authorGitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>2021-07-01 19:03:22 +0300
committerGitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>2021-07-01 19:03:22 +0300
commit3aad3a0b6ffb1a0fe36db41f81e8bbd3728e5f80 (patch)
tree69cfc1a4f82d309ca58b361546824b44221b6585 /spec/models
parent76b84b42f64b8009cc181d5da0c656a8a521986d (diff)
parentbac4ee4a9e2bc845fd5c91240cccaa293cb4f847 (diff)
Merge remote-tracking branch 'dev/14-0-stable' into 14-0-stable
Diffstat (limited to 'spec/models')
-rw-r--r--spec/models/audit_event_spec.rb12
-rw-r--r--spec/models/protected_branch/push_access_level_spec.rb2
-rw-r--r--spec/models/user_spec.rb34
3 files changed, 43 insertions, 5 deletions
diff --git a/spec/models/audit_event_spec.rb b/spec/models/audit_event_spec.rb
index 5c87c2e68db..bc603bc5ab6 100644
--- a/spec/models/audit_event_spec.rb
+++ b/spec/models/audit_event_spec.rb
@@ -3,9 +3,6 @@
require 'spec_helper'
RSpec.describe AuditEvent do
- let_it_be(:audit_event) { create(:project_audit_event) }
- subject { audit_event }
-
describe 'validations' do
include_examples 'validates IP address' do
let(:attribute) { :ip_address }
@@ -13,6 +10,15 @@ RSpec.describe AuditEvent do
end
end
+ it 'sanitizes custom_message in the details hash' do
+ audit_event = create(:project_audit_event, details: { target_id: 678, custom_message: '<strong>Arnold</strong>' })
+
+ expect(audit_event.details).to include(
+ target_id: 678,
+ custom_message: 'Arnold'
+ )
+ end
+
describe '#as_json' do
context 'ip_address' do
subject { build(:group_audit_event, ip_address: '192.168.1.1').as_json }
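Review bot: The new example `sanitizes custom_message in the details hash` pins only that a benign `<strong>` wrapper is stripped, so a sanitizer regression that handles one simple tag but not unclosed or script markup would still pass; the user_spec examples in this same commit feed `<script>` and `<iframe>` inputs, and this test would be stronger with the same inputs. One extra case would do, e.g. `custom_message: '<script>alert("Test")</script>'` with the expected value matching what the user_spec examples assert. The example also checks only `custom_message`; whether other string values inside `details` are sanitized is not visible here, and a short comment stating that `custom_message` is the only sanitized key (if that is the intent) would make the contract explicit. The enclosing `RSpec.describe AuditEvent` block starts and ends outside the hunk.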
diff --git a/spec/models/protected_branch/push_access_level_spec.rb b/spec/models/protected_branch/push_access_level_spec.rb
index 17a589f0485..fa84cd660cb 100644
--- a/spec/models/protected_branch/push_access_level_spec.rb
+++ b/spec/models/protected_branch/push_access_level_spec.rb
@@ -44,7 +44,7 @@ RSpec.describe ProtectedBranch::PushAccessLevel do
let(:can_push) { true }
before_all do
- project.add_guest(user)
+ project.add_maintainer(user)
end
context 'when this push_access_level is tied to a deploy key' do
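Review bot: The `before_all` change from `add_guest` to `add_maintainer` carries no comment saying why the fixture role had to change, so at this hunk it reads as an arbitrary edit; presumably the `can_push` branch now needs a member who can actually push to the project, but the assertion that depends on it is outside the hunk. A one-line comment would keep the next maintainer from reverting it, e.g. `# the user needs push rights here; guest membership is no longer enough for can_push`. If the surrounding describe block does not already assert that a lower role is refused, a matching negative example would pin the behaviour this fixture change implies. The enclosing context starts and ends outside the hunk.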
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index e5c86e69ffc..2185df0609e 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -387,6 +387,19 @@ RSpec.describe User do
expect(user.errors.full_messages).to eq(['Username has already been taken'])
end
end
+
+ it 'validates format' do
+ Mime::EXTENSION_LOOKUP.keys.each do |type|
+ user = build(:user, username: "test.#{type}")
+
+ expect(user).not_to be_valid
+ expect(user.errors.full_messages).to include('Username ending with MIME type format is not allowed.')
+ end
+ end
+
+ it 'validates format on updated record' do
+ expect(create(:user).update(username: 'profile.html')).to be_falsey
+ end
end
it 'has a DB-level NOT NULL constraint on projects_limit' do
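Review bot: The loop in `validates format` iterates every key of `Mime::EXTENSION_LOOKUP`, so a failure reports only that some user was unexpectedly valid, without naming the extension that slipped through; wrap the body in `aggregate_failures` or pass a message, e.g. `expect(user).not_to be_valid, "username test.#{type} should be rejected"`. Both new examples check only rejections: there is no positive case showing that a dotted username whose suffix is not a MIME extension is still accepted, so an over-broad validation would go unnoticed. Whether the check is case-insensitive (`profile.HTML`) is not visible from here and is worth one more example. `Mime::EXTENSION_LOOKUP.keys.each` can be `Mime::EXTENSION_LOOKUP.each_key`. The enclosing describe block starts outside the hunk.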
@@ -2882,7 +2895,7 @@ RSpec.describe User do
end
describe '#sanitize_attrs' do
- let(:user) { build(:user, name: 'test & user', skype: 'test&user') }
+ let(:user) { build(:user, name: 'test <& user', skype: 'test&user') }
it 'encodes HTML entities in the Skype attribute' do
expect { user.sanitize_attrs }.to change { user.skype }.to('test&amp;user')
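Review bot: The `let(:user)` fixture now carries a bare `<` in the name (`'test <& user'`), which silently broadens the later `does not encode HTML entities in the name attribute` example into also asserting that a lone `<` that is not part of a tag survives the sanitizer, yet nothing in the hunk says so. Add a comment on the `let` line, e.g. `# a bare '<' is not markup: it must survive tag stripping and must not be entity-encoded`, so the value is not "tidied up" by a later edit. The `describe '#sanitize_attrs'` block continues past the hunk.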
@@ -2891,6 +2904,25 @@ RSpec.describe User do
it 'does not encode HTML entities in the name attribute' do
expect { user.sanitize_attrs }.not_to change { user.name }
end
+
+ it 'sanitizes attr from html tags' do
+ user = create(:user, name: '<a href="//example.com">Test<a>', twitter: '<a href="//evil.com">https://twitter.com<a>')
+
+ expect(user.name).to eq('Test')
+ expect(user.twitter).to eq('https://twitter.com')
+ end
+
+ it 'sanitizes attr from js scripts' do
+ user = create(:user, name: '<script>alert("Test")</script>')
+
+ expect(user.name).to eq("alert(\"Test\")")
+ end
+
+ it 'sanitizes attr from iframe scripts' do
+ user = create(:user, name: 'User"><iframe src=javascript:alert()><iframe>')
+
+ expect(user.name).to eq('User">')
+ end
end
describe '#starred?' do
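Review bot: The fixtures in `sanitizes attr from html tags` close the anchor with `<a>` instead of `</a>` (in both the `name` and `twitter` values), so the example never exercises a well-formed closing tag even though the stripped result happens to be the same; use `</a>` in both literals. The two following examples also document that the sanitizer only removes tags and keeps their text content — `alert("Test")` is retained and `User">` keeps the stray `">` — so the stored value is not safe to emit unescaped; a comment such as `# tag stripping only: residual text and quotes must still be escaped at render time` would keep that contract explicit next to the expectations. The `describe '#sanitize_attrs'` block starts outside the hunk.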