# frozen_string_literal: true
require 'spec_helper'
# Specs for the request-classification predicates used by GitLab's Rack::Attack
# integration (`api_request?`, `protected_path?`, `should_be_skipped?`, ...).
# Presumably these predicates decide which throttles apply to a request —
# verify against the implementation in lib/gitlab/rack_attack/.
#
# Most `describe` blocks below are table-driven (`where` / `with_them`) and run
# every row twice: once with the default configuration and once with the
# application mounted under a relative URL root. The expectations are the same
# in both cases, so a predicate must classify the application-relative path,
# not the raw PATH_INFO.
RSpec.describe Gitlab::RackAttack::Request do
  using RSpec::Parameterized::TableSyntax

  # Shared fixture: a Rack::Attack::Request built from a minimal Rack env.
  # `path`, `env` and `session` are overridden per example via `let` or `where`.
  let(:path) { '/' }
  let(:env) { {} }
  let(:session) { {} }
  let(:request) do
    ::Rack::Attack::Request.new(
      # `reverse_merge` keeps any key the example supplies in `env` and only
      # fills in the defaults listed here (e.g. '#deprecated_api_request?'
      # supplies QUERY_STRING this way).
      env.reverse_merge(
        'REQUEST_METHOD' => 'GET',
        # PATH_INFO is always prefixed with the configured relative URL root.
        # `request` is a lazy `let`, so a `before` block that stubs
        # `relative_url_root` takes effect before the env is built.
        'PATH_INFO' => Gitlab.config.gitlab.relative_url_root + path,
        'rack.input' => StringIO.new,
        'rack.session' => session
      )
    )
  end

  describe 'FILES_PATH_REGEX' do
    subject { described_class::FILES_PATH_REGEX }

    # The repository-files API for a single project is matched with or without
    # a query string and with the `/blame` and `/raw` suffixes.
    it { is_expected.to match('/api/v4/projects/1/repository/files/README') }
    it { is_expected.to match('/api/v4/projects/1/repository/files/README?ref=master') }
    it { is_expected.to match('/api/v4/projects/1/repository/files/README/blame') }
    it { is_expected.to match('/api/v4/projects/1/repository/files/README/raw') }
    # A namespaced project is only accepted in its URL-encoded form (`%2F`) ...
    it { is_expected.to match('/api/v4/projects/some%2Fnested%2Frepo/repository/files/README') }
    # ... literal slashes in the project segment must not match.
    it { is_expected.not_to match('/api/v4/projects/some/nested/repo/repository/files/README') }
  end

  describe '#api_request?' do
    subject { request.api_request? }

    # Only paths rooted at `/api` count; `/api` appearing later in the path
    # does not.
    where(:path, :expected) do
      '/' | false
      '/groups' | false
      '/foo/api' | false

      '/api' | true
      '/api/v4/groups/1' | true
    end

    with_them do
      it { is_expected.to eq(expected) }

      # Same rows, but PATH_INFO now starts with '/gitlab/root' (see `request`).
      # `'/api' | true` can only hold if the root prefix is stripped first.
      context 'when the application is mounted at a relative URL' do
        before do
          stub_config_setting(relative_url_root: '/gitlab/root')
        end

        it { is_expected.to eq(expected) }
      end
    end
  end

  describe '#api_internal_request?' do
    subject { request.api_internal_request? }

    # Internal API detection is version-agnostic (`v1` and `v4` both count)
    # but requires the trailing slash: `/api/v4/internal` alone is not internal.
    where(:path, :expected) do
      '/' | false
      '/groups' | false
      '/api' | false
      '/api/v4/groups/1' | false
      '/api/v4/internal' | false
      '/foo/api/v4/internal' | false

      '/api/v4/internal/' | true
      '/api/v4/internal/foo' | true
      '/api/v1/internal/foo' | true
    end

    with_them do
      it { is_expected.to eq(expected) }

      # Same rows with the '/gitlab/root' prefix in PATH_INFO.
      context 'when the application is mounted at a relative URL' do
        before do
          stub_config_setting(relative_url_root: '/gitlab/root')
        end

        it { is_expected.to eq(expected) }
      end
    end
  end

  describe '#health_check_request?' do
    subject { request.health_check_request? }

    # The four monitoring endpoints under `/-/` and anything beneath them are
    # health-check requests; the `/-/` prefix has to be at the root of the
    # application path.
    where(:path, :expected) do
      '/' | false
      '/groups' | false
      '/foo/-/health' | false

      '/-/health' | true
      '/-/liveness' | true
      '/-/readiness' | true
      '/-/metrics' | true
      '/-/health/foo' | true
      '/-/liveness/foo' | true
      '/-/readiness/foo' | true
      '/-/metrics/foo' | true
    end

    with_them do
      it { is_expected.to eq(expected) }

      # Same rows with the '/gitlab/root' prefix in PATH_INFO.
      context 'when the application is mounted at a relative URL' do
        before do
          stub_config_setting(relative_url_root: '/gitlab/root')
        end

        it { is_expected.to eq(expected) }
      end
    end
  end

  describe '#container_registry_event?' do
    subject { request.container_registry_event? }

    # Like '#api_internal_request?': version-agnostic, rooted at `/api`, and
    # only with the trailing slash after `container_registry_event`.
    where(:path, :expected) do
      '/' | false
      '/groups' | false
      '/api/v4/container_registry_event' | false
      '/foo/api/v4/container_registry_event/' | false

      '/api/v4/container_registry_event/' | true
      '/api/v4/container_registry_event/foo' | true
      '/api/v1/container_registry_event/foo' | true
    end

    with_them do
      it { is_expected.to eq(expected) }

      # Same rows with the '/gitlab/root' prefix in PATH_INFO.
      context 'when the application is mounted at a relative URL' do
        before do
          stub_config_setting(relative_url_root: '/gitlab/root')
        end

        it { is_expected.to eq(expected) }
      end
    end
  end

  describe '#product_analytics_collector_request?' do
    subject { request.product_analytics_collector_request? }

    # Only `/-/collector/i...` is the collector endpoint: `/-/collector` itself
    # and other children such as `/-/collector/foo` are not.
    where(:path, :expected) do
      '/' | false
      '/groups' | false
      '/-/collector' | false
      '/-/collector/foo' | false
      '/foo/-/collector/i' | false

      '/-/collector/i' | true
      '/-/collector/ifoo' | true
      '/-/collector/i/foo' | true
    end

    with_them do
      it { is_expected.to eq(expected) }

      # Same rows with the '/gitlab/root' prefix in PATH_INFO.
      context 'when the application is mounted at a relative URL' do
        before do
          stub_config_setting(relative_url_root: '/gitlab/root')
        end

        it { is_expected.to eq(expected) }
      end
    end
  end

  describe '#should_be_skipped?' do
    # Hash-form `where`: every true/false combination of the three predicates
    # is generated, so the OR below is checked for all eight cases.
    where(
      api_internal_request: [true, false],
      health_check_request: [true, false],
      container_registry_event: [true, false]
    )

    with_them do
      it 'returns true if any condition is true' do
        # The predicates are stubbed directly; their path parsing is covered by
        # the dedicated `describe` blocks above.
        allow(request).to receive(:api_internal_request?).and_return(api_internal_request)
        allow(request).to receive(:health_check_request?).and_return(health_check_request)
        allow(request).to receive(:container_registry_event?).and_return(container_registry_event)

        expect(request.should_be_skipped?).to be(api_internal_request || health_check_request || container_registry_event)
      end
    end
  end

  describe '#web_request?' do
    subject { request.web_request? }

    # Same paths as '#api_request?' with the expectations inverted: a web
    # request is anything that is not an API request.
    where(:path, :expected) do
      '/' | true
      '/groups' | true
      '/foo/api' | true

      '/api' | false
      '/api/v4/groups/1' | false
    end

    with_them do
      it { is_expected.to eq(expected) }

      # Same rows with the '/gitlab/root' prefix in PATH_INFO.
      context 'when the application is mounted at a relative URL' do
        before do
          stub_config_setting(relative_url_root: '/gitlab/root')
        end

        it { is_expected.to eq(expected) }
      end
    end
  end

  describe '#protected_path?' do
    subject { request.protected_path? }

    # Protected paths come from the application settings, so the set is stubbed
    # rather than read from a fixture.
    before do
      stub_application_setting(protected_paths: [
        '/protected',
        '/secure'
      ])
    end

    # A protected path matches itself, a trailing slash and any sub-path, but
    # only when anchored at the root of the application path.
    # NOTE(review): no row exercises a sibling such as '/secured' or a path
    # with a query string, so whether matching stops at a segment boundary is
    # not pinned down here — confirm against the implementation.
    where(:path, :expected) do
      '/' | false
      '/groups' | false
      '/foo/protected' | false
      '/foo/secure' | false

      '/protected' | true
      '/secure' | true
      '/secure/' | true
      '/secure/foo' | true
    end

    with_them do
      it { is_expected.to eq(expected) }

      # Same rows with the '/gitlab/root' prefix in PATH_INFO.
      context 'when the application is mounted at a relative URL' do
        before do
          stub_config_setting(relative_url_root: '/gitlab/root')
        end

        it { is_expected.to eq(expected) }
      end
    end
  end

  # `:allow_forgery_protection` presumably switches CSRF verification on for
  # these examples (it is normally off in specs) — see spec_helper.
  describe '#frontend_request?', :allow_forgery_protection do
    # `send` suggests the predicate is private; confirm in the implementation.
    subject { request.send(:frontend_request?) }

    # Same value as the top-level `let(:path)`; kept here for explicitness.
    let(:path) { '/' }

    # Define these as local variables so we can use them in the `where` block.
    # Two distinct random tokens of the length Rails uses for authenticity
    # tokens, so the "mismatched header" row is a realistic-looking token.
    valid_token = SecureRandom.base64(ActionController::RequestForgeryProtection::AUTHENTICITY_TOKEN_LENGTH)
    other_token = SecureRandom.base64(ActionController::RequestForgeryProtection::AUTHENTICITY_TOKEN_LENGTH)

    # A request counts as coming from the frontend only when the session's
    # `_csrf_token` and the `HTTP_X_CSRF_TOKEN` header carry the same token.
    # A header without a session token, or a header that does not match the
    # session token, is not a frontend request.
    where(:session, :env, :expected) do
      {} | {} | false # rubocop:disable Lint/BinaryOperatorWithIdenticalOperands
      {} | { 'HTTP_X_CSRF_TOKEN' => valid_token } | false
      { _csrf_token: valid_token } | { 'HTTP_X_CSRF_TOKEN' => other_token } | false
      { _csrf_token: valid_token } | { 'HTTP_X_CSRF_TOKEN' => valid_token } | true
    end

    with_them do
      it { is_expected.to eq(expected) }
    end
  end

  describe '#deprecated_api_request?' do
    # `send` suggests the predicate is private; confirm in the implementation.
    subject { request.send(:deprecated_api_request?) }

    # The query string is fed through the shared `env` default so that
    # `request` picks it up via `reverse_merge`.
    let(:env) { { 'QUERY_STRING' => query } }

    # The deprecated call is `GET /api/v4/groups/:id` (numeric id, slug or
    # URL-encoded nested path, trailing slash optional) without
    # `with_projects=0`. An empty or truthy `with_projects` still counts as
    # deprecated; sub-resources and non-root `/api` paths do not.
    where(:path, :query, :expected) do
      '/' | '' | false

      '/api/v4/groups/1/' | '' | true
      '/api/v4/groups/1' | '' | true
      '/api/v4/groups/foo/' | '' | true
      '/api/v4/groups/foo' | '' | true

      '/api/v4/groups/1' | 'with_projects=' | true
      '/api/v4/groups/1' | 'with_projects=1' | true
      '/api/v4/groups/1' | 'with_projects=0' | false

      '/foo/api/v4/groups/1' | '' | false
      '/api/v4/groups/1/foo' | '' | false

      '/api/v4/groups/nested%2Fgroup' | '' | true
    end

    with_them do
      it { is_expected.to eq(expected) }

      # Same rows with the '/gitlab/root' prefix in PATH_INFO.
      context 'when the application is mounted at a relative URL' do
        before do
          stub_config_setting(relative_url_root: '/gitlab/root')
        end

        it { is_expected.to eq(expected) }
      end
    end
  end
end