-rw-r--r-- | app/assets/javascripts/blob/openapi/index.js | 2 | ||||
-rw-r--r-- | config/application.rb | 3 | ||||
-rw-r--r-- | jest.config.integration.js | 1 | ||||
-rw-r--r-- | spec/features/projects/blobs/blob_show_spec.rb | 2 | ||||
-rw-r--r-- | spec/frontend/blob/openapi/index_spec.js | 2 | ||||
-rw-r--r-- | spec/initializers/rails_yaml_safe_load_spec.rb | 43 |
6 files changed, 49 insertions, 4 deletions
diff --git a/app/assets/javascripts/blob/openapi/index.js b/app/assets/javascripts/blob/openapi/index.js
index 943001b7ec4..24a54358de5 100644
--- a/app/assets/javascripts/blob/openapi/index.js
+++ b/app/assets/javascripts/blob/openapi/index.js
@@ -5,7 +5,7 @@ const createSandbox = () => {
   const iframeEl = document.createElement('iframe');
   setAttributes(iframeEl, {
     src: '/-/sandbox/swagger',
-    sandbox: 'allow-scripts',
+    sandbox: 'allow-scripts allow-popups',
     frameBorder: 0,
     width: '100%',
     // The height will be adjusted dynamically.
diff --git a/config/application.rb b/config/application.rb
index 368036ce064..d7e16117d53 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -564,7 +564,8 @@ module Gitlab
       # Used in app/services/web_hooks/log_execution_service.rb: log_execution
       ActiveSupport::TimeWithZone,
       ActiveSupport::TimeZone,
-      Gitlab::Color # https://gitlab.com/gitlab-org/gitlab/-/issues/368844
+      Gitlab::Color, # https://gitlab.com/gitlab-org/gitlab/-/issues/368844,
+      Hashie::Array # https://gitlab.com/gitlab-org/gitlab/-/issues/378089
     ]
 
     # on_master_start yields immediately in unclustered environments and runs
diff --git a/jest.config.integration.js b/jest.config.integration.js
index df25c2b247b..e2ce32218e0 100644
--- a/jest.config.integration.js
+++ b/jest.config.integration.js
@@ -25,4 +25,5 @@ module.exports = {
     },
   }),
   timers: 'real',
+  testTimeout: process.env.CI ? 20000 : 7000,
 };
diff --git a/spec/features/projects/blobs/blob_show_spec.rb b/spec/features/projects/blobs/blob_show_spec.rb
index d679d1eeeb9..e01382cf31f 100644
--- a/spec/features/projects/blobs/blob_show_spec.rb
+++ b/spec/features/projects/blobs/blob_show_spec.rb
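Review bot: The widened `sandbox:` line has no comment saying why `allow-popups` is needed or which flags must never join it, and this attribute is the only boundary between a user-supplied OpenAPI document rendered by Swagger UI and GitLab's own origin. With `allow-same-origin` and `allow-popups-to-escape-sandbox` absent the frame keeps an opaque origin and any window it opens inherits the same sandbox, which is the right shape, but nothing here tells the next person adding a token that those two would let spec-controlled script run as GitLab. I would add above the line: `// allow-popups: presumably so Swagger UI can open external links in a new tab. Popups inherit this sandbox; never add allow-same-origin or allow-popups-to-escape-sandbox, the rendered spec is user content.` createSandbox continues outside the hunk.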
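Review bot: The rewritten `Gitlab::Color,` line carries a stray trailing comma inside its comment (`.../368844,`), which makes the comment look like part of the list; it should read `Gitlab::Color, # https://gitlab.com/gitlab-org/gitlab/-/issues/368844`. More importantly, this list presumably permits a class for every YAML-serialized column rather than only the one that emitted a `Hashie::Array`, so the new entry deserves a note naming which column or service writes that class so the entry can be dropped once that source stops producing it, e.g. `Hashie::Array # https://gitlab.com/gitlab-org/gitlab/-/issues/378089 (written by <column/service>; remove once it serializes a plain Array)`. The enclosing array starts before the hunk.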
@@ -1002,7 +1002,7 @@ RSpec.describe 'File blob', :js do
       end
 
       it 'renders sandboxed iframe' do
-        expected = %(<iframe src="/-/sandbox/swagger" sandbox="allow-scripts" frameborder="0" width="100%" height="1000">)
+        expected = %(<iframe src="/-/sandbox/swagger" sandbox="allow-scripts allow-popups" frameborder="0" width="100%" height="1000">)
         expect(page.html).to include(expected)
       end
     end
diff --git a/spec/frontend/blob/openapi/index_spec.js b/spec/frontend/blob/openapi/index_spec.js
index 5884b27d951..17e718df495 100644
--- a/spec/frontend/blob/openapi/index_spec.js
+++ b/spec/frontend/blob/openapi/index_spec.js
@@ -21,7 +21,7 @@ describe('OpenAPI blob viewer', () => {
 
   it('initializes SwaggerUI with the correct configuration', () => {
     expect(document.body.innerHTML).toContain(
-      '<iframe src="/-/sandbox/swagger" sandbox="allow-scripts" frameborder="0" width="100%" height="1000"></iframe>',
+      '<iframe src="/-/sandbox/swagger" sandbox="allow-scripts allow-popups" frameborder="0" width="100%" height="1000"></iframe>',
     );
   });
 });
diff --git a/spec/initializers/rails_yaml_safe_load_spec.rb b/spec/initializers/rails_yaml_safe_load_spec.rb
new file mode 100644
index 00000000000..8cf6a3676e0
--- /dev/null
+++ b/spec/initializers/rails_yaml_safe_load_spec.rb
@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'Rails YAML safe load' do
+  let(:unsafe_load) { false }
+
+  let(:klass) do
+    Class.new(ActiveRecord::Base) do
+      self.table_name = 'issues'
+
+      serialize :description
+    end
+  end
+
+  let(:instance) { klass.new(description: data) }
+
+  context 'with default permitted classes' do
+    let(:data) do
+      {
+        'time' => Time.now,
+        'date' => Date.today,
+        'number' => 1,
+        'hashie-array' => Hashie::Array.new([1, 2]),
+        'array' => [5, 6]
+      }
+    end
+
+    it 'deserializes data' do
+      instance.save!
+
+      expect(klass.find(instance.id).description).to eq(data)
+    end
+
+    context 'with unpermitted classes' do
+      let(:data) { { 'test' => create(:user) } }
+
+      it 'throws an exception' do
+        expect { instance.save! }.to raise_error(Psych::DisallowedClass)
+      end
+    end
+  end
+end
|
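Review bot: `let(:unsafe_load) { false }` near the top of the new spec is never referenced anywhere in the file and should be removed, or wired into whatever toggle it was meant to drive. The 'deserializes data' example also does not prove that the `hashie-array` entry was revived as `Hashie::Array`: `eq(data)` bottoms out in `Array#==`, which compares elements regardless of subclass, so a plain `Array` coming back from the column would pass just as well; add `expect(klass.find(instance.id).description['hashie-array']).to be_a(Hashie::Array)`. Nesting 'with unpermitted classes' inside 'with default permitted classes' also makes the raising example read as a permitted-classes case; it would be clearer as a sibling context.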