Merge branch 'sh-validate-path-project-import-10-3' into 'security-10-3'

Validate project path in Gitlab import - 10.3 port See merge request gitlab/gitlabhq!2268 (cherry picked from commit 94c82376d66fc80d46dd2d5eeb5bade408ec6a7e) 2b94a7c2 Validate project path in Gitlab import

Merge branch 'sh-validate-path-project-import-10-3' into 'security-10-3'
Validate project path in Gitlab import - 10.3 port See merge request gitlab/gitlabhq!2268 (cherry picked from commit 94c82376d66fc80d46dd2d5eeb5bade408ec6a7e) 2b94a7c2 Validate project path in Gitlab import
1f96512b · Stan Hu · Stan Hu · 8f4b0613 · 1f96512b · 1f96512b
Commit 1f96512b authored Jan 04, 2018 by Stan Hu Committed by Stan Hu Jan 16, 2018
4 changed files
--- a/app/services/projects/gitlab_projects_import_service.rb
+++ b/app/services/projects/gitlab_projects_import_service.rb
@@ -26,7 +26,7 @@ module Projects
    end

    def tmp_filename
-      "#{SecureRandom.hex}_#{params[:path]}"
+      SecureRandom.hex
    end

    def file

--- a/spec/controllers/import/gitlab_projects_controller_spec.rb
+++ b/spec/controllers/import/gitlab_projects_controller_spec.rb
+require 'spec_helper'
+
+describe Import::GitlabProjectsController do
+  set(:namespace) { create(:namespace) }
+  set(:user) { namespace.owner }
+  let(:file) { fixture_file_upload(Rails.root + 'spec/fixtures/doc_sample.txt', 'text/plain') }
+
+  before do
+    sign_in(user)
+  end
+
+  describe 'POST create' do
+    context 'with an invalid path' do
+      it 'redirects with an error' do
+        post :create, namespace_id: namespace.id, path: '/test', file: file
+
+        expect(flash[:alert]).to start_with('Project could not be imported')
+        expect(response).to have_gitlab_http_status(302)
+      end
+
+      it 'redirects with an error when a relative path is used' do
+        post :create, namespace_id: namespace.id, path: '../test', file: file
+
+        expect(flash[:alert]).to start_with('Project could not be imported')
+        expect(response).to have_gitlab_http_status(302)
+      end
+    end
+
+    context 'with a valid path' do
+      it 'redirects to the new project path' do
+        post :create, namespace_id: namespace.id, path: 'test', file: file
+
+        expect(flash[:notice]).to include('is being imported')
+        expect(response).to have_gitlab_http_status(302)
+      end
+    end
+  end
+end
--- a/spec/features/projects/import_export/import_file_spec.rb
+++ b/spec/features/projects/import_export/import_file_spec.rb
@@ -32,7 +32,7 @@ feature 'Import/Export - project import integration test', :js do

        expect(page).to have_content('Import an exported GitLab project')
        expect(URI.parse(current_url).query).to eq("namespace_id=#{namespace.id}&path=#{project_path}")
-        expect(Gitlab::ImportExport).to receive(:import_upload_path).with(filename: /\A\h{32}_test-project-path\h*\z/).and_call_original
+        expect(Gitlab::ImportExport).to receive(:import_upload_path).with(filename: /\A\h{32}\z/).and_call_original

        attach_file('file', file)
        click_on 'Import project'

--- a/spec/services/projects/gitlab_projects_import_service_spec.rb
+++ b/spec/services/projects/gitlab_projects_import_service_spec.rb
+require 'spec_helper'
+
+describe Projects::GitlabProjectsImportService do
+  set(:namespace) { build(:namespace) }
+  let(:file) { fixture_file_upload(Rails.root + 'spec/fixtures/doc_sample.txt', 'text/plain') }
+  subject { described_class.new(namespace.owner, { namespace_id: namespace.id, path: path, file: file }) }
+
+  describe '#execute' do
+    context 'with an invalid path' do
+      let(:path) { '/invalid-path/' }
+
+      it 'returns an invalid project' do
+        project = subject.execute
+
+        expect(project).not_to be_persisted
+        expect(project).not_to be_valid
+      end
+    end
+
+    context 'with a valid path' do
+      let(:path) { 'test-path' }
+
+      it 'creates a project' do
+        project = subject.execute
+
+        expect(project).to be_persisted
+        expect(project).to be_valid
+      end
+    end
+  end
+end