Merge branch 'svg-xss-fix' into 'security'

Fix for XSS vulnerability in SVG attachments

See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2059

1 files changed, 22 insertions, 0 deletions

diff --git a/spec/controllers/uploads_controller_spec.rb b/spec/controllers/uploads_controller_spec.rb
index 570d9fa43f8..c9584ddf18c 100644
--- a/spec/controllers/uploads_controller_spec.rb
+++ b/spec/controllers/uploads_controller_spec.rb
@@ -4,6 +4,28 @@ describe UploadsController do
   let!(:user) { create(:user, avatar: fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "image/png")) }
 
   describe "GET show" do
+    context 'Content-Disposition security measures' do
+      let(:project) { create(:empty_project, :public) }
+
+      context 'for PNG files' do
+        it 'returns Content-Disposition: inline' do
+          note = create(:note, :with_attachment, project: project)
+          get :show, model: 'note', mounted_as: 'attachment', id: note.id, filename: 'image.png'
+
+          expect(response['Content-Disposition']).to start_with('inline;')
+        end
+      end
+
+      context 'for SVG files' do
+        it 'returns Content-Disposition: attachment' do
+          note = create(:note, :with_svg_attachment, project: project)
+          get :show, model: 'note', mounted_as: 'attachment', id: note.id, filename: 'image.svg'
+
+          expect(response['Content-Disposition']).to start_with('attachment;')
+        end
+      end
+    end
+
     context "when viewing a user avatar" do
       context "when signed in" do
         before do