author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-03-26 21:08:03 +0300 |
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-03-26 21:08:03 +0300 |
commit | dc003cd08b4cb72fecbb03aa978ea0c53c03aeb4 (patch) | |
tree | 5e77ce228c33619201ac6706b9789d4a2eed2a3b /spec/controllers/groups_controller_spec.rb | |
parent | e80e0dd64fbb04f60394cb1bb08e17dbcb22b8ce (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'spec/controllers/groups_controller_spec.rb')
-rw-r--r-- | spec/controllers/groups_controller_spec.rb | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/spec/controllers/groups_controller_spec.rb b/spec/controllers/groups_controller_spec.rb
index 11c70d3aeca..22427f581d4 100644
--- a/spec/controllers/groups_controller_spec.rb
+++ b/spec/controllers/groups_controller_spec.rb
@@ -258,6 +258,18 @@ describe GroupsController do
 end
 end
 end
+
+ context "malicious group name" do
+ subject { post :create, params: { group: { name: "<script>alert('Mayday!');</script>", path: "invalid_group_url" } } }
+
+ before do
+ sign_in(user)
+ end
+
+ it { expect { subject }.not_to change { Group.count } }
+
+ it { expect(subject).to render_template(:new) }
+ end
 end
 
 describe 'GET #index' do
@@ -836,6 +848,16 @@ describe GroupsController do
 put :update, params: { id: group.to_param, group: { name: 'world' } }
 end.to change { group.reload.name }
 end
+
+ context "malicious group name" do
+ subject { put :update, params: { id: group.to_param, group: { name: "<script>alert('Attack!');</script>" } } }
+
+ it { is_expected.to render_template(:edit) }
+
+ it 'does not update name' do
+ expect { subject }.not_to change { group.reload.name }
+ end
+ end
 end
 
 describe 'DELETE #destroy' do |
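Review bot: The create spec in the first hunk pairs the `<script>` name with `path: "invalid_group_url"`, so an unsaved record does not prove the name validation fired — if the path is what the model rejects, both examples still pass and a regression in name validation goes unnoticed. Assert on the name error explicitly, e.g. `it { subject; expect(assigns(:group).errors[:name]).to be_present }`, and apply the same to the update spec in the second hunk, where `not_to change { group.reload.name }` is equally satisfied by any other validation failure. Neither example inspects the response body, so escaping of the rejected value when it is echoed back into the `:new`/`:edit` form is unverified; with `render_views` enabled a check such as `expect(response.body).not_to include("<script>")` would cover the output side. For consistency between the two hunks, the first could use `is_expected.to render_template(:new)` as the second already does. The enclosing `describe` blocks of both hunks start outside the diff, so the sign-in setup the update spec relies on cannot be confirmed here.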