[master] Stored XSS in Gitlab Merge Request from imported repository

1 files changed, 28 insertions, 0 deletions

diff --git a/spec/lib/gitlab/diff/highlight_spec.rb b/spec/lib/gitlab/diff/highlight_spec.rb
index 3c8cf9c56cc..5d0a603d11d 100644
--- a/spec/lib/gitlab/diff/highlight_spec.rb
+++ b/spec/lib/gitlab/diff/highlight_spec.rb
@@ -8,6 +8,20 @@ describe Gitlab::Diff::Highlight do
   let(:diff) { commit.raw_diffs.first }
   let(:diff_file) { Gitlab::Diff::File.new(diff, diff_refs: commit.diff_refs, repository: project.repository) }
 
+  shared_examples 'without inline diffs' do
+    let(:code) { '<h2 onmouseover="alert(2)">Test</h2>' }
+
+    before do
+      allow(Gitlab::Diff::InlineDiff).to receive(:for_lines).and_return([])
+      allow_any_instance_of(Gitlab::Diff::Line).to receive(:text).and_return(code)
+    end
+
+    it 'returns html escaped diff text' do
+      expect(subject[1].rich_text).to eq html_escape(code)
+      expect(subject[1].rich_text).to be_html_safe
+    end
+  end
+
   describe '#highlight' do
     context "with a diff file" do
       let(:subject) { described_class.new(diff_file, repository: project.repository).highlight }
@@ -38,6 +52,16 @@ describe Gitlab::Diff::Highlight do
 
         expect(subject[5].rich_text).to eq(code)
       end
+
+      context 'when no diff_refs' do
+        before do
+          allow(diff_file).to receive(:diff_refs).and_return(nil)
+        end
+
+        context 'when no inline diffs' do
+          it_behaves_like 'without inline diffs'
+        end
+      end
     end
 
     context "with diff lines" do
@@ -93,6 +117,10 @@ describe Gitlab::Diff::Highlight do
           expect { subject }. to raise_exception(RangeError)
         end
       end
+
+      context 'when no inline diffs' do
+        it_behaves_like 'without inline diffs'
+      end
     end
   end
 end