From 62e0c3c7d73f028e4c6c8c179d6f04f811a0859f Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Wed, 27 Jul 2022 19:06:07 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@15-2-stable-ee

---
 spec/serializers/build_details_entity_spec.rb | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

(limited to 'spec/serializers')

diff --git a/spec/serializers/build_details_entity_spec.rb b/spec/serializers/build_details_entity_spec.rb
index dd8238456aa..916798c669c 100644
--- a/spec/serializers/build_details_entity_spec.rb
+++ b/spec/serializers/build_details_entity_spec.rb
@@ -170,6 +170,24 @@ RSpec.describe BuildDetailsEntity do
           expect(message).to include('could not retrieve the needed artifacts.')
         end
       end
+
+      context 'when dependency contains invalid dependency names' do
+        invalid_name = 'XSS<a href=# data-disable-with="<img src=x onerror=alert(document.domain)>">'
+        let!(:test1) { create(:ci_build, :success, :expired, pipeline: pipeline, name: invalid_name, stage_idx: 0) }
+        let!(:build) { create(:ci_build, :pending, pipeline: pipeline, stage_idx: 1, options: { dependencies: [invalid_name] }) }
+
+        before do
+          build.pipeline.unlocked!
+          build.drop!(:missing_dependency_failure)
+        end
+
+        it { is_expected.to include(failure_reason: 'missing_dependency_failure') }
+
+        it 'escapes the invalid dependency names' do
+          escaped_name = html_escape(invalid_name)
+          expect(message).to include(escaped_name)
+        end
+      end
     end
 
     context 'when a build has environment with latest deployment' do
-- 
cgit v1.2.3