authorGitLab Bot <gitlab-bot@gitlab.com>2020-05-26 14:57:37 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2020-05-26 14:57:37 +0000
commit13f0d48172df4463fd4c2dbded7fdbbbfe88e0a9 (patch)
treeec69b0b3f5e070aff23f995b97512ed2657d1793 /spec
parent581d2902d00f62bb789ba56f80bbb750f989e6cf (diff)
downloadgitlab-ce-13f0d48172df4463fd4c2dbded7fdbbbfe88e0a9.tar.gz
Add latest changes from gitlab-org/security/gitlab@13-0-stable-ee
Diffstat (limited to 'spec')
-rw-r--r--spec/lib/gitlab/static_site_editor/config_spec.rb18
-rw-r--r--spec/lib/gitlab/url_sanitizer_spec.rb24
2 files changed, 42 insertions, 0 deletions
diff --git a/spec/lib/gitlab/static_site_editor/config_spec.rb b/spec/lib/gitlab/static_site_editor/config_spec.rb
index a1db567db1a..4cfda83b8f6 100644
--- a/spec/lib/gitlab/static_site_editor/config_spec.rb
+++ b/spec/lib/gitlab/static_site_editor/config_spec.rb
@@ -65,5 +65,23 @@ describe Gitlab::StaticSiteEditor::Config do
it { is_expected.to include(is_supported_content: 'false') }
end
+
+ context 'when return_url is not a valid URL' do
+ let(:return_url) { 'example.com' }
+
+ it { is_expected.to include(return_url: nil) }
+ end
+
+ context 'when return_url has a javascript scheme' do
+ let(:return_url) { 'javascript:alert(document.domain)' }
+
+ it { is_expected.to include(return_url: nil) }
+ end
+
+ context 'when return_url is missing' do
+ let(:return_url) { nil }
+
+ it { is_expected.to include(return_url: nil) }
+ end
end
end
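Review bot: The three new contexts all assert the same `return_url: nil` outcome, but none covers the scheme variants the `javascript:` case is meant to guard — a mixed-case or leading-whitespace scheme, or a `data:` URL — so a sanitizer that only compares a lowercase prefix would still satisfy this spec. A context mirroring the javascript one, with e.g. `let(:return_url) { ' JavaScript:alert(document.domain)' }` (constructed from the existing sample) and the same `include(return_url: nil)` expectation, would pin that behaviour. It is not visible here whether a positive case with an `http(s)` return_url is asserted above the hunk; if it is not, one is needed so the nil expectation cannot be met by a sanitizer that always drops the value. The enclosing describe block starts outside the hunk.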
diff --git a/spec/lib/gitlab/url_sanitizer_spec.rb b/spec/lib/gitlab/url_sanitizer_spec.rb
index b39609c594b..caca22eb98b 100644
--- a/spec/lib/gitlab/url_sanitizer_spec.rb
+++ b/spec/lib/gitlab/url_sanitizer_spec.rb
@@ -60,6 +60,30 @@ describe Gitlab::UrlSanitizer do
end
end
+ describe '.valid_web?' do
+ where(:value, :url) do
+ false | nil
+ false | ''
+ false | '123://invalid:url'
+ false | 'valid@project:url.git'
+ false | 'valid:pass@project:url.git'
+ false | %w(test array)
+ false | 'ssh://example.com'
+ false | 'ssh://:@example.com'
+ false | 'ssh://foo@example.com'
+ false | 'ssh://foo:bar@example.com'
+ false | 'ssh://foo:bar@example.com/group/group/project.git'
+ false | 'git://example.com/group/group/project.git'
+ false | 'git://foo:bar@example.com/group/group/project.git'
+ true | 'http://foo:bar@example.com/group/group/project.git'
+ true | 'https://foo:bar@example.com/group/group/project.git'
+ end
+
+ with_them do
+ it { expect(described_class.valid_web?(url)).to eq(value) }
+ end
+ end
+
describe '#sanitized_url' do
context 'credentials in hash' do
where(username: ['foo', '', nil], password: ['bar', '', nil])