diff options
author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-03-26 18:29:10 +0300 |
---|---|---|
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-03-26 18:29:10 +0300 |
commit | e47d479feab183a41392a2f7bea654d268e0c466 (patch) | |
tree | 60bacf25ad2727dc36df628d660cfef769c6e545 /spec | |
parent | 69bb8eb458236642e5c4476f5292e6229e4266cb (diff) | |
parent | 5e9fa5b2d8521c4318bd25ffa71e160e072b0c19 (diff) |
Merge branch 'security-2819-xss-resolve-conflicts-branch-name-11-8' into '11-8-stable'
Fix XSS in resolve conflicts form
See merge request gitlab/gitlabhq!2987
Diffstat (limited to 'spec')
-rw-r--r-- | spec/features/merge_request/user_resolves_conflicts_spec.rb | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/spec/features/merge_request/user_resolves_conflicts_spec.rb b/spec/features/merge_request/user_resolves_conflicts_spec.rb index 16c058ab6bd..8fd44b87e5a 100644 --- a/spec/features/merge_request/user_resolves_conflicts_spec.rb +++ b/spec/features/merge_request/user_resolves_conflicts_spec.rb @@ -164,6 +164,21 @@ describe 'Merge request > User resolves conflicts', :js do expect(page).to have_content('Gregor Samsa woke from troubled dreams') end end + + context "with malicious branch name" do + let(:bad_branch_name) { "malicious-branch-{{toString.constructor('alert(/xss/)')()}}" } + let(:branch) { project.repository.create_branch(bad_branch_name, 'conflict-resolvable') } + let(:merge_request) { create_merge_request(branch.name) } + + before do + visit project_merge_request_path(project, merge_request) + click_link('conflicts', href: %r{/conflicts\Z}) + end + + it "renders bad name without xss issues" do + expect(find('.resolve-conflicts-form .resolve-info')).to have_content(bad_branch_name) + end + end end UNRESOLVABLE_CONFLICTS = { |