Diffstat (limited to 'spec/lib')
11 files changed, 93 insertions, 252 deletions
diff --git a/spec/lib/banzai/filter/broadcast_message_sanitization_filter_spec.rb b/spec/lib/banzai/filter/broadcast_message_sanitization_filter_spec.rb
new file mode 100644
index 00000000000..317ac7ef854
--- /dev/null
+++ b/spec/lib/banzai/filter/broadcast_message_sanitization_filter_spec.rb
@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Banzai::Filter::BroadcastMessageSanitizationFilter do
+  include FilterSpecHelper
+
+  it_behaves_like 'default whitelist'
+
+  describe 'custom whitelist' do
+    it_behaves_like 'XSS prevention'
+    it_behaves_like 'sanitize link'
+
+    subject { filter(exp).to_html }
+
+    context 'allows `a` elements' do
+      let(:exp) { %q{<a href="/">Link</a>} }
+
+      it { is_expected.to eq(exp) }
+    end
+
+    context 'allows `br` elements' do
+      let(:exp) { %q{Hello<br>World} }
+
+      it { is_expected.to eq(exp) }
+    end
+
+    context 'when `a` elements have `style` attribute' do
+      let(:whitelisted_style) { 'color: red; border: blue; background: green; padding: 10px; margin: 10px; text-decoration: underline;' }
+
+      context 'allows specific properties' do
+        let(:exp) { %{<a href="#" style="#{whitelisted_style}">Stylish Link</a>} }
+
+        it { is_expected.to eq(exp) }
+      end
+
+      it 'disallows other properties in `style` attribute on `a` elements' do
+        style = [whitelisted_style, 'position: fixed'].join(';')
+        doc = filter(%{<a href="#" style="#{style}">Stylish Link</a>})
+
+        expect(doc.at_css('a')['style']).to eq(whitelisted_style)
+      end
+    end
+
+    context 'allows `class` on `a` elements' do
+      let(:exp) { %q{<a href="#" class="btn">Button Link</a>} }
+
+      it { is_expected.to eq(exp) }
+    end
+  end
+end
diff --git a/spec/lib/banzai/filter/relative_link_filter_spec.rb b/spec/lib/banzai/filter/relative_link_filter_spec.rb
index a17a645d4d0..1efca647b8b 100644
--- a/spec/lib/banzai/filter/relative_link_filter_spec.rb
+++ b/spec/lib/banzai/filter/relative_link_filter_spec.rb
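Review bot: In `disallows other properties in `style` attribute on `a` elements`, `[whitelisted_style, 'position: fixed'].join(';')` produces a double `;;` because `whitelisted_style` already ends with a semicolon, so the example also quietly relies on the CSS parser tolerating an empty declaration; `style = "#{whitelisted_style} position: fixed"` keeps the input well-formed while testing the same thing. The only rejected declaration exercised is a property name (`position`); since `background` is on the allowed list, a case showing what happens to a functional value such as `background: url(/x)` would document whether the whitelist is per-property only or also constrains values — I cannot tell from this spec which is intended. A case with a `style` attribute on a non-`a` element would likewise pin down that the allowance is scoped to `a`, which the context name asserts but no example checks.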
@@ -157,7 +157,7 @@ describe Banzai::Filter::RelativeLinkFilter do
     end
 
     it 'does not modify relative URLs in system notes' do
-      path = "#{project_path}/merge_requests/1/diffs"
+      path = "#{project_path}/-/merge_requests/1/diffs"
       doc = filter(link(path), system_note: true)
 
       expect(doc.at_css('a')['href']).to eq path
diff --git a/spec/lib/banzai/filter/sanitization_filter_spec.rb b/spec/lib/banzai/filter/sanitization_filter_spec.rb
index 8a4b819e4d6..607dc3fda47 100644
--- a/spec/lib/banzai/filter/sanitization_filter_spec.rb
+++ b/spec/lib/banzai/filter/sanitization_filter_spec.rb
@@ -5,48 +5,12 @@ require 'spec_helper'
 describe Banzai::Filter::SanitizationFilter do
   include FilterSpecHelper
 
-  describe 'default whitelist' do
-    it 'sanitizes tags that are not whitelisted' do
-      act = %q{<textarea>no inputs</textarea> and <blink>no blinks</blink>}
-      exp = 'no inputs and no blinks'
-      expect(filter(act).to_html).to eq exp
-    end
-
-    it 'sanitizes tag attributes' do
-      act = %q{<a href="http://example.com/bar.html" onclick="bar">Text</a>}
-      exp = %q{<a href="http://example.com/bar.html">Text</a>}
-      expect(filter(act).to_html).to eq exp
-    end
-
-    it 'sanitizes javascript in attributes' do
-      act = %q(<a href="javascript:alert('foo')">Text</a>)
-      exp = '<a>Text</a>'
-      expect(filter(act).to_html).to eq exp
-    end
-
-    it 'sanitizes mixed-cased javascript in attributes' do
-      act = %q(<a href="javaScript:alert('foo')">Text</a>)
-      exp = '<a>Text</a>'
-      expect(filter(act).to_html).to eq exp
-    end
-
-    it 'allows whitelisted HTML tags from the user' do
-      exp = act = "<dl>\n<dt>Term</dt>\n<dd>Definition</dd>\n</dl>"
-      expect(filter(act).to_html).to eq exp
-    end
-
-    it 'sanitizes `class` attribute on any element' do
-      act = %q{<strong class="foo">Strong</strong>}
-      expect(filter(act).to_html).to eq %q{<strong>Strong</strong>}
-    end
-
-    it 'sanitizes `id` attribute on any element' do
-      act = %q{<em id="foo">Emphasis</em>}
-      expect(filter(act).to_html).to eq %q{<em>Emphasis</em>}
-    end
-  end
+  it_behaves_like 'default whitelist'
 
   describe 'custom whitelist' do
+    it_behaves_like 'XSS prevention'
+    it_behaves_like 'sanitize link'
+
     it 'customizes the whitelist only once' do
       instance = described_class.new('Foo')
       control_count = instance.whitelist[:transformers].size
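Review bot: The three `it_behaves_like` lines replace the inline cases removed here and in the `@@ -167,142 +131,6 @@` hunk of this file, but the shared example groups `'default whitelist'`, `'XSS prevention'` and `'sanitize link'` are not part of this diff, so coverage parity cannot be verified from the commit. The cases most worth confirming in those groups are the ones with no obvious counterpart in the group names: `onclick` and `class`/`id` stripping, `rel` removal on `a`, the `Addressable::URI::InvalidURIError` path, and the `data:`/`vbscript:`/null-char link inputs. A one-line comment above the first `it_behaves_like`, pointing at the file that defines the shared groups, would let the next reader find them without grepping. `describe 'custom whitelist'` continues past the end of this hunk.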
@@ -167,142 +131,6 @@ describe Banzai::Filter::SanitizationFilter do
       expect(filter(html).to_html).to eq(output)
     end
 
-    it 'removes `rel` attribute from `a` elements' do
-      act = %q{<a href="#" rel="nofollow">Link</a>}
-      exp = %q{<a href="#">Link</a>}
-
-      expect(filter(act).to_html).to eq exp
-    end
-
-    # Adapted from the Sanitize test suite: http://git.io/vczrM
-    protocols = {
-      'protocol-based JS injection: simple, no spaces' => {
-        input: '<a href="javascript:alert(\'XSS\');">foo</a>',
-        output: '<a>foo</a>'
-      },
-
-      'protocol-based JS injection: simple, spaces before' => {
-        input: '<a href="javascript :alert(\'XSS\');">foo</a>',
-        output: '<a>foo</a>'
-      },
-
-      'protocol-based JS injection: simple, spaces after' => {
-        input: '<a href="javascript: alert(\'XSS\');">foo</a>',
-        output: '<a>foo</a>'
-      },
-
-      'protocol-based JS injection: simple, spaces before and after' => {
-        input: '<a href="javascript : alert(\'XSS\');">foo</a>',
-        output: '<a>foo</a>'
-      },
-
-      'protocol-based JS injection: preceding colon' => {
-        input: '<a href=":javascript:alert(\'XSS\');">foo</a>',
-        output: '<a>foo</a>'
-      },
-
-      'protocol-based JS injection: UTF-8 encoding' => {
-        input: '<a href="javascript:">foo</a>',
-        output: '<a>foo</a>'
-      },
-
-      'protocol-based JS injection: long UTF-8 encoding' => {
-        input: '<a href="javascript:">foo</a>',
-        output: '<a>foo</a>'
-      },
-
-      'protocol-based JS injection: long UTF-8 encoding without semicolons' => {
-        input: '<a href=javascript:alert('XSS')>foo</a>',
-        output: '<a>foo</a>'
-      },
-
-      'protocol-based JS injection: hex encoding' => {
-        input: '<a href="javascript:">foo</a>',
-        output: '<a>foo</a>'
-      },
-
-      'protocol-based JS injection: long hex encoding' => {
-        input: '<a href="javascript:">foo</a>',
-        output: '<a>foo</a>'
-      },
-
-      'protocol-based JS injection: hex encoding without semicolons' => {
-        input: '<a href=javascript:alert('XSS')>foo</a>',
-        output: '<a>foo</a>'
-      },
-
-      'protocol-based JS injection: null char' => {
-        input: "<a href=java\0script:alert(\"XSS\")>foo</a>",
-        output: '<a href="java"></a>'
-      },
-
-      'protocol-based JS injection: invalid URL char' => {
-        input: '<img src=java\script:alert("XSS")>',
-        output: '<img>'
-      },
-
-      'protocol-based JS injection: Unicode' => {
-        input: %Q(<a href="\u0001java\u0003script:alert('XSS')">foo</a>),
-        output: '<a>foo</a>'
-      },
-
-      'protocol-based JS injection: spaces and entities' => {
-        input: '<a href="  javascript:alert(\'XSS\');">foo</a>',
-        output: '<a href="">foo</a>'
-      },
-
-      'protocol whitespace' => {
-        input: '<a href=" http://example.com/"></a>',
-        output: '<a href="http://example.com/"></a>'
-      }
-    }
-
-    protocols.each do |name, data|
-      it "disallows #{name}" do
-        doc = filter(data[:input])
-
-        expect(doc.to_html).to eq data[:output]
-      end
-    end
-
-    it 'disallows data links' do
-      input = '<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">XSS</a>'
-      output = filter(input)
-
-      expect(output.to_html).to eq '<a>XSS</a>'
-    end
-
-    it 'disallows vbscript links' do
-      input = '<a href="vbscript:alert(document.domain)">XSS</a>'
-      output = filter(input)
-
-      expect(output.to_html).to eq '<a>XSS</a>'
-    end
-
-    it 'disallows invalid URIs' do
-      expect(Addressable::URI).to receive(:parse).with('foo://example.com')
-        .and_raise(Addressable::URI::InvalidURIError)
-
-      input = '<a href="foo://example.com">Foo</a>'
-      output = filter(input)
-
-      expect(output.to_html).to eq '<a>Foo</a>'
-    end
-
-    it 'allows non-standard anchor schemes' do
-      exp = %q{<a href="irc://irc.freenode.net/git">IRC</a>}
-      act = filter(exp)
-
-      expect(act.to_html).to eq exp
-    end
-
-    it 'allows relative links' do
-      exp = %q{<a href="foo/bar.md">foo/bar.md</a>}
-      act = filter(exp)
-
-      expect(act.to_html).to eq exp
-    end
-
     it 'allows the `data-sourcepos` attribute globally' do
       exp = %q{<p data-sourcepos="1:1-1:10">foo/bar.md</p>}
       act = filter(exp)
diff --git a/spec/lib/banzai/pipeline/broadcast_message_pipeline_spec.rb b/spec/lib/banzai/pipeline/broadcast_message_pipeline_spec.rb
new file mode 100644
index 00000000000..9832b132b58
--- /dev/null
+++ b/spec/lib/banzai/pipeline/broadcast_message_pipeline_spec.rb
@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Banzai::Pipeline::BroadcastMessagePipeline do
+  before do
+    stub_commonmark_sourcepos_disabled
+  end
+
+  subject { described_class.to_html(exp, project: spy) }
+
+  context "allows `a` elements" do
+    let(:exp) { "<a>Link</a>" }
+
+    it { is_expected.to eq("<p>#{exp}</p>") }
+  end
+
+  context "allows `br` elements" do
+    let(:exp) { "Hello<br>World" }
+
+    it { is_expected.to eq("<p>#{exp}</p>") }
+  end
+end
diff --git a/spec/lib/gitlab/ci/pipeline/seed/build/resource_group_spec.rb b/spec/lib/gitlab/ci/pipeline/seed/build/resource_group_spec.rb
deleted file mode 100644
index bf6985156d3..00000000000
--- a/spec/lib/gitlab/ci/pipeline/seed/build/resource_group_spec.rb
+++ /dev/null
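Review bot: Both contexts in this new pipeline spec only assert that allowed markup survives, and `"<a>Link</a>"` carries no `href`, so nothing here shows that `BroadcastMessagePipeline` actually runs the sanitization filter at all — a pipeline with no sanitizer would pass both examples. One negative case built from the markup the removed `SanitizationFilter` examples already used, e.g. `let(:exp) { "<blink>no blinks</blink>" }` with the expectation that `<blink>` is gone from the output, would demonstrate the wiring; the exact rendered output likely depends on the Markdown step, so the expected string needs to be checked against a real run. It would also be worth one example with an `href` so the pipeline-level behaviour of link sanitization is covered, not only the filter-level one. Minor style point: this file uses double-quoted strings throughout while the sibling filter spec uses single quotes.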
@@ -1,46 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-describe Gitlab::Ci::Pipeline::Seed::Build::ResourceGroup do
-  let_it_be(:project) { create(:project) }
-  let(:job) { build(:ci_build, project: project) }
-  let(:seed) { described_class.new(job, resource_group_key) }
-
-  describe '#to_resource' do
-    subject { seed.to_resource }
-
-    context 'when resource group key is specified' do
-      let(:resource_group_key) { 'iOS' }
-
-      it 'returns a resource group object' do
-        is_expected.to be_a(Ci::ResourceGroup)
-        expect(subject.key).to eq('iOS')
-      end
-
-      context 'when environment has an invalid URL' do
-        let(:resource_group_key) { ':::' }
-
-        it 'returns nothing' do
-          is_expected.to be_nil
-        end
-      end
-
-      context 'when there is a resource group already' do
-        let!(:resource_group) { create(:ci_resource_group, project: project, key: 'iOS') }
-
-        it 'does not create a new resource group' do
-          expect { subject }.not_to change { Ci::ResourceGroup.count }
-        end
-      end
-    end
-
-    context 'when resource group key is nil' do
-      let(:resource_group_key) { nil }
-
-      it 'returns nothing' do
-        is_expected.to be_nil
-      end
-    end
-  end
-end
diff --git a/spec/lib/gitlab/ci/pipeline/seed/build_spec.rb b/spec/lib/gitlab/ci/pipeline/seed/build_spec.rb
index 5526ec9e16f..2ae513aea1b 100644
--- a/spec/lib/gitlab/ci/pipeline/seed/build_spec.rb
+++ b/spec/lib/gitlab/ci/pipeline/seed/build_spec.rb
@@ -231,15 +231,6 @@ describe Gitlab::Ci::Pipeline::Seed::Build do
         end
       end
     end
-
-    context 'when job belongs to a resource group' do
-      let(:attributes) { { name: 'rspec', ref: 'master', resource_group_key: 'iOS' } }
-
-      it 'returns a job with resource group' do
-        expect(subject.resource_group).not_to be_nil
-        expect(subject.resource_group.key).to eq('iOS')
-      end
-    end
   end
 
   context 'when job is a bridge' do
diff --git a/spec/lib/gitlab/ci/yaml_processor_spec.rb b/spec/lib/gitlab/ci/yaml_processor_spec.rb
index f61b28b06c8..8f9c5c74260 100644
--- a/spec/lib/gitlab/ci/yaml_processor_spec.rb
+++ b/spec/lib/gitlab/ci/yaml_processor_spec.rb
@@ -241,21 +241,6 @@ module Gitlab
           end
         end
       end
-
-      describe 'resource group' do
-        context 'when resource group is defined' do
-          let(:config) do
-            YAML.dump(rspec: {
-              script: 'test',
-              resource_group: 'iOS'
-            })
-          end
-
-          it 'has the attributes' do
-            expect(subject[:resource_group_key]).to eq 'iOS'
-          end
-        end
-      end
     end
 
     describe '#stages_attributes' do
diff --git a/spec/lib/gitlab/data_builder/pipeline_spec.rb b/spec/lib/gitlab/data_builder/pipeline_spec.rb
index 635bf56b72e..86ab7f888ca 100644
--- a/spec/lib/gitlab/data_builder/pipeline_spec.rb
+++ b/spec/lib/gitlab/data_builder/pipeline_spec.rb
@@ -77,7 +77,7 @@ describe Gitlab::DataBuilder::Pipeline do
       expect(merge_request_attrs[:target_project_id]).to eq(merge_request.target_project_id)
       expect(merge_request_attrs[:state]).to eq(merge_request.state)
       expect(merge_request_attrs[:merge_status]).to eq(merge_request.merge_status)
-      expect(merge_request_attrs[:url]).to eq("http://localhost/#{merge_request.target_project.full_path}/merge_requests/#{merge_request.iid}")
+      expect(merge_request_attrs[:url]).to eq("http://localhost/#{merge_request.target_project.full_path}/-/merge_requests/#{merge_request.iid}")
     end
   end
 end
diff --git a/spec/lib/gitlab/import_export/all_models.yml b/spec/lib/gitlab/import_export/all_models.yml
index 16fe5f23d14..8d436fb28e0 100644
--- a/spec/lib/gitlab/import_export/all_models.yml
+++ b/spec/lib/gitlab/import_export/all_models.yml
@@ -444,7 +444,6 @@ project:
 - service_desk_setting
 - import_failures
 - container_expiration_policy
-- resource_groups
 award_emoji:
 - awardable
 - user
diff --git a/spec/lib/gitlab/import_export/project_tree_restorer_spec.rb b/spec/lib/gitlab/import_export/project_tree_restorer_spec.rb
index f549216ccb0..ec1b935ad63 100644
--- a/spec/lib/gitlab/import_export/project_tree_restorer_spec.rb
+++ b/spec/lib/gitlab/import_export/project_tree_restorer_spec.rb
@@ -240,6 +240,16 @@ describe Gitlab::ImportExport::ProjectTreeRestorer do
         expect(sentry_issue.sentry_issue_identifier).to eq(1234567891)
       end
 
+      it 'restores container_expiration_policy' do
+        policy = Project.find_by_path('project').container_expiration_policy
+
+        aggregate_failures do
+          expect(policy).to be_an_instance_of(ContainerExpirationPolicy)
+          expect(policy).to be_persisted
+          expect(policy.cadence).to eq('3month')
+        end
+      end
+
       context 'Merge requests' do
         it 'always has the new project as a target' do
           expect(MergeRequest.find_by_title('MR1').target_project).to eq(@project)
diff --git a/spec/lib/gitlab/url_builder_spec.rb b/spec/lib/gitlab/url_builder_spec.rb
index 0aab02b6c4c..d349c2928b0 100644
--- a/spec/lib/gitlab/url_builder_spec.rb
+++ b/spec/lib/gitlab/url_builder_spec.rb
@@ -55,7 +55,7 @@ describe Gitlab::UrlBuilder do
 
         url = described_class.build(merge_request)
 
-        expect(url).to eq "#{Settings.gitlab['url']}/#{merge_request.project.full_path}/merge_requests/#{merge_request.iid}"
+        expect(url).to eq "#{Settings.gitlab['url']}/#{merge_request.project.full_path}/-/merge_requests/#{merge_request.iid}"
       end
     end
 
@@ -118,7 +118,7 @@ describe Gitlab::UrlBuilder do
 
         url = described_class.build(note)
 
-        expect(url).to eq "#{Settings.gitlab['url']}/#{merge_request.project.full_path}/merge_requests/#{merge_request.iid}#note_#{note.id}"
+        expect(url).to eq "#{Settings.gitlab['url']}/#{merge_request.project.full_path}/-/merge_requests/#{merge_request.iid}#note_#{note.id}"
       end
     end
 
@@ -129,7 +129,7 @@ describe Gitlab::UrlBuilder do
 
         url = described_class.build(note)
 
-        expect(url).to eq "#{Settings.gitlab['url']}/#{merge_request.project.full_path}/merge_requests/#{merge_request.iid}#note_#{note.id}"
+        expect(url).to eq "#{Settings.gitlab['url']}/#{merge_request.project.full_path}/-/merge_requests/#{merge_request.iid}#note_#{note.id}"
       end
     end
|
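Review bot: `Project.find_by_path('project')` in the new `restores container_expiration_policy` example looks the project up by a non-unique path, while the neighbouring `Merge requests` context already refers to the restored project as `@project`; `policy = @project.container_expiration_policy` ties the assertion to the project this restore produced rather than to whichever record with that path comes back first. Whether `@project` is assigned in a `before` block is inferred from the `to eq(@project)` line, since the enclosing `describe` starts before this hunk. The expected cadence `'3month'` presumably comes from the import fixture used by this spec; a short comment naming that fixture above the example would save the next reader a search. The three `url_builder_spec` hunks below are path-only changes and need no action.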