1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
|
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe Projects::WikisController, feature_category: :wiki do
using RSpec::Parameterized::TableSyntax
let_it_be(:user) { create(:user) }
let_it_be(:project) { create(:project, :wiki_repo, namespace: user.namespace) }
let_it_be(:project_wiki) { create(:project_wiki, project: project, user: user) }
let_it_be(:wiki_page) do
create(:wiki_page,
wiki: project_wiki,
title: 'home', content: "Look at this [image](#{path})\n\n ")
end
let_it_be(:csp_nonce) { 'just=some=noncense' }
before do
sign_in(user)
allow_next_instance_of(described_class) do |instance|
allow(instance).to receive(:content_security_policy_nonce).and_return(csp_nonce)
end
end
shared_examples 'embed.diagrams.net frame-src directive' do
it 'adds drawio frame-src directive to the Content Security Policy header' do
frame_src = response.headers['Content-Security-Policy'].split(';')
.map(&:strip)
.find { |entry| entry.starts_with?('frame-src') }
expect(frame_src).to include('https://embed.diagrams.net')
end
end
describe 'CSP policy' do
describe '#new' do
before do
get wiki_path(project_wiki, action: :new)
end
it_behaves_like 'embed.diagrams.net frame-src directive'
end
describe '#edit' do
before do
get wiki_page_path(project_wiki, wiki_page, action: 'edit')
end
it_behaves_like 'embed.diagrams.net frame-src directive'
end
describe '#create' do
before do
# Creating a page with an invalid title to render edit page
post wiki_path(project_wiki, action: 'create'), params: { wiki: { title: 'home' } }
end
it_behaves_like 'embed.diagrams.net frame-src directive'
end
describe '#update' do
before do
# Setting an invalid page title to render edit page
put wiki_page_path(project_wiki, wiki_page), params: { wiki: { title: '' } }
end
it_behaves_like 'embed.diagrams.net frame-src directive'
end
end
end
|
