Add URL validations for generic commit statuses

53f4f849 · Grzegorz Bizon · 2e088c06 · 53f4f849 · 53f4f849 · 53f4f849
Commit 53f4f849 authored 8 years ago by Grzegorz Bizon
--- a/app/models/generic_commit_status.rb
+++ b/app/models/generic_commit_status.rb
 class GenericCommitStatus < CommitStatus
  before_validation :set_default_values
+  validates :target_url, addressable_url: true,
+                         length: { maximum: 255 },
+                         allow_nil: true
  # GitHub compatible API
  alias_attribute :context, :name

--- a/spec/models/generic_commit_status_spec.rb
+++ b/spec/models/generic_commit_status_spec.rb
@@ -10,6 +10,13 @@ describe GenericCommitStatus, models: true do
                                   target_url: external_url)
  end
+  describe 'validations' do
+    it { is_expected.to validate_length_of(:target_url).is_at_most(255) }
+    it { is_expected.to allow_value(nil).for(:target_url) }
+    it { is_expected.to allow_value('http://gitlab.com/s').for(:target_url) }
+    it { is_expected.not_to allow_value('javascript:alert(1)').for(:target_url) }
+  end
  describe '#context' do
    subject { generic_commit_status.context }
    before { generic_commit_status.context = 'my_context' }

--- a/spec/requests/api/commit_statuses_spec.rb
+++ b/spec/requests/api/commit_statuses_spec.rb
@@ -152,8 +152,11 @@ describe API::CommitStatuses, api: true do
      context 'with all optional parameters' do
        before do
-          optional_params = { state: 'success', context: 'coverage',
+          optional_params = { state: 'success',
-                              ref: 'develop', target_url: 'url', description: 'test' }
+                              context: 'coverage',
+                              ref: 'develop',
+                              description: 'test',
+                              target_url: 'http://gitlab.com/status' }
          post api(post_url, developer), optional_params
        end
@@ -164,8 +167,8 @@ describe API::CommitStatuses, api: true do
          expect(json_response['status']).to eq('success')
          expect(json_response['name']).to eq('coverage')
          expect(json_response['ref']).to eq('develop')
-          expect(json_response['target_url']).to eq('url')
          expect(json_response['description']).to eq('test')
+          expect(json_response['target_url']).to eq('http://gitlab.com/status')
        end
      end