Add a test to make sure there's no XSS for hook logstest-hook-logs-xss

author: Lin Jen-Shin <godfat@godfat.org> 2018-03-27 01:54:30 +0800
committer: Lin Jen-Shin <godfat@godfat.org> 2018-03-27 02:55:11 +0800
commit: 09ce4671848d79cff64a81c49c374abb281d6d94 (patch)
tree: 295ed1df9093c9a4922ae1fe2f92518482ee6449
parent: 3adbc579bc45bf61510bc83900d07e8b0bafa088 (diff)
download: gitlab-ce-test-hook-logs-xss.tar.gz
1 files changed, 21 insertions, 0 deletions
diff --git a/spec/features/projects/hook_logs/user_reads_log_spec.rb b/spec/features/projects/hook_logs/user_reads_log_spec.rb
new file mode 100644
index 00000000000..18e975fa653
--- /dev/null
+++ b/spec/features/projects/hook_logs/user_reads_log_spec.rb
@@ -0,0 +1,21 @@
+require 'spec_helper'
+
+feature 'Hook logs' do
+  given(:web_hook_log) { create(:web_hook_log, response_body: '<script>') }
+  given(:project) { web_hook_log.web_hook.project }
+  given(:user) { create(:user) }
+
+  before do
+    project.add_master(user)
+
+    sign_in(user)
+  end
+
+  scenario 'user reads log without getting XSS' do
+    visit(
+      project_hook_hook_log_path(
+        project, web_hook_log.web_hook, web_hook_log))
+
+    expect(page).to have_content('<script>')
+  end
+end
author	Lin Jen-Shin <godfat@godfat.org>	2018-03-27 01:54:30 +0800
committer	Lin Jen-Shin <godfat@godfat.org>	2018-03-27 02:55:11 +0800
commit	09ce4671848d79cff64a81c49c374abb281d6d94 (patch)
tree	295ed1df9093c9a4922ae1fe2f92518482ee6449
parent	3adbc579bc45bf61510bc83900d07e8b0bafa088 (diff)
download	gitlab-ce-test-hook-logs-xss.tar.gz