authorDouwe Maan <douwe@gitlab.com>2018-03-27 09:15:16 +0000
committerDouwe Maan <douwe@gitlab.com>2018-03-27 09:15:16 +0000
commit01c4f56546b9fc12da7333a8d367da22c1c42c46 (patch)
treef5084884819e079f6f6e8fe64b80ec93315358af
parent678af224a235e621530e13dd2b96bf2b1caff725 (diff)
parent09ce4671848d79cff64a81c49c374abb281d6d94 (diff)
downloadgitlab-ce-01c4f56546b9fc12da7333a8d367da22c1c42c46.tar.gz
Merge branch 'test-hook-logs-xss' into 'master'
Add a test to make sure there's no XSS for hook logs See merge request gitlab-org/gitlab-ce!18005
-rw-r--r--spec/features/projects/hook_logs/user_reads_log_spec.rb21
1 files changed, 21 insertions, 0 deletions
diff --git a/spec/features/projects/hook_logs/user_reads_log_spec.rb b/spec/features/projects/hook_logs/user_reads_log_spec.rb
new file mode 100644
index 00000000000..18e975fa653
--- /dev/null
+++ b/spec/features/projects/hook_logs/user_reads_log_spec.rb
@@ -0,0 +1,21 @@
+require 'spec_helper'
+
+feature 'Hook logs' do
+ given(:web_hook_log) { create(:web_hook_log, response_body: '<script>') }
+ given(:project) { web_hook_log.web_hook.project }
+ given(:user) { create(:user) }
+
+ before do
+ project.add_master(user)
+
+ sign_in(user)
+ end
+
+ scenario 'user reads log without getting XSS' do
+ visit(
+ project_hook_hook_log_path(
+ project, web_hook_log.web_hook, web_hook_log))
+
+ expect(page).to have_content('<script>')
+ end
+end
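Review bot: The scenario seeds the marker only into `response_body` on the `given(:web_hook_log)` line, so any other externally influenced field the log page renders goes unchecked. If the view also prints response headers or the request payload (the view is not visible in this diff), the factory call should put the same marker in those fields so an unescaped one fails the spec. The assertion `expect(page).to have_content('<script>')` also needs a one-line comment, because it is not obvious that it proves escaping: `# have_content matches rendered text, so the literal tag is visible only if the body was HTML-escaped`. A complete payload such as `'<script>alert(1)</script>'` would make the fixture's intent clearer than a bare opening tag.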