diff options
author | Robert Speicher <robert@gitlab.com> | 2018-01-05 21:36:18 +0000 |
---|---|---|
committer | Oswaldo Ferreira <oswaldo@gitlab.com> | 2018-01-07 21:16:20 +0000 |
commit | a95e10137c3fab082839c4a4f118b4aaffa97288 (patch) | |
tree | c94830054f2c3598e3b971e7cbde8f6ead7b2ee8 /spec | |
parent | 65c5cdb6b050151e5acb205684c9ebbca4eb7358 (diff) | |
download | gitlab-ce-a95e10137c3fab082839c4a4f118b4aaffa97288.tar.gz |
Merge branch '41293-fix-command-injection-vulnerability-on-system_hook_push-queue-through-web-hook' into 'security-10-3'
Don't allow line breaks on HTTP headers
See merge request gitlab/gitlabhq!2277
(cherry picked from commit 7fc0a6fc096768a5604d6dd24d7d952e53300c82)
073b8f9c Don't allow line breaks on HTTP headers
Diffstat (limited to 'spec')
-rw-r--r-- | spec/lib/gitlab/utils_spec.rb | 16 | ||||
-rw-r--r-- | spec/models/hooks/web_hook_spec.rb | 6 |
2 files changed, 22 insertions, 0 deletions
diff --git a/spec/lib/gitlab/utils_spec.rb b/spec/lib/gitlab/utils_spec.rb index e872a5290c5..bda239b7871 100644 --- a/spec/lib/gitlab/utils_spec.rb +++ b/spec/lib/gitlab/utils_spec.rb @@ -17,6 +17,22 @@ describe Gitlab::Utils do end end + describe '.remove_line_breaks' do + using RSpec::Parameterized::TableSyntax + + where(:original, :expected) do + "foo\nbar\nbaz" | "foobarbaz" + "foo\r\nbar\r\nbaz" | "foobarbaz" + "foobar" | "foobar" + end + + with_them do + it "replace line breaks with an empty string" do + expect(described_class.remove_line_breaks(original)).to eq(expected) + end + end + end + describe '.to_boolean' do it 'accepts booleans' do expect(to_boolean(true)).to be(true) diff --git a/spec/models/hooks/web_hook_spec.rb b/spec/models/hooks/web_hook_spec.rb index 388120160ab..ea6d6e53ef5 100644 --- a/spec/models/hooks/web_hook_spec.rb +++ b/spec/models/hooks/web_hook_spec.rb @@ -29,6 +29,12 @@ describe WebHook do expect(hook.url).to eq('https://example.com') end end + + describe 'token' do + it { is_expected.to allow_value("foobar").for(:token) } + + it { is_expected.not_to allow_values("foo\nbar", "foo\r\nbar").for(:token) } + end end describe 'execute' do |