diff options
author | Cindy Pallares <cindy@gitlab.com> | 2018-11-28 22:53:48 +0000 |
---|---|---|
committer | Cindy Pallares <cindy@gitlab.com> | 2018-11-28 19:14:15 -0500 |
commit | 5736d6606ad7c6d729baa6c4ef789a47ada4ceda (patch) | |
tree | 1ae542a04e8782f61a592e3bceeacc087639a1e5 /spec/controllers/oauth | |
parent | c0e5d9afee57745a79c072b0f57fdcbe164312da (diff) | |
download | gitlab-ce-5736d6606ad7c6d729baa6c4ef789a47ada4ceda.tar.gz |
Merge branch 'security-fix-uri-xss-applications' into 'master'
[master] Resolve "Reflected XSS in OAuth Authorize window due to redirect_uri allowing arbitrary protocols"
See merge request gitlab/gitlabhq!2572
Diffstat (limited to 'spec/controllers/oauth')
-rw-r--r-- | spec/controllers/oauth/applications_controller_spec.rb | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/spec/controllers/oauth/applications_controller_spec.rb b/spec/controllers/oauth/applications_controller_spec.rb index ace8a954e92..b4219856fc0 100644 --- a/spec/controllers/oauth/applications_controller_spec.rb +++ b/spec/controllers/oauth/applications_controller_spec.rb @@ -40,6 +40,23 @@ describe Oauth::ApplicationsController do expect(response).to have_gitlab_http_status(302) expect(response).to redirect_to(profile_path) end + + context 'redirect_uri' do + render_views + + it 'shows an error for a forbidden URI' do + invalid_uri_params = { + doorkeeper_application: { + name: 'foo', + redirect_uri: 'javascript://alert()' + } + } + + post :create, invalid_uri_params + + expect(response.body).to include 'Redirect URI is forbidden by the server' + end + end end end |