diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-01 07:28:22 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-01 07:28:28 +0000 |
commit | 37f194bbc19045abe013a58274494c1a6c8bbdd5 (patch) | |
tree | 99ae3d2a13d8d5592c8fabc7ed38d5117dbfe163 /spec | |
parent | de222caa576cab3d0894c65531f5822f205877d5 (diff) | |
download | gitlab-ce-37f194bbc19045abe013a58274494c1a6c8bbdd5.tar.gz |
Add latest changes from gitlab-org/security/gitlab@15-0-stable-ee
Diffstat (limited to 'spec')
-rw-r--r-- | spec/features/security/group/private_access_spec.rb | 2 | ||||
-rw-r--r-- | spec/frontend/gfm_auto_complete_spec.js | 15 | ||||
-rw-r--r-- | spec/requests/api/members_spec.rb | 15 |
3 files changed, 31 insertions, 1 deletions
diff --git a/spec/features/security/group/private_access_spec.rb b/spec/features/security/group/private_access_spec.rb index fc1fb3e3848..f733145b5e3 100644 --- a/spec/features/security/group/private_access_spec.rb +++ b/spec/features/security/group/private_access_spec.rb @@ -97,7 +97,7 @@ RSpec.describe 'Private Group access' do it { is_expected.to be_allowed_for(:developer).of(group) } it { is_expected.to be_allowed_for(:reporter).of(group) } it { is_expected.to be_allowed_for(:guest).of(group) } - it { is_expected.to be_allowed_for(project_guest) } + it { is_expected.to be_denied_for(project_guest) } it { is_expected.to be_denied_for(:user) } it { is_expected.to be_denied_for(:external) } it { is_expected.to be_denied_for(:visitor) } diff --git a/spec/frontend/gfm_auto_complete_spec.js b/spec/frontend/gfm_auto_complete_spec.js index aa98b2774ea..552377e3381 100644 --- a/spec/frontend/gfm_auto_complete_spec.js +++ b/spec/frontend/gfm_auto_complete_spec.js @@ -868,4 +868,19 @@ describe('GfmAutoComplete', () => { ); }); }); + + describe('Contacts', () => { + it('escapes name and email correct', () => { + const xssPayload = '<script>alert(1)</script>'; + const escapedPayload = '<script>alert(1)</script>'; + + expect( + GfmAutoComplete.Contacts.templateFunction({ + email: xssPayload, + firstName: xssPayload, + lastName: xssPayload, + }), + ).toBe(`<li><small>${escapedPayload} ${escapedPayload}</small> ${escapedPayload}</li>`); + }); + }); }); diff --git a/spec/requests/api/members_spec.rb b/spec/requests/api/members_spec.rb index 0db42e7439c..63ef8643088 100644 --- a/spec/requests/api/members_spec.rb +++ b/spec/requests/api/members_spec.rb @@ -184,6 +184,21 @@ RSpec.describe API::Members do expect(json_response).to be_an Array expect(json_response.map { |u| u['id'] }).to match_array [maintainer.id, developer.id, nested_user.id] end + + context 'with a subgroup' do + let(:group) { create(:group, :private)} + let(:subgroup) { create(:group, :private, parent: group)} + let(:project) { create(:project, group: subgroup) } + + before do + subgroup.add_developer(developer) + end + + it 'subgroup member cannot get parent group members list' do + get api("/groups/#{group.id}/members/all", developer) + expect(response).to have_gitlab_http_status(:forbidden) + end + end end shared_examples 'GET /:source_type/:id/members/(all/):user_id' do |source_type, all| |