author | Cindy Pallares <cindy@gitlab.com> | 2018-11-28 18:37:12 +0000 |
---|---|---|
committer | Cindy Pallares <cindy@gitlab.com> | 2018-11-28 19:07:29 -0500 |
commit | 4bc6f2e3ac8e6997ebc3b06867049dc38aa6d6e6 (patch) | |
tree | 8187716680c85065ed8780632408d4ccf897ba50 /spec/migrations | |
parent | 1be0174b6aaab1c0cfe86a8b1c91b8ea6fa3db72 (diff) | |
download | gitlab-ce-4bc6f2e3ac8e6997ebc3b06867049dc38aa6d6e6.tar.gz |
Merge branch 'security-stored-xss-for-environments' into 'master'
[master] Stored XSS for Environments
Closes #2727
See merge request gitlab/gitlabhq!2594
Diffstat (limited to 'spec/migrations')
-rw-r--r-- | spec/migrations/cleanup_environments_external_url_spec.rb | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/spec/migrations/cleanup_environments_external_url_spec.rb b/spec/migrations/cleanup_environments_external_url_spec.rb
new file mode 100644
index 00000000000..07ddaf3d38f
--- /dev/null
+++ b/spec/migrations/cleanup_environments_external_url_spec.rb
@@ -0,0 +1,28 @@
+require 'spec_helper'
+require Rails.root.join('db', 'migrate', '20181108091549_cleanup_environments_external_url.rb')
+
+describe CleanupEnvironmentsExternalUrl, :migration do
+ let(:environments) { table(:environments) }
+ let(:invalid_entries) { environments.where(environments.arel_table[:external_url].matches('javascript://%')) }
+ let(:namespaces) { table(:namespaces) }
+ let(:projects) { table(:projects) }
+
+ before do
+ namespace = namespaces.create(name: 'foo', path: 'foo')
+ project = projects.create!(namespace_id: namespace.id)
+
+ environments.create!(id: 1, project_id: project.id, name: 'poisoned', slug: 'poisoned', external_url: 'javascript://alert("1")')
+ end
+
+ it 'clears every environment with a javascript external_url' do
+ expect do
+ subject.up
+ end.to change { invalid_entries.count }.from(1).to(0)
+ end
+
+ it 'do not removes environments' do
+ expect do
+ subject.up
+ end.not_to change { environments.count }
+ end
+end |
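Review bot: Nothing in this spec asserts that a legitimate `external_url` survives the migration: the `before` block creates only the 'poisoned' row, and the second example checks `environments.count` alone, so a migration that blanked every `external_url` would pass both examples. Add a control row with an `https://` URL (constructed sample value below) and assert it is unchanged after `subject.up`. The fixture and the `invalid_entries` pattern also cover only the lower-case `javascript://` form; the migration itself is not shown here, so whether it handles other spellings of the scheme should be confirmed and pinned with a fixture if it does. Smaller points: `namespaces.create` should be `namespaces.create!` so a failed insert surfaces in setup, and the example title reads better as `'does not remove environments'`.

```ruby
  before do
    # … unchanged: namespace, project and the 'poisoned' environment …
    environments.create!(id: 2, project_id: project.id, name: 'safe', slug: 'safe', external_url: 'https://example.com')
  end

  it 'leaves environments with an http(s) external_url untouched' do
    expect do
      subject.up
    end.not_to change { environments.find(2).external_url }
  end
```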