authorGitLab Bot <gitlab-bot@gitlab.com>2021-05-04 15:10:36 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-05-04 15:10:36 +0000
commitbe4b3134a282f7a8812306777abd2d3150deecdc (patch)
tree0563327ce590b415047686c6feff43496742b49a /spec/features/runners_spec.rb
parent998adcc422d4161515bf2960ef4dce71258f69a3 (diff)
downloadgitlab-ce-be4b3134a282f7a8812306777abd2d3150deecdc.tar.gz
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'spec/features/runners_spec.rb')
-rw-r--r--spec/features/runners_spec.rb67
1 files changed, 58 insertions, 9 deletions
diff --git a/spec/features/runners_spec.rb b/spec/features/runners_spec.rb
index acfb7c2602a..64250931006 100644
--- a/spec/features/runners_spec.rb
+++ b/spec/features/runners_spec.rb
@@ -160,18 +160,67 @@ RSpec.describe 'Runners' do
end
end
- context 'when application settings have shared_runners_text' do
- let(:shared_runners_text) { 'custom **shared** runners description' }
- let(:shared_runners_html) { 'custom shared runners description' }
+ context 'shared runner text' do
+ context 'when application settings have no shared_runners_text' do
+ it 'user sees default shared runners description' do
+ visit project_runners_path(project)
- before do
- stub_application_setting(shared_runners_text: shared_runners_text)
+ page.within("[data-testid='shared-runners-description']") do
+ expect(page).to have_content('The same shared runner executes code from multiple projects')
+ end
+ end
end
- it 'user sees shared runners description' do
- visit project_runners_path(project)
+ context 'when application settings have shared_runners_text' do
+ let(:shared_runners_text) { 'custom **shared** runners description' }
+ let(:shared_runners_html) { 'custom shared runners description' }
+
+ before do
+ stub_application_setting(shared_runners_text: shared_runners_text)
+ end
+
+ it 'user sees shared runners description' do
+ visit project_runners_path(project)
+
+ page.within("[data-testid='shared-runners-description']") do
+ expect(page).not_to have_content('The same shared runner executes code from multiple projects')
+ expect(page).to have_content(shared_runners_html)
+ end
+ end
+ end
+
+ context 'when application settings have an unsafe link in shared_runners_text' do
+ let(:shared_runners_text) { '<a href="javascript:alert(\'xss\')">link</a>' }
+
+ before do
+ stub_application_setting(shared_runners_text: shared_runners_text)
+ end
+
+ it 'user sees no link' do
+ visit project_runners_path(project)
+
+ page.within("[data-testid='shared-runners-description']") do
+ expect(page).to have_content('link')
+ expect(page).not_to have_link('link')
+ end
+ end
+ end
- expect(page.find('.shared-runners-description')).to have_content(shared_runners_html)
+ context 'when application settings have an unsafe image in shared_runners_text' do
+ let(:shared_runners_text) { '<img src="404.png" onerror="alert(\'xss\')"/>' }
+
+ before do
+ stub_application_setting(shared_runners_text: shared_runners_text)
+ end
+
+ it 'user sees image safely' do
+ visit project_runners_path(project)
+
+ page.within("[data-testid='shared-runners-description']") do
+ expect(page).to have_css('img')
+ expect(page).not_to have_css('img[onerror]')
+ end
+ end
end
end
end
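Review bot: The 'user sees no link' example checks sanitization only through `expect(page).not_to have_link('link')`, which locates the anchor by its visible text and, by Capybara's default, only counts anchors that carry an href. That makes the result depend on the link text surviving rendering unchanged rather than on the unsafe scheme being gone. Adding `expect(page).not_to have_css('a[href^="javascript:"]')` inside the same `page.within` block would pin the property the spec is named for. Separately, the identical `before { stub_application_setting(shared_runners_text: shared_runners_text) }` is repeated in three sibling contexts and could be hoisted into a shared wrapper context, leaving the no-text context outside it. The enclosing `RSpec.describe 'Runners'` block starts and ends outside this hunk, so whether these examples run with a JavaScript driver cannot be confirmed from here.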
@@ -190,7 +239,7 @@ RSpec.describe 'Runners' do
click_on 'Enable shared runners'
- expect(page.find('.shared-runners-description')).to have_content('Disable shared runners')
+ expect(page.find("[data-testid='shared-runners-description']")).to have_content('Disable shared runners')
expect(page).not_to have_selector('#toggle-shared-runners-form')
end
end