diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-06-29 19:21:38 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-06-29 19:21:38 +0000 |
commit | 11e9b7b58837da351f08c18e6f0f4faba4d7d301 (patch) | |
tree | d9b28159a53c3814c8a2e6b33a5f01557b757439 /spec/lib/banzai | |
parent | 2b0b97e746e327c6168505df7740e667b690a27f (diff) | |
download | gitlab-ce-11e9b7b58837da351f08c18e6f0f4faba4d7d301.tar.gz |
Add latest changes from gitlab-org/security/gitlab@13-1-stable-ee
Diffstat (limited to 'spec/lib/banzai')
-rw-r--r-- | spec/lib/banzai/filter/abstract_reference_filter_spec.rb | 12 | ||||
-rw-r--r-- | spec/lib/banzai/filter/upload_link_filter_spec.rb | 1 | ||||
-rw-r--r-- | spec/lib/banzai/pipeline/full_pipeline_spec.rb | 2 |
3 files changed, 14 insertions, 1 deletions
diff --git a/spec/lib/banzai/filter/abstract_reference_filter_spec.rb b/spec/lib/banzai/filter/abstract_reference_filter_spec.rb index 798112d0f53..6890a70518b 100644 --- a/spec/lib/banzai/filter/abstract_reference_filter_spec.rb +++ b/spec/lib/banzai/filter/abstract_reference_filter_spec.rb @@ -20,6 +20,18 @@ describe Banzai::Filter::AbstractReferenceFilter do end end + describe '#data_attributes_for' do + let_it_be(:issue) { create(:issue, project: project) } + + it 'is not an XSS vector' do + allow(described_class).to receive(:object_class).and_return(Issue) + + data_attributes = filter.data_attributes_for('xss <img onerror=alert(1) src=x>', project, issue, link_content: true) + + expect(data_attributes[:original]).to eq('xss &lt;img onerror=alert(1) src=x&gt;') + end + end + describe '#parent_per_reference' do it 'returns a Hash containing projects grouped per parent paths' do expect(filter).to receive(:references_per_parent) diff --git a/spec/lib/banzai/filter/upload_link_filter_spec.rb b/spec/lib/banzai/filter/upload_link_filter_spec.rb index c366f774895..8844ad78306 100644 --- a/spec/lib/banzai/filter/upload_link_filter_spec.rb +++ b/spec/lib/banzai/filter/upload_link_filter_spec.rb @@ -229,6 +229,7 @@ describe Banzai::Filter::UploadLinkFilter do 'invalid UTF-8 byte sequences' | '%FF' 'garbled path' | 'open(/var/tmp/):%20/location%0Afrom:%20/test' 'whitespace' | "d18213acd3732630991986120e167e3d/Landscape_8.jpg\nand more" + 'null byte' | "%00" end with_them do diff --git a/spec/lib/banzai/pipeline/full_pipeline_spec.rb b/spec/lib/banzai/pipeline/full_pipeline_spec.rb index 4fa39da3eb4..b4047e369fb 100644 --- a/spec/lib/banzai/pipeline/full_pipeline_spec.rb +++ b/spec/lib/banzai/pipeline/full_pipeline_spec.rb @@ -24,7 +24,7 @@ describe Banzai::Pipeline::FullPipeline do it 'escapes the data-original attribute on a reference' do markdown = %Q{[">bad things](#{issue.to_reference})} result = described_class.to_html(markdown, project: project) - expect(result).to include(%{data-original='\">bad things'}) + expect(result).to include(%{data-original='\"&gt;bad things'}) end end |