summaryrefslogtreecommitdiff
path: root/spec/lib
diff options
context:
space:
mode:
authorGitLab Bot <gitlab-bot@gitlab.com>2020-05-26 14:57:37 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2020-05-26 14:57:37 +0000
commit13f0d48172df4463fd4c2dbded7fdbbbfe88e0a9 (patch)
treeec69b0b3f5e070aff23f995b97512ed2657d1793 /spec/lib
parent581d2902d00f62bb789ba56f80bbb750f989e6cf (diff)
downloadgitlab-ce-13f0d48172df4463fd4c2dbded7fdbbbfe88e0a9.tar.gz
Add latest changes from gitlab-org/security/gitlab@13-0-stable-ee
Diffstat (limited to 'spec/lib')
-rw-r--r--spec/lib/gitlab/static_site_editor/config_spec.rb18
-rw-r--r--spec/lib/gitlab/url_sanitizer_spec.rb24
2 files changed, 42 insertions, 0 deletions
diff --git a/spec/lib/gitlab/static_site_editor/config_spec.rb b/spec/lib/gitlab/static_site_editor/config_spec.rb
index a1db567db1a..4cfda83b8f6 100644
--- a/spec/lib/gitlab/static_site_editor/config_spec.rb
+++ b/spec/lib/gitlab/static_site_editor/config_spec.rb
@@ -65,5 +65,23 @@ describe Gitlab::StaticSiteEditor::Config do
it { is_expected.to include(is_supported_content: 'false') }
end
+
+ context 'when return_url is not a valid URL' do
+ let(:return_url) { 'example.com' }
+
+ it { is_expected.to include(return_url: nil) }
+ end
+
+ context 'when return_url has a javascript scheme' do
+ let(:return_url) { 'javascript:alert(document.domain)' }
+
+ it { is_expected.to include(return_url: nil) }
+ end
+
+ context 'when return_url is missing' do
+ let(:return_url) { nil }
+
+ it { is_expected.to include(return_url: nil) }
+ end
end
end
diff --git a/spec/lib/gitlab/url_sanitizer_spec.rb b/spec/lib/gitlab/url_sanitizer_spec.rb
index b39609c594b..caca22eb98b 100644
--- a/spec/lib/gitlab/url_sanitizer_spec.rb
+++ b/spec/lib/gitlab/url_sanitizer_spec.rb
@@ -60,6 +60,30 @@ describe Gitlab::UrlSanitizer do
end
end
+ describe '.valid_web?' do
+ where(:value, :url) do
+ false | nil
+ false | ''
+ false | '123://invalid:url'
+ false | 'valid@project:url.git'
+ false | 'valid:pass@project:url.git'
+ false | %w(test array)
+ false | 'ssh://example.com'
+ false | 'ssh://:@example.com'
+ false | 'ssh://foo@example.com'
+ false | 'ssh://foo:bar@example.com'
+ false | 'ssh://foo:bar@example.com/group/group/project.git'
+ false | 'git://example.com/group/group/project.git'
+ false | 'git://foo:bar@example.com/group/group/project.git'
+ true | 'http://foo:bar@example.com/group/group/project.git'
+ true | 'https://foo:bar@example.com/group/group/project.git'
+ end
+
+ with_them do
+ it { expect(described_class.valid_web?(url)).to eq(value) }
+ end
+ end
+
describe '#sanitized_url' do
context 'credentials in hash' do
where(username: ['foo', '', nil], password: ['bar', '', nil])