debian-mirror-gitlab/spec/requests/jira_connect/users_controller_spec.rb

# frozen_string_literal: true
require 'spec_helper'
# Request specs for how the Jira Connect users page treats the caller-supplied
# `return_to` parameter. Each example signs in, requests the page with a
# different `return_to`, and checks whether the "Return to GitLab" text is
# rendered. The allow-list logic itself lives outside this file.
#
# NOTE(review): the negative examples assert only that the link label is
# absent. They do not assert that the rejected `return_to` value is absent
# from the body, and no example covers a host that merely starts or ends with
# the accepted domain. Confirm whether those cases are covered elsewhere.
RSpec.describe JiraConnect::UsersController do
  describe 'GET /-/jira_connect/users' do
    let_it_be(:user) { create(:user) }

    before { sign_in(user) }

    # Issues the request under test with the context's `return_to` value.
    def request_users_page
      get('/-/jira_connect/users', params: { return_to: return_to })
    end

    context 'with a valid host' do
      # https URL on an atlassian.net subdomain: the link is expected.
      let(:return_to) { 'https://testcompany.atlassian.net/plugins/servlet/ac/gitlab-jira-connect-staging.gitlab.com/gitlab-configuration' }

      it 'includes a return url' do
        request_users_page

        expect(response).to have_gitlab_http_status(:ok)
        expect(response.body).to include('Return to GitLab')
      end
    end

    context 'with an invalid host' do
      # https URL on an unrelated host: the page still renders (200) but
      # must not offer a link back to it.
      let(:return_to) { 'https://evil.com' }

      it 'does not include a return url' do
        request_users_page

        expect(response).to have_gitlab_http_status(:ok)
        expect(response.body).not_to include('Return to GitLab')
      end
    end

    context 'with a script injected' do
      # The authority looks like an atlassian.net host, but the scheme is
      # `javascript:` and the path carries a double-encoded CR (`%250d`).
      # Presumably this pins that the scheme is validated as well as the
      # host; verify against the controller.
      let(:return_to) { 'javascript://test.atlassian.net/%250dalert(document.domain)' }

      it 'does not include a return url' do
        request_users_page

        expect(response).to have_gitlab_http_status(:ok)
        expect(response.body).not_to include('Return to GitLab')
      end
    end
  end
end