From 53f4f849956e10ccbbf4a9011b46b84da33129b0 Mon Sep 17 00:00:00 2001
From: Grzegorz Bizon <grzesiek.bizon@gmail.com>
Date: Wed, 18 Jan 2017 12:02:44 +0100
Subject: [PATCH] Add URL validations for generic commit statuses

---
 app/models/generic_commit_status.rb       | 4 ++++
 spec/models/generic_commit_status_spec.rb | 7 +++++++
 spec/requests/api/commit_statuses_spec.rb | 9 ++++++---
 3 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/app/models/generic_commit_status.rb b/app/models/generic_commit_status.rb
index 9f6ca11c0df..8867ba0d2ff 100644
--- a/app/models/generic_commit_status.rb
+++ b/app/models/generic_commit_status.rb
@@ -1,6 +1,10 @@
 class GenericCommitStatus < CommitStatus
   before_validation :set_default_values
 
+  validates :target_url, addressable_url: true,
+                         length: { maximum: 255 },
+                         allow_nil: true
+
   # GitHub compatible API
   alias_attribute :context, :name
 
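Review bot: `allow_nil: true` on the new `validates :target_url` lines exempts only nil; an empty string still goes through the addressable_url validator, and nothing on this page shows whether that validator accepts or rejects `''`. If a client can submit a blank `target_url`, decide whether blank is treated like absent (`allow_blank: true`) or rejected, and pin the choice with an example such as `it { is_expected.not_to allow_value('').for(:target_url) }` in the new validations block of spec/models/generic_commit_status_spec.rb. A one-line comment above the validation stating the intent, e.g. `# target_url is stored and presumably rendered as a link; reject non-web schemes such as javascript: and cap length at the column size`, would also explain why a scheme check (not just a length cap) is applied here. The class body continues outside the hunk.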
diff --git a/spec/models/generic_commit_status_spec.rb b/spec/models/generic_commit_status_spec.rb
index b17d7cfe94c..f4c3e6d503f 100644
--- a/spec/models/generic_commit_status_spec.rb
+++ b/spec/models/generic_commit_status_spec.rb
@@ -10,6 +10,13 @@ describe GenericCommitStatus, models: true do
                                    target_url: external_url)
   end
 
+  describe 'validations' do
+    it { is_expected.to validate_length_of(:target_url).is_at_most(255) }
+    it { is_expected.to allow_value(nil).for(:target_url) }
+    it { is_expected.to allow_value('http://gitlab.com/s').for(:target_url) }
+    it { is_expected.not_to allow_value('javascript:alert(1)').for(:target_url) }
+  end
+
   describe '#context' do
     subject { generic_commit_status.context }
     before { generic_commit_status.context = 'my_context' }
diff --git a/spec/requests/api/commit_statuses_spec.rb b/spec/requests/api/commit_statuses_spec.rb
index 335efc4db6c..ffd38ff303a 100644
--- a/spec/requests/api/commit_statuses_spec.rb
+++ b/spec/requests/api/commit_statuses_spec.rb
@@ -152,8 +152,11 @@ describe API::CommitStatuses, api: true do
 
       context 'with all optional parameters' do
         before do
-          optional_params = { state: 'success', context: 'coverage',
-                              ref: 'develop', target_url: 'url', description: 'test' }
+          optional_params = { state: 'success',
+                              context: 'coverage',
+                              ref: 'develop',
+                              description: 'test',
+                              target_url: 'http://gitlab.com/status' }
 
           post api(post_url, developer), optional_params
         end
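Review bot: The fixture change swaps the previously accepted literal `'url'` for a well-formed URL, but no example in this file asserts that the endpoint now rejects an invalid `target_url` — that negative path is the behavior the model change introduces, and nothing here shows how the validation error surfaces through the API (status code and error body). Add a sibling context, e.g. `context 'with an invalid target_url'` that posts `target_url: 'javascript:alert(1)'` (the value the model spec already uses) and expects a 400 response, so a future change to the validator or to API error handling is caught here. The enclosing `describe` and the `post api(...)` helper are defined outside the hunk.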
@@ -164,8 +167,8 @@ describe API::CommitStatuses, api: true do
           expect(json_response['status']).to eq('success')
           expect(json_response['name']).to eq('coverage')
           expect(json_response['ref']).to eq('develop')
-          expect(json_response['target_url']).to eq('url')
           expect(json_response['description']).to eq('test')
+          expect(json_response['target_url']).to eq('http://gitlab.com/status')
         end
       end
 
-- 
GitLab