diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-01-18 19:00:14 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-01-18 19:00:14 +0000 |
commit | 05f0ebba3a2c8ddf39e436f412dc2ab5bf1353b2 (patch) | |
tree | 11d0f2a6ec31c7793c184106cedc2ded3d9a2cc5 /spec/controllers/concerns/content_security_policy_patch_spec.rb | |
parent | ec73467c23693d0db63a797d10194da9e72a74af (diff) | |
download | gitlab-ce-05f0ebba3a2c8ddf39e436f412dc2ab5bf1353b2.tar.gz |
Add latest changes from gitlab-org/gitlab@15-8-stable-eev15.8.0-rc42
Diffstat (limited to 'spec/controllers/concerns/content_security_policy_patch_spec.rb')
-rw-r--r-- | spec/controllers/concerns/content_security_policy_patch_spec.rb | 116 |
1 files changed, 116 insertions, 0 deletions
diff --git a/spec/controllers/concerns/content_security_policy_patch_spec.rb b/spec/controllers/concerns/content_security_policy_patch_spec.rb new file mode 100644 index 00000000000..6322950977c --- /dev/null +++ b/spec/controllers/concerns/content_security_policy_patch_spec.rb @@ -0,0 +1,116 @@ +# frozen_string_literal: true + +require "spec_helper" + +# Based on https://github.com/rails/rails/pull/45115/files#diff-35ef6d1bd8b8d3b037ec819a704cd78db55db916a57abfc2859882826fc679b6 +RSpec.describe ContentSecurityPolicyPatch, feature_category: :not_owned do + include Rack::Test::Methods + + let(:routes) do + ActionDispatch::Routing::RouteSet.new.tap do |routes| + routes.draw do + # Using Testing module defined below + scope module: "testing" do + get "/", to: "policy#index" + end + end + end + end + + let(:csp) do + ActionDispatch::ContentSecurityPolicy.new do |p| + p.default_src -> { :self } + p.script_src -> { :https } + end + end + + let(:policy_middleware) do + Module.new do + def self.new(app, policy) + ->(env) do + env["action_dispatch.content_security_policy"] = policy + + app.call(env) + end + end + end + end + + subject(:app) do + build_app(routes) do |middleware| + middleware.use policy_middleware, csp + middleware.use ActionDispatch::ContentSecurityPolicy::Middleware + end + end + + def setup_controller + application_controller = Class.new(ActionController::Base) do # rubocop:disable Rails/ApplicationController + helper_method :sky_is_blue? + def sky_is_blue? + true + end + end + + policy_controller = Class.new(application_controller) do + extend ContentSecurityPolicyPatch + + content_security_policy_with_context do |p| + p.default_src "https://example.com" + p.script_src "https://example.com" if helpers.sky_is_blue? + end + + def index + head :ok + end + end + + stub_const("Testing::ApplicationController", application_controller) + stub_const("Testing::PolicyController", policy_controller) + end + + def build_app(routes) + stack = ActionDispatch::MiddlewareStack.new do |middleware| + middleware.use ActionDispatch::DebugExceptions + middleware.use ActionDispatch::ActionableExceptions + middleware.use ActionDispatch::Callbacks + middleware.use ActionDispatch::Cookies + middleware.use ActionDispatch::Flash + middleware.use Rack::MethodOverride + middleware.use Rack::Head + + yield(middleware) if block_given? + end + + app = stack.build(routes) + + ->(env) { app.call(env) } + end + + it "calls helper method" do + setup_controller + + response = get "/" + + csp_header = response.headers["Content-Security-Policy"] + + expect(csp_header).to include "default-src https://example.com" + expect(csp_header).to include "script-src https://example.com" + end + + it "does not emit any warnings" do + expect { setup_controller }.not_to output.to_stderr + end + + context "with Rails version 7.2" do + before do + version = Gem::Version.new("7.2.0") + allow(Rails).to receive(:gem_version).and_return(version) + end + + it "emits a deprecation warning" do + expect { setup_controller } + .to output(/Use content_security_policy instead/) + .to_stderr + end + end +end |