From 37f194bbc19045abe013a58274494c1a6c8bbdd5 Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Wed, 1 Jun 2022 07:28:22 +0000 Subject: Add latest changes from gitlab-org/security/gitlab@15-0-stable-ee --- spec/features/security/group/private_access_spec.rb | 2 +- spec/frontend/gfm_auto_complete_spec.js | 15 +++++++++++++++ spec/requests/api/members_spec.rb | 15 +++++++++++++++ 3 files changed, 31 insertions(+), 1 deletion(-) (limited to 'spec') diff --git a/spec/features/security/group/private_access_spec.rb b/spec/features/security/group/private_access_spec.rb index fc1fb3e3848..f733145b5e3 100644 --- a/spec/features/security/group/private_access_spec.rb +++ b/spec/features/security/group/private_access_spec.rb @@ -97,7 +97,7 @@ RSpec.describe 'Private Group access' do it { is_expected.to be_allowed_for(:developer).of(group) } it { is_expected.to be_allowed_for(:reporter).of(group) } it { is_expected.to be_allowed_for(:guest).of(group) } - it { is_expected.to be_allowed_for(project_guest) } + it { is_expected.to be_denied_for(project_guest) } it { is_expected.to be_denied_for(:user) } it { is_expected.to be_denied_for(:external) } it { is_expected.to be_denied_for(:visitor) } diff --git a/spec/frontend/gfm_auto_complete_spec.js b/spec/frontend/gfm_auto_complete_spec.js index aa98b2774ea..552377e3381 100644 --- a/spec/frontend/gfm_auto_complete_spec.js +++ b/spec/frontend/gfm_auto_complete_spec.js @@ -868,4 +868,19 @@ describe('GfmAutoComplete', () => { ); }); }); + + describe('Contacts', () => { + it('escapes name and email correct', () => { + const xssPayload = ''; + const escapedPayload = '<script>alert(1)</script>'; + + expect( + GfmAutoComplete.Contacts.templateFunction({ + email: xssPayload, + firstName: xssPayload, + lastName: xssPayload, + }), + ).toBe(`
  • ${escapedPayload} ${escapedPayload} ${escapedPayload}
    • `); + }); + }); }); diff --git a/spec/requests/api/members_spec.rb b/spec/requests/api/members_spec.rb index 0db42e7439c..63ef8643088 100644 --- a/spec/requests/api/members_spec.rb +++ b/spec/requests/api/members_spec.rb @@ -184,6 +184,21 @@ RSpec.describe API::Members do expect(json_response).to be_an Array expect(json_response.map { |u| u['id'] }).to match_array [maintainer.id, developer.id, nested_user.id] end + + context 'with a subgroup' do + let(:group) { create(:group, :private)} + let(:subgroup) { create(:group, :private, parent: group)} + let(:project) { create(:project, group: subgroup) } + + before do + subgroup.add_developer(developer) + end + + it 'subgroup member cannot get parent group members list' do + get api("/groups/#{group.id}/members/all", developer) + expect(response).to have_gitlab_http_status(:forbidden) + end + end end shared_examples 'GET /:source_type/:id/members/(all/):user_id' do |source_type, all| -- cgit v1.2.1