Diffstat (limited to 'spec/features/projects/issues/design_management/user_views_designs_with_svg_xss_spec.rb')
-rw-r--r-- | spec/features/projects/issues/design_management/user_views_designs_with_svg_xss_spec.rb | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/spec/features/projects/issues/design_management/user_views_designs_with_svg_xss_spec.rb b/spec/features/projects/issues/design_management/user_views_designs_with_svg_xss_spec.rb
new file mode 100644
index 00000000000..a9e4aa899a7
--- /dev/null
+++ b/spec/features/projects/issues/design_management/user_views_designs_with_svg_xss_spec.rb
@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'User views an SVG design that contains XSS', :js do
+  include DesignManagementTestHelpers
+
+  let(:project) { create(:project_empty_repo, :public) }
+  let(:issue) { create(:issue, project: project) }
+  let(:file) { Rails.root.join('spec', 'fixtures', 'logo_sample.svg') }
+  let(:design) { create(:design, :with_file, filename: 'xss.svg', file: file, issue: issue) }
+
+  before do
+    enable_design_management
+
+    visit designs_project_issue_path(
+      project,
+      issue,
+      { vueroute: design.filename }
+    )
+
+    wait_for_requests
+  end
+
+  it 'has XSS within the SVG file' do
+    file_content = File.read(file)
+
+    expect(file_content).to include("<script>alert('FAIL')</script>")
+  end
+
+  it 'displays the SVG' do
+    expect(page).to have_selector("img.design-img[alt='xss.svg']", count: 1, visible: false)
+  end
+
+  it 'does not execute the JavaScript within the SVG' do
+    # The expectation is that we can call the capybara `page.dismiss_prompt`
+    # method to close a JavaScript alert prompt without a `Capybara::ModalNotFound`
+    # being raised.
+    run_expectation = -> {
+      page.dismiss_prompt(wait: 1)
+    }
+
+    # With the page loaded, there should be no alert modal
+    expect(run_expectation).to raise_error(
+      Capybara::ModalNotFound,
+      'Unable to find modal dialog'
+    )
+
+    # Perform a negative control test of the above expectation.
+    # With an alert modal displaying, the modal should be dismissable.
+    execute_script('alert(true)')
+
+    expect(run_expectation).not_to raise_error
+  end
+end |
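Review bot: The 'does not execute the JavaScript within the SVG' example only covers the SVG being rendered through `img.design-img`, and browsers never run scripts in an SVG loaded via an `<img>` element, so this example would also pass if the URL that serves the design file itself returned the SVG inline as `image/svg+xml` without `Content-Disposition: attachment` (or from the same origin without a restrictive CSP), which is where an SVG XSS is actually reachable. Consider adding an example that navigates to the image's own URL, e.g. `visit find("img.design-img[alt='xss.svg']", visible: false)[:src]`, and applies the same no-modal expectation, or a request spec asserting the attachment disposition on that response. The negative control with `execute_script('alert(true)')` is a good addition since it confirms the driver actually surfaces `alert()` dialogs through `dismiss_prompt`; a short comment above it stating that purpose would help the next reader. Pinning the exact message `'Unable to find modal dialog'` couples the spec to a specific Capybara version; `raise_error(Capybara::ModalNotFound)` alone carries the same assurance.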