Add latest changes from gitlab-org/gitlab@master

author: GitLab Bot <gitlab-bot@gitlab.com> 2021-12-07 06:12:22 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2021-12-07 06:12:22 +0300
commit: 6a5b78ac6945c0b0cd42293f11c94c2b3750fddc (patch)
tree: 766f1d511d9737437d9f7e2b24f41c6887bf2229 /spec/services
parent: ec6dd14345a117d1ff4db3b0b19a1c0fa4c7e61b (diff)
2 files changed, 74 insertions, 4 deletions
diff --git a/spec/services/protected_branches/create_service_spec.rb b/spec/services/protected_branches/create_service_spec.rb
index 45462831a31..756c775be9b 100644
--- a/spec/services/protected_branches/create_service_spec.rb
+++ b/spec/services/protected_branches/create_service_spec.rb
@@ -7,13 +7,15 @@ RSpec.describe ProtectedBranches::CreateService do
   let(:user) { project.owner }
   let(:params) do
     {
-      name: 'master',
+      name: name,
       merge_access_levels_attributes: [{ access_level: Gitlab::Access::MAINTAINER }],
       push_access_levels_attributes: [{ access_level: Gitlab::Access::MAINTAINER }]
     }
   end
 
   describe '#execute' do
+    let(:name) { 'master' }
+
     subject(:service) { described_class.new(project, user, params) }
 
     it 'creates a new protected branch' do
@@ -22,6 +24,41 @@ RSpec.describe ProtectedBranches::CreateService do
       expect(project.protected_branches.last.merge_access_levels.map(&:access_level)).to eq([Gitlab::Access::MAINTAINER])
     end
 
+    context 'when name has escaped HTML' do
+      let(:name) { 'feature-&gt;test' }
+
+      it 'creates the new protected branch matching the unescaped version' do
+        expect { service.execute }.to change(ProtectedBranch, :count).by(1)
+        expect(project.protected_branches.last.name).to eq('feature->test')
+      end
+
+      context 'and name contains HTML tags' do
+        let(:name) { '&lt;b&gt;master&lt;/b&gt;' }
+
+        it 'creates the new protected branch with sanitized name' do
+          expect { service.execute }.to change(ProtectedBranch, :count).by(1)
+          expect(project.protected_branches.last.name).to eq('master')
+        end
+
+        context 'and contains unsafe HTML' do
+          let(:name) { '&lt;script&gt;alert(&#39;foo&#39;);&lt;/script&gt;' }
+
+          it 'does not create the new protected branch' do
+            expect { service.execute }.not_to change(ProtectedBranch, :count)
+          end
+        end
+      end
+
+      context 'when name contains unescaped HTML tags' do
+        let(:name) { '<b>master</b>' }
+
+        it 'creates the new protected branch with sanitized name' do
+          expect { service.execute }.to change(ProtectedBranch, :count).by(1)
+          expect(project.protected_branches.last.name).to eq('master')
+        end
+      end
+    end
+
     context 'when user does not have permission' do
       let(:user) { create(:user) }
 
diff --git a/spec/services/protected_branches/update_service_spec.rb b/spec/services/protected_branches/update_service_spec.rb
index 88e58ad5907..b5cf1a54aff 100644
--- a/spec/services/protected_branches/update_service_spec.rb
+++ b/spec/services/protected_branches/update_service_spec.rb
@@ -6,17 +6,50 @@ RSpec.describe ProtectedBranches::UpdateService do
   let(:protected_branch) { create(:protected_branch) }
   let(:project) { protected_branch.project }
   let(:user) { project.owner }
-  let(:params) { { name: 'new protected branch name' } }
+  let(:params) { { name: new_name } }
 
   describe '#execute' do
+    let(:new_name) { 'new protected branch name' }
+    let(:result) { service.execute(protected_branch) }
+
     subject(:service) { described_class.new(project, user, params) }
 
     it 'updates a protected branch' do
-      result = service.execute(protected_branch)
-
       expect(result.reload.name).to eq(params[:name])
     end
 
+    context 'when name has escaped HTML' do
+      let(:new_name) { 'feature-&gt;test' }
+
+      it 'updates protected branch name with unescaped HTML' do
+        expect(result.reload.name).to eq('feature->test')
+      end
+
+      context 'and name contains HTML tags' do
+        let(:new_name) { '&lt;b&gt;master&lt;/b&gt;' }
+
+        it 'updates protected branch name with sanitized name' do
+          expect(result.reload.name).to eq('master')
+        end
+
+        context 'and contains unsafe HTML' do
+          let(:new_name) { '&lt;script&gt;alert(&#39;foo&#39;);&lt;/script&gt;' }
+
+          it 'does not update the protected branch' do
+            expect(result.reload.name).to eq(protected_branch.name)
+          end
+        end
+      end
+    end
+
+    context 'when name contains unescaped HTML tags' do
+      let(:new_name) { '<b>master</b>' }
+
+      it 'updates protected branch name with sanitized name' do
+        expect(result.reload.name).to eq('master')
+      end
+    end
+
     context 'without admin_project permissions' do
       let(:user) { create(:user) }
author	GitLab Bot <gitlab-bot@gitlab.com>	2021-12-07 06:12:22 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2021-12-07 06:12:22 +0300
commit	6a5b78ac6945c0b0cd42293f11c94c2b3750fddc (patch)
tree	766f1d511d9737437d9f7e2b24f41c6887bf2229 /spec/services
parent	ec6dd14345a117d1ff4db3b0b19a1c0fa4c7e61b (diff)