Add XSS spec for application's name

2015-10-10 12:10:29 +02:00 · 2015-10-10 12:10:29 +02:00 · 6fcb9a9d3a
commit 6fcb9a9d3a
parent 9c9880d880
6 changed files with 23 additions and 12 deletions
--- a/app/presenters/user_application_presenter.rb
+++ b/app/presenters/user_application_presenter.rb
@ -14,7 +14,7 @@ class UserApplicationPresenter
  end

  def name
-    @app.client_name
+    CGI::escape @app.client_name
  end

  def image
--- a/features/desktop/user_applications.feature
+++ b/features/desktop/user_applications.feature
@ -21,7 +21,3 @@ Feature: managing authorized applications
    Then I should see 1 authorized applications
    And I revoke the first authorization
    Then I should see 0 authorized applications
-
-  Scenario: XSS escaping
-    When An application manually registers
-    Then I should not see "<script>alert(0);</script>"
--- a/features/step_definitions/user_applications_steps.rb
+++ b/features/step_definitions/user_applications_steps.rb
@ -14,9 +14,3 @@ end
 When /^I revoke the first authorization$/ do
  find(".app-revoke", match: :first).click
 end
-
-When /^An application manually registers$/ do
-  post api_openid_connect_authorizations_new_path, client_name: "<script>alert(0);</script>",
-       redirect_uri: "http://example.org/", response_type: "id_token", scope: "openid",
-       state: 1234, display: "page", prompt: "none"
-end
--- a/spec/controllers/api/openid_connect/authorizations_controller_spec.rb
+++ b/spec/controllers/api/openid_connect/authorizations_controller_spec.rb
@ -130,7 +130,6 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
        end
      end
    end
-
    context "when already authorized" do
      let!(:auth) {
        Api::OpenidConnect::Authorization.find_or_create_by(o_auth_application: client, user: alice,
--- a/spec/controllers/api/openid_connect/user_applications_spec.rb
+++ b/spec/controllers/api/openid_connect/user_applications_spec.rb
@ -0,0 +1,17 @@
+require "spec_helper"
+
+describe Api::OpenidConnect::UserApplicationsController, type: :controller do
+  before do
+    @app = FactoryGirl.create(:o_auth_application_with_xss)
+    @user = FactoryGirl.create :user
+    FactoryGirl.create :auth_with_read, user: @user, o_auth_application: @app
+    sign_in :user, @user
+  end
+
+  context "when try to XSS" do
+    it "should not include XSS script" do
+      get :index
+      expect(response.body).to_not include("<script>alert(0);</script>")
+    end
+  end
+end
--- a/spec/factories.rb
+++ b/spec/factories.rb
@ -340,6 +340,11 @@ FactoryGirl.define do
    redirect_uris %w(http://localhost:3000/ http://localhost/)
  end

+  factory :o_auth_application_with_xss, class: Api::OpenidConnect::OAuthApplication do
+    client_name "<script>alert(0);</script>"
+    redirect_uris %w(http://localhost:3000/)
+  end
+
  factory :auth_with_read, class: Api::OpenidConnect::Authorization do
    o_auth_application
    user