authorSean McGivern <sean@gitlab.com>2017-04-05 21:17:49 +0000
committerDJ Mountney <david@twkie.net>2017-04-05 15:58:52 -0700
commitc22e9d8b818d7fec96710a7deb47a84cbbbf41f0 (patch)
tree4bb3052d856be6ea032e85f488955995ec0311aa /spec
parent5f81898343cabd65a49dbbba9d7c00e06b0eca69 (diff)
Merge branch 'open-redirect-fix-continue-to' into 'security'
Fix for open redirect vuln involving continue[to] params. See merge request !2083
Diffstat (limited to 'spec')
-rw-r--r--spec/controllers/projects/imports_controller_spec.rb9
1 files changed, 8 insertions, 1 deletions
diff --git a/spec/controllers/projects/imports_controller_spec.rb b/spec/controllers/projects/imports_controller_spec.rb
index 7c75815f3c4..6724b474179 100644
--- a/spec/controllers/projects/imports_controller_spec.rb
+++ b/spec/controllers/projects/imports_controller_spec.rb
@@ -96,12 +96,19 @@ describe Projects::ImportsController do
}
end
- it 'redirects to params[:to]' do
+ it 'redirects to internal params[:to]' do
get :show, namespace_id: project.namespace.to_param, project_id: project, continue: params
expect(flash[:notice]).to eq params[:notice]
expect(response).to redirect_to params[:to]
end
+
+ it 'does not redirect to external params[:to]' do
+ params[:to] = "//google.com"
+
+ get :show, namespace_id: project.namespace.to_param, project_id: project, continue: params
+ expect(response).not_to redirect_to params[:to]
+ end
end
end
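Review bot: The new example `it 'does not redirect to external params[:to]'` asserts only `expect(response).not_to redirect_to params[:to]`, which passes for any response that is not a redirect to exactly that string, including a redirect to a normalized form of the same host or to some other off-site location. It would be stronger to pin what the response should be; the controller's fallback is not visible in this hunk, so as a minimum I would add `expect(response.location.to_s).not_to include('google.com')`, and assert the expected on-site target once it is known. The example also covers only the protocol-relative form `//google.com`, so a sibling case with an absolute URL that carries a scheme would keep the same check from regressing on the other common shape. The enclosing `describe`/`context` blocks start outside the hunk, so the setup of `params` and `project` is not visible here.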