1 files changed, 45 insertions, 0 deletions

diff --git a/spec/controllers/concerns/continue_params_spec.rb b/spec/controllers/concerns/continue_params_spec.rb
new file mode 100644
index 00000000000..e2f683ae393
--- /dev/null
+++ b/spec/controllers/concerns/continue_params_spec.rb
@@ -0,0 +1,45 @@
+require 'spec_helper'
+
+describe ContinueParams do
+  let(:controller_class) do
+    Class.new(ActionController::Base) do
+      include ContinueParams
+
+      def request
+        @request ||= Struct.new(:host, :port).new('test.host', 80)
+      end
+    end
+  end
+  subject(:controller) { controller_class.new }
+
+  def strong_continue_params(params)
+    ActionController::Parameters.new(continue: params)
+  end
+
+  it 'cleans up any params that are not allowed' do
+    allow(controller).to receive(:params) do
+      strong_continue_params(to: '/hello',
+                             notice: 'world',
+                             notice_now: '!',
+                             something: 'else')
+    end
+
+    expect(controller.continue_params.keys).to contain_exactly(*%w(to notice notice_now))
+  end
+
+  it 'does not allow cross host redirection' do
+    allow(controller).to receive(:params) do
+      strong_continue_params(to: '//example.com')
+    end
+
+    expect(controller.continue_params[:to]).to be_nil
+  end
+
+  it 'allows redirecting to a path with querystring' do
+    allow(controller).to receive(:params) do
+      strong_continue_params(to: '/hello/world?query=string')
+    end
+
+    expect(controller.continue_params[:to]).to eq('/hello/world?query=string')
+  end
+end