authorGitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>2020-03-26 20:56:41 +0300
committerGitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>2020-03-26 20:56:41 +0300
commite5121cd2a1ea1df276317fa68765e969a0b21eae (patch)
tree3b9732ce48aab909276c030b9a60d1c12cee2525 /spec/controllers/groups_controller_spec.rb
parent4ee3ab616fc8b89b957b531294b67097941e49f6 (diff)
parent63745c932cc8bc81fc2b2d30e9a171e346f4b969 (diff)
Merge remote-tracking branch 'dev/12-9-stable' into 12-9-stable
Diffstat (limited to 'spec/controllers/groups_controller_spec.rb')
-rw-r--r--spec/controllers/groups_controller_spec.rb22
1 files changed, 22 insertions, 0 deletions
diff --git a/spec/controllers/groups_controller_spec.rb b/spec/controllers/groups_controller_spec.rb
index 11c70d3aeca..22427f581d4 100644
--- a/spec/controllers/groups_controller_spec.rb
+++ b/spec/controllers/groups_controller_spec.rb
@@ -258,6 +258,18 @@ describe GroupsController do
end
end
end
+
+ context "malicious group name" do
+ subject { post :create, params: { group: { name: "<script>alert('Mayday!');</script>", path: "invalid_group_url" } } }
+
+ before do
+ sign_in(user)
+ end
+
+ it { expect { subject }.not_to change { Group.count } }
+
+ it { expect(subject).to render_template(:new) }
+ end
end
describe 'GET #index' do
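Review bot: Neither assertion in the new "malicious group name" context ties the rejection to the name: `not_to change { Group.count }` and `render_template(:new)` also pass if creation fails for any other reason, for example if the `path` value (named `invalid_group_url` here) were itself rejected. Add an assertion on the validation error after `subject`, e.g. `expect(assigns(:group).errors[:name]).to be_present` (assuming the controller exposes the record as `@group`), and use a path that is plainly valid so only the name is under test. The same applies to the update context in the second hunk, where `render_template(:edit)` and the unchanged name do not show which validation fired. The enclosing `describe` starts outside this hunk.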
@@ -836,6 +848,16 @@ describe GroupsController do
put :update, params: { id: group.to_param, group: { name: 'world' } }
end.to change { group.reload.name }
end
+
+ context "malicious group name" do
+ subject { put :update, params: { id: group.to_param, group: { name: "<script>alert('Attack!');</script>" } } }
+
+ it { is_expected.to render_template(:edit) }
+
+ it 'does not update name' do
+ expect { subject }.not_to change { group.reload.name }
+ end
+ end
end
describe 'DELETE #destroy' do
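Review bot: These examples check that the name is not persisted, but nothing here covers how the rejected value is echoed back when the `:edit` form is re-rendered. Controller specs stub view rendering by default, so unless `render_views` is enabled elsewhere in this file, `render_template(:edit)` says nothing about output encoding. Consider a request or feature spec (or a `render_views` example) asserting that the response body contains the submitted name only in escaped form, never as a raw `<script>` tag. The sign-in setup for this `describe` is outside the hunk, so the authenticated path is assumed.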