diff options
author | Cindy Pallares <cindy@gitlab.com> | 2018-11-28 21:37:12 +0300 |
---|---|---|
committer | Cindy Pallares <cindy@gitlab.com> | 2018-11-29 03:07:29 +0300 |
commit | 4bc6f2e3ac8e6997ebc3b06867049dc38aa6d6e6 (patch) | |
tree | 8187716680c85065ed8780632408d4ccf897ba50 /spec/lib/gitlab/url_blocker_spec.rb | |
parent | 1be0174b6aaab1c0cfe86a8b1c91b8ea6fa3db72 (diff) |
Merge branch 'security-stored-xss-for-environments' into 'master'
[master] Stored XSS for Environments
Closes #2727
See merge request gitlab/gitlabhq!2594
Diffstat (limited to 'spec/lib/gitlab/url_blocker_spec.rb')
-rw-r--r-- | spec/lib/gitlab/url_blocker_spec.rb | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/spec/lib/gitlab/url_blocker_spec.rb b/spec/lib/gitlab/url_blocker_spec.rb index 8df0facdab3..35b550283b5 100644 --- a/spec/lib/gitlab/url_blocker_spec.rb +++ b/spec/lib/gitlab/url_blocker_spec.rb @@ -10,8 +10,8 @@ describe Gitlab::UrlBlocker do expect(described_class.blocked_url?(import_url)).to be false end - it 'allows imports from configured SSH host and port' do - import_url = "http://#{Gitlab.config.gitlab_shell.ssh_host}:#{Gitlab.config.gitlab_shell.ssh_port}/t.git" + it 'allows mirroring from configured SSH host and port' do + import_url = "ssh://#{Gitlab.config.gitlab_shell.ssh_host}:#{Gitlab.config.gitlab_shell.ssh_port}/t.git" expect(described_class.blocked_url?(import_url)).to be false end @@ -29,6 +29,14 @@ describe Gitlab::UrlBlocker do expect(described_class.blocked_url?('https://gitlab.com/foo/foo.git', protocols: ['http'])).to be true end + it 'returns true for bad protocol on configured web/SSH host and ports' do + web_url = "javascript://#{Gitlab.config.gitlab.host}:#{Gitlab.config.gitlab.port}/t.git%0aalert(1)" + expect(described_class.blocked_url?(web_url)).to be true + + ssh_url = "javascript://#{Gitlab.config.gitlab_shell.ssh_host}:#{Gitlab.config.gitlab_shell.ssh_port}/t.git%0aalert(1)" + expect(described_class.blocked_url?(ssh_url)).to be true + end + it 'returns true for localhost IPs' do expect(described_class.blocked_url?('https://0.0.0.0/foo/foo.git')).to be true expect(described_class.blocked_url?('https://[::1]/foo/foo.git')).to be true |