5TaWVtZW5zIElzc3VpbmcgQ0EgRUUgRW5jIDIwMTYw +HhcNMTkwOTI3MDgwMTM5WhcNMjAwOTI3MDgwMTM3WjB3MREwDwYDVQQFEwhaMDAzSDA4VDEO +MAwGA1UEKgwFRGllZ28xGDAWBgNVBAQMD0xvdXphbiBNYXJ0aW5lejEYMBYGA1UECgwPU2ll +bWVucy1QYXJ0bmVyMR4wHAYDVQQDDBVMb3V6YW4gTWFydGluZXogRGllZ28wggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCyby5qKzZIrGYWRqxnaAyMt/a/uc0uMk0F3MjwxvPM +vh5DllUpqx0l8ZDakDjPhlEXTeoL4DHNgmh+CDCs76CppM3cNG/1W1Ajo/L2iwMoXaxYuQ/F +q7ED+02KEkWX2DDVVG3fhrUGP20QAq77xPDptmVWZnUnuobZBNYkC49Xfl9HJvkJL8P0+Jqb +Eae7p4roiEr7wNkGriwrVXgA3oPNF/W+OuI76JTNTajS/6PAK/GeqIvLjfuBXpdBZTY031nE +Cztca8vI1jUjQzVhS+0dWpvpfhkVumbvOnid8DI9lapYsX8dpZFsa3ya+T3tjUdGSOOKi0kg +lWf/XYyyfhmDAgMBAAGjggLVMIIC0TAdBgNVHQ4EFgQUprhTCDwNLfPImpSfWdq+QvPTo9Mw +JwYDVR0RBCAwHoEcZGllZ28ubG91emFuLmV4dEBzaWVtZW5zLmNvbTAOBgNVHQ8BAf8EBAMC +BDAwLAYDVR0lBCUwIwYIKwYBBQUHAwQGCisGAQQBgjcKAwQGCysGAQQBgjcKAwQBMIHKBgNV +HR8EgcIwgb8wgbyggbmggbaGJmh0dHA6Ly9jaC5zaWVtZW5zLmNvbS9wa2k/WlpaWlpaQTMu +Y3JshkFsZGFwOi8vY2wuc2llbWVucy5uZXQvQ049WlpaWlpaQTMsTD1QS0k/Y2VydGlmaWNh +dGVSZXZvY2F0aW9uTGlzdIZJbGRhcDovL2NsLnNpZW1lbnMuY29tL0NOPVpaWlpaWkEzLG89 +VHJ1c3RjZW50ZXI/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdDBFBgNVHSAEPjA8MDoGDSsG +AQQBoWkHAgIEAQMwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5zaWVtZW5zLmNvbS9wa2kv +MAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUoassbqB68NPCTeof8R4hivwMre8wggEEBggr +BgEFBQcBAQSB9zCB9DAyBggrBgEFBQcwAoYmaHR0cDovL2FoLnNpZW1lbnMuY29tL3BraT9a +WlpaWlpBMy5jcnQwQQYIKwYBBQUHMAKGNWxkYXA6Ly9hbC5zaWVtZW5zLm5ldC9DTj1aWlpa +WlpBMyxMPVBLST9jQUNlcnRpZmljYXRlMEkGCCsGAQUFBzAChj1sZGFwOi8vYWwuc2llbWVu +cy5jb20vQ049WlpaWlpaQTMsbz1UcnVzdGNlbnRlcj9jQUNlcnRpZmljYXRlMDAGCCsGAQUF +BzABhiRodHRwOi8vb2NzcC5wa2ktc2VydmljZXMuc2llbWVucy5jb20wDQYJKoZIhvcNAQEL +BQADggIBAF98ZMNg28LgkwdjOdvOGbC1QitsWjZTyotmQESF0nClDLUhb0O5675vVixntbrf +eB8xy1+KRiadk40GnAIJ0YzmNl4Tav6hPYv9VBWe5olsWG7C4qB3Q/SwhvW/e+owxv1cBra8 +R3oRudiN81eTZQHyNghRephVqQG/dpPYqydoANfIhEpHa79QlpaCAeYl4896AZOS8HYbkDFs +hLdv7sEHtl79YuSWI1wBjbJl70c0Sb4wLRgCPuHyQj2Uw/vQ5xJlEvBDZAIXXe1TP/nqiuY6 +7nweJbbeqfFE6ZP3kCe+mEIWGSaO0iThZyLGer8fHs1XiEmhhPgvC7P7KodzpXU6+hX+ZzbD +DxEjFfetV5sh0aNSXG9xx4hZmS9bpImBGR8MvZ7cgxqItvLtY2xvfUbYW244d4RcWesaCDq3 +ZEIo6uCIzOzJAwjUdLIac+lLV0rxiHmb7O3cQ19kjpWDB31hmfrus/TKJ55pBKVWBX5m/mFv +K8Ep5USpGrNS0EzOP7I1kQZv2VsvAhSxk/m5FMLpDy8T0O8YgbLypTXoeJFWCF6RduSjVsaZ +lkAtTQYud683pjyOMxJXaQUYGU1PmEYSOonMkVsT9aBcxYkXLp+Ln/+8G0OCYu7dRdwnj+Ut +7yR/ltxtgDcaFApCb0qBTKbgbqZk1fASmkOp+kbdYmoUMYICVjCCAlICAQEwgb8wgbYxCzAJ +BgNVBAYTAkRFMQ8wDQYDVQQIDAZCYXllcm4xETAPBgNVBAcMCE11ZW5jaGVuMRAwDgYDVQQK +DAdTaWVtZW5zMREwDwYDVQQFEwhaWlpaWlpBNjEdMBsGA1UECwwUU2llbWVucyBUcnVzdCBD +ZW50ZXIxPzA9BgNVBAMMNlNpZW1lbnMgSXNzdWluZyBDQSBNZWRpdW0gU3RyZW5ndGggQXV0 +aGVudGljYXRpb24gMjAxNgIEZ5a6PTANBglghkgBZQMEAgEFAKBpMC8GCSqGSIb3DQEJBDEi +BCAOR58AbNfSrI+vtMs+dgAQtn3IVZ3RjYC5hz3j9k+6TTAYBgkqhkiG9w0BCQMxCwYJKoZI +hvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMDAyMTcyMTU2NDdaMA0GCSqGSIb3DQEBAQUABIIB +AHLSBcFHhNHPevbwqvA2ecuVb/aKnj45CFF6l8esP1H5DRm1ee5qMKuIS84NFuFC9RUENNhW +DBzsB+BVGz64o1f8QgIklYVrIJ4JZ0q1abNG7NbkVKWIpS3CQo//YWShUTYg+JpKx4YbahGR +sP5zbufbU4eagrrqBChjPTLy+njdjwCNu0XPykBTKOOf6BMjnS33AYjHJyh83JOY7rw3IDLx +8POQH4g5EMRpl9354s0rEkIezMt7pfUAsqY3QnQ8hvlE4KTikPQ+tvLMK1l/ffcLAP8BdBNI +YA3ikb3qCoGNSLKieYzNnBPhNOIJELUtEEaljAFZYMQzMKCbI4JdiDs= + +--B_3664825007_1904734766-- diff --git a/spec/fixtures/packages/helm/corrupted_chart.tgz b/spec/fixtures/packages/helm/corrupted_chart.tgz new file mode 100644 index 0000000000000000000000000000000000000000..b2ac93b271e2e91731590fef32a21179986ede3f GIT binary patch literal 2084191 zcmeI*u?xiDUB}^i77`ELIyf9L7`q&zf^aSlnJtJEq+@j~S#D8~AebPnsKJ0>5kziL zLLG8~o684~55M%KU;C@SufF>~KmXky{PS=B!>|6< zH@@|?-~IkSW?%iAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0?`XRljL-a0m^Oc9?{nbAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0tA-ql7_0?#Bl9bYKaL4W`O0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PDYg@Jy1^F$O5Nv3o>cBY*$_0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBmVvP&8c1AL}ii-Q0G0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBm_ zUf^8c^RNYY@2@oa8UX|d5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7e?b)B2A z1?cyx7DJ;PK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1fmx>*Y`YZ0p9y7jlMfPSxvfd>Hs1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oN9;y}&a` zPRAIa+{W$^eT@JD1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZV973NI1KQa zZY>T11PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZAbNpweb2)d;Jv@n=xYQJ zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0@rnJ!WN+4t770mfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72t+UNOp?pfN~qVNAxuU2oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+0D&dDq~S2YXS%gG2oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+0DE2oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5Fik}z%xls#~7g8#_kb)jQ|1!2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkKc$u4O)4Dgw5Ee-+%2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkJx zdVzC&&%+kry}#1vYXlG=K!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk*L7~f z7NFm&V&Fl5009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXFL@)46lG8B;D7UeD zL|-F-009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5LmKH8V&<|rdx}H009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5QtvjT;KDs1$ghTH2N9=1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfWUQ~o3I7w_o^6p5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RqtrJd@;fi~-7R>>knA2p~X!009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjY;?2?AV0H5jB;vhhP009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjY~7dY4VJZu5p`zwvUMgRc<1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNA}UFRlj0s6fv1|9?m5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7dX^a9T$ zIUQqwavQrx^fdwq5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7csfhD`7;V{5w zy0th65FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7csf#?O!^*s+;fcO4NqpuM_ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72wc~>30r`EuZn>O0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAP~L4Gf7Uz7@*w7?h$>B00IOE5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV6TrE@?On@R@Ec4gv%S5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV45`fpdM&!xrGZztZSy1P~xVfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009Emb#B5Ipx>)v;6Z=@0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&|FYru~(=i4px3POfUn7730RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zSh7nR4g-9qTZ@AL0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&Uh+g1a-}A5q zc<-+?`WgWQ2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+z;&IQum$M%su*|> zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0?`XRljL-a0m^Oc9?{nbAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0tA-ql7_0?#Bl9bYKaL4W`O0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PDYg@Jy1^F$O5Nv3o>cBY*$_0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBmVvP&8c1AL}ii-Q0G0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBm_Uf^8c^RNYY@2@oa8UX|d5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7e?b)B2A1?cyx7DJ;PK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1fmx>*Y`YZ0p9y7jlMfPSxvfd>Hs1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oN9;y}&a`PRAIa+{W$^eT@JD1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zV973NI1KQaZY>T11PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZAbNpweb2)d z;Jv@n=xYQJAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0@rnJ!WN+4t770m zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72t+UNOp?pfN~qV zNAxuU2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+0D&dDq~S2YXS%gG2oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+0DE2oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5Fik}z%xls#~7g8#_kb)jQ|1!2oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkKc$u4O)4Dgw5Ee-+%2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkJxdVzC&&%+kry}#1vYXlG=K!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk*L7~f7NFm&V&Fl5009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXFL@)46 zlG8B;D7UeDL|-F-009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5LmKH8V&<| zrdx}H009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5QtvjT;KDs1$ghTH2N9= z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfWUQ~o3I7w_o^6p5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RqtrJd@;fi~-7R>>knA2p~X!009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjY;?2?AV0H5jB;vhhP009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjY~7dY4VJZu5p`zwvUMgRc<1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNA}UFRlj0s6fv1|9?m5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7dX^a9T$IUQqwavQrx^fdwq5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs zfhD`7;V{5wy0th65FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7csf#?O!^*s+; zfcO4NqpuM_fB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72wc~>30r`EuZn>O z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAP~L4Gf7Uz7@*w7?h$>B00IOE z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV6TrE@?On@R@Ec4gv%S5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV45`fpdM&!xrGZztZSy1P~xVfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009Emb#B5Ipx>)v;6Z=@0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&|FYru~(=i4px3POfUn7730RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&USh7nR4g-9qTZ@AL0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zh+g1a-}A5qc<-+?`WgWQ2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+z;&IQ zum$M%su*|>AV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0?`XRljL-a0m^Oc z9?{nbAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0tA-ql7_0?#Bl9bYKaL4W`O0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PDYg@Jy1^F$O5Nv3o>cBY*$_0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBmVvP&8c1AL}ii-Q0G0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBm_Uf^8c^RNYY@2@oa8UX|d5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7e?b)B2A1?cyx7DJ;PK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1fmx>*Y`YZ z0p9y7jlMfPSxvfd>Hs1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oN9;y}&a`PRAIa+{W$^eT@JD1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZV973NI1KQaZY>T11PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zAbNpweb2)d;Jv@n=xYQJAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0@rnJ z!WN+4t770mfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72t+UNOp?pfN~qVNAxuU2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+0D&dDq~S2Y zXS%gG2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+0DE2oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5Fik}z%xls#~7g8#_kb)jQ|1!2oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkKc$u4O)4Dgw5Ee-+%2oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkJxdVzC&&%+kry}#1vYXlG=K!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk*L7~f7NFm&V&Fl5009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXFL@)46lG8B;D7UeDL|-F-009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5LmKH8V&<|rdx}H009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5QtvjT;KDs z1$ghTH2N9=1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfWUQ~o3I7w_o^6p z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RqtrJd@;fi~-7R>>knA2p~X! z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjY;?2?AV0H5jB;vhhP009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjY~7dY4VJZu5p`zwvUMgRc<1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNA}UFRlj0s6fv1|9?m5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7dX^a9T$IUQqwavQrx^fdwq5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7csfhD`7;V{5wy0th65FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs zf#?O!^*s+;fcO4NqpuM_fB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72wc~> z30r`EuZn>O0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAP~L4Gf7Uz7@*w7 z?h$>B00IOE5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV6TrE@?On@R@Ec4gv%S z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV45`fpdM&!xrGZztZSy1P~xVfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009Emb#B5Ipx>)v;6Z=@0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&|FYru~(=i4px3POfUn7730RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&USh7nR4g-9qTZ@AL0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&Uh+g1a-}A5qc<-+?`WgWQ2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+z;&IQum$M%su*|>AV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0?`XR zljL-a0m^Oc9?{nbAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0tA-ql7_0?#Bl9bYKa zL4W`O0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PDYg@Jy1^F$O5Nv3o>cBY*$_ z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBmVvP&8c1AL}ii-Q0G0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBm_Uf^8c^RNYY@2@oa8UX|d5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7e?b)B2A1?cyx7DJ;PK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1fmx>*Y`YZ0p9y7jlMfPSxvfd>Hs1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oN9;y}&a`PRAIa+{W$^eT@JD1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZV973NI1KQaZY>T11PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZAbNpweb2)d;Jv@n=xYQJAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0@rnJ!WN+4t770mfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72t+UN zOp?pfN~qVNAxuU2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z0D&dDq~S2YXS%gG2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+0DE2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5Fik}z%xls#~7g8#_kb)jQ|1! z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkKc$u4O)4Dgw5Ee-+%2oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkJxdVzC&&%+kry}#1vYXlG=K!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk*L7~f7NFm&V&Fl5009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXFL@)46lG8B;D7UeDL|-F-009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5LmKH8V&<|rdx}H009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5QtvjT;KDs1$ghTH2N9=1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfWUQ~ zo3I7w_o^6p5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RqtrJd@;fi~-7R z>>knA2p~X!009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjY;?2?AV0H5jB;vhhP z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjY~7dY4VJZu5p`zwvUMgRc<1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNA}UFRlj0s6fv1|9?m5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7dX^a9T$IUQqwavQrx^fdwq5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7csfhD`7;V{5wy0th65FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7csf#?O!^*s+;fcO4NqpuM_fB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72wc~>30r`EuZn>O0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAP~L4 m-zDGr;xPtjx9PvW`6FQ#@c-`hlj%?X;tzlQ3;7p*?|%V<2@lEu literal 0 HcmV?d00001 diff --git a/spec/fixtures/safe_zip/invalid-unexpected-large.zip b/spec/fixtures/safe_zip/invalid-unexpected-large.zip new file mode 100644 index 0000000000000000000000000000000000000000..3005da8c779366ae9f07c182a1db87f90056d278 GIT binary patch literal 376 zcmWIWW@h1H00HL2X`x^SkYEI2b_N-Sg3_d%%w+x05KabW)f^%VSI6BNosCl0m1^1!7z;GUW8L{8_ka}Ix#VkY-5AaLX{86*y7^U zl43~U`T`vb!)T601nzZa)W8+TFe@`RF+EkUATJ#p#M{?8#9RPkl7blIU@MVA4o+b3 zg0L8dCCT{(m2f*?jt0?a4u?A?z?+dtgc)}#1KI)xZyiAt(P@s6iHjL`s)HEGz_6v! z6=5hM;t8iggqyLYI+*eQ7cM~WHZ%e?;W%$1k#KZ^$R!AVAxfIz@OphZQ8jLU$H5h;f rV+jIegE761FnCMjDultv0Rc1?6c8BhWn}|-j~NJA85tP9f;bESdn|NT diff --git a/spec/lib/gitlab/ci/artifact_file_reader_spec.rb b/spec/lib/gitlab/ci/artifact_file_reader_spec.rb index e982f0eb01..813dc15e79 100644 --- a/spec/lib/gitlab/ci/artifact_file_reader_spec.rb +++ b/spec/lib/gitlab/ci/artifact_file_reader_spec.rb @@ -10,71 +10,117 @@ RSpec.describe Gitlab::Ci::ArtifactFileReader do subject { described_class.new(job).read(path) } context 'when job has artifacts and metadata' do - let!(:artifacts) { create(:ci_job_artifact, :archive, job: job) } - let!(:metadata) { create(:ci_job_artifact, :metadata, job: job) } - - it 'returns the content at the path' do - is_expected.to be_present - expect(YAML.safe_load(subject).keys).to contain_exactly('rspec', 'time', 'custom') - end - - context 'when path does not exist' do - let(:path) { 'file/does/not/exist.txt' } - let(:expected_error) do - "Path `#{path}` does not exist inside the `#{job.name}` artifacts archive!" - end - - it 'raises an error' do - expect { subject }.to raise_error(described_class::Error, expected_error) - end - end - - context 'when path points to a directory' do - let(:path) { 'other_artifacts_0.1.2' } - let(:expected_error) do - "Path `#{path}` was expected to be a file but it was a directory!" - end - - it 'raises an error' do - expect { subject }.to raise_error(described_class::Error, expected_error) - end - end - - context 'when path is nested' do - # path exists in ci_build_artifacts.zip - let(:path) { 'other_artifacts_0.1.2/doc_sample.txt' } - - it 'returns the content at the nested path' do + shared_examples 'extracting job artifact archive' do + it 'returns the content at the path' do is_expected.to be_present + expect(YAML.safe_load(subject).keys).to contain_exactly('rspec', 'time', 'custom') + end + + context 'when path does not exist' do + let(:path) { 'file/does/not/exist.txt' } + let(:expected_error) do + "Path `#{path}` does not exist inside the `#{job.name}` artifacts archive!" + end + + it 'raises an error' do + expect { subject }.to raise_error(described_class::Error, expected_error) + end + end + + context 'when path points to a directory' do + let(:path) { 'other_artifacts_0.1.2' } + let(:expected_error) do + "Path `#{path}` was expected to be a file but it was a directory!" + end + + it 'raises an error' do + expect { subject }.to raise_error(described_class::Error, expected_error) + end + end + + context 'when path is nested' do + # path exists in ci_build_artifacts.zip + let(:path) { 'other_artifacts_0.1.2/doc_sample.txt' } + + it 'returns the content at the nested path' do + is_expected.to be_present + end + end + + context 'when artifact archive size is greater than the limit' do + let(:expected_error) do + "Artifacts archive for job `#{job.name}` is too large: max 1 KB" + end + + before do + stub_const("#{described_class}::MAX_ARCHIVE_SIZE", 1.kilobyte) + end + + it 'raises an error' do + expect { subject }.to raise_error(described_class::Error, expected_error) + end + end + + context 'when metadata entry shows size greater than the limit' do + let(:expected_error) do + "Artifacts archive for job `#{job.name}` is too large: max 5 MB" + end + + before do + expect_next_instance_of(Gitlab::Ci::Build::Artifacts::Metadata::Entry) do |entry| + expect(entry).to receive(:total_size).and_return(10.megabytes) + end + end + + it 'raises an error' do + expect { subject }.to raise_error(described_class::Error, expected_error) + end end end - context 'when artifact archive size is greater than the limit' do - let(:expected_error) do - "Artifacts archive for job `#{job.name}` is too large: max 1 KB" - end + context 'when job artifact is on local storage' do + let!(:artifacts) { create(:ci_job_artifact, :archive, job: job) } + let!(:metadata) { create(:ci_job_artifact, :metadata, job: job) } - before do - stub_const("#{described_class}::MAX_ARCHIVE_SIZE", 1.kilobyte) - end - - it 'raises an error' do - expect { subject }.to raise_error(described_class::Error, expected_error) - end + it_behaves_like 'extracting job artifact archive' end - context 'when metadata entry shows size greater than the limit' do - let(:expected_error) do - "Artifacts archive for job `#{job.name}` is too large: max 5 MB" + context 'when job artifact is on remote storage' do + before do + stub_artifacts_object_storage + stub_request(:get, %r{https://artifacts.+ci_build_artifacts\.zip}) + .to_return( + status: 200, + body: File.open(Rails.root.join('spec/fixtures/ci_build_artifacts.zip')), + headers: {} + ) + stub_request(:get, %r{https://artifacts.+ci_build_artifacts_metadata}) + .to_return( + status: 200, + body: File.open(Rails.root.join('spec/fixtures/ci_build_artifacts_metadata.gz')), + headers: {} + ) end + let!(:artifacts) { create(:ci_job_artifact, :archive, :remote_store, job: job) } + let!(:metadata) { create(:ci_job_artifact, :metadata, :remote_store, job: job) } + + it_behaves_like 'extracting job artifact archive' + end + + context 'when extracting job artifact raises entry size error' do + let!(:artifacts) { create(:ci_job_artifact, :archive, job: job) } + let!(:metadata) { create(:ci_job_artifact, :metadata, job: job) } + before do - expect_next_instance_of(Gitlab::Ci::Build::Artifacts::Metadata::Entry) do |entry| - expect(entry).to receive(:total_size).and_return(10.megabytes) + allow_next_instance_of(SafeZip::Extract, anything) do |extractor| + allow(extractor).to receive(:extract).and_raise(SafeZip::Extract::EntrySizeError) end end it 'raises an error' do + expected_error = "Path `#{path}` has invalid size in the zip!" + expect { subject }.to raise_error(described_class::Error, expected_error) end end diff --git a/spec/lib/safe_zip/entry_spec.rb b/spec/lib/safe_zip/entry_spec.rb index 9929b8073a..8d49e2bcec 100644 --- a/spec/lib/safe_zip/entry_spec.rb +++ b/spec/lib/safe_zip/entry_spec.rb @@ -5,12 +5,13 @@ require 'spec_helper' RSpec.describe SafeZip::Entry do let(:target_path) { Dir.mktmpdir('safe-zip') } let(:directories) { %w(public folder/with/subfolder) } - let(:params) { SafeZip::ExtractParams.new(directories: directories, to: target_path) } + let(:files) { %w(public/index.html public/assets/image.png) } + let(:params) { SafeZip::ExtractParams.new(directories: directories, files: files, to: target_path) } let(:entry) { described_class.new(zip_archive, zip_entry, params) } let(:entry_name) { 'public/folder/index.html' } let(:entry_path_dir) { File.join(target_path, File.dirname(entry_name)) } - let(:entry_path) { File.join(target_path, entry_name) } + let(:entry_path) { File.join(File.realpath(target_path), entry_name) } let(:zip_archive) { double } let(:zip_entry) do @@ -28,7 +29,7 @@ RSpec.describe SafeZip::Entry do describe '#path_dir' do subject { entry.path_dir } - it { is_expected.to eq(target_path + '/public/folder') } + it { is_expected.to eq(File.realpath(target_path) + '/public/folder') } end describe '#exist?' do @@ -51,6 +52,9 @@ RSpec.describe SafeZip::Entry do subject { entry.extract } context 'when entry does not match the filtered directories' do + let(:directories) { %w(public folder/with/subfolder) } + let(:files) { [] } + using RSpec::Parameterized::TableSyntax where(:entry_name) do @@ -70,7 +74,30 @@ RSpec.describe SafeZip::Entry do end end - context 'when entry does exist' do + context 'when entry does not match the filtered files' do + let(:directories) { [] } + let(:files) { %w(public/index.html public/assets/image.png) } + + using RSpec::Parameterized::TableSyntax + + where(:entry_name) do + [ + 'assets/folder/index.html', + 'public/../folder/index.html', + 'public/../../../../../index.html', + '../../../../../public/index.html', + '/etc/passwd' + ] + end + + with_them do + it 'does not extract file' do + is_expected.to be_falsey + end + end + end + + context 'when there is an existing extracted entry' do before do create_entry end diff --git a/spec/lib/safe_zip/extract_params_spec.rb b/spec/lib/safe_zip/extract_params_spec.rb index 880c435866..0ebfb7430c 100644 --- a/spec/lib/safe_zip/extract_params_spec.rb +++ b/spec/lib/safe_zip/extract_params_spec.rb @@ -4,8 +4,10 @@ require 'spec_helper' RSpec.describe SafeZip::ExtractParams do let(:target_path) { Dir.mktmpdir("safe-zip") } - let(:params) { described_class.new(directories: directories, to: target_path) } + let(:real_target_path) { File.realpath(target_path) } + let(:params) { described_class.new(directories: directories, files: files, to: target_path) } let(:directories) { %w(public folder/with/subfolder) } + let(:files) { %w(public/index.html public/assets/image.png) } after do FileUtils.remove_entry_secure(target_path) @@ -14,13 +16,13 @@ RSpec.describe SafeZip::ExtractParams do describe '#extract_path' do subject { params.extract_path } - it { is_expected.to eq(target_path) } + it { is_expected.to eq(real_target_path) } end describe '#matching_target_directory' do using RSpec::Parameterized::TableSyntax - subject { params.matching_target_directory(target_path + path) } + subject { params.matching_target_directory(real_target_path + path) } where(:path, :result) do '/public/index.html' | '/public/' @@ -30,7 +32,7 @@ RSpec.describe SafeZip::ExtractParams do end with_them do - it { is_expected.to eq(result ? target_path + result : nil) } + it { is_expected.to eq(result ? real_target_path + result : nil) } end end @@ -38,7 +40,7 @@ RSpec.describe SafeZip::ExtractParams do subject { params.target_directories } it 'starts with target_path' do - is_expected.to all(start_with(target_path + '/')) + is_expected.to all(start_with(real_target_path + '/')) end it 'ends with / for all paths' do @@ -53,4 +55,27 @@ RSpec.describe SafeZip::ExtractParams do is_expected.to all(end_with('/*')) end end + + describe '#matching_target_file' do + using RSpec::Parameterized::TableSyntax + + subject { params.matching_target_file(real_target_path + path) } + + where(:path, :result) do + '/public/index.html' | true + '/non/existing/path' | false + '/public/' | false + '/folder/with/index.html' | false + end + + with_them do + it { is_expected.to eq(result) } + end + end + + context 'when directories and files are empty' do + it 'is invalid' do + expect { described_class.new(to: target_path) }.to raise_error(ArgumentError, /directories or files are required/) + end + end end diff --git a/spec/lib/safe_zip/extract_spec.rb b/spec/lib/safe_zip/extract_spec.rb index 443430b267..c727475e27 100644 --- a/spec/lib/safe_zip/extract_spec.rb +++ b/spec/lib/safe_zip/extract_spec.rb @@ -5,6 +5,7 @@ require 'spec_helper' RSpec.describe SafeZip::Extract do let(:target_path) { Dir.mktmpdir('safe-zip') } let(:directories) { %w(public) } + let(:files) { %w(public/index.html) } let(:object) { described_class.new(archive) } let(:archive) { Rails.root.join('spec', 'fixtures', 'safe_zip', archive_name) } @@ -13,20 +14,36 @@ RSpec.describe SafeZip::Extract do end describe '#extract' do - subject { object.extract(directories: directories, to: target_path) } + subject { object.extract(directories: directories, files: files, to: target_path) } shared_examples 'extracts archive' do - it 'does extract archive' do - subject + context 'when specifying directories' do + subject { object.extract(directories: directories, to: target_path) } - expect(File.exist?(File.join(target_path, 'public', 'index.html'))).to eq(true) - expect(File.exist?(File.join(target_path, 'source'))).to eq(false) + it 'does extract archive' do + subject + + expect(File.exist?(File.join(target_path, 'public', 'index.html'))).to eq(true) + expect(File.exist?(File.join(target_path, 'public', 'assets', 'image.png'))).to eq(true) + expect(File.exist?(File.join(target_path, 'source'))).to eq(false) + end + end + + context 'when specifying files' do + subject { object.extract(files: files, to: target_path) } + + it 'does extract archive' do + subject + + expect(File.exist?(File.join(target_path, 'public', 'index.html'))).to eq(true) + expect(File.exist?(File.join(target_path, 'public', 'assets', 'image.png'))).to eq(false) + end end end shared_examples 'fails to extract archive' do it 'does not extract archive' do - expect { subject }.to raise_error(SafeZip::Extract::Error) + expect { subject }.to raise_error(SafeZip::Extract::Error, including(error_message)) end end @@ -38,9 +55,18 @@ RSpec.describe SafeZip::Extract do end end - %w(invalid-symlink-does-not-exist.zip invalid-symlinks-outside.zip).each do |name| - context "when using #{name} archive" do + context 'when zip files are invalid' do + using RSpec::Parameterized::TableSyntax + + where(:name, :message) do + 'invalid-symlink-does-not-exist.zip' | 'does not exist' + 'invalid-symlinks-outside.zip' | 'Symlink cannot be created' + 'invalid-unexpected-large.zip' | 'larger when inflated' + end + + with_them do let(:archive_name) { name } + let(:error_message) { message } it_behaves_like 'fails to extract archive' end @@ -49,6 +75,19 @@ RSpec.describe SafeZip::Extract do context 'when no matching directories are found' do let(:archive_name) { 'valid-simple.zip' } let(:directories) { %w(non/existing) } + let(:error_message) { 'No entries extracted' } + + subject { object.extract(directories: directories, to: target_path) } + + it_behaves_like 'fails to extract archive' + end + + context 'when no matching files are found' do + let(:archive_name) { 'valid-simple.zip' } + let(:files) { %w(non/existing) } + let(:error_message) { 'No entries extracted' } + + subject { object.extract(files: files, to: target_path) } it_behaves_like 'fails to extract archive' end diff --git a/spec/migrations/20230117114739_clear_duplicate_jobs_cookies_spec.rb b/spec/migrations/20230117114739_clear_duplicate_jobs_cookies_spec.rb new file mode 100644 index 0000000000..5c572b49d3 --- /dev/null +++ b/spec/migrations/20230117114739_clear_duplicate_jobs_cookies_spec.rb @@ -0,0 +1,23 @@ +# frozen_string_literal: true + +require 'spec_helper' +require_migration! + +RSpec.describe ClearDuplicateJobsCookies, :migration, feature_category: :redis do + def with_redis(&block) + Gitlab::Redis::Queues.with(&block) + end + + it 'deletes duplicate jobs cookies' do + delete = ['resque:gitlab:duplicate:blabla:1:cookie:v2', 'resque:gitlab:duplicate:foobar:2:cookie:v2'] + keep = ['resque:gitlab:duplicate:something', 'something:cookie:v2'] + with_redis { |r| (delete + keep).each { |key| r.set(key, 'value') } } + + expect(with_redis { |r| r.exists(delete + keep) }).to eq(4) + + migrate! + + expect(with_redis { |r| r.exists(delete) }).to eq(0) + expect(with_redis { |r| r.exists(keep) }).to eq(2) + end +end diff --git a/spec/models/concerns/issuable_spec.rb b/spec/models/concerns/issuable_spec.rb index e553e34ab5..206b3ae61c 100644 --- a/spec/models/concerns/issuable_spec.rb +++ b/spec/models/concerns/issuable_spec.rb @@ -65,7 +65,6 @@ RSpec.describe Issuable do it { is_expected.to validate_presence_of(:author) } it { is_expected.to validate_presence_of(:title) } it { is_expected.to validate_length_of(:title).is_at_most(described_class::TITLE_LENGTH_MAX) } - it { is_expected.to validate_length_of(:description).is_at_most(described_class::DESCRIPTION_LENGTH_MAX).on(:create) } it_behaves_like 'validates description length with custom validation' do before do diff --git a/spec/models/concerns/sanitizable_spec.rb b/spec/models/concerns/sanitizable_spec.rb index 4a1d463d66..be7169f8dc 100644 --- a/spec/models/concerns/sanitizable_spec.rb +++ b/spec/models/concerns/sanitizable_spec.rb @@ -75,7 +75,58 @@ RSpec.describe Sanitizable do it 'is not valid', :aggregate_failures do expect(record).not_to be_valid - expect(record.errors.full_messages).to include('Name cannot contain escaped HTML entities') + expect(record.errors.full_messages).to contain_exactly( + 'Name cannot contain escaped HTML entities', + 'Description cannot contain escaped HTML entities' + ) + end + end + + context 'when input contains double-escaped data' do + let_it_be(:input) do + '%2526lt%253Bscript%2526gt%253Balert%25281%2529%2526lt%253B%252Fscript%2526gt%253B' + end + + it_behaves_like 'noop' + + it 'is not valid', :aggregate_failures do + expect(record).not_to be_valid + expect(record.errors.full_messages).to contain_exactly( + 'Name cannot contain escaped components', + 'Description cannot contain escaped components' + ) + end + end + + context 'when input contains a path traversal attempt' do + let_it_be(:input) { 'main../../../../../../api/v4/projects/1/import_project_members/2' } + + it_behaves_like 'noop' + + it 'is not valid', :aggregate_failures do + expect(record).not_to be_valid + expect(record.errors.full_messages).to contain_exactly( + 'Name cannot contain a path traversal component', + 'Description cannot contain a path traversal component' + ) + end + end + + context 'when input contains both path traversal attempt and pre-escaped entities' do + let_it_be(:input) do + 'main../../../../../../api/v4/projects/1/import_project_members/2<script>alert(1)</script>' + end + + it_behaves_like 'noop' + + it 'is not valid', :aggregate_failures do + expect(record).not_to be_valid + expect(record.errors.full_messages).to contain_exactly( + 'Name cannot contain a path traversal component', + 'Name cannot contain escaped HTML entities', + 'Description cannot contain a path traversal component', + 'Description cannot contain escaped HTML entities' + ) end end end diff --git a/spec/models/namespace_setting_spec.rb b/spec/models/namespace_setting_spec.rb index 17c49e13c8..8c06a5897b 100644 --- a/spec/models/namespace_setting_spec.rb +++ b/spec/models/namespace_setting_spec.rb @@ -18,7 +18,7 @@ RSpec.describe NamespaceSetting, type: :model do describe "#default_branch_name_content" do let_it_be(:group) { create(:group) } - let(:namespace_settings) { group.namespace_settings } + subject(:namespace_settings) { group.namespace_settings } shared_examples "doesn't return an error" do it "doesn't return an error" do @@ -28,6 +28,10 @@ RSpec.describe NamespaceSetting, type: :model do end context "when not set" do + before do + namespace_settings.default_branch_name = nil + end + it_behaves_like "doesn't return an error" end diff --git a/spec/requests/api/container_registry_event_spec.rb b/spec/requests/api/container_registry_event_spec.rb index 767e6e0b2f..3504ceb336 100644 --- a/spec/requests/api/container_registry_event_spec.rb +++ b/spec/requests/api/container_registry_event_spec.rb @@ -4,7 +4,7 @@ require 'spec_helper' RSpec.describe API::ContainerRegistryEvent do let(:secret_token) { 'secret_token' } - let(:events) { [{ action: 'push' }] } + let(:events) { [{ action: 'push' }, { action: 'pull' }] } let(:registry_headers) { { 'Content-Type' => ::API::ContainerRegistryEvent::DOCKER_DISTRIBUTION_EVENTS_V1_JSON } } describe 'POST /container_registry_event/events' do @@ -19,14 +19,15 @@ RSpec.describe API::ContainerRegistryEvent do end it 'returns 200 status and events are passed to event handler' do - event = spy(:event) - allow(::ContainerRegistry::Event).to receive(:new).and_return(event) - expect(event).to receive(:supported?).and_return(true) + allow_next_instance_of(::ContainerRegistry::Event) do |event| + if event.supported? + expect(event).to receive(:handle!).once + expect(event).to receive(:track!).once + end + end post_events - expect(event).to have_received(:handle!).once - expect(event).to have_received(:track!).once expect(response).to have_gitlab_http_status(:ok) end diff --git a/spec/services/packages/helm/extract_file_metadata_service_spec.rb b/spec/services/packages/helm/extract_file_metadata_service_spec.rb index 273f679b73..f4c61c1234 100644 --- a/spec/services/packages/helm/extract_file_metadata_service_spec.rb +++ b/spec/services/packages/helm/extract_file_metadata_service_spec.rb @@ -54,4 +54,17 @@ RSpec.describe Packages::Helm::ExtractFileMetadataService do it { expect { subject }.to raise_error(described_class::ExtractionError, 'Error while parsing Chart.yaml: (): did not find expected node content while parsing a flow node at line 2 column 1') } end + + context 'with a corrupted Chart.yaml of incorrect size' do + let(:helm_fixture_path) { expand_fixture_path('packages/helm/corrupted_chart.tgz') } + let(:expected_error_message) { 'Chart.yaml too big' } + + before do + allow(Zlib::GzipReader).to receive(:new).and_return(Zlib::GzipReader.new(File.open(helm_fixture_path))) + end + + it 'raises an error with the expected message' do + expect { subject }.to raise_error(::Packages::Helm::ExtractFileMetadataService::ExtractionError, expected_error_message) + end + end end diff --git a/spec/support/shared_examples/features/discussion_comments_shared_example.rb b/spec/support/shared_examples/features/discussion_comments_shared_example.rb index 68c0d06e7d..adddd837b1 100644 --- a/spec/support/shared_examples/features/discussion_comments_shared_example.rb +++ b/spec/support/shared_examples/features/discussion_comments_shared_example.rb @@ -19,6 +19,8 @@ RSpec.shared_examples 'thread comments for commit and snippet' do |resource_name find('.js-comment-button').click + wait_for_all_requests + expect(page).to have_content(comment) new_comment = all(comments_selector).last diff --git a/spec/support/shared_examples/models/concerns/issuable_shared_examples.rb b/spec/support/shared_examples/models/concerns/issuable_shared_examples.rb index 3a40708899..f49ec90638 100644 --- a/spec/support/shared_examples/models/concerns/issuable_shared_examples.rb +++ b/spec/support/shared_examples/models/concerns/issuable_shared_examples.rb @@ -10,40 +10,111 @@ RSpec.shared_examples 'matches_cross_reference_regex? fails fast' do end RSpec.shared_examples 'validates description length with custom validation' do - let(:issuable) { build(:issue, description: 'x' * (::Issuable::DESCRIPTION_LENGTH_MAX + 1)) } - let(:context) { :update } + let(:invalid_description) { 'x' * (::Issuable::DESCRIPTION_LENGTH_MAX + 1) } + let(:valid_description) { 'short description' } + let(:issuable) { build(:issue, description: description) } - subject { issuable.validate(context) } + let(:error_message) do + format( + _('is too long (%{size}). The maximum size is %{max_size}.'), + size: ActiveSupport::NumberHelper.number_to_human_size(invalid_description.bytesize), + max_size: ActiveSupport::NumberHelper.number_to_human_size(::Issuable::DESCRIPTION_LENGTH_MAX) + ) + end + + subject(:validate) { issuable.validate(context) } context 'when Issuable is a new record' do - it 'validates the maximum description length' do - subject - expect(issuable.errors[:description]).to eq(["is too long (maximum is #{::Issuable::DESCRIPTION_LENGTH_MAX} characters)"]) + let(:context) { :create } + + context 'when description exceeds the maximum size' do + let(:description) { invalid_description } + + it 'adds a description too long error' do + validate + + expect(issuable.errors[:description]).to contain_exactly(error_message) + end end - context 'on create' do - let(:context) { :create } + context 'when description is within the allowed limits' do + let(:description) { valid_description } - it 'does not validate the maximum description length' do - allow(issuable).to receive(:description_max_length_for_new_records_is_valid).and_call_original + it 'does not add a validation error' do + validate - subject - - expect(issuable).not_to have_received(:description_max_length_for_new_records_is_valid) + expect(issuable.errors).not_to have_key(:description) end end end context 'when Issuable is an existing record' do + let(:context) { :update } + before do allow(issuable).to receive(:expire_etag_cache) # to skip the expire_etag_cache callback + issuable.description = existing_description issuable.save!(validate: false) + issuable.description = description end - it 'does not validate the maximum description length' do - subject - expect(issuable.errors).not_to have_key(:description) + context 'when record already had a valid description' do + let(:existing_description) { 'small difference so it triggers description_changed?' } + + context 'when new description exceeds the maximum size' do + let(:description) { invalid_description } + + it 'adds a description too long error' do + validate + + expect(issuable.errors[:description]).to contain_exactly(error_message) + end + end + + context 'when new description is within the allowed limits' do + let(:description) { valid_description } + + it 'does not add a validation error' do + validate + + expect(issuable.errors).not_to have_key(:description) + end + end + end + + context 'when record existed with an invalid description' do + let(:existing_description) { "#{invalid_description} small difference so it triggers description_changed?" } + + context 'when description is not changed' do + let(:description) { existing_description } + + it 'does not add a validation error' do + validate + + expect(issuable.errors).not_to have_key(:description) + end + end + + context 'when new description exceeds the maximum size' do + let(:description) { invalid_description } + + it 'allows updating descriptions that already existed above the limit' do + validate + + expect(issuable.errors).not_to have_key(:description) + end + end + + context 'when new description is within the allowed limits' do + let(:description) { valid_description } + + it 'does not add a validation error' do + validate + + expect(issuable.errors).not_to have_key(:description) + end + end end end end diff --git a/spec/support/shared_examples/models/concerns/sanitizable_shared_examples.rb b/spec/support/shared_examples/models/concerns/sanitizable_shared_examples.rb index ed94a71892..d89e3115d7 100644 --- a/spec/support/shared_examples/models/concerns/sanitizable_shared_examples.rb +++ b/spec/support/shared_examples/models/concerns/sanitizable_shared_examples.rb @@ -32,8 +32,25 @@ RSpec.shared_examples 'sanitizable' do |factory, fields| subject { build(factory, attributes) } it 'is not valid', :aggregate_failures do + error = 'cannot contain escaped HTML entities' + expect(subject).not_to be_valid - expect(subject.errors.details[field].flat_map(&:values)).to include('cannot contain escaped HTML entities') + expect(subject.errors.details[field].flat_map(&:values)).to include(error) + end + end + + context 'when it contains a path component' do + let_it_be(:input) do + 'main../../../../../../api/v4/projects/1/import_project_members/2' + end + + subject { build(factory, attributes) } + + it 'is not valid', :aggregate_failures do + error = 'cannot contain a path traversal component' + + expect(subject).not_to be_valid + expect(subject.errors.details[field].flat_map(&:values)).to include(error) end end end