authorGitLab Bot <gitlab-bot@gitlab.com>2021-03-03 22:32:18 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-03-03 22:32:18 +0000
commitb7a47b151165e1313c9c526e1af8032601f7afd7 (patch)
tree8966651a39b27595341c180ef14d65f147c2b527 /spec
parentfa206403d6b6a501488b70173ba873189776edc6 (diff)
downloadgitlab-ce-b7a47b151165e1313c9c526e1af8032601f7afd7.tar.gz
Add latest changes from gitlab-org/security/gitlab@13-9-stable-ee
Diffstat (limited to 'spec')
-rw-r--r--spec/helpers/wiki_page_version_helper_spec.rb80
-rw-r--r--spec/lib/gitlab/git/wiki_page_version_spec.rb14
2 files changed, 87 insertions, 7 deletions
diff --git a/spec/helpers/wiki_page_version_helper_spec.rb b/spec/helpers/wiki_page_version_helper_spec.rb
new file mode 100644
index 00000000000..bc500c28c5a
--- /dev/null
+++ b/spec/helpers/wiki_page_version_helper_spec.rb
@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe WikiPageVersionHelper do
+ let_it_be(:project) { create(:project, :public, :repository) }
+ let_it_be(:user) { create(:user, username: 'foo') }
+
+ let(:commit_with_user) { create(:commit, project: project, author: user)}
+ let(:commit_without_user) { create(:commit, project: project, author_name: 'Foo', author_email: 'foo@example.com')}
+ let(:wiki_page_version) { Gitlab::Git::WikiPageVersion.new(commit, nil) }
+
+ describe '#wiki_page_version_author_url' do
+ subject { helper.wiki_page_version_author_url(wiki_page_version) }
+
+ context 'when user exists' do
+ let(:commit) { commit_with_user }
+
+ it 'returns the link to the user profile' do
+ expect(subject).to eq('http://localhost/foo')
+ end
+ end
+
+ context 'when user does not exist' do
+ let(:commit) { commit_without_user }
+
+ it 'returns the mailto link' do
+ expect(subject).to eq "mailto:#{commit_without_user.author_email}"
+ end
+ end
+ end
+
+ describe '#wiki_page_version_author_avatar' do
+ let(:commit) { commit_with_user }
+
+ subject { helper.wiki_page_version_author_avatar(wiki_page_version) }
+
+ it 'returns the user avatar', :aggregate_failures do
+ avatar = Nokogiri::HTML.parse(subject)
+
+ expect(avatar.css('img')[0].attr('class')).to eq('avatar s24 float-none gl-mr-0! lazy')
+ expect(avatar.css('img')[0].attr('data-src')).not_to be_empty
+ expect(avatar.css('img')[0].attr('src')).not_to be_empty
+ end
+ end
+
+ describe '#wiki_page_version_author_header', :aggregate_failures do
+ let(:commit_with_xss) { create(:commit, project: project, author_email: "#' style=animation-name:blinking-dot onanimationstart=alert(document.domain) other", author_name: "<i>foo</i>") }
+ let(:header) { Nokogiri::HTML.parse(subject) }
+
+ subject { helper.wiki_page_version_author_header(wiki_page_version) }
+
+ context 'when user exists' do
+ let(:commit) { commit_with_user }
+
+ it 'renders commit header with user info' do
+ expect(header.css('a')[0].attr('href')).to eq("http://localhost/foo")
+ expect(header.css('a')[0].children[2].to_s).to eq("<strong>#{user.name}</strong>")
+ end
+ end
+
+ context 'when user does not exist' do
+ let(:commit) { commit_without_user }
+
+ it 'renders commit header with info from commit' do
+ expect(header.css('a')[0].attr('href')).to eq("mailto:#{commit.author_email}")
+ expect(header.css('a')[0].children[2].to_s).to eq("<strong>#{wiki_page_version.author_name}</strong>")
+ end
+ end
+
+ context 'when user info has XSS' do
+ let(:commit) { commit_with_xss }
+
+ it 'sets the right href and escapes HTML chars' do
+ expect(header.css('a')[0].attr('href')).to eq("mailto:#{commit.author_email}")
+ expect(header.css('a')[0].children[2].to_s).to eq("<strong>&lt;i&gt;foo&lt;/i&gt;</strong>")
+ end
+ end
+ end
+end
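Review bot: The 'when user info has XSS' case never asserts that the attribute-injection payload placed in `author_email` (`#' style=animation-name:... onanimationstart=alert(...)`) stayed inside the href value; checking `attr('href')` equals `"mailto:#{commit.author_email}"` only proves the value was preserved, and an unescaped `'` could still have produced extra `style`/`onanimationstart` attributes on the anchor that this assertion does not see. Since the anchor is already parsed into `header`, add `expect(header.css('a')[0].attr('style')).to be_nil` and `expect(header.css('a')[0].attr('onanimationstart')).to be_nil` (or `expect(header.css('[onanimationstart]')).to be_empty` for the whole header) so the test fails if the email breaks out of the attribute. The `children[2]` index used in all three contexts is also fragile against whitespace changes in the helper's markup; `header.css('a strong').first.to_s` would pin the same content without depending on node position.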
diff --git a/spec/lib/gitlab/git/wiki_page_version_spec.rb b/spec/lib/gitlab/git/wiki_page_version_spec.rb
index 836fa2449ec..b117e757f6e 100644
--- a/spec/lib/gitlab/git/wiki_page_version_spec.rb
+++ b/spec/lib/gitlab/git/wiki_page_version_spec.rb
@@ -4,24 +4,24 @@ require 'spec_helper'
RSpec.describe Gitlab::Git::WikiPageVersion do
let_it_be(:project) { create(:project, :public, :repository) }
- let(:user) { create(:user, username: 'someone') }
+ let_it_be(:user) { create(:user, username: 'someone') }
- describe '#author_url' do
- subject(:author_url) { described_class.new(commit, nil).author_url }
+ describe '#author' do
+ subject(:author) { described_class.new(commit, nil).author }
context 'user exists in gitlab' do
let(:commit) { create(:commit, project: project, author: user) }
- it 'returns the profile link of the user' do
- expect(author_url).to eq('http://localhost/someone')
+ it 'returns the user' do
+ expect(author).to eq user
end
end
context 'user does not exist in gitlab' do
let(:commit) { create(:commit, project: project, author_email: "someone@somewebsite.com") }
- it 'returns a mailto: url' do
- expect(author_url).to eq('mailto:someone@somewebsite.com')
+ it 'returns nil' do
+ expect(author).to be_nil
end
end
end
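Review bot: The new `#author` spec pins only the two extremes, a commit authored by a known user and a commit whose email matches nobody, so it does not document how the lookup is keyed; if `author` resolves the user from the commit's author email (not visible in this hunk, so this is an assumption), a case such as `create(:commit, project: project, author_email: user.email.upcase)` plus an assertion on whether that still returns `user` would make the matching rule explicit, and a case where the email belongs to a user's unconfirmed secondary email would pin that only verified addresses link a commit to a profile. The context descriptions also drop the file's `when ...` phrasing used in the helper spec; `context 'when the user exists in gitlab'` / `context 'when the user does not exist in gitlab'` would read consistently across both specs.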