diff options
author | GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> | 2023-01-31 11:45:59 +0000 |
---|---|---|
committer | GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> | 2023-01-31 11:45:59 +0000 |
commit | 637146034ce2a23df46d90b8e0b77d75553fdbb9 (patch) | |
tree | 7c6244459250fc610480d52bc0231f411d0547c4 /spec/models/concerns/sanitizable_spec.rb | |
parent | c3e54801bb461b6d53c48e3194f87cb5ebf3f5ba (diff) | |
parent | 383efe57adfb30756ce6ce0d3f47c32a33c2ca85 (diff) | |
download | gitlab-ce-637146034ce2a23df46d90b8e0b77d75553fdbb9.tar.gz |
Merge remote-tracking branch 'dev/15-8-stable' into 15-8-stable
Diffstat (limited to 'spec/models/concerns/sanitizable_spec.rb')
-rw-r--r-- | spec/models/concerns/sanitizable_spec.rb | 53 |
1 files changed, 52 insertions, 1 deletions
diff --git a/spec/models/concerns/sanitizable_spec.rb b/spec/models/concerns/sanitizable_spec.rb index 4a1d463d666..be7169f8dca 100644 --- a/spec/models/concerns/sanitizable_spec.rb +++ b/spec/models/concerns/sanitizable_spec.rb @@ -75,7 +75,58 @@ RSpec.describe Sanitizable do it 'is not valid', :aggregate_failures do expect(record).not_to be_valid - expect(record.errors.full_messages).to include('Name cannot contain escaped HTML entities') + expect(record.errors.full_messages).to contain_exactly( + 'Name cannot contain escaped HTML entities', + 'Description cannot contain escaped HTML entities' + ) + end + end + + context 'when input contains double-escaped data' do + let_it_be(:input) do + '%2526lt%253Bscript%2526gt%253Balert%25281%2529%2526lt%253B%252Fscript%2526gt%253B' + end + + it_behaves_like 'noop' + + it 'is not valid', :aggregate_failures do + expect(record).not_to be_valid + expect(record.errors.full_messages).to contain_exactly( + 'Name cannot contain escaped components', + 'Description cannot contain escaped components' + ) + end + end + + context 'when input contains a path traversal attempt' do + let_it_be(:input) { 'main../../../../../../api/v4/projects/1/import_project_members/2' } + + it_behaves_like 'noop' + + it 'is not valid', :aggregate_failures do + expect(record).not_to be_valid + expect(record.errors.full_messages).to contain_exactly( + 'Name cannot contain a path traversal component', + 'Description cannot contain a path traversal component' + ) + end + end + + context 'when input contains both path traversal attempt and pre-escaped entities' do + let_it_be(:input) do + 'main../../../../../../api/v4/projects/1/import_project_members/2<script>alert(1)</script>' + end + + it_behaves_like 'noop' + + it 'is not valid', :aggregate_failures do + expect(record).not_to be_valid + expect(record.errors.full_messages).to contain_exactly( + 'Name cannot contain a path traversal component', + 'Name cannot contain escaped HTML entities', + 'Description cannot contain a path traversal component', + 'Description cannot contain escaped HTML entities' + ) end end end |