diff options
| author | Robert Speicher <robert@gitlab.com> | 2017-12-21 18:34:34 +0000 |
|---|---|---|
| committer | Stan Hu <stanhu@gmail.com> | 2018-01-16 17:04:38 -0800 |
| commit | 72a57525a87b694799cd6406e8e8f117a902a890 (patch) | |
| tree | bcca18e6a779039499a484fe8e9a69504a152017 /spec/lib/gitlab | |
| parent | 0424801ec8854167d17c76b68e6ae8c5b5a6a52a (diff) | |
| download | gitlab-ce-72a57525a87b694799cd6406e8e8f117a902a890.tar.gz | |
Merge branch 'ac/41346-xss-ci-job-output' into 'security-10-3'
[10.3] Fix XSS vulnerability in Pipeline job trace
See merge request gitlab/gitlabhq!2258
(cherry picked from commit 44caa80ed9a2514a74a5eeab10ff51849d64851b)
5f86f3ff Fix XSS vulnerability in Pipeline job trace
Diffstat (limited to 'spec/lib/gitlab')
| -rw-r--r-- | spec/lib/gitlab/ci/ansi2html_spec.rb | 55 |
1 files changed, 51 insertions, 4 deletions
diff --git a/spec/lib/gitlab/ci/ansi2html_spec.rb b/spec/lib/gitlab/ci/ansi2html_spec.rb index 05e2d94cbd6..7549e9941b6 100644 --- a/spec/lib/gitlab/ci/ansi2html_spec.rb +++ b/spec/lib/gitlab/ci/ansi2html_spec.rb @@ -217,11 +217,58 @@ describe Gitlab::Ci::Ansi2html do "#{section_end[0...-5]}</div>" end - it "prints light red" do - text = "#{section_start}\e[91mHello\e[0m\n#{section_end}" - html = %{#{section_start_html}<span class="term-fg-l-red">Hello</span><br>#{section_end_html}} + shared_examples 'forbidden char in section_name' do + it 'ignores sections' do + text = "#{section_start}Some text#{section_end}" + html = text.gsub("\033[0K", '').gsub('<', '<') - expect(convert_html(text)).to eq(html) + expect(convert_html(text)).to eq(html) + end + end + + shared_examples 'a legit section' do + let(:text) { "#{section_start}Some text#{section_end}" } + + it 'prints light red' do + text = "#{section_start}\e[91mHello\e[0m\n#{section_end}" + html = %{#{section_start_html}<span class="term-fg-l-red">Hello</span><br>#{section_end_html}} + + expect(convert_html(text)).to eq(html) + end + + it 'begins with a section_start html marker' do + expect(convert_html(text)).to start_with(section_start_html) + end + + it 'ends with a section_end html marker' do + expect(convert_html(text)).to end_with(section_end_html) + end + end + + it_behaves_like 'a legit section' + + context 'section name includes $' do + let(:section_name) { 'my_$ection'} + + it_behaves_like 'forbidden char in section_name' + end + + context 'section name includes <' do + let(:section_name) { '<a_tag>'} + + it_behaves_like 'forbidden char in section_name' + end + + context 'section name contains .-_' do + let(:section_name) { 'a.Legit-SeCtIoN_namE' } + + it_behaves_like 'a legit section' + end + + it 'do not allow XSS injections' do + text = "#{section_start}section_end:1:2<script>alert('XSS Hack!');</script>#{section_end}" + + expect(convert_html(text)).not_to include('<script>') end end |