From 25e94f0fc4c4666dbbacfcbdd6bce0380b8fe1d0 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Wed, 27 Oct 2021 10:19:31 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@14-4-stable-ee

---
 spec/frontend/lib/dompurify_spec.js         |  6 +++++-
 spec/frontend/lib/utils/url_utility_spec.js | 21 +++++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)
(limited to 'spec/frontend')
diff --git a/spec/frontend/lib/dompurify_spec.js b/spec/frontend/lib/dompurify_spec.js
index 324441fa2c9..47a94a4dcde 100644
--- a/spec/frontend/lib/dompurify_spec.js
+++ b/spec/frontend/lib/dompurify_spec.js
@@ -22,12 +22,16 @@ const safeUrls = {
 const unsafeUrls = [
   '/an/evil/url',
   '../../../evil/url',
-  'https://evil.url/assets/icons-123a.svg',
+  'https://evil.url/assets/icons-123a.svg#test',
   'https://evil.url/assets/icons-456b.svg',
   `https://evil.url/${rootGon.sprite_icons}`,
   `https://evil.url/${rootGon.sprite_file_icons}`,
   `https://evil.url/${absoluteGon.sprite_icons}`,
   `https://evil.url/${absoluteGon.sprite_file_icons}`,
+  `${rootGon.sprite_icons}/../evil/path`,
+  `${rootGon.sprite_file_icons}/../../evil/path`,
+  `${absoluteGon.sprite_icons}/../evil/path`,
+  `${absoluteGon.sprite_file_icons}/../../https://evil.url`,
 ];
 
 const forbiddenDataAttrs = ['data-remote', 'data-url', 'data-type', 'data-method'];
diff --git a/spec/frontend/lib/utils/url_utility_spec.js b/spec/frontend/lib/utils/url_utility_spec.js
index 18b68d91e01..36e1a453ef4 100644
--- a/spec/frontend/lib/utils/url_utility_spec.js
+++ b/spec/frontend/lib/utils/url_utility_spec.js
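Review bot: The four traversal fixtures appended to `unsafeUrls` carry the security property this backport pins down, but nothing in the list says why a path that begins with the allowlisted sprite prefix must still be rejected, so a reader can take them for redundant variants of `'../../../evil/url'`. A comment above the new entries, such as `// prefix matches the sprite allowlist, but the dot segments resolve outside it — must be rejected after normalization`, keeps that intent attached to the cases. The rewritten `icons-123a.svg#test` entry likewise deserves a short note that the fragment mirrors how sprite icons are referenced, otherwise the added `#test` looks accidental. All fixtures use literal `..` segments; if the sanitizer normalizes through the `URL` parser, percent-encoded dot segments (`%2e%2e`) collapse the same way, but one fixture using that spelling in place of `..` would pin the assumption rather than leave it implicit. The list and its `rootGon`/`absoluteGon` inputs are defined above the hunk, so how those values are built cannot be checked here.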
@@ -607,6 +607,27 @@ describe('URL utility', () => {
     });
   });
 
+  describe('getNormalizedURL', () => {
+    it.each`
+      url | base | result
+      ${'./foo'} | ${''} | ${'http://test.host/foo'}
+      ${'../john.md'} | ${''} | ${'http://test.host/john.md'}
+      ${'/images/img.png'} | ${'https://gitlab.com'} | ${'https://gitlab.com/images/img.png'}
+      ${'/images/../img.png'} | ${'https://gitlab.com'} | ${'https://gitlab.com/img.png'}
+      ${'/images/./img.png'} | ${'https://gitlab.com'} | ${'https://gitlab.com/images/img.png'}
+      ${'./images/img.png'} | ${'https://gitlab.com/user/project'} | ${'https://gitlab.com/user/images/img.png'}
+      ${'../images/../img.png'} | ${'https://gitlab.com/user/project'} | ${'https://gitlab.com/img.png'}
+      ${'/images/img.png'} | ${'https://gitlab.com/user/project'} | ${'https://gitlab.com/images/img.png'}
+      ${'/images/../img.png'} | ${'https://gitlab.com/user/project'} | ${'https://gitlab.com/img.png'}
+      ${'/images/./img.png'} | ${'https://gitlab.com/user/project'} | ${'https://gitlab.com/images/img.png'}
+    `(
+      'converts url "$url" with base "$base" to normalized url => "expected"',
+      ({ url, base, result }) => {
+        expect(urlUtils.getNormalizedURL(url, base)).toBe(result);
+      },
+    );
+  });
+
   describe('getWebSocketProtocol', () => {
     it.each`
       protocol | expectation
--
cgit v1.2.3
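Review bot: The test title on the `'converts url ...'` line ends in the literal word `"expected"` instead of the `$result` placeholder, so a failing row reports its inputs but not the value it was meant to produce; change it to `'converts url "$url" with base "$base" to normalized url => "$result"'`. Every row's `url` is relative and every base is empty or under `https://gitlab.com`, so the table only shows that dot segments are resolved; it does not pin what `getNormalizedURL` returns for an absolute or protocol-relative `url` whose origin differs from `base`, which is the distinction a caller using the result for an allowlist check depends on, and one row with a cross-origin absolute `url` would close that gap. The two empty-base rows resolve against `http://test.host`, which comes from the jsdom environment rather than anything in the spec; a comment on the first of them, `// base '' falls back to the jsdom location, http://test.host`, would explain the otherwise surprising expectation. The implementation of `getNormalizedURL` is not part of this diff, so whether it goes through the `URL` constructor, and therefore also collapses percent-encoded dot segments, cannot be confirmed here; the new `describe` block is complete within the hunk while the enclosing `describe('URL utility')` starts above it.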