Add XSS spec for application's name

This commit is contained in:
augier 2015-10-10 12:10:29 +02:00 committed by theworldbright
parent 9c9880d880
commit 6fcb9a9d3a
6 changed files with 23 additions and 12 deletions


@ -14,7 +14,7 @@ class UserApplicationPresenter
end end
def name def name
@app.client_name CGI::escape @app.client_name
end end
def image def image
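Review bot: `CGI::escape` on the new side of line 14 is URL percent-encoding, not HTML escaping — it turns `My App` into `My+App` and `&` into `%26`, so every legitimate client name is rendered mangled, while the XSS payload only "passes" because `<` becomes `%3C`. If this value is printed through an ERB view it is HTML-escaped there already and the presenter should return the raw name; if it genuinely must be pre-escaped, the call should be `CGI.escapeHTML(@app.client_name.to_s)`, where `.to_s` also keeps a nil name from raising inside the escape call. The `UserApplicationPresenter` class starts outside the hunk, so whether other presenter methods are consumed by views or by JSON builders cannot be checked here.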


@ -21,7 +21,3 @@ Feature: managing authorized applications
Then I should see 1 authorized applications Then I should see 1 authorized applications
And I revoke the first authorization And I revoke the first authorization
Then I should see 0 authorized applications Then I should see 0 authorized applications
Scenario: XSS escaping
When An application manually registers
Then I should not see "<script>alert(0);</script>"
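Review bot: The `Then I should not see "<script>alert(0);</script>"` step on line 26 asserts against Capybara's visible text, which excludes the contents of `<script>` elements, so an unescaped injection would not be "seen" and the scenario would still pass; conversely a correctly HTML-escaped name renders as exactly that visible text and would make the scenario fail. The check belongs on the raw markup, e.g. a step `Then the page source should not contain "<script>alert(0);</script>"` backed by `expect(page.html).not_to include("<script>alert(0);</script>")`, ideally paired with a positive expectation that the escaped form `&lt;script&gt;` is present. Whether the preceding scenarios' Background signs a user in, which this step presumably relies on, is outside the hunk.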


@ -14,9 +14,3 @@ end
When /^I revoke the first authorization$/ do When /^I revoke the first authorization$/ do
find(".app-revoke", match: :first).click find(".app-revoke", match: :first).click
end end
When /^An application manually registers$/ do
post api_openid_connect_authorizations_new_path, client_name: "<script>alert(0);</script>",
redirect_uri: "http://example.org/", response_type: "id_token", scope: "openid",
state: 1234, display: "page", prompt: "none"
end
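Review bot: The bare `post` on lines 35–37 appears to go through the Rails integration session rather than the Capybara driver, so if the following `I should not see` step reads Capybara's `page`, it inspects a page that was never navigated and the assertion is vacuous; `page.driver.post api_openid_connect_authorizations_new_path, client_name: "<script>alert(0);</script>", ...` makes the response the current page. Separately, the request sends `prompt: "none"`, which in OpenID Connect instructs the server not to display any authentication or consent UI — if the endpoint honours it, the page that would display the client name is never rendered, so `prompt: "consent"` (or omitting `prompt`) exercises the escaping path more reliably. The step also hard-codes the payload string that the feature file repeats; a single constant or a step parameter would keep the two in sync.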


@ -130,7 +130,6 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
end end
end end
end end
context "when already authorized" do context "when already authorized" do
let!(:auth) { let!(:auth) {
Api::OpenidConnect::Authorization.find_or_create_by(o_auth_application: client, user: alice, Api::OpenidConnect::Authorization.find_or_create_by(o_auth_application: client, user: alice,


@ -0,0 +1,17 @@
require "spec_helper"
describe Api::OpenidConnect::UserApplicationsController, type: :controller do
before do
@app = FactoryGirl.create(:o_auth_application_with_xss)
@user = FactoryGirl.create :user
FactoryGirl.create :auth_with_read, user: @user, o_auth_application: @app
sign_in :user, @user
end
context "when try to XSS" do
it "should not include XSS script" do
get :index
expect(response.body).to_not include("<script>alert(0);</script>")
end
end
end
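Review bot: RSpec controller specs (`type: :controller`) stub template rendering unless `render_views` is declared, so `response.body` in the example on lines 62–65 is normally empty and the negative `to_not include` passes regardless of how the name is escaped; add `render_views` directly under the `describe` line (unless the index action renders without a template, which is not visible here). The assertion should also state the expected output positively — `expect(response.body).to include("&lt;script&gt;alert(0);&lt;/script&gt;")` — because a negative check is satisfied equally by HTML escaping, URL encoding (`%3Cscript%3E`), or the name simply not being rendered. As written the spec cannot distinguish a correct fix from the current `CGI::escape` behaviour.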


@ -340,6 +340,11 @@ FactoryGirl.define do
redirect_uris %w(http://localhost:3000/ http://localhost/) redirect_uris %w(http://localhost:3000/ http://localhost/)
end end
factory :o_auth_application_with_xss, class: Api::OpenidConnect::OAuthApplication do
client_name "<script>alert(0);</script>"
redirect_uris %w(http://localhost:3000/)
end
factory :auth_with_read, class: Api::OpenidConnect::Authorization do factory :auth_with_read, class: Api::OpenidConnect::Authorization do
o_auth_application o_auth_application
user user
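Review bot: The new `o_auth_application_with_xss` factory on lines 74–77 repeats the class and a `redirect_uris` value of the factory ending on line 73 (apparently the base OAuthApplication factory) instead of deriving from it, so the two will drift; a trait on the base factory, `trait :with_xss_name do` / `client_name "<script>alert(0);</script>"` / `end`, used as `FactoryGirl.create(:o_auth_application, :with_xss_name)`, keeps one definition of the application. Its `redirect_uris` also drops `http://localhost/` from the base list, which the spec does not need but which is an unexplained difference. The base factory's header is outside the hunk, so its exact name is not confirmed here.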