author | ernstvn <ernst@gitlab.com> | 2017-09-25 17:56:52 -0700 |
---|---|---|
committer | ernstvn <ernst@gitlab.com> | 2017-09-25 17:56:52 -0700 |
commit | e16878bbef17385d126fe98eb7d14086df86ee25 (patch) | |
tree | 28e56a37b7f02404beb5e6f571f10e405de00162 /doc/development/testing.md | |
parent | 53b3ad5f7ce50bfdb1dd0c72b3cc2b020f52abe1 (diff) | |
download | gitlab-ce-e16878bbef17385d126fe98eb7d14086df86ee25.tar.gz |
Test for what should not be there as well
evn-add-neg-tests
Diffstat (limited to 'doc/development/testing.md')
-rw-r--r-- | doc/development/testing.md | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/doc/development/testing.md b/doc/development/testing.md index 83269303005..386e8bef972 100644 --- a/doc/development/testing.md +++ b/doc/development/testing.md @@ -150,6 +150,16 @@ always in-sync with the codebase. [GitLab QA]: https://gitlab.com/gitlab-org/gitlab-qa [part of GitLab Rails]: https://gitlab.com/gitlab-org/gitlab-ce/tree/master/qa +## Test for what should not be there + +This is particularly important for permission calls and might be called a +negative assertion: make sure only the bare minimum is returned and nothing else. + +See an issue about [leaking tokens] as an example of a vulnerability that is +captured by such a test. + +[leaking tokens]: https://gitlab.com/gitlab-org/gitlab-ce/issues/37948 + ## How to test at the correct level? As many things in life, deciding what to test at each level of testing is a |
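Review bot: The first paragraph of the added "Test for what should not be there" section opens with "This is particularly important for permission calls", where "This" has only the heading as its antecedent and "permission calls" is never defined, so the paragraph does not stand on its own as guidance. Suggest stating the rule directly: say that a test should assert the absence of data the caller must not receive in addition to the presence of expected data, and name the kind of call meant. The section also relies entirely on the [leaking tokens] issue link for its illustration; a one-sentence description of what such a test checks would keep the guidance usable if the issue is moved or its visibility changes. Minor: the section lands between the "GitLab QA" link references and "How to test at the correct level?", so confirm that is the intended place in the outline.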