author | Mark Chao <mchao@gitlab.com> | 2018-09-12 14:34:55 +0800 |
committer | Mark Chao <mchao@gitlab.com> | 2018-09-19 09:13:33 +0800 |
commit | 3bd607f280b70bdc7c574a4c217168adb1a88ecd (patch) | |
tree | d94505e6ab20b12dc0a3e0a59f9072432951f668 /spec/models/blob_viewer | |
parent | 2dac058de25dc6ed03d0ed6f8b099aa17cdc1cab (diff) | |
download | gitlab-ce-3bd607f280b70bdc7c574a4c217168adb1a88ecd.tar.gz |
Fix xss vulnerability sourced from package.json's homepage
Diffstat (limited to 'spec/models/blob_viewer')
-rw-r--r-- | spec/models/blob_viewer/package_json_spec.rb | 21 |
1 files changed, 17 insertions, 4 deletions
diff --git a/spec/models/blob_viewer/package_json_spec.rb b/spec/models/blob_viewer/package_json_spec.rb
index 5ed2f4400bc..fbaa8d47a71 100644
--- a/spec/models/blob_viewer/package_json_spec.rb
+++ b/spec/models/blob_viewer/package_json_spec.rb
@@ -40,13 +40,14 @@ describe BlobViewer::PackageJson do
 end
 
 context 'when package.json has "private": true' do
+ let(:homepage) { 'http://example.com' }
 let(:data) do
 <<-SPEC.strip_heredoc
 {
 "name": "module-name",
 "version": "10.3.1",
 "private": true,
- "homepage": "myawesomepackage.com"
+ "homepage": #{homepage.to_json}
 }
 SPEC
 end
@@ -54,10 +55,22 @@ describe BlobViewer::PackageJson do
 subject { described_class.new(blob) }
 
 describe '#package_url' do
- it 'returns homepage if any' do
- expect(subject).to receive(:prepare!)
+ context 'when the homepage has a valid URL' do
+ it 'returns homepage URL' do
+ expect(subject).to receive(:prepare!)
+
+ expect(subject.package_url).to eq(homepage)
+ end
+ end
+
+ context 'when the homepage has an invalid URL' do
+ let(:homepage) { 'javascript:alert()' }
+
+ it 'returns nil' do
+ expect(subject).to receive(:prepare!)
 
- expect(subject.package_url).to eq('myawesomepackage.com')
+ expect(subject.package_url).to be_nil
+ end
 end
 end
 
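Review bot: The new 'when the homepage has an invalid URL' context pins exactly one rejected value, and the scheme-less string the old fixture asserted on (`myawesomepackage.com`, removed by the `- expect(subject.package_url).to eq('myawesomepackage.com')` line) is no longer covered at all, so the spec does not document whether a homepage without a scheme is accepted or dropped by the new validation. A third context, `context 'when the homepage has no scheme' do` with `let(:homepage) { 'myawesomepackage.com' }`, asserting whichever result the validator is meant to give, would fix that boundary for future maintainers; I cannot tell from this hunk which result is intended. The two valid/invalid contexts also repeat `expect(subject).to receive(:prepare!)` verbatim, which a shared `before` in `describe '#package_url'` would remove. The enclosing `describe '#package_url'` and outer `context` blocks begin before this hunk.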