path: root/spec/requests/api/groups_spec.rb
authorGitLab Bot <gitlab-bot@gitlab.com>2020-03-26 18:08:03 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2020-03-26 18:08:03 +0000
commitdc003cd08b4cb72fecbb03aa978ea0c53c03aeb4 (patch)
tree5e77ce228c33619201ac6706b9789d4a2eed2a3b /spec/requests/api/groups_spec.rb
parente80e0dd64fbb04f60394cb1bb08e17dbcb22b8ce (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'spec/requests/api/groups_spec.rb')
-rw-r--r--spec/requests/api/groups_spec.rb28
1 files changed, 28 insertions, 0 deletions
diff --git a/spec/requests/api/groups_spec.rb b/spec/requests/api/groups_spec.rb
index ea60f783b48..30c1f99569b 100644
--- a/spec/requests/api/groups_spec.rb
+++ b/spec/requests/api/groups_spec.rb
@@ -642,6 +642,20 @@ describe API::Groups do
expect(json_response['default_branch_protection']).to eq(::Gitlab::Access::MAINTAINER_PROJECT_ACCESS)
end
+ context 'malicious group name' do
+ subject { put api("/groups/#{group1.id}", user1), params: { name: "<SCRIPT>alert('DOUBLE-ATTACK!')</SCRIPT>" } }
+
+ it 'returns bad request' do
+ subject
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ end
+
+ it 'does not update group name' do
+ expect { subject }.not_to change { group1.reload.name }
+ end
+ end
+
it 'returns 404 for a non existing group' do
put api('/groups/1328', user1), params: { name: new_group_name }
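Review bot: Both new 'malicious group name' contexts (this one and the POST `/groups` one in the second hunk) assert only the status code, so a 400 produced for an unrelated reason — for instance the `path` param failing validation in the POST case — would still pass, and the examples would not show that the name validation is what rejected the input. Pin the cause by also asserting on the validation error body, e.g. `expect(json_response['message']).to have_key('name')`; the exact key presumably mirrors the attribute name, so confirm it against the API's validation error format. The second hunk's `it { expect { subject }.not_to change { Group.count } }` also lacks the description its PUT counterpart 'does not update group name' carries; `it 'does not create the group' do … end` keeps the two contexts parallel. The enclosing describe blocks start and end outside both hunks.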
@@ -1083,6 +1097,20 @@ describe API::Groups do
expect(json_response["parent_id"]).to eq(parent.id)
end
+ context 'malicious group name' do
+ subject { post api("/groups", user3), params: group_params }
+
+ let(:group_params) { attributes_for_group_api name: "<SCRIPT>alert('ATTACKED!')</SCRIPT>", path: "unique-url" }
+
+ it 'returns bad request' do
+ subject
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ end
+
+ it { expect { subject }.not_to change { Group.count } }
+ end
+
it "does not create group, duplicate" do
post api("/groups", user3), params: { name: 'Duplicate Test', path: group2.path }