author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-05-17 19:05:49 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-05-17 19:05:49 +0300 |
commit | 43a25d93ebdabea52f99b05e15b06250cd8f07d7 (patch) | |
tree | dceebdc68925362117480a5d672bcff122fb625b /spec/validators | |
parent | 20c84b99005abd1c82101dfeff264ac50d2df211 (diff) |
Add latest changes from gitlab-org/gitlab@16-0-stable-eev16.0.0-rc42
Diffstat (limited to 'spec/validators')
-rw-r--r-- | spec/validators/addressable_url_validator_spec.rb | 70 |
1 files changed, 68 insertions, 2 deletions
diff --git a/spec/validators/addressable_url_validator_spec.rb b/spec/validators/addressable_url_validator_spec.rb
index 9109a899881..c95c0563a55 100644
--- a/spec/validators/addressable_url_validator_spec.rb
+++ b/spec/validators/addressable_url_validator_spec.rb
@@ -49,10 +49,15 @@ RSpec.describe AddressableUrlValidator do
 end
 end
 
- it 'provides all arguments to UrlBlock validate' do
+ it 'provides all arguments to UrlBlocker.validate!' do
+ # AddressableUrlValidator evaluates all procs before passing as arguments.
+ expected_opts = described_class::BLOCKER_VALIDATE_OPTIONS.transform_values do |value|
+ value.is_a?(Proc) ? value.call : value
+ end
+
 expect(Gitlab::UrlBlocker)
 .to receive(:validate!)
- .with(badge.link_url, described_class::BLOCKER_VALIDATE_OPTIONS)
+ .with(badge.link_url, expected_opts)
 .and_return(true)
 
 subject
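Review bot: `expected_opts` is derived from `described_class::BLOCKER_VALIDATE_OPTIONS` by the same proc evaluation the comment attributes to the validator, so `.with(badge.link_url, expected_opts)` only proves the options are forwarded, not what the procs resolve to. Because `Gitlab::UrlBlocker.validate!` is the outbound-request guard, a proc that resolved to a permissive value would still satisfy this example. Consider adding a comment such as `# Forwarding only: resolved values are asserted in the per-option contexts below` or, if the proc-backed keys are known, a second example that stubs the setting and checks the resolved value explicitly. The `it` block closes outside this hunk, so anything after `subject` is not visible here.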
@@ -302,6 +307,67 @@ RSpec.describe AddressableUrlValidator do
 end
 end
 
+ context 'when deny_all_requests_except_allowed is' do
+ let(:url) { 'http://example.com' }
+ let(:options) { { attributes: [:link_url] } }
+ let(:validator) { described_class.new(**options) }
+
+ context 'true' do
+ let(:options) { super().merge(deny_all_requests_except_allowed: true) }
+
+ it 'prevents the url' do
+ badge.link_url = url
+
+ subject
+
+ expect(badge.errors).to be_present
+ end
+ end
+
+ context 'false' do
+ let(:options) { super().merge(deny_all_requests_except_allowed: false) }
+
+ it 'allows the url' do
+ badge.link_url = url
+
+ subject
+
+ expect(badge.errors).to be_empty
+ end
+ end
+
+ context 'not given' do
+ before do
+ allow(Gitlab::CurrentSettings).to receive(:current_application_settings?).and_return(true)
+ stub_application_setting(deny_all_requests_except_allowed: app_setting)
+ end
+
+ context 'when app setting is true' do
+ let(:app_setting) { true }
+
+ it 'prevents the url' do
+ badge.link_url = url
+
+ subject
+
+ expect(badge.errors).to be_present
+ end
+ end
+
+ context 'when app setting is false' do
+ let(:app_setting) { false }
+
+ it 'allows the url' do
+ badge.link_url = url
+
+ subject
+
+ expect(badge.errors).to be_empty
+ end
+ end
+ end
+ end
+
 context 'when enforce_sanitization is' do
 let(:validator) { described_class.new(attributes: [:link_url], enforce_sanitization: enforce_sanitization) }
 let(:unsafe_url) { "https://replaceme.com/'><script>alert(document.cookie)</script>" } |
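Review bot: The `'true'` and `'false'` contexts pass `deny_all_requests_except_allowed:` explicitly but never stub the application setting, so nothing shows that the explicit option wins when the two disagree. That conflict is the case most likely to loosen the outbound-request block unnoticed. Reusing the `before` block from `'not given'` with the opposite value, e.g. `stub_application_setting(deny_all_requests_except_allowed: true)` inside the `'false'` context, would pin the precedence. The blocking examples assert only `expect(badge.errors).to be_present`, which passes on any validation failure; `expect(badge.errors[:link_url]).to be_present` would at least tie the error to the URL attribute. No example covers the "except allowed" half, where a URL on the allow list is accepted while deny-all is on.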