author | Robert Speicher <rspeicher@gmail.com> | 2019-06-03 17:01:25 +0000 |
---|---|---|
committer | Robert Speicher <rspeicher@gmail.com> | 2019-06-03 17:01:25 +0000 |
commit | 5906fb2e45f352b8fc02f0e98a6148d0c0b2db59 (patch) | |
tree | 98556faf9c2817d31098ef50e8641488e5969813 /spec/lib/banzai | |
parent | 2b13462ac4f091a56c538042712dcf736bb50474 (diff) | |
parent | a76fdcb7a30c6244ffb11a2e672e16d1e5b413b2 (diff) | |
download | gitlab-ce-5906fb2e45f352b8fc02f0e98a6148d0c0b2db59.tar.gz |
Merge branch 'security-60143-address-xss-issue-master' into 'master'
Reject slug+uri concat if slug is deemed unsafe
See merge request gitlab/gitlabhq!3108
Diffstat (limited to 'spec/lib/banzai')
-rw-r--r-- | spec/lib/banzai/filter/wiki_link_filter_spec.rb | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/spec/lib/banzai/filter/wiki_link_filter_spec.rb b/spec/lib/banzai/filter/wiki_link_filter_spec.rb
index b9059b85fdc..cce1cd0b284 100644
--- a/spec/lib/banzai/filter/wiki_link_filter_spec.rb
+++ b/spec/lib/banzai/filter/wiki_link_filter_spec.rb
@@ -70,5 +70,47 @@ describe Banzai::Filter::WikiLinkFilter do
 expect(filtered_link.attribute('href').value).to eq(invalid_link)
 end
 end
+
+ context "when the slug is deemed unsafe or invalid" do
+ let(:link) { "alert(1);" }
+
+ invalid_slugs = [
+ "javascript:",
+ "JaVaScRiPt:",
+ "\u0001java\u0003script:",
+ "javascript :",
+ "javascript: ",
+ "javascript : ",
+ ":javascript:",
+ "javascript:",
+ "javascript:",
+ "javascript:",
+ "javascript:",
+ "java\0script:",
+ "  javascript:"
+ ]
+
+ invalid_slugs.each do |slug|
+ context "with the slug #{slug}" do
+ it "doesn't rewrite a (.) relative link" do
+ filtered_link = filter(
+ "<a href='.#{link}'>Link</a>",
+ project_wiki: wiki,
+ page_slug: slug).children[0]
+
+ expect(filtered_link.attribute('href').value).not_to include(slug)
+ end
+
+ it "doesn't rewrite a (..) relative link" do
+ filtered_link = filter(
+ "<a href='..#{link}'>Link</a>",
+ project_wiki: wiki,
+ page_slug: slug).children[0]
+
+ expect(filtered_link.attribute('href').value).not_to include(slug)
+ end
+ end
+ end
+ end
 end
 end |
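Review bot: The new examples assert only `not_to include(slug)`, which is weaker than the sibling test in the hunk's leading context that pins the href with `eq(invalid_link)`; a rewrite that normalised or stripped the slug's whitespace or control characters (for instance turning `"javascript :"` or `"java\0script:"` into `javascript:`) would still pass this assertion while emitting a dangerous href. Asserting that the href is left untouched, `expect(filtered_link.attribute('href').value).to eq(".#{link}")` in the first example and `eq("..#{link}")` in the second, pins the intended "do not rewrite" behaviour directly. Separately, the list contains four identical `"javascript:"` entries; on this rendered page they are presumably HTML-entity-encoded variants flattened by the viewer, but if the spec source really repeats the literal they add no coverage and should be restored to the encoded forms. The `context "with the slug #{slug}"` description also interpolates raw control characters into example names, which can garble spec output; `context "with the slug #{slug.inspect}"` keeps them readable. The enclosing `describe` block opens before this hunk, so the surrounding `let` definitions (`wiki`, `filter`) are not visible here.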