author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-05-26 13:48:43 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-05-26 13:48:43 +0000 |
commit | 00ed89bc218dc88eae9a4e8de1ce5813729ebfdc (patch) | |
tree | 789519e95d46b536ea01292ae58945f2ded55277 /spec | |
parent | 37caeffc694e7b6b937eb8c0043ca1f14625c196 (diff) | |
download | gitlab-ce-00ed89bc218dc88eae9a4e8de1ce5813729ebfdc.tar.gz |
Add latest changes from gitlab-org/security/gitlab@13-0-stable-ee
Diffstat (limited to 'spec')
-rw-r--r-- | spec/features/groups/clusters/user_spec.rb | 2 | ||||
-rw-r--r-- | spec/features/projects/clusters/user_spec.rb | 2 | ||||
-rw-r--r-- | spec/frontend/clusters/clusters_bundle_spec.js | 22 | ||||
-rw-r--r-- | spec/frontend/monitoring/components/duplicate_dashboard_form_spec.js | 36 | ||||
-rw-r--r-- | spec/services/clusters/update_service_spec.rb | 33 |
5 files changed, 61 insertions, 34 deletions
diff --git a/spec/features/groups/clusters/user_spec.rb b/spec/features/groups/clusters/user_spec.rb
index e9ef66e31a2..a29afba99e4 100644
--- a/spec/features/groups/clusters/user_spec.rb
+++ b/spec/features/groups/clusters/user_spec.rb
@@ -39,7 +39,7 @@ describe 'User Cluster', :js do
 expect(page.find_field('cluster[platform_kubernetes_attributes][api_url]').value)
 .to have_content('http://example.com')
 expect(page.find_field('cluster[platform_kubernetes_attributes][token]').value)
- .to have_content('my-token')
+ .to be_empty
 end
 end
diff --git a/spec/features/projects/clusters/user_spec.rb b/spec/features/projects/clusters/user_spec.rb
index 79676927fa2..5c82d848563 100644
--- a/spec/features/projects/clusters/user_spec.rb
+++ b/spec/features/projects/clusters/user_spec.rb
@@ -46,7 +46,7 @@ describe 'User Cluster', :js do
 expect(page.find_field('cluster[platform_kubernetes_attributes][api_url]').value)
 .to have_content('http://example.com')
 expect(page.find_field('cluster[platform_kubernetes_attributes][token]').value)
- .to have_content('my-token')
+ .to be_empty
 end
 it 'user sees RBAC is enabled by default' do
diff --git a/spec/frontend/clusters/clusters_bundle_spec.js b/spec/frontend/clusters/clusters_bundle_spec.js
index d7c648bcd20..9d0ed423759 100644
--- a/spec/frontend/clusters/clusters_bundle_spec.js
+++ b/spec/frontend/clusters/clusters_bundle_spec.js
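Review bot: The new `.to be_empty` assertion on the token field, here and in the matching hunk for spec/features/projects/clusters/user_spec.rb, only proves that the input's value is blank; it would still pass if the token were rendered somewhere else in the page (a data attribute, a hidden input, inline JSON). Assuming the cluster under test is still created with the `my-token` value that the removed line checked for, adding `expect(page.html).not_to include('my-token')` after it would pin the actual property the change is after. The enclosing `it` block starts outside the hunk, so the setup cannot be confirmed from here.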
@@ -82,28 +82,6 @@ describe('Clusters', () => {
 });
 });
- describe('showToken', () => {
- it('should update token field type', () => {
- cluster.showTokenButton.click();
-
- expect(cluster.tokenField.getAttribute('type')).toEqual('text');
-
- cluster.showTokenButton.click();
-
- expect(cluster.tokenField.getAttribute('type')).toEqual('password');
- });
-
- it('should update show token button text', () => {
- cluster.showTokenButton.click();
-
- expect(cluster.showTokenButton.textContent).toEqual('Hide');
-
- cluster.showTokenButton.click();
-
- expect(cluster.showTokenButton.textContent).toEqual('Show');
- });
- });
-
 describe('checkForNewInstalls', () => {
 const INITIAL_APP_MAP = {
 helm: { status: null, title: 'Helm Tiller' },
diff --git a/spec/frontend/monitoring/components/duplicate_dashboard_form_spec.js b/spec/frontend/monitoring/components/duplicate_dashboard_form_spec.js
index 216ec345552..8ab7c8b9e50 100644
--- a/spec/frontend/monitoring/components/duplicate_dashboard_form_spec.js
+++ b/spec/frontend/monitoring/components/duplicate_dashboard_form_spec.js
@@ -3,9 +3,17 @@ import DuplicateDashboardForm from '~/monitoring/components/duplicate_dashboard_
 import { dashboardGitResponse } from '../mock_data';
-describe('DuplicateDashboardForm', () => {
- let wrapper;
+let wrapper;
+
+const createMountedWrapper = (props = {}) => {
+ // Use `mount` to render native input elements
+ wrapper = mount(DuplicateDashboardForm, {
+ propsData: { ...props },
+ sync: false,
+ });
+};
+ describe('DuplicateDashboardForm', () => {
 const defaultBranch = 'master';
 const findByRef = ref => wrapper.find({ ref });
@@ -20,14 +28,7 @@ describe('DuplicateDashboardForm', () => {
 };
 beforeEach(() => {
- // Use `mount` to render native input elements
- wrapper = mount(DuplicateDashboardForm, {
- propsData: {
- dashboard: dashboardGitResponse[0],
- defaultBranch,
- },
- sync: false,
- });
+ createMountedWrapper({ dashboard: dashboardGitResponse[0], defaultBranch });
 });
 it('renders correctly', () => {
@@ -146,3 +147,18 @@ describe('DuplicateDashboardForm', () => {
 });
 });
 });
+
+describe('DuplicateDashboardForm escapes elements', () => {
+ const branchToEscape = "<img/src='x'onerror=alert(document.domain)>";
+
+ beforeEach(() => {
+ createMountedWrapper({ dashboard: dashboardGitResponse[0], defaultBranch: branchToEscape });
+ });
+
+ it('should escape branch name data', () => {
+ const branchOptionHtml = wrapper.vm.branchOptions[0].html;
+ const escapedBranch = '<img/src='x'onerror=alert(document.domain)>';
+
+ expect(branchOptionHtml).toEqual(expect.stringContaining(escapedBranch));
+ });
+});
diff --git a/spec/services/clusters/update_service_spec.rb b/spec/services/clusters/update_service_spec.rb
index d487edd8850..5a7726eded8 100644
--- a/spec/services/clusters/update_service_spec.rb
+++ b/spec/services/clusters/update_service_spec.rb
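Review bot: The escaping test in the last hunk asserts only that the escaped form is present, via `expect.stringContaining(escapedBranch)`; it never asserts that the raw markup is absent, so output carrying both the escaped and the unescaped branch name would still pass. Adding `expect(branchOptionHtml).not.toContain(branchToEscape);` closes that gap. The new describe block also mounts through the module-level `wrapper` with no visible `afterEach(() => wrapper.destroy());`, and whether the first describe block has one cannot be seen from these hunks. As rendered on this page the `escapedBranch` literal appears with its HTML entities decoded, so it reads the same as `branchToEscape`; the entity-encoded value has to be taken from the original file.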
@@ -47,6 +47,39 @@ describe Clusters::UpdateService do
 expect(cluster.platform.namespace).to eq('custom-namespace')
 end
 end
+
+ context 'when service token is empty' do
+ let(:params) do
+ {
+ platform_kubernetes_attributes: {
+ token: ''
+ }
+ }
+ end
+
+ it 'does not update the token' do
+ current_token = cluster.platform.token
+ is_expected.to eq(true)
+ cluster.platform.reload
+
+ expect(cluster.platform.token).to eq(current_token)
+ end
+ end
+
+ context 'when service token is not empty' do
+ let(:params) do
+ {
+ platform_kubernetes_attributes: {
+ token: 'new secret token'
+ }
+ }
+ end
+
+ it 'updates the token' do
+ is_expected.to eq(true)
+ expect(cluster.platform.token).to eq('new secret token')
+ end
+ end
 end
 context 'when invalid params' do |
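Review bot: The 'updates the token' example reads `cluster.platform.token` without a `cluster.platform.reload`, unlike the 'does not update the token' example above it, so it may be satisfied by the in-memory attribute even if the new token was never persisted; add `cluster.platform.reload` before the expectation. The empty-token example would also pass vacuously if the fixture's token were blank, so `expect(current_token).to be_present` before invoking the service would make it meaningful; `cluster` is defined outside the hunk, so this is inferred rather than confirmed. Only `token: ''` is exercised, and a `nil` or whitespace-only token deserves its own example, since those are the other ways a blank form field can reach the service.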