E2E Test to check XSS issue in @mentions autocomplete

author: Ramya Authappan <rauthappan@gitlab.com> 2019-07-04 04:21:09 +0000
committer: Mark Lapierre <mlapierre@gitlab.com> 2019-07-04 04:21:09 +0000
commit: 4e75c7135a4c5309c02a6335de583cd097cc72c7 (patch)
tree: 68ab979180a52d578c0542965c5d9b554f450b9c
parent: 19dc1105524e3d25821670706a750043775588fa (diff)
download: gitlab-ce-4e75c7135a4c5309c02a6335de583cd097cc72c7.tar.gz
7 files changed, 54 insertions, 0 deletions
diff --git a/qa/qa/page/project/show.rb b/qa/qa/page/project/show.rb
index 1a9a2fd413f..9fd668f812b 100644
--- a/qa/qa/page/project/show.rb
+++ b/qa/qa/page/project/show.rb
@@ -5,6 +5,7 @@ module QA
     module Project
       class Show < Page::Base
         include Page::Component::ClonePanel
+        include Page::Project::SubMenus::Settings
 
         view 'app/views/layouts/header/_new_dropdown.haml' do
           element :new_menu_toggle
diff --git a/qa/qa/page/project/sub_menus/ci_cd.rb b/qa/qa/page/project/sub_menus/ci_cd.rb
index adae2ce08c4..2f0bc8b9ba6 100644
--- a/qa/qa/page/project/sub_menus/ci_cd.rb
+++ b/qa/qa/page/project/sub_menus/ci_cd.rb
@@ -5,6 +5,8 @@ module QA
     module Project
       module SubMenus
         module CiCd
+          include Page::Project::SubMenus::Common
+
           def self.included(base)
             base.class_eval do
               view 'app/views/layouts/nav/sidebar/_project.html.haml' do
diff --git a/qa/qa/page/project/sub_menus/issues.rb b/qa/qa/page/project/sub_menus/issues.rb
index f81e4f34909..8fb8fa06346 100644
--- a/qa/qa/page/project/sub_menus/issues.rb
+++ b/qa/qa/page/project/sub_menus/issues.rb
@@ -5,6 +5,8 @@ module QA
     module Project
       module SubMenus
         module Issues
+          include Page::Project::SubMenus::Common
+
           def self.included(base)
             base.class_eval do
               view 'app/views/layouts/nav/sidebar/_project.html.haml' do
diff --git a/qa/qa/page/project/sub_menus/operations.rb b/qa/qa/page/project/sub_menus/operations.rb
index 24a99a9464c..d266cb21417 100644
--- a/qa/qa/page/project/sub_menus/operations.rb
+++ b/qa/qa/page/project/sub_menus/operations.rb
@@ -5,6 +5,8 @@ module QA
     module Project
       module SubMenus
         module Operations
+          include Page::Project::SubMenus::Common
+
           def self.included(base)
             base.class_eval do
               view 'app/views/layouts/nav/sidebar/_project.html.haml' do
diff --git a/qa/qa/page/project/sub_menus/repository.rb b/qa/qa/page/project/sub_menus/repository.rb
index 4cc73a6b25a..c53d805c61d 100644
--- a/qa/qa/page/project/sub_menus/repository.rb
+++ b/qa/qa/page/project/sub_menus/repository.rb
@@ -5,6 +5,8 @@ module QA
     module Project
       module SubMenus
         module Repository
+          include Page::Project::SubMenus::Common
+
           def self.included(base)
             base.class_eval do
               view 'app/views/layouts/nav/sidebar/_project.html.haml' do
diff --git a/qa/qa/page/project/sub_menus/settings.rb b/qa/qa/page/project/sub_menus/settings.rb
index 88b45ec55ae..1cd39fcff58 100644
--- a/qa/qa/page/project/sub_menus/settings.rb
+++ b/qa/qa/page/project/sub_menus/settings.rb
@@ -5,6 +5,8 @@ module QA
     module Project
       module SubMenus
         module Settings
+          include Page::Project::SubMenus::Common
+
           def self.included(base)
             base.class_eval do
               view 'app/views/layouts/nav/sidebar/_project.html.haml' do
diff --git a/qa/qa/specs/features/browser_ui/2_plan/issue/check_mentions_for_xss_spec.rb b/qa/qa/specs/features/browser_ui/2_plan/issue/check_mentions_for_xss_spec.rb
new file mode 100644
index 00000000000..013cea0a40e
--- /dev/null
+++ b/qa/qa/specs/features/browser_ui/2_plan/issue/check_mentions_for_xss_spec.rb
@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module QA
+  context 'Plan' do
+    describe 'check xss occurence in @mentions in issues' do
+      let(:issue_title) { 'issue title' }
+
+      it 'user mentions a user in comment' do
+        Runtime::Browser.visit(:gitlab, Page::Main::Login)
+        Page::Main::Login.perform(&:sign_in_using_credentials)
+
+        user = Resource::User.fabricate! do |user|
+          user.name = "eve <img src=x onerror=alert(2)&lt;img src=x onerror=alert(1)&gt;"
+          user.password = "test1234"
+        end
+
+        project = Resource::Project.fabricate! do |resource|
+          resource.name = 'xss-test-for-mentions-project'
+        end
+        project.visit!
+
+        Page::Project::Show.perform(&:go_to_members_settings)
+        Page::Project::Settings::Members.perform do |page|
+          page.add_member(user.username)
+        end
+
+        Resource::Issue.fabricate_via_browser_ui! do |issue|
+          issue.title = issue_title
+          issue.project = project
+        end
+
+        Page::Project::Issue::Show.perform do |show_page|
+          show_page.select_all_activities_filter
+          show_page.comment('cc-ing you here @eve')
+
+          expect do
+            expect(show_page).to have_content("cc-ing you here")
+          end.not_to raise_error # Selenium::WebDriver::Error::UnhandledAlertError
+        end
+      end
+    end
+  end
+end
author	Ramya Authappan <rauthappan@gitlab.com>	2019-07-04 04:21:09 +0000
committer	Mark Lapierre <mlapierre@gitlab.com>	2019-07-04 04:21:09 +0000
commit	4e75c7135a4c5309c02a6335de583cd097cc72c7 (patch)
tree	68ab979180a52d578c0542965c5d9b554f450b9c
parent	19dc1105524e3d25821670706a750043775588fa (diff)
download	gitlab-ce-4e75c7135a4c5309c02a6335de583cd097cc72c7.tar.gz