authorGitLab Bot <gitlab-bot@gitlab.com>2023-03-30 13:26:49 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2023-03-30 13:26:49 +0000
commita2b7634113a2b2f3b9aad86b1a98c52c380e5e76 (patch)
treec9c9ebb914be91d9c5996f708721110276a38be1 /spec/controllers/concerns/confirm_email_warning_spec.rb
parent2504d16ea735532cdb5a79403221b5fe262eb65f (diff)
Add latest changes from gitlab-org/security/gitlab@15-10-stable-eev15.10.1
Diffstat (limited to 'spec/controllers/concerns/confirm_email_warning_spec.rb')
-rw-r--r--spec/controllers/concerns/confirm_email_warning_spec.rb34
1 files changed, 33 insertions, 1 deletions
diff --git a/spec/controllers/concerns/confirm_email_warning_spec.rb b/spec/controllers/concerns/confirm_email_warning_spec.rb
index fca99d37000..7cfbd86cdcb 100644
--- a/spec/controllers/concerns/confirm_email_warning_spec.rb
+++ b/spec/controllers/concerns/confirm_email_warning_spec.rb
@@ -2,7 +2,7 @@
require 'spec_helper'
-RSpec.describe ConfirmEmailWarning do
+RSpec.describe ConfirmEmailWarning, feature_category: :system_access do
before do
stub_application_setting_enum('email_confirmation_setting', 'soft')
end
@@ -82,6 +82,38 @@ RSpec.describe ConfirmEmailWarning do
it { is_expected.to set_confirm_warning_for(user.email) }
end
end
+
+ context 'when user is being impersonated' do
+ let(:impersonator) { create(:admin) }
+
+ before do
+ allow(controller).to receive(:session).and_return({ impersonator_id: impersonator.id })
+
+ get :index
+ end
+
+ it { is_expected.to set_confirm_warning_for(user.email) }
+
+ context 'when impersonated user email has html in their email' do
+ let(:user) { create(:user, confirmed_at: nil, unconfirmed_email: "malicious@test.com<form><input/title='<script>alert(document.domain)</script>'>") }
+
+ it { is_expected.to set_confirm_warning_for("malicious@test.com&lt;form&gt;&lt;input/title=&#39;&lt;script&gt;alert(document.domain)&lt;/script&gt;&#39;&gt;") }
+ end
+ end
+
+ context 'when user is not being impersonated' do
+ before do
+ get :index
+ end
+
+ it { is_expected.to set_confirm_warning_for(user.email) }
+
+ context 'when user email has html in their email' do
+ let(:user) { create(:user, confirmed_at: nil, unconfirmed_email: "malicious@test.com<form><input/title='<script>alert(document.domain)</script>'>") }
+
+ it { is_expected.to set_confirm_warning_for("malicious@test.com&lt;form&gt;&lt;input/title=&#39;&lt;script&gt;alert(document.domain)&lt;/script&gt;&#39;&gt;") }
+ end
+ end
end
end
end
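Review bot: The malicious-email fixture and its expected escaped form are written out twice, once in the impersonated context (the `let(:user)` and `it` inside 'when impersonated user email has html in their email') and again verbatim in the non-impersonated one, so a change to the escaping contract would have to be edited in two places. Hoisting them to the enclosing describe as `let(:html_email) { "malicious@test.com<form><input/title='<script>alert(document.domain)</script>'>" }` and `let(:escaped_html_email) { "malicious@test.com&lt;form&gt;&lt;input/title=&#39;&lt;script&gt;alert(document.domain)&lt;/script&gt;&#39;&gt;" }` (or a `shared_examples 'escapes html in the confirm warning'` block that both contexts include) keeps one source of truth for the fixture. Keeping the expected value as a hardcoded literal rather than deriving it via `ERB::Util.html_escape` is the right call here, since the spec should fail if the controller's escaping regresses; a one-line comment above the `let` saying so, e.g. `# Literal expected value: the spec must fail if escaping of unconfirmed_email regresses.`, would stop a future cleanup from "simplifying" it. The `allow(controller).to receive(:session)` stub replaces the whole session hash rather than merging the impersonator key, which presumably is fine for `get :index` here but is worth confirming does not mask other session-dependent behaviour in the concern. The enclosing `RSpec.describe` and the `describe` block these contexts sit in begin before the hunk.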