diff options
author | Robert Speicher <robert@gitlab.com> | 2017-02-14 01:42:46 +0300 |
---|---|---|
committer | Robert Speicher <rspeicher@gmail.com> | 2017-02-15 18:42:13 +0300 |
commit | dd944bf14f4a0fd555db32d5833325fa459d9565 (patch) | |
tree | 7822980b0076e2b116933bd1732d31c3e9d160e7 /spec/controllers/uploads_controller_spec.rb | |
parent | 7e1f7a02dbe3ebb6688005a4d966670bea12beb1 (diff) |
Merge branch 'svg-xss-fix' into 'security'
Fix for XSS vulnerability in SVG attachments
See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2059
Diffstat (limited to 'spec/controllers/uploads_controller_spec.rb')
-rw-r--r-- | spec/controllers/uploads_controller_spec.rb | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/spec/controllers/uploads_controller_spec.rb b/spec/controllers/uploads_controller_spec.rb index 570d9fa43f8..c9584ddf18c 100644 --- a/spec/controllers/uploads_controller_spec.rb +++ b/spec/controllers/uploads_controller_spec.rb @@ -4,6 +4,28 @@ describe UploadsController do let!(:user) { create(:user, avatar: fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "image/png")) } describe "GET show" do + context 'Content-Disposition security measures' do + let(:project) { create(:empty_project, :public) } + + context 'for PNG files' do + it 'returns Content-Disposition: inline' do + note = create(:note, :with_attachment, project: project) + get :show, model: 'note', mounted_as: 'attachment', id: note.id, filename: 'image.png' + + expect(response['Content-Disposition']).to start_with('inline;') + end + end + + context 'for SVG files' do + it 'returns Content-Disposition: attachment' do + note = create(:note, :with_svg_attachment, project: project) + get :show, model: 'note', mounted_as: 'attachment', id: note.id, filename: 'image.svg' + + expect(response['Content-Disposition']).to start_with('attachment;') + end + end + end + context "when viewing a user avatar" do context "when signed in" do before do |