authorGitLab Bot <gitlab-bot@gitlab.com>2021-10-27 10:19:31 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-10-27 10:19:47 +0000
commit25e94f0fc4c4666dbbacfcbdd6bce0380b8fe1d0 (patch)
treecb756f7da033b1827b9677dec8ffe20757a80f20 /spec/frontend
parent1ef777bffd5e64ea5764920a30998a4d7c5241e3 (diff)
Add latest changes from gitlab-org/security/gitlab@14-4-stable-ee
Diffstat (limited to 'spec/frontend')
-rw-r--r--spec/frontend/lib/dompurify_spec.js6
-rw-r--r--spec/frontend/lib/utils/url_utility_spec.js21
2 files changed, 26 insertions, 1 deletions
diff --git a/spec/frontend/lib/dompurify_spec.js b/spec/frontend/lib/dompurify_spec.js
index 324441fa2c9..47a94a4dcde 100644
--- a/spec/frontend/lib/dompurify_spec.js
+++ b/spec/frontend/lib/dompurify_spec.js
@@ -22,12 +22,16 @@ const safeUrls = {
const unsafeUrls = [
'/an/evil/url',
'../../../evil/url',
- 'https://evil.url/assets/icons-123a.svg',
+ 'https://evil.url/assets/icons-123a.svg#test',
'https://evil.url/assets/icons-456b.svg',
`https://evil.url/${rootGon.sprite_icons}`,
`https://evil.url/${rootGon.sprite_file_icons}`,
`https://evil.url/${absoluteGon.sprite_icons}`,
`https://evil.url/${absoluteGon.sprite_file_icons}`,
+ `${rootGon.sprite_icons}/../evil/path`,
+ `${rootGon.sprite_file_icons}/../../evil/path`,
+ `${absoluteGon.sprite_icons}/../evil/path`,
+ `${absoluteGon.sprite_file_icons}/../../https://evil.url`,
];
const forbiddenDataAttrs = ['data-remote', 'data-url', 'data-type', 'data-method'];
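Review bot: The four entries appended to `unsafeUrls` carry no comment saying why they belong in the unsafe list, although they are the only cases that start with an allowed sprite path and are therefore the ones a maintainer is most likely to "fix" into the safe list. A one-line comment above them would pin the intent: `// Start with an allowed sprite path but escape it via '..' segments; must still be rejected once the URL is normalized`. Likewise the change on the first modified line, which appends `#test` to an existing evil host entry, reads as a fragment-handling regression check and would be clearer with `// fragment must not bypass the host check` at the end of that line. The array is fully visible in this hunk; the surrounding `safeUrls` definition it is meant to contrast with starts above it.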
diff --git a/spec/frontend/lib/utils/url_utility_spec.js b/spec/frontend/lib/utils/url_utility_spec.js
index 18b68d91e01..36e1a453ef4 100644
--- a/spec/frontend/lib/utils/url_utility_spec.js
+++ b/spec/frontend/lib/utils/url_utility_spec.js
@@ -607,6 +607,27 @@ describe('URL utility', () => {
});
});
+ describe('getNormalizedURL', () => {
+ it.each`
+ url | base | result
+ ${'./foo'} | ${''} | ${'http://test.host/foo'}
+ ${'../john.md'} | ${''} | ${'http://test.host/john.md'}
+ ${'/images/img.png'} | ${'https://gitlab.com'} | ${'https://gitlab.com/images/img.png'}
+ ${'/images/../img.png'} | ${'https://gitlab.com'} | ${'https://gitlab.com/img.png'}
+ ${'/images/./img.png'} | ${'https://gitlab.com'} | ${'https://gitlab.com/images/img.png'}
+ ${'./images/img.png'} | ${'https://gitlab.com/user/project'} | ${'https://gitlab.com/user/images/img.png'}
+ ${'../images/../img.png'} | ${'https://gitlab.com/user/project'} | ${'https://gitlab.com/img.png'}
+ ${'/images/img.png'} | ${'https://gitlab.com/user/project'} | ${'https://gitlab.com/images/img.png'}
+ ${'/images/../img.png'} | ${'https://gitlab.com/user/project'} | ${'https://gitlab.com/img.png'}
+ ${'/images/./img.png'} | ${'https://gitlab.com/user/project'} | ${'https://gitlab.com/images/img.png'}
+ `(
+ 'converts url "$url" with base "$base" to normalized url => "expected"',
+ ({ url, base, result }) => {
+ expect(urlUtils.getNormalizedURL(url, base)).toBe(result);
+ },
+ );
+ });
+
describe('getWebSocketProtocol', () => {
it.each`
protocol | expectation
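Review bot: The `it.each` title string in the new `getNormalizedURL` block interpolates `$url` and `$base` but ends with the literal text `"expected"` instead of the `$result` placeholder, so every generated test name shows the same word where the expected URL should appear. The line should read `'converts url "$url" with base "$base" to normalized url => "$result"',`. The first two rows also pass `''` as `base` and expect a `http://test.host` origin, which presumably comes from the jsdom `window.location` default rather than anything in the table; a short comment on the first row, `// empty base falls back to window.location (http://test.host in jsdom)`, would make that dependency visible. The enclosing `describe('URL utility')` starts and ends outside this hunk.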