From ac9a8518364e91d64cb01732bf41896b6d2912b6 Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Tue, 30 Mar 2021 22:42:44 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@13-10-stable-ee

---
 .../user_views_open_merge_request_spec.rb          | 17 ++++++++++
 spec/initializers/json_validator_patch_spec.rb     | 39 ++++++++++++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 spec/initializers/json_validator_patch_spec.rb

(limited to 'spec')

diff --git a/spec/features/merge_request/user_views_open_merge_request_spec.rb b/spec/features/merge_request/user_views_open_merge_request_spec.rb
index 9bda48a3ec5..5f99d762ecb 100644
--- a/spec/features/merge_request/user_views_open_merge_request_spec.rb
+++ b/spec/features/merge_request/user_views_open_merge_request_spec.rb
@@ -111,4 +111,21 @@ RSpec.describe 'User views an open merge request' do
       end
     end
   end
+
+  context 'XSS source branch' do
+    let(:project) { create(:project, :public, :repository) }
+    let(:source_branch) { "&#39;&gt;&lt;iframe/srcdoc=&#39;&#39;&gt;&lt;/iframe&gt;" }
+
+    before do
+      project.repository.create_branch(source_branch, "master")
+
+      mr = create(:merge_request, source_project: project, target_project: project, source_branch: source_branch)
+
+      visit(merge_request_path(mr))
+    end
+
+    it 'encodes branch name' do
+      expect(find('cite.ref-name')[:title]).to eq(source_branch)
+    end
+  end
 end
diff --git a/spec/initializers/json_validator_patch_spec.rb b/spec/initializers/json_validator_patch_spec.rb
new file mode 100644
index 00000000000..5d90364ae92
--- /dev/null
+++ b/spec/initializers/json_validator_patch_spec.rb
@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'rspec-parameterized'
+
+RSpec.describe 'JSON validator patch' do
+  using RSpec::Parameterized::TableSyntax
+
+  let(:schema) { '{"format": "string"}' }
+
+  subject { JSON::Validator.validate(schema, data) }
+
+  context 'with invalid JSON' do
+    where(:data) do
+      [
+        'https://example.com',
+        '/tmp/test.txt'
+      ]
+    end
+
+    with_them do
+      it 'does not attempt to open a file or URI' do
+        allow(File).to receive(:read).and_call_original
+        allow(URI).to receive(:open).and_call_original
+        expect(File).not_to receive(:read).with(data)
+        expect(URI).not_to receive(:open).with(data)
+        expect(subject).to be true
+      end
+    end
+  end
+
+  context 'with valid JSON' do
+    let(:data) { %({ 'somekey': 'value' }) }
+
+    it 'validates successfully' do
+      expect(subject).to be true
+    end
+  end
+end
-- 
cgit v1.2.3