# frozen_string_literal: true

require 'spec_helper'

RSpec.describe "ExternalRedirect::ExternalRedirectController requests", feature_category: :navigation do
  # Path of the interstitial endpoint under test; every request in this
  # file hits it with a different `url` query string.
  let_it_be(:redirect_path) { '/-/external_redirect' }

  # A destination outside this instance: the endpoint is expected to show
  # an interstitial with a "Proceed" link instead of redirecting silently.
  let_it_be(:external_url) { 'https://google.com' }
  let_it_be(:external_url_encoded) do
    Addressable::URI.encode_component(external_url, Addressable::URI::CharacterClasses::QUERY)
  end

  # A destination on the instance's own origin: no interstitial, plain redirect.
  let_it_be(:internal_url) { "#{Gitlab.config.gitlab.url}/foo/bar" }
  let_it_be(:internal_url_encoded) do
    Addressable::URI.encode_component(internal_url, Addressable::URI::CharacterClasses::QUERY)
  end

  # Header partial the interstitial page is expected NOT to render.
  let_it_be(:header_partial) { 'layouts/header/_default' }

  context "with valid url param" do
    before do
      get "#{redirect_path}?url=#{external_url_encoded}"
    end

    it "returns 200 and renders URL" do
      expect(response).to have_gitlab_http_status(:ok)
      expect(response.body).to have_link(text: 'Proceed', href: external_url)
    end

    it "does not render nav" do
      expect(response).not_to render_template(header_partial)
    end
  end

  context "with same origin url" do
    before do
      get "#{redirect_path}?url=#{internal_url_encoded}"
    end

    it "redirects" do
      expect(response).to redirect_to(internal_url)
    end
  end

  describe "with invalid url params" do
    # Each row is [example name, raw query string]. All of them must be
    # rejected with 404 rather than rendered or followed:
    # - a non-http(s) scheme (`javascript:`),
    # - an empty or absent `url`,
    # - a `url` pointing back at this endpoint (plain and with the scheme
    #   percent-encoded), which presumably would otherwise let the
    #   endpoint bounce through itself.
    # NOTE(review): `www.example.com` looks like the host the request
    # spec runs under — confirm against the test host configuration.
    where(:case_name, :params) do
      [
        ["when url is bad", "url=javascript:alert(1)"],
        ["when url is empty", "url="],
        ["when url param is missing", ""],
        ["when url points to self", "url=http://www.example.com/-/external_redirect?url=#{external_url_encoded}"],
        ["when url points to self encoded",
         "url=http%3A%2F%2Fwww.example.com/-/external_redirect?url=#{external_url_encoded}"]
      ]
    end

    with_them do
      it "returns 404" do
        get "#{redirect_path}?#{params}"

        expect(response).to have_gitlab_http_status(:not_found)
      end
    end
  end
end