diff options
Diffstat (limited to 'spec/requests/projects/wikis_controller_spec.rb')
-rw-r--r-- | spec/requests/projects/wikis_controller_spec.rb | 73 |
1 files changed, 73 insertions, 0 deletions
diff --git a/spec/requests/projects/wikis_controller_spec.rb b/spec/requests/projects/wikis_controller_spec.rb new file mode 100644 index 00000000000..4768e7134e8 --- /dev/null +++ b/spec/requests/projects/wikis_controller_spec.rb @@ -0,0 +1,73 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe Projects::WikisController, feature_category: :wiki do + using RSpec::Parameterized::TableSyntax + + let_it_be(:user) { create(:user) } + let_it_be(:project) { create(:project, :wiki_repo, namespace: user.namespace) } + let_it_be(:project_wiki) { create(:project_wiki, project: project, user: user) } + let_it_be(:wiki_page) do + create(:wiki_page, + wiki: project_wiki, + title: 'home', content: "Look at this [image](#{path})\n\n ![alt text](#{path})") + end + + let_it_be(:csp_nonce) { 'just=some=noncense' } + + before do + sign_in(user) + + allow_next_instance_of(described_class) do |instance| + allow(instance).to receive(:content_security_policy_nonce).and_return(csp_nonce) + end + end + + shared_examples 'embed.diagrams.net frame-src directive' do + it 'adds drawio frame-src directive to the Content Security Policy header' do + frame_src = response.headers['Content-Security-Policy'].split(';') + .map(&:strip) + .find { |entry| entry.starts_with?('frame-src') } + + expect(frame_src).to include('https://embed.diagrams.net') + end + end + + describe 'CSP policy' do + describe '#new' do + before do + get wiki_path(project_wiki, action: :new) + end + + it_behaves_like 'embed.diagrams.net frame-src directive' + end + + describe '#edit' do + before do + get wiki_page_path(project_wiki, wiki_page, action: 'edit') + end + + it_behaves_like 'embed.diagrams.net frame-src directive' + end + + describe '#create' do + before do + # Creating a page with an invalid title to render edit page + post wiki_path(project_wiki, action: 'create'), params: { wiki: { title: 'home' } } + end + + it_behaves_like 'embed.diagrams.net frame-src directive' + end + + describe '#update' do + before do + # Setting an invalid page title to render edit page + put wiki_page_path(project_wiki, wiki_page), params: { wiki: { title: '' } } + print(response.body) + end + + it_behaves_like 'embed.diagrams.net frame-src directive' + end + end +end |