
authorBob Van Landuyt <bob@gitlab.com>2018-10-01 19:47:39 +0300
committerBob Van Landuyt <bob@gitlab.com>2018-10-01 19:47:39 +0300
commitbfd3062cd3479beedb327e8fed04767f52c5c135 (patch)
tree1e132d8661b319d11b31163ef3d9c8d2ab896606 /spec
parent1735088e7c5bf62a8f896a2b0e384964de83d118 (diff)
parent6d360c210d3d822fc266eecc04753481ae4bda70 (diff)
Merge branch 'security-acet-issue-details' into 'master'
[master] Fix XSS on Issue details page. See merge request gitlab/gitlabhq!2468
Diffstat (limited to 'spec')
-rw-r--r--spec/features/issues/issue_detail_spec.rb17
-rw-r--r--spec/javascripts/issue_show/index_spec.js19
2 files changed, 36 insertions, 0 deletions
diff --git a/spec/features/issues/issue_detail_spec.rb b/spec/features/issues/issue_detail_spec.rb
index 088ab114df3..76bc93e9766 100644
--- a/spec/features/issues/issue_detail_spec.rb
+++ b/spec/features/issues/issue_detail_spec.rb
@@ -18,6 +18,23 @@ describe 'Issue Detail', :js do
end
end
+ context 'when issue description has xss snippet' do
+ before do
+ issue.update!(description: '![xss" onload=alert(1);//](a)')
+ sign_in(user)
+ visit project_issue_path(project, issue)
+ wait_for_requests
+ end
+
+ it 'should encode the description to prevent xss issues' do
+ page.within('.issuable-details .detail-page-description') do
+ expect(page).to have_selector('img', count: 1)
+ expect(find('img')['onerror']).to be_nil
+ expect(find('img')['src']).to end_with('/a')
+ end
+ end
+ end
+
context 'when edited by a user who is later deleted' do
before do
sign_in(user)
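Review bot: The assertion on the added line `expect(find('img')['onerror']).to be_nil` checks the wrong attribute: the payload set on the description line injects `onload`, not `onerror`, so an unescaped `onload` handler would slip through and the spec would still pass. The check should match the payload, `expect(find('img')['onload']).to be_nil`, and it is worth pinning the positive behaviour too so a regression is visible rather than inferred from a missing attribute, e.g. `expect(find('img')['alt']).to eq('xss" onload=alert(1);//')`. The `it` description could also drop the "should" prefix per RSpec convention, `it 'encodes the description to prevent xss'`. The enclosing `describe 'Issue Detail'` block starts before this hunk.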
diff --git a/spec/javascripts/issue_show/index_spec.js b/spec/javascripts/issue_show/index_spec.js
new file mode 100644
index 00000000000..fa0b426c06c
--- /dev/null
+++ b/spec/javascripts/issue_show/index_spec.js
@@ -0,0 +1,19 @@
+import initIssueableApp from '~/issue_show';
+
+describe('Issue show index', () => {
+ describe('initIssueableApp', () => {
+ it('should initialize app with no potential XSS attack', () => {
+ const d = document.createElement('div');
+ d.id = 'js-issuable-app-initial-data';
+ d.innerHTML = JSON.stringify({
+ initialDescriptionHtml: '&lt;img src=x onerror=alert(1)&gt;',
+ });
+ document.body.appendChild(d);
+
+ const alertSpy = spyOn(window, 'alert');
+ initIssueableApp();
+
+ expect(alertSpy).not.toHaveBeenCalled();
+ });
+ });
+});