author | Douwe Maan <douwe@gitlab.com> | 2018-03-27 09:15:16 +0000 |
---|---|---|
committer | Douwe Maan <douwe@gitlab.com> | 2018-03-27 09:15:16 +0000 |
commit | 01c4f56546b9fc12da7333a8d367da22c1c42c46 (patch) | |
tree | f5084884819e079f6f6e8fe64b80ec93315358af | |
parent | 678af224a235e621530e13dd2b96bf2b1caff725 (diff) | |
parent | 09ce4671848d79cff64a81c49c374abb281d6d94 (diff) | |
download | gitlab-ce-01c4f56546b9fc12da7333a8d367da22c1c42c46.tar.gz |
Merge branch 'test-hook-logs-xss' into 'master'
Add a test to make sure there's no XSS for hook logs
See merge request gitlab-org/gitlab-ce!18005
-rw-r--r-- | spec/features/projects/hook_logs/user_reads_log_spec.rb | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/spec/features/projects/hook_logs/user_reads_log_spec.rb b/spec/features/projects/hook_logs/user_reads_log_spec.rb
new file mode 100644
index 00000000000..18e975fa653
--- /dev/null
+++ b/spec/features/projects/hook_logs/user_reads_log_spec.rb
@@ -0,0 +1,21 @@
+require 'spec_helper'
+
+feature 'Hook logs' do
+ given(:web_hook_log) { create(:web_hook_log, response_body: '<script>') }
+ given(:project) { web_hook_log.web_hook.project }
+ given(:user) { create(:user) }
+
+ before do
+ project.add_master(user)
+
+ sign_in(user)
+ end
+
+ scenario 'user reads log without getting XSS' do
+ visit(
+ project_hook_hook_log_path(
+ project, web_hook_log.web_hook, web_hook_log))
+
+ expect(page).to have_content('<script>')
+ end
+end |
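Review bot: The assertion `expect(page).to have_content('<script>')` proves escaping only indirectly, and nothing in the spec says why: the literal appears as visible text only when the view HTML-escapes the stored body, whereas an unescaped tag would be parsed as markup and not appear in the page content. A one-line comment above the expectation would keep a later reader from "simplifying" it away, for example `# Escaped markup is rendered as visible text; an unescaped tag would be parsed and not appear in page content`. The payload is also seeded only through `response_body`; if the log page renders other stored fields of the entry (not visible in this hunk), giving them the same marker in the `create(:web_hook_log, ...)` call would extend the regression coverage to those outputs as well.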