diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-03-26 18:08:03 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-03-26 18:08:03 +0000 |
commit | dc003cd08b4cb72fecbb03aa978ea0c53c03aeb4 (patch) | |
tree | 5e77ce228c33619201ac6706b9789d4a2eed2a3b /spec/requests/api/groups_spec.rb | |
parent | e80e0dd64fbb04f60394cb1bb08e17dbcb22b8ce (diff) | |
download | gitlab-ce-dc003cd08b4cb72fecbb03aa978ea0c53c03aeb4.tar.gz |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'spec/requests/api/groups_spec.rb')
-rw-r--r-- | spec/requests/api/groups_spec.rb | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/spec/requests/api/groups_spec.rb b/spec/requests/api/groups_spec.rb index ea60f783b48..30c1f99569b 100644 --- a/spec/requests/api/groups_spec.rb +++ b/spec/requests/api/groups_spec.rb @@ -642,6 +642,20 @@ describe API::Groups do expect(json_response['default_branch_protection']).to eq(::Gitlab::Access::MAINTAINER_PROJECT_ACCESS) end + context 'malicious group name' do + subject { put api("/groups/#{group1.id}", user1), params: { name: "<SCRIPT>alert('DOUBLE-ATTACK!')</SCRIPT>" } } + + it 'returns bad request' do + subject + + expect(response).to have_gitlab_http_status(:bad_request) + end + + it 'does not update group name' do + expect { subject }.not_to change { group1.reload.name } + end + end + it 'returns 404 for a non existing group' do put api('/groups/1328', user1), params: { name: new_group_name } @@ -1083,6 +1097,20 @@ describe API::Groups do expect(json_response["parent_id"]).to eq(parent.id) end + context 'malicious group name' do + subject { post api("/groups", user3), params: group_params } + + let(:group_params) { attributes_for_group_api name: "<SCRIPT>alert('ATTACKED!')</SCRIPT>", path: "unique-url" } + + it 'returns bad request' do + subject + + expect(response).to have_gitlab_http_status(:bad_request) + end + + it { expect { subject }.not_to change { Group.count } } + end + it "does not create group, duplicate" do post api("/groups", user3), params: { name: 'Duplicate Test', path: group2.path } |