author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-03-30 13:26:49 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-03-30 13:26:49 +0000 |
commit | a2b7634113a2b2f3b9aad86b1a98c52c380e5e76 (patch) | |
tree | c9c9ebb914be91d9c5996f708721110276a38be1 /spec/controllers/concerns/confirm_email_warning_spec.rb | |
parent | 2504d16ea735532cdb5a79403221b5fe262eb65f (diff) | |
Add latest changes from gitlab-org/security/gitlab@15-10-stable-eev15.10.1
Diffstat (limited to 'spec/controllers/concerns/confirm_email_warning_spec.rb')
-rw-r--r-- | spec/controllers/concerns/confirm_email_warning_spec.rb | 34 |
1 files changed, 33 insertions, 1 deletions
diff --git a/spec/controllers/concerns/confirm_email_warning_spec.rb b/spec/controllers/concerns/confirm_email_warning_spec.rb
index fca99d37000..7cfbd86cdcb 100644
--- a/spec/controllers/concerns/confirm_email_warning_spec.rb
+++ b/spec/controllers/concerns/confirm_email_warning_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
 
-RSpec.describe ConfirmEmailWarning do
+RSpec.describe ConfirmEmailWarning, feature_category: :system_access do
   before do
     stub_application_setting_enum('email_confirmation_setting', 'soft')
   end
 
@@ -82,6 +82,38 @@ RSpec.describe ConfirmEmailWarning do
           it { is_expected.to set_confirm_warning_for(user.email) }
         end
       end
+
+      context 'when user is being impersonated' do
+        let(:impersonator) { create(:admin) }
+
+        before do
+          allow(controller).to receive(:session).and_return({ impersonator_id: impersonator.id })
+
+          get :index
+        end
+
+        it { is_expected.to set_confirm_warning_for(user.email) }
+
+        context 'when impersonated user email has html in their email' do
+          let(:user) { create(:user, confirmed_at: nil, unconfirmed_email: "malicious@test.com<form><input/title='<script>alert(document.domain)</script>'>") }
+
+          it { is_expected.to set_confirm_warning_for("malicious@test.com<form><input/title='<script>alert(document.domain)</script>'>") }
+        end
+      end
+
+      context 'when user is not being impersonated' do
+        before do
+          get :index
+        end
+
+        it { is_expected.to set_confirm_warning_for(user.email) }
+
+        context 'when user email has html in their email' do
+          let(:user) { create(:user, confirmed_at: nil, unconfirmed_email: "malicious@test.com<form><input/title='<script>alert(document.domain)</script>'>") }
+
+          it { is_expected.to set_confirm_warning_for("malicious@test.com<form><input/title='<script>alert(document.domain)</script>'>") }
+        end
+      end
     end
   end
 end |
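Review bot: The two "html in their email" contexts hand the raw `<script>` payload to `set_confirm_warning_for` and nothing in the hunk asserts that the markup is neutralised, so whether this spec actually guards against the XSS depends entirely on how that custom matcher (defined outside the hunk) compares the flash contents; if it does a plain `include` on the unescaped string the spec would pass for both an escaped and an unescaped warning. I would make the security expectation explicit in each of those contexts with a line such as `expect(flash[:warning]).not_to include('<script>')` alongside the matcher, assuming `:warning` is the flash key the concern writes, and likewise assert the escaped form via `ERB::Util.html_escape(user.unconfirmed_email)`. The payload literal is repeated four times; pulling it into a single `let(:malicious_email)` at the `describe` level, and the two identical html contexts into a `shared_examples`, would keep the impersonated and non-impersonated branches from drifting apart. The enclosing `describe`/`context` blocks that the new contexts sit in start before the hunk, so the sign-in and `user` setup they rely on is not visible here.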