author | Robert Speicher <rspeicher@gmail.com> | 2021-01-20 13:34:23 -0600 |
---|---|---|
committer | Robert Speicher <rspeicher@gmail.com> | 2021-01-20 13:34:23 -0600 |
commit | 6438df3a1e0fb944485cebf07976160184697d72 (patch) | |
tree | 00b09bfd170e77ae9391b1a2f5a93ef6839f2597 /spec/lib/banzai | |
parent | 42bcd54d971da7ef2854b896a7b34f4ef8601067 (diff) | |
Add latest changes from gitlab-org/gitlab@13-8-stable-ee (v13.8.0-rc42)
Diffstat (limited to 'spec/lib/banzai')
8 files changed, 89 insertions, 33 deletions
diff --git a/spec/lib/banzai/filter/asset_proxy_filter_spec.rb b/spec/lib/banzai/filter/asset_proxy_filter_spec.rb index 2a4ee28130b..1f886059bf6 100644 --- a/spec/lib/banzai/filter/asset_proxy_filter_spec.rb +++ b/spec/lib/banzai/filter/asset_proxy_filter_spec.rb @@ -35,8 +35,8 @@ RSpec.describe Banzai::Filter::AssetProxyFilter do expect(Gitlab.config.asset_proxy.enabled).to be_truthy expect(Gitlab.config.asset_proxy.secret_key).to eq 'shared-secret' expect(Gitlab.config.asset_proxy.url).to eq 'https://assets.example.com' - expect(Gitlab.config.asset_proxy.whitelist).to eq %w(gitlab.com *.mydomain.com) - expect(Gitlab.config.asset_proxy.domain_regexp).to eq /^(gitlab\.com|.*?\.mydomain\.com)$/i + expect(Gitlab.config.asset_proxy.allowlist).to eq %w(gitlab.com *.mydomain.com) + expect(Gitlab.config.asset_proxy.domain_regexp).to eq(/^(gitlab\.com|.*?\.mydomain\.com)$/i) end context 'when whitelist is empty' do @@ -46,7 +46,7 @@ RSpec.describe Banzai::Filter::AssetProxyFilter do described_class.initialize_settings - expect(Gitlab.config.asset_proxy.whitelist).to eq [Gitlab.config.gitlab.host] + expect(Gitlab.config.asset_proxy.allowlist).to eq [Gitlab.config.gitlab.host] end end end @@ -56,8 +56,8 @@ RSpec.describe Banzai::Filter::AssetProxyFilter do stub_asset_proxy_setting(enabled: true) stub_asset_proxy_setting(secret_key: 'shared-secret') stub_asset_proxy_setting(url: 'https://assets.example.com') - stub_asset_proxy_setting(whitelist: %W(gitlab.com *.mydomain.com #{Gitlab.config.gitlab.host})) - stub_asset_proxy_setting(domain_regexp: described_class.compile_whitelist(Gitlab.config.asset_proxy.whitelist)) + stub_asset_proxy_setting(allowlist: %W(gitlab.com *.mydomain.com #{Gitlab.config.gitlab.host})) + stub_asset_proxy_setting(domain_regexp: described_class.compile_allowlist(Gitlab.config.asset_proxy.allowlist)) @context = described_class.transform_context({}) end 
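Review bot: The new `domain_regexp` expectation pins an allowlist pattern anchored with `^` and `$`, which in Ruby match at line boundaries rather than at the ends of the string, so a host value containing a newline (for example `evil.example\ngitlab.com`) would satisfy the pattern. Whether such a value can reach the proxy's host check depends on callers not visible here, but for an allowlist the safer construction is `\A`/`\z`, generated in `Banzai::Filter::AssetProxyFilter.compile_allowlist` and mirrored in this expectation as `eq(/\A(gitlab\.com|.*?\.mydomain\.com)\z/i)`. Changing only the spec would make it fail, so the implementation and this line should move together.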
diff --git a/spec/lib/banzai/filter/broadcast_message_sanitization_filter_spec.rb b/spec/lib/banzai/filter/broadcast_message_sanitization_filter_spec.rb index 1f65268bd3c..67b480f8973 100644 --- a/spec/lib/banzai/filter/broadcast_message_sanitization_filter_spec.rb +++ b/spec/lib/banzai/filter/broadcast_message_sanitization_filter_spec.rb @@ -5,9 +5,9 @@ require 'spec_helper' RSpec.describe Banzai::Filter::BroadcastMessageSanitizationFilter do include FilterSpecHelper - it_behaves_like 'default whitelist' + it_behaves_like 'default allowlist' - describe 'custom whitelist' do + describe 'custom allowlist' do it_behaves_like 'XSS prevention' it_behaves_like 'sanitize link' @@ -26,19 +26,19 @@ RSpec.describe Banzai::Filter::BroadcastMessageSanitizationFilter do end context 'when `a` elements have `style` attribute' do - let(:whitelisted_style) { 'color: red; border: blue; background: green; padding: 10px; margin: 10px; text-decoration: underline;' } + let(:allowed_style) { 'color: red; border: blue; background: green; padding: 10px; margin: 10px; text-decoration: underline;' } context 'allows specific properties' do - let(:exp) { %{<a href="#" style="#{whitelisted_style}">Stylish Link</a>} } + let(:exp) { %{<a href="#" style="#{allowed_style}">Stylish Link</a>} } it { is_expected.to eq(exp) } end it 'disallows other properties in `style` attribute on `a` elements' do - style = [whitelisted_style, 'position: fixed'].join(';') + style = [allowed_style, 'position: fixed'].join(';') doc = filter(%{<a href="#" style="#{style}">Stylish Link</a>}) - expect(doc.at_css('a')['style']).to eq(whitelisted_style) + expect(doc.at_css('a')['style']).to eq(allowed_style) end end diff --git a/spec/lib/banzai/filter/reference_redactor_filter_spec.rb b/spec/lib/banzai/filter/reference_redactor_filter_spec.rb index ac1cabb34cc..d0336e9e059 100644 --- a/spec/lib/banzai/filter/reference_redactor_filter_spec.rb +++ b/spec/lib/banzai/filter/reference_redactor_filter_spec.rb 
@@ -143,15 +143,32 @@ RSpec.describe Banzai::Filter::ReferenceRedactorFilter do expect(doc.css('a').length).to eq 1 end - it 'allows references for admin' do - admin = create(:admin) - project = create(:project, :public) - issue = create(:issue, :confidential, project: project) - link = reference_link(project: project.id, issue: issue.id, reference_type: 'issue') + context 'for admin' do + context 'when admin mode is enabled', :enable_admin_mode do + it 'allows references' do + admin = create(:admin) + project = create(:project, :public) + issue = create(:issue, :confidential, project: project) + link = reference_link(project: project.id, issue: issue.id, reference_type: 'issue') + + doc = filter(link, current_user: admin) + + expect(doc.css('a').length).to eq 1 + end + end - doc = filter(link, current_user: admin) + context 'when admin mode is disabled' do + it 'removes references' do + admin = create(:admin) + project = create(:project, :public) + issue = create(:issue, :confidential, project: project) + link = reference_link(project: project.id, issue: issue.id, reference_type: 'issue') - expect(doc.css('a').length).to eq 1 + doc = filter(link, current_user: admin) + + expect(doc.css('a').length).to eq 0 + end + end end context "when a confidential issue is moved from a public project to a private one" do diff --git a/spec/lib/banzai/filter/sanitization_filter_spec.rb b/spec/lib/banzai/filter/sanitization_filter_spec.rb index 09dcd5518ff..bc4b60dfe60 100644 --- a/spec/lib/banzai/filter/sanitization_filter_spec.rb +++ b/spec/lib/banzai/filter/sanitization_filter_spec.rb 
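Review bot: The two new admin contexts repeat the same four-line fixture setup (`admin`, `project`, `issue`, `link`) verbatim, which buries the only meaningful difference between them, the `:enable_admin_mode` tag. Hoisting the fixtures into `let` blocks at the `context 'for admin'` level leaves each example as just the `filter` call and its expectation, and makes it obvious that the 1-versus-0 link count is driven solely by admin mode. The disabled case relies on admin mode being off for untagged examples; that matches the tag usage but is inferred rather than visible in this hunk.

```ruby
  context 'for admin' do
    let(:admin) { create(:admin) }
    let(:project) { create(:project, :public) }
    let(:issue) { create(:issue, :confidential, project: project) }
    let(:link) { reference_link(project: project.id, issue: issue.id, reference_type: 'issue') }

    context 'when admin mode is enabled', :enable_admin_mode do
      it 'allows references' do
        doc = filter(link, current_user: admin)

        expect(doc.css('a').length).to eq 1
      end
    end

    # … unchanged shape: 'when admin mode is disabled' context, expecting 0 links …
  end
```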
@@ -5,31 +5,31 @@ require 'spec_helper' RSpec.describe Banzai::Filter::SanitizationFilter do include FilterSpecHelper - it_behaves_like 'default whitelist' + it_behaves_like 'default allowlist' - describe 'custom whitelist' do + describe 'custom allowlist' do it_behaves_like 'XSS prevention' it_behaves_like 'sanitize link' - it 'customizes the whitelist only once' do + it 'customizes the allowlist only once' do instance = described_class.new('Foo') - control_count = instance.whitelist[:transformers].size + control_count = instance.allowlist[:transformers].size - 3.times { instance.whitelist } + 3.times { instance.allowlist } - expect(instance.whitelist[:transformers].size).to eq control_count + expect(instance.allowlist[:transformers].size).to eq control_count end - it 'customizes the whitelist only once for different instances' do + it 'customizes the allowlist only once for different instances' do instance1 = described_class.new('Foo1') instance2 = described_class.new('Foo2') - control_count = instance1.whitelist[:transformers].size + control_count = instance1.allowlist[:transformers].size - instance1.whitelist - instance2.whitelist + instance1.allowlist + instance2.allowlist - expect(instance1.whitelist[:transformers].size).to eq control_count - expect(instance2.whitelist[:transformers].size).to eq control_count + expect(instance1.allowlist[:transformers].size).to eq control_count + expect(instance2.allowlist[:transformers].size).to eq control_count end it 'sanitizes `class` attribute from all elements' do diff --git a/spec/lib/banzai/filter/truncate_source_filter_spec.rb b/spec/lib/banzai/filter/truncate_source_filter_spec.rb new file mode 100644 index 00000000000..b0c6d91daa8 --- /dev/null +++ b/spec/lib/banzai/filter/truncate_source_filter_spec.rb 
@@ -0,0 +1,31 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe Banzai::Filter::TruncateSourceFilter do + include FilterSpecHelper + + let(:short_text) { 'foo' * 10 } + let(:long_text) { ([short_text] * 10).join(' ') } + + it 'does nothing when limit is unspecified' do + output = filter(long_text) + + expect(output).to eq(long_text) + end + + it 'does nothing to a short-enough text' do + output = filter(short_text, limit: short_text.bytesize) + + expect(output).to eq(short_text) + end + + it 'truncates UTF-8 text by bytes, on a character boundary' do + utf8_text = '日本語の文字が大きい' + truncated = '日…' + + expect(filter(utf8_text, limit: truncated.bytesize)).to eq(truncated) + expect(filter(utf8_text, limit: utf8_text.bytesize)).to eq(utf8_text) + expect(filter(utf8_text, limit: utf8_text.mb_chars.size)).not_to eq(utf8_text) + end +end diff --git a/spec/lib/banzai/pipeline/description_pipeline_spec.rb b/spec/lib/banzai/pipeline/description_pipeline_spec.rb index 82d4f883e0d..be553433e9e 100644 --- a/spec/lib/banzai/pipeline/description_pipeline_spec.rb +++ b/spec/lib/banzai/pipeline/description_pipeline_spec.rb @@ -21,7 +21,7 @@ RSpec.describe Banzai::Pipeline::DescriptionPipeline do stub_commonmark_sourcepos_disabled end - it 'uses a limited whitelist' do + it 'uses a limited allowlist' do doc = parse('# Description') expect(doc.strip).to eq 'Description' diff --git a/spec/lib/banzai/pipeline/gfm_pipeline_spec.rb b/spec/lib/banzai/pipeline/gfm_pipeline_spec.rb index 247f4591632..31047b9494a 100644 --- a/spec/lib/banzai/pipeline/gfm_pipeline_spec.rb +++ b/spec/lib/banzai/pipeline/gfm_pipeline_spec.rb 
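Review bot: The last assertion in 'truncates UTF-8 text by bytes, on a character boundary' only checks `not_to eq(utf8_text)`, so a result that overran the byte limit or split a multibyte character would still pass. State the contract instead: `result = filter(utf8_text, limit: utf8_text.mb_chars.size)`, then `expect(result.bytesize).to be <= utf8_text.mb_chars.size` and `expect(result.valid_encoding?).to be(true)`. Since this filter presumably exists to bound the size of user-supplied markdown (inferred from its name, the implementation is not in this diff), a case for `limit: 0` and for a limit smaller than the 3-byte ellipsis would also pin the edge behaviour that matters most for that purpose.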
@@ -176,8 +176,8 @@ RSpec.describe Banzai::Pipeline::GfmPipeline do stub_asset_proxy_setting(enabled: true) stub_asset_proxy_setting(secret_key: 'shared-secret') stub_asset_proxy_setting(url: 'https://assets.example.com') - stub_asset_proxy_setting(whitelist: %W(gitlab.com *.mydomain.com #{Gitlab.config.gitlab.host})) - stub_asset_proxy_setting(domain_regexp: Banzai::Filter::AssetProxyFilter.compile_whitelist(Gitlab.config.asset_proxy.whitelist)) + stub_asset_proxy_setting(allowlist: %W(gitlab.com *.mydomain.com #{Gitlab.config.gitlab.host})) + stub_asset_proxy_setting(domain_regexp: Banzai::Filter::AssetProxyFilter.compile_allowlist(Gitlab.config.asset_proxy.allowlist)) end it 'replaces a lazy loaded img src' do diff --git a/spec/lib/banzai/pipeline/pre_process_pipeline_spec.rb b/spec/lib/banzai/pipeline/pre_process_pipeline_spec.rb index fc74c592867..f0498f41b61 100644 --- a/spec/lib/banzai/pipeline/pre_process_pipeline_spec.rb +++ b/spec/lib/banzai/pipeline/pre_process_pipeline_spec.rb @@ -24,4 +24,12 @@ RSpec.describe Banzai::Pipeline::PreProcessPipeline do expect(result[:output]).to include "> blockquote\n" end end + + it 'truncates the text if requested' do + text = (['foo'] * 10).join(' ') + + result = described_class.call(text, limit: 12) + + expect(result[:output]).to eq('foo foo f…') + end end |
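Review bot: The expectation `eq('foo foo f…')` for `limit: 12` reads as an off-by-three unless the reader knows that `…` is three bytes in UTF-8 and, as the expected value implies, counts toward the limit; add `# 9 bytes of text plus the 3-byte UTF-8 ellipsis fill the 12-byte limit` above the `expect`. A second example asserting `described_class.call(text, limit: text.bytesize)[:output]` equals `text` would also show the pipeline leaves in-range input untouched when the option is present. The enclosing `RSpec.describe` block starts outside this hunk.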