diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-03-30 02:54:01 +0300 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-03-30 02:54:01 +0300 |
| commit | 22afa6177e5cdd2843502d425cb584135a35df60 (patch) | |
| tree | 57a0d0b688f058b395f41445bdbc2372dc5da85e /spec/controllers/concerns/confirm_email_warning_spec.rb | |
| parent | 52dd3cdae10174cc35af6698b280acd1431cc4f8 (diff) | |
Add latest changes from gitlab-org/security/gitlab@15-9-stable-ee
Diffstat (limited to 'spec/controllers/concerns/confirm_email_warning_spec.rb')
| -rw-r--r-- | spec/controllers/concerns/confirm_email_warning_spec.rb | 34 |
1 files changed, 33 insertions, 1 deletions
diff --git a/spec/controllers/concerns/confirm_email_warning_spec.rb b/spec/controllers/concerns/confirm_email_warning_spec.rb index 334c156e1ae..b8a4b94aa66 100644 --- a/spec/controllers/concerns/confirm_email_warning_spec.rb +++ b/spec/controllers/concerns/confirm_email_warning_spec.rb @@ -2,7 +2,7 @@ require 'spec_helper' -RSpec.describe ConfirmEmailWarning do +RSpec.describe ConfirmEmailWarning, feature_category: :system_access do before do stub_feature_flags(soft_email_confirmation: true) end @@ -82,6 +82,38 @@ RSpec.describe ConfirmEmailWarning do it { is_expected.to set_confirm_warning_for(user.email) } end end + + context 'when user is being impersonated' do + let(:impersonator) { create(:admin) } + + before do + allow(controller).to receive(:session).and_return({ impersonator_id: impersonator.id }) + + get :index + end + + it { is_expected.to set_confirm_warning_for(user.email) } + + context 'when impersonated user email has html in their email' do + let(:user) { create(:user, confirmed_at: nil, unconfirmed_email: "malicious@test.com<form><input/title='<script>alert(document.domain)</script>'>") } + + it { is_expected.to set_confirm_warning_for("malicious@test.com<form><input/title='<script>alert(document.domain)</script>'>") } + end + end + + context 'when user is not being impersonated' do + before do + get :index + end + + it { is_expected.to set_confirm_warning_for(user.email) } + + context 'when user email has html in their email' do + let(:user) { create(:user, confirmed_at: nil, unconfirmed_email: "malicious@test.com<form><input/title='<script>alert(document.domain)</script>'>") } + + it { is_expected.to set_confirm_warning_for("malicious@test.com<form><input/title='<script>alert(document.domain)</script>'>") } + end + end end end end |