Merge branch 'security-fix-uri-xss-applications' into 'master'

[master] Resolve "Reflected XSS in OAuth Authorize window due to redirect_uri allowing arbitrary protocols" See merge request gitlab/gitlabhq!2572
author: Cindy Pallares <cindy@gitlab.com> 2018-11-28 22:53:48 +0000
committer: Cindy Pallares <cindy@gitlab.com> 2018-11-28 19:14:15 -0500
commit: 5736d6606ad7c6d729baa6c4ef789a47ada4ceda (patch)
tree: 1ae542a04e8782f61a592e3bceeacc087639a1e5 /spec/controllers/oauth
parent: c0e5d9afee57745a79c072b0f57fdcbe164312da (diff)
download: gitlab-ce-5736d6606ad7c6d729baa6c4ef789a47ada4ceda.tar.gz
1 files changed, 17 insertions, 0 deletions
diff --git a/spec/controllers/oauth/applications_controller_spec.rb b/spec/controllers/oauth/applications_controller_spec.rb
index ace8a954e92..b4219856fc0 100644
--- a/spec/controllers/oauth/applications_controller_spec.rb
+++ b/spec/controllers/oauth/applications_controller_spec.rb
@@ -40,6 +40,23 @@ describe Oauth::ApplicationsController do
         expect(response).to have_gitlab_http_status(302)
         expect(response).to redirect_to(profile_path)
       end
+
+      context 'redirect_uri' do
+        render_views
+
+        it 'shows an error for a forbidden URI' do
+          invalid_uri_params = {
+            doorkeeper_application: {
+              name: 'foo',
+              redirect_uri: 'javascript://alert()'
+            }
+          }
+
+          post :create, invalid_uri_params
+
+          expect(response.body).to include 'Redirect URI is forbidden by the server'
+        end
+      end
     end
   end
author	Cindy Pallares <cindy@gitlab.com>	2018-11-28 22:53:48 +0000
committer	Cindy Pallares <cindy@gitlab.com>	2018-11-28 19:14:15 -0500
commit	5736d6606ad7c6d729baa6c4ef789a47ada4ceda (patch)
tree	1ae542a04e8782f61a592e3bceeacc087639a1e5 /spec/controllers/oauth
parent	c0e5d9afee57745a79c072b0f57fdcbe164312da (diff)
download	gitlab-ce-5736d6606ad7c6d729baa6c4ef789a47ada4ceda.tar.gz