author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-12-03 10:02:12 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-12-03 10:02:27 +0000 |
commit | 01a6adb2b453b852a9348365c4e867d6a36ddeb1 (patch) | |
tree | c48732c5bd6dc8881de252ed147277d49c365d22 /spec | |
parent | f617de3476794b7198f07eba70b84fa401eded71 (diff) | |
Add latest changes from gitlab-org/security/gitlab@14-5-stable-ee
Diffstat (limited to 'spec')
-rw-r--r-- | spec/features/protected_branches_spec.rb | 6 | ||||
-rw-r--r-- | spec/services/protected_branches/create_service_spec.rb | 39 | ||||
-rw-r--r-- | spec/services/protected_branches/update_service_spec.rb | 39 |
3 files changed, 77 insertions, 7 deletions
diff --git a/spec/features/protected_branches_spec.rb b/spec/features/protected_branches_spec.rb
index 6fbed21acdb..15ec11c256f 100644
--- a/spec/features/protected_branches_spec.rb
+++ b/spec/features/protected_branches_spec.rb
@@ -118,12 +118,12 @@ RSpec.describe 'Protected Branches', :js do
 it "allows creating explicit protected branches" do
 visit project_protected_branches_path(project)
 set_defaults
- set_protected_branch_name('some-branch')
+ set_protected_branch_name('some->branch')
 click_on "Protect"
 
- within(".protected-branches-list") { expect(page).to have_content('some-branch') }
+ within(".protected-branches-list") { expect(page).to have_content('some->branch') }
 expect(ProtectedBranch.count).to eq(1)
- expect(ProtectedBranch.last.name).to eq('some-branch')
+ expect(ProtectedBranch.last.name).to eq('some->branch')
 end
 
 it "displays the last commit on the matching branch if it exists" do
diff --git a/spec/services/protected_branches/create_service_spec.rb b/spec/services/protected_branches/create_service_spec.rb
index 45462831a31..756c775be9b 100644
--- a/spec/services/protected_branches/create_service_spec.rb
+++ b/spec/services/protected_branches/create_service_spec.rb
@@ -7,13 +7,15 @@ RSpec.describe ProtectedBranches::CreateService do
 let(:user) { project.owner }
 let(:params) do
 {
- name: 'master',
+ name: name,
 merge_access_levels_attributes: [{ access_level: Gitlab::Access::MAINTAINER }],
 push_access_levels_attributes: [{ access_level: Gitlab::Access::MAINTAINER }]
 }
 end
 
 describe '#execute' do
+ let(:name) { 'master' }
+
 subject(:service) { described_class.new(project, user, params) }
 
 it 'creates a new protected branch' do
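Review bot: In create_service_spec.rb the top-level `let(:params)` now reads `name`, but `let(:name) { 'master' }` is only defined inside `describe '#execute'`, so any example outside that block that touches `params` fails with a NameError when the hash is evaluated; the same split between `params` and `new_name` appears in the update_service_spec.rb hunk. Defining the default next to the hash it feeds, `let(:name) { 'master' }` directly above `let(:params) do`, keeps `params` self-contained while the nested contexts still override it. The `describe '#execute'` block continues past the end of this hunk.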
@@ -22,6 +24,41 @@ RSpec.describe ProtectedBranches::CreateService do
 expect(project.protected_branches.last.merge_access_levels.map(&:access_level)).to eq([Gitlab::Access::MAINTAINER])
 end
 
+ context 'when name has escaped HTML' do
+ let(:name) { 'feature->test' }
+
+ it 'creates the new protected branch matching the unescaped version' do
+ expect { service.execute }.to change(ProtectedBranch, :count).by(1)
+ expect(project.protected_branches.last.name).to eq('feature->test')
+ end
+
+ context 'and name contains HTML tags' do
+ let(:name) { '<b>master</b>' }
+
+ it 'creates the new protected branch with sanitized name' do
+ expect { service.execute }.to change(ProtectedBranch, :count).by(1)
+ expect(project.protected_branches.last.name).to eq('master')
+ end
+
+ context 'and contains unsafe HTML' do
+ let(:name) { '<script>alert('foo');</script>' }
+
+ it 'does not create the new protected branch' do
+ expect { service.execute }.not_to change(ProtectedBranch, :count)
+ end
+ end
+ end
+
+ context 'when name contains unescaped HTML tags' do
+ let(:name) { '<b>master</b>' }
+
+ it 'creates the new protected branch with sanitized name' do
+ expect { service.execute }.to change(ProtectedBranch, :count).by(1)
+ expect(project.protected_branches.last.name).to eq('master')
+ end
+ end
+ end
+
 context 'when user does not have permission' do
 let(:user) { create(:user) }
 
diff --git a/spec/services/protected_branches/update_service_spec.rb b/spec/services/protected_branches/update_service_spec.rb
index 88e58ad5907..b5cf1a54aff 100644
--- a/spec/services/protected_branches/update_service_spec.rb
+++ b/spec/services/protected_branches/update_service_spec.rb
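Review bot: The new `context 'when name contains unescaped HTML tags'` in this hunk is nested inside `context 'when name has escaped HTML'` (only three `+ end` lines precede it, and its own `end` is followed by a fourth closing the escaped-HTML context), whereas the same block in update_service_spec.rb sits as a sibling of the escaped-HTML context; moving it out one level keeps the two specs parallel and its description accurate. As rendered here, the inputs of the escaped-HTML examples read identically to the expected unescaped names (`let(:name) { 'feature->test' }` against `eq('feature->test')`), which would make the unescape assertions vacuous; this most likely reflects the page decoding `&gt;`/`&lt;` entities, and the literal `'<script>alert('foo');</script>'` with nested single quotes would not parse as Ruby, which points the same way, so it is worth confirming the raw file carries the entity forms in those `let` values. The unsafe-HTML example only asserts that no record is created; if the service reports the failure on its return value, asserting that too would distinguish an explicit rejection from a silent no-op.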
@@ -6,17 +6,50 @@ RSpec.describe ProtectedBranches::UpdateService do
 let(:protected_branch) { create(:protected_branch) }
 let(:project) { protected_branch.project }
 let(:user) { project.owner }
- let(:params) { { name: 'new protected branch name' } }
+ let(:params) { { name: new_name } }
 
 describe '#execute' do
+ let(:new_name) { 'new protected branch name' }
+ let(:result) { service.execute(protected_branch) }
+
 subject(:service) { described_class.new(project, user, params) }
 
 it 'updates a protected branch' do
- result = service.execute(protected_branch)
-
 expect(result.reload.name).to eq(params[:name])
 end
 
+ context 'when name has escaped HTML' do
+ let(:new_name) { 'feature->test' }
+
+ it 'updates protected branch name with unescaped HTML' do
+ expect(result.reload.name).to eq('feature->test')
+ end
+
+ context 'and name contains HTML tags' do
+ let(:new_name) { '<b>master</b>' }
+
+ it 'updates protected branch name with sanitized name' do
+ expect(result.reload.name).to eq('master')
+ end
+
+ context 'and contains unsafe HTML' do
+ let(:new_name) { '<script>alert('foo');</script>' }
+
+ it 'does not update the protected branch' do
+ expect(result.reload.name).to eq(protected_branch.name)
+ end
+ end
+ end
+ end
+
+ context 'when name contains unescaped HTML tags' do
+ let(:new_name) { '<b>master</b>' }
+
+ it 'updates protected branch name with sanitized name' do
+ expect(result.reload.name).to eq('master')
+ end
+ end
+
 context 'without admin_project permissions' do
 let(:user) { create(:user) } |
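Review bot: In `it 'does not update the protected branch'`, `expect(result.reload.name).to eq(protected_branch.name)` compares the record with itself if `execute` returns the object it was handed, because `result.reload` then refreshes the very instance that `protected_branch.name` reads afterwards, so the example passes even when the rename went through; the pre-existing `result.reload` usage in `it 'updates a protected branch'` suggests that is the case. Phrase it as a non-change instead, `expect { result }.not_to change { protected_branch.reload.name }`, or capture the original name before `result` is forced. The entity-decoding caveat raised on the create_service_spec.rb hunk applies equally to the `new_name` values here.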