2022-02-05 19:09:49 +05:30
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
|
|
require 'spec_helper'
|
|
|
|
|
|
|
|
RSpec.describe JiraConnect::UsersController do
|
|
|
|
describe 'GET /-/jira_connect/users' do
|
|
|
|
let_it_be(:user) { create(:user) }
|
|
|
|
|
|
|
|
before do
|
|
|
|
sign_in(user)
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with a valid host' do
|
|
|
|
let(:return_to) { 'https://testcompany.atlassian.net/plugins/servlet/ac/gitlab-jira-connect-staging.gitlab.com/gitlab-configuration' }
|
|
|
|
|
|
|
|
it 'includes a return url' do
|
|
|
|
get '/-/jira_connect/users', params: { return_to: return_to }
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:ok)
|
|
|
|
expect(response.body).to include('Return to GitLab')
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with an invalid host' do
|
|
|
|
let(:return_to) { 'https://evil.com' }
|
|
|
|
|
|
|
|
it 'does not include a return url' do
|
|
|
|
get '/-/jira_connect/users', params: { return_to: return_to }
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:ok)
|
|
|
|
expect(response.body).not_to include('Return to GitLab')
|
|
|
|
end
|
|
|
|
end
|
2023-01-10 11:22:00 +05:30
|
|
|
|
|
|
|
context 'with a script injected' do
|
|
|
|
let(:return_to) { 'javascript://test.atlassian.net/%250dalert(document.domain)' }
|
|
|
|
|
|
|
|
it 'does not include a return url' do
|
|
|
|
get '/-/jira_connect/users', params: { return_to: return_to }
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:ok)
|
|
|
|
expect(response.body).not_to include('Return to GitLab')
|
|
|
|
end
|
|
|
|
end
|
2022-02-05 19:09:49 +05:30
|
|
|
end
|
|
|
|
end
|