author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-11-30 04:50:46 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-11-30 04:50:46 +0000 |
commit | e6572d41b847c839ce49bc022a8cd1b99216798b (patch) | |
tree | 419eeffb09aafcd9d5a82e43c823b8cfbf88963e /spec/requests | |
parent | 1f6654659564013b8aa4f3572158cb63d3a519c1 (diff) | |
Add latest changes from gitlab-org/security/gitlab@15-6-stable-ee
Diffstat (limited to 'spec/requests')
-rw-r--r-- | spec/requests/jira_connect/users_controller_spec.rb | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/spec/requests/jira_connect/users_controller_spec.rb b/spec/requests/jira_connect/users_controller_spec.rb
index c648d28c1bc..6e927aaba91 100644
--- a/spec/requests/jira_connect/users_controller_spec.rb
+++ b/spec/requests/jira_connect/users_controller_spec.rb
@@ -31,5 +31,16 @@ RSpec.describe JiraConnect::UsersController do
 expect(response.body).not_to include('Return to GitLab')
 end
 end
+
+ context 'with a script injected' do
+ let(:return_to) { 'javascript://test.atlassian.net/%250dalert(document.domain)' }
+
+ it 'does not include a return url' do
+ get '/-/jira_connect/users', params: { return_to: return_to }
+
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(response.body).not_to include('Return to GitLab')
+ end
+ end
 end
 end |
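Review bot: The new `it 'does not include a return url'` example only asserts that the link text `'Return to GitLab'` is absent, so a regression that kept the link text out but still emitted the attacker-controlled value in an `href` (or elsewhere in the page) would pass. Add a second, scheme-level assertion alongside the existing one: `expect(response.body).not_to include('javascript:')` and `expect(response.body).not_to include(return_to)`. The single `javascript://host/%250d...` payload also leaves the presumed scheme/host validation in the controller (not visible in this diff) unexercised for the obvious variants; a `where`/`each` over `%w[javascript: JavaScript: data: vbscript:]`-style values would cover case and scheme differences cheaply, if that is what the fix rejects. The enclosing `RSpec.describe JiraConnect::UsersController` block begins before this hunk.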