diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-03-31 01:42:44 +0300 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-03-31 01:43:07 +0300 |
| commit | ac9a8518364e91d64cb01732bf41896b6d2912b6 (patch) | |
| tree | 066754ab194088efaa216ae87e841e0ee9f1e36f /spec | |
| parent | d455bcf1e412ab4a4abdfbe691fc40e3d4a0ce8a (diff) | |
Add latest changes from gitlab-org/security/gitlab@13-10-stable-ee
Diffstat (limited to 'spec')
| -rw-r--r-- | spec/features/merge_request/user_views_open_merge_request_spec.rb | 17 | ||||
| -rw-r--r-- | spec/initializers/json_validator_patch_spec.rb | 39 |
2 files changed, 56 insertions, 0 deletions
diff --git a/spec/features/merge_request/user_views_open_merge_request_spec.rb b/spec/features/merge_request/user_views_open_merge_request_spec.rb index 9bda48a3ec5..5f99d762ecb 100644 --- a/spec/features/merge_request/user_views_open_merge_request_spec.rb +++ b/spec/features/merge_request/user_views_open_merge_request_spec.rb @@ -111,4 +111,21 @@ RSpec.describe 'User views an open merge request' do end end end + + context 'XSS source branch' do + let(:project) { create(:project, :public, :repository) } + let(:source_branch) { "'><iframe/srcdoc=''></iframe>" } + + before do + project.repository.create_branch(source_branch, "master") + + mr = create(:merge_request, source_project: project, target_project: project, source_branch: source_branch) + + visit(merge_request_path(mr)) + end + + it 'encodes branch name' do + expect(find('cite.ref-name')[:title]).to eq(source_branch) + end + end end diff --git a/spec/initializers/json_validator_patch_spec.rb b/spec/initializers/json_validator_patch_spec.rb new file mode 100644 index 00000000000..5d90364ae92 --- /dev/null +++ b/spec/initializers/json_validator_patch_spec.rb @@ -0,0 +1,39 @@ +# frozen_string_literal: true + +require 'spec_helper' +require 'rspec-parameterized' + +RSpec.describe 'JSON validator patch' do + using RSpec::Parameterized::TableSyntax + + let(:schema) { '{"format": "string"}' } + + subject { JSON::Validator.validate(schema, data) } + + context 'with invalid JSON' do + where(:data) do + [ + 'https://example.com', + '/tmp/test.txt' + ] + end + + with_them do + it 'does not attempt to open a file or URI' do + allow(File).to receive(:read).and_call_original + allow(URI).to receive(:open).and_call_original + expect(File).not_to receive(:read).with(data) + expect(URI).not_to receive(:open).with(data) + expect(subject).to be true + end + end + end + + context 'with valid JSON' do + let(:data) { %({ 'somekey': 'value' }) } + + it 'validates successfully' do + expect(subject).to be true + end + end +end |