Merge branch 'security-49085-11.2-persistent-xss-rendering' into 'security-11-2'

[11.2] Port of Fixed persistent XSS rendering/escaping of diff location lines to 11.2 See merge request gitlab/gitlabhq!2473
author: José Iván Vargas López <jvargas@gitlab.com> 2018-08-24 21:29:20 +0300
committer: Jose Vargas <jvargas@gitlab.com> 2018-08-24 21:43:18 +0300
commit: 1f7a68f82cfcbca467392bc1accfde36763be698 (patch)
tree: 2ad5d7c3bdabf7056a4da4b43f1af35a598acfff /spec/features
parent: 61dce108f66739bebbc56a1a1bdd0752d502656e (diff)
1 files changed, 53 insertions, 0 deletions
diff --git a/spec/features/merge_request/user_sees_diff_spec.rb b/spec/features/merge_request/user_sees_diff_spec.rb
index d6e7ff33d5d..2677c03ef34 100644
--- a/spec/features/merge_request/user_sees_diff_spec.rb
+++ b/spec/features/merge_request/user_sees_diff_spec.rb
@@ -2,6 +2,7 @@ require 'rails_helper'
 
 describe 'Merge request > User sees diff', :js do
   include ProjectForksHelper
+  include RepoHelpers
 
   let(:project) { create(:project, :public, :repository) }
   let(:merge_request) { create(:merge_request, source_project: project) }
@@ -81,5 +82,57 @@ describe 'Merge request > User sees diff', :js do
         expect(page).to have_selector('.js-cancel-fork-suggestion-button', count: 1)
       end
     end
+
+    context 'when file contains html' do
+      let(:current_user) { project.owner }
+      let(:branch_name) {"test_branch"}
+
+      def create_file(branch_name, file_name, content)
+        Files::CreateService.new(
+          project,
+          current_user,
+          start_branch: branch_name,
+          branch_name: branch_name,
+          commit_message: "Create file",
+          file_path: file_name,
+          file_content: content
+        ).execute
+        project.commit(branch_name)
+      end
+
+      it 'escapes any HTML special characters in the diff chunk header' do
+        file_content =
+          <<~CONTENT
+        function foo<input> {
+          let a = 1;
+          let b = 2;
+          let c = 3;
+          let d = 3;
+          }
+        CONTENT
+
+        new_file_content =
+          <<~CONTENT
+        function foo<input> {
+          let a = 1;
+          let b = 2;
+          let c = 3;
+          let x = 3;
+          }
+        CONTENT
+
+        file_name = 'xss_file.txt'
+
+        create_file('master', file_name, file_content)
+        merge_request = create(:merge_request, source_project: project)
+        create_file(merge_request.source_branch, file_name, new_file_content)
+
+        project.commit(merge_request.source_branch)
+
+        visit diffs_project_merge_request_path(project, merge_request)
+
+        expect(page).to have_text("function foo<input> {")
+      end
+    end
   end
 end
author	José Iván Vargas López <jvargas@gitlab.com>	2018-08-24 21:29:20 +0300
committer	Jose Vargas <jvargas@gitlab.com>	2018-08-24 21:43:18 +0300
commit	1f7a68f82cfcbca467392bc1accfde36763be698 (patch)
tree	2ad5d7c3bdabf7056a4da4b43f1af35a598acfff /spec/features
parent	61dce108f66739bebbc56a1a1bdd0752d502656e (diff)