2019-04-15 06:17:05 -04:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2015-09-02 02:28:48 -04:00
|
|
|
require 'spec_helper'
|
|
|
|
|
|
|
|
describe Projects::RawController do
|
2019-07-24 15:49:31 -04:00
|
|
|
include RepoHelpers
|
|
|
|
|
2018-08-30 08:34:41 -04:00
|
|
|
let(:project) { create(:project, :public, :repository) }
|
|
|
|
|
|
|
|
describe 'GET #show' do
|
|
|
|
subject do
|
|
|
|
get(:show,
|
2018-12-17 17:52:17 -05:00
|
|
|
params: {
|
|
|
|
namespace_id: project.namespace,
|
|
|
|
project_id: project,
|
|
|
|
id: filepath
|
|
|
|
})
|
2018-08-30 08:34:41 -04:00
|
|
|
end
|
2015-09-02 02:28:48 -04:00
|
|
|
|
|
|
|
context 'regular filename' do
|
2018-08-30 08:34:41 -04:00
|
|
|
let(:filepath) { 'master/README.md' }
|
2015-09-02 02:28:48 -04:00
|
|
|
|
2018-12-19 06:51:07 -05:00
|
|
|
it 'delivers ASCII file' do
|
|
|
|
subject
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(200)
|
|
|
|
expect(response.header['Content-Type']).to eq('text/plain; charset=utf-8')
|
|
|
|
expect(response.header['Content-Disposition']).to eq('inline')
|
|
|
|
expect(response.header[Gitlab::Workhorse::DETECT_HEADER]).to eq "true"
|
|
|
|
expect(response.header[Gitlab::Workhorse::SEND_DATA_HEADER]).to start_with('git-blob:')
|
2015-09-02 02:28:48 -04:00
|
|
|
end
|
|
|
|
end
|
2015-09-03 05:55:43 -04:00
|
|
|
|
|
|
|
context 'image header' do
|
2018-08-30 08:34:41 -04:00
|
|
|
let(:filepath) { 'master/files/images/6049019_460s.jpg' }
|
2015-09-03 05:55:43 -04:00
|
|
|
|
2018-12-19 06:51:07 -05:00
|
|
|
it 'leaves image content disposition' do
|
|
|
|
subject
|
2015-09-03 05:55:43 -04:00
|
|
|
|
2018-12-19 06:51:07 -05:00
|
|
|
expect(response).to have_gitlab_http_status(200)
|
|
|
|
expect(response.header['Content-Disposition']).to eq('inline')
|
|
|
|
expect(response.header[Gitlab::Workhorse::DETECT_HEADER]).to eq "true"
|
|
|
|
expect(response.header[Gitlab::Workhorse::SEND_DATA_HEADER]).to start_with('git-blob:')
|
2015-09-03 05:55:43 -04:00
|
|
|
end
|
|
|
|
end
|
2015-12-07 09:03:50 -05:00
|
|
|
|
2019-06-03 19:40:07 -04:00
|
|
|
it_behaves_like 'a controller that can serve LFS files' do
|
2018-08-30 08:34:41 -04:00
|
|
|
let(:filename) { 'lfs_object.iso' }
|
|
|
|
let(:filepath) { "be93687/files/lfs/#{filename}" }
|
2015-12-07 09:03:50 -05:00
|
|
|
end
|
2019-07-24 15:49:31 -04:00
|
|
|
|
|
|
|
context 'when the endpoint receives requests above the limit', :clean_gitlab_redis_cache do
|
|
|
|
let(:file_path) { 'master/README.md' }
|
|
|
|
|
|
|
|
before do
|
|
|
|
stub_application_setting(raw_blob_request_limit: 5)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'prevents from accessing the raw file' do
|
|
|
|
execute_raw_requests(requests: 6, project: project, file_path: file_path)
|
|
|
|
|
|
|
|
expect(flash[:alert]).to eq('You cannot access the raw file. Please wait a minute.')
|
2019-08-13 14:13:37 -04:00
|
|
|
expect(response).to have_gitlab_http_status(429)
|
2019-07-24 15:49:31 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
it 'logs the event on auth.log' do
|
|
|
|
attributes = {
|
|
|
|
message: 'Action_Rate_Limiter_Request',
|
|
|
|
env: :raw_blob_request_limit,
|
|
|
|
ip: '0.0.0.0',
|
|
|
|
request_method: 'GET',
|
|
|
|
fullpath: "/#{project.full_path}/raw/#{file_path}"
|
|
|
|
}
|
|
|
|
|
|
|
|
expect(Gitlab::AuthLogger).to receive(:error).with(attributes).once
|
|
|
|
|
|
|
|
execute_raw_requests(requests: 6, project: project, file_path: file_path)
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when the request uses a different version of a commit' do
|
|
|
|
it 'prevents from accessing the raw file' do
|
|
|
|
# 3 times with the normal sha
|
|
|
|
commit_sha = project.repository.commit.sha
|
|
|
|
file_path = "#{commit_sha}/README.md"
|
|
|
|
|
|
|
|
execute_raw_requests(requests: 3, project: project, file_path: file_path)
|
|
|
|
|
|
|
|
# 3 times with the modified version
|
|
|
|
modified_sha = commit_sha.gsub(commit_sha[0..5], commit_sha[0..5].upcase)
|
|
|
|
modified_path = "#{modified_sha}/README.md"
|
|
|
|
|
|
|
|
execute_raw_requests(requests: 3, project: project, file_path: modified_path)
|
|
|
|
|
|
|
|
expect(flash[:alert]).to eq('You cannot access the raw file. Please wait a minute.')
|
2019-08-13 14:13:37 -04:00
|
|
|
expect(response).to have_gitlab_http_status(429)
|
2019-07-24 15:49:31 -04:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when the throttling has been disabled' do
|
|
|
|
before do
|
|
|
|
stub_application_setting(raw_blob_request_limit: 0)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'does not prevent from accessing the raw file' do
|
|
|
|
execute_raw_requests(requests: 10, project: project, file_path: file_path)
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(200)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with case-sensitive files' do
|
|
|
|
it 'prevents from accessing the specific file' do
|
|
|
|
create_file_in_repo(project, 'master', 'master', 'readme.md', 'Add readme.md')
|
|
|
|
create_file_in_repo(project, 'master', 'master', 'README.md', 'Add README.md')
|
|
|
|
|
|
|
|
commit_sha = project.repository.commit.sha
|
|
|
|
file_path = "#{commit_sha}/readme.md"
|
|
|
|
|
|
|
|
# Accessing downcase version of readme
|
|
|
|
execute_raw_requests(requests: 6, project: project, file_path: file_path)
|
|
|
|
|
|
|
|
expect(flash[:alert]).to eq('You cannot access the raw file. Please wait a minute.')
|
2019-08-13 14:13:37 -04:00
|
|
|
expect(response).to have_gitlab_http_status(429)
|
2019-07-24 15:49:31 -04:00
|
|
|
|
|
|
|
# Accessing upcase version of readme
|
|
|
|
file_path = "#{commit_sha}/README.md"
|
|
|
|
|
|
|
|
execute_raw_requests(requests: 1, project: project, file_path: file_path)
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(200)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def execute_raw_requests(requests:, project:, file_path:)
|
|
|
|
requests.times do
|
|
|
|
get :show, params: {
|
|
|
|
namespace_id: project.namespace,
|
|
|
|
project_id: project,
|
|
|
|
id: file_path
|
|
|
|
}
|
|
|
|
end
|
2015-09-02 02:28:48 -04:00
|
|
|
end
|
|
|
|
end
|