diff options
| author | Jan Provaznik <jprovaznik@gitlab.com> | 2018-10-29 16:10:32 +0000 |
|---|---|---|
| committer | Jan Provaznik <jprovaznik@gitlab.com> | 2018-10-29 16:10:32 +0000 |
| commit | 5b0b73d922f5081e84697d439b30959161966727 (patch) | |
| tree | 4b1aef1253a3895cea2ee42a86cf377a87ae617d /spec/models | |
| parent | f0b3edf2ca9f7f1dd64d3b17eda006ab9983cfc4 (diff) | |
| parent | c1c1496405620d99d5943b1c4b5277b4b7d6ad63 (diff) | |
| download | gitlab-ce-5b0b73d922f5081e84697d439b30959161966727.tar.gz | |
Merge branch 'security-redact-links' into 'master'
[master] Redact unsubscribe links in issuable texts
See merge request gitlab/gitlabhq!2528
Diffstat (limited to 'spec/models')
| -rw-r--r-- | spec/models/concerns/redactable_spec.rb | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/spec/models/concerns/redactable_spec.rb b/spec/models/concerns/redactable_spec.rb new file mode 100644 index 00000000000..7d320edd492 --- /dev/null +++ b/spec/models/concerns/redactable_spec.rb @@ -0,0 +1,69 @@ +require 'spec_helper' + +describe Redactable do + shared_examples 'model with redactable field' do + it 'redacts unsubscribe token' do + model[field] = 'some text /sent_notifications/00000000000000000000000000000000/unsubscribe more text' + + model.save! + + expect(model[field]).to eq 'some text /sent_notifications/REDACTED/unsubscribe more text' + end + + it 'ignores not hexadecimal tokens' do + text = 'some text /sent_notifications/token/unsubscribe more text' + model[field] = text + + model.save! + + expect(model[field]).to eq text + end + + it 'ignores not matching texts' do + text = 'some text /sent_notifications/.*/unsubscribe more text' + model[field] = text + + model.save! + + expect(model[field]).to eq text + end + + it 'redacts the field when saving the model before creating markdown cache' do + model[field] = 'some text /sent_notifications/00000000000000000000000000000000/unsubscribe more text' + + model.save! + + expected = 'some text /sent_notifications/REDACTED/unsubscribe more text' + expect(model[field]).to eq expected + expect(model["#{field}_html"]).to eq "<p dir=\"auto\">#{expected}</p>" + end + end + + context 'when model is an issue' do + it_behaves_like 'model with redactable field' do + let(:model) { create(:issue) } + let(:field) { :description } + end + end + + context 'when model is a merge request' do + it_behaves_like 'model with redactable field' do + let(:model) { create(:merge_request) } + let(:field) { :description } + end + end + + context 'when model is a note' do + it_behaves_like 'model with redactable field' do + let(:model) { create(:note) } + let(:field) { :note } + end + end + + context 'when model is a snippet' do + it_behaves_like 'model with redactable field' do + let(:model) { create(:snippet) } + let(:field) { :description } + end + end +end |