pact_broker 2.58.2 → 2.58.3

Sign up to get free protection for your applications and to get access to all the features.
Files changed (22) hide show
  1. checksums.yaml +4 -4
  2. data/.github/workflows/release_gem.yml +1 -1
  3. data/CHANGELOG.md +7 -0
  4. data/lib/pact_broker/api/renderers/html_pact_renderer.rb +26 -8
  5. data/lib/pact_broker/badges/service.rb +3 -2
  6. data/lib/pact_broker/doc/views/layouts/main.haml +1 -1
  7. data/lib/pact_broker/test/test_data_builder.rb +4 -4
  8. data/lib/pact_broker/ui/controllers/clusters.rb +1 -1
  9. data/lib/pact_broker/ui/controllers/groups.rb +2 -2
  10. data/lib/pact_broker/ui/controllers/index.rb +1 -1
  11. data/lib/pact_broker/ui/controllers/matrix.rb +2 -2
  12. data/lib/pact_broker/ui/views/groups/show.html.erb +3 -3
  13. data/lib/pact_broker/ui/views/index/show-with-tags.haml +10 -10
  14. data/lib/pact_broker/ui/views/index/show.haml +6 -6
  15. data/lib/pact_broker/ui/views/layouts/main.haml +1 -1
  16. data/lib/pact_broker/ui/views/matrix/show.haml +4 -5
  17. data/lib/pact_broker/version.rb +1 -1
  18. data/public/javascripts/pact.js +6 -2
  19. data/script/seed.rb +5 -7
  20. data/spec/lib/pact_broker/api/renderers/html_pact_renderer_spec.rb +24 -6
  21. data/spec/lib/pact_broker/badges/service_spec.rb +6 -6
  22. metadata +2 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: d2dc3ce078c6b984d9e17ec748d50487434740c1b4cc828ffe93c222bb64709e
4
- data.tar.gz: 20b4316a8e3ecc24902b82e5c600c6d2bb9b3e861e6574317c2704ce952d7f26
3
+ metadata.gz: d611d8e291d4c25885cdec1db9564bd63ae43f58e41f825230f5cd9559b97215
4
+ data.tar.gz: c91ad0b976e927fa50e772f60f26209feabed55f61a66bbdb436aad76382917d
5
5
  SHA512:
6
- metadata.gz: bed27eae0215a6d2f499bfa99b9717c0085c825cf8e7b721a66c27d91d4d2ecac56aedeba2e42989399d50a5d45a938b1c4ac9cede35ce70956bbb0d3de0d6e3
7
- data.tar.gz: f5b82be7ede7645c77182541a99d9c69ff7047bd7d6c7ddb7e01870ed12ae859ee7a08f8b8a8cbbc66c6e407adef34ab136674258c0664c7b2fba0e899509814
6
+ metadata.gz: e8530b299bd5e514e094f6755f11f5480461e0e08677a90684f8e3158dd90294bab34b86a6a6edbe326a329bbba9a6ec9c6c4729075b500e7a2dcf7e9263e749
7
+ data.tar.gz: 7498da7a9f31184892846c19469655522ef98ee68382ae22d149a227894f2c565a12125e55c351ea15427c100e1268376f0cd16a79e798ae82092aac5a144c27
data/.github/workflows/release_gem.yml CHANGED
@@ -6,7 +6,7 @@ on:
6
6
  - release-triggered
7
7
 
8
8
  jobs:
9
- build:
9
+ release:
10
10
  runs-on: ubuntu-latest
11
11
  steps:
12
12
  - uses: actions/checkout@v2
data/CHANGELOG.md CHANGED
@@ -1,3 +1,10 @@
1
+ <a name="v2.58.3"></a>
2
+ ### v2.58.3 (2020-07-25)
3
+
4
+ #### Bug Fixes
5
+
6
+ * correctly encode user entered data in attributes, Javascript, and HTML ([523980e2](/../../commit/523980e2))
7
+
1
8
  <a name="v2.58.2"></a>
2
9
  ### v2.58.2 (2020-07-17)
3
10
 
data/lib/pact_broker/api/renderers/html_pact_renderer.rb CHANGED
@@ -4,6 +4,7 @@ require 'redcarpet'
4
4
  require 'pact/doc/markdown/consumer_contract_renderer'
5
5
  require 'pact_broker/api/pact_broker_urls'
6
6
  require 'pact_broker/logging'
7
+ require 'rack'
7
8
 
8
9
  module PactBroker
9
10
  module Api
@@ -58,8 +59,8 @@ module PactBroker
58
59
  #{badge_list_item}
59
60
  #{badge_markdown_item}
60
61
  <li>
61
- <span class='name'>#{@pact.consumer.name} version:</span>
62
- <span class='value'>#{@pact.consumer_version_number}#{tags}</span>
62
+ <span class='name'>#{consumer_name} version:</span>
63
+ <span class='value'>#{consumer_version_number}#{tags}</span>
63
64
  </li>
64
65
  <li>
65
66
  <span class='name' title='#{published_date}'>Date published:</span>
@@ -75,9 +76,9 @@ module PactBroker
75
76
  <a href=\"#{base_url}/\">Home</a>
76
77
  </li>
77
78
  <li>
78
- <span data-consumer-name=\"#{@pact.consumer.name}\"
79
- data-provider-name=\"#{@pact.provider.name}\"
80
- data-consumer-version-number=\"#{@pact.consumer_version_number}\"
79
+ <span data-consumer-name=\"#{consumer_name}\"
80
+ data-provider-name=\"#{provider_name}\"
81
+ data-consumer-version-number=\"#{consumer_version_number}\"
81
82
  data-pact-url=\"#{pact_url}\"
82
83
  class='more-options glyphicon glyphicon-option-horizontal'
83
84
  aria-hidden='true'></span>
@@ -88,7 +89,7 @@ module PactBroker
88
89
 
89
90
  def badge_list_item
90
91
  "<li class='pact-badge'>
91
- <img src='#{badge_url}'/>
92
+ <img src=\"#{badge_url}\"/>
92
93
  </li>
93
94
  "
94
95
  end
@@ -117,7 +118,19 @@ module PactBroker
117
118
  end
118
119
 
119
120
  def title
120
- "Pact between #{@pact.consumer.name} and #{@pact.provider.name}"
121
+ "Pact between #{consumer_name} and #{provider_name}"
122
+ end
123
+
124
+ def consumer_version_number
125
+ h(@pact.consumer_version_number)
126
+ end
127
+
128
+ def consumer_name
129
+ h(@pact.consumer.name)
130
+ end
131
+
132
+ def provider_name
133
+ h(@pact.provider.name)
121
134
  end
122
135
 
123
136
  def published_date
@@ -154,7 +167,8 @@ module PactBroker
154
167
 
155
168
  def tags
156
169
  if @pact.consumer_version_tag_names.any?
157
- " (#{@pact.consumer_version_tag_names.join(", ")})"
170
+ tag_names = @pact.consumer_version_tag_names.collect{ |t| h(t) }.join(", ")
171
+ " (#{tag_names})"
158
172
  else
159
173
  ""
160
174
  end
@@ -179,6 +193,10 @@ module PactBroker
179
193
  logger.info "Could not parse the following content to a Pact due to #{e.class} #{e.message}, showing raw content instead: #{@json_content}"
180
194
  raise NotAPactError
181
195
  end
196
+
197
+ def h string
198
+ Rack::Utils.escape_html(string)
199
+ end
182
200
  end
183
201
  end
184
202
  end
data/lib/pact_broker/badges/service.rb CHANGED
@@ -4,6 +4,7 @@ require 'pact_broker/project_root'
4
4
  require 'pact_broker/logging'
5
5
  require 'pact_broker/configuration'
6
6
  require 'pact_broker/build_http_options'
7
+ require 'erb'
7
8
 
8
9
  module PactBroker
9
10
  module Badges
@@ -45,7 +46,7 @@ module PactBroker
45
46
  title = case (label || '').downcase
46
47
  when 'consumer' then consumer_name
47
48
  when 'provider' then provider_name
48
- else "#{consumer_name}%2F#{provider_name}"
49
+ else "#{consumer_name}/#{provider_name}"
49
50
  end
50
51
  "#{title} pact".downcase
51
52
  end
@@ -111,7 +112,7 @@ module PactBroker
111
112
  end
112
113
 
113
114
  def escape_text text
114
- text.gsub(" ", "%20").gsub("-", "--").gsub("_", "__")
115
+ ERB::Util.url_encode(text.gsub("-", "--").gsub("_", "__"))
115
116
  end
116
117
 
117
118
  def do_request(uri)
data/lib/pact_broker/doc/views/layouts/main.haml CHANGED
@@ -2,4 +2,4 @@
2
2
  %head
3
3
  %link{rel: 'stylesheet', href: "#{base_url}/css/bootstrap.min.css"}
4
4
  %body{style: 'margin:20px'}
5
- = yield
5
+ != yield
data/lib/pact_broker/test/test_data_builder.rb CHANGED
@@ -73,14 +73,14 @@ module PactBroker
73
73
  self
74
74
  end
75
75
 
76
- def create_pact_with_hierarchy consumer_name = "Consumer", consumer_version_number = "1.2.3", provider_name = "Provider", json_content = default_json_content
76
+ def create_pact_with_hierarchy consumer_name = "Consumer", consumer_version_number = "1.2.3", provider_name = "Provider", json_content = nil
77
77
  use_consumer(consumer_name)
78
78
  create_consumer(consumer_name) if !consumer
79
79
  use_provider(provider_name)
80
80
  create_provider provider_name if !provider
81
81
  use_consumer_version(consumer_version_number)
82
82
  create_consumer_version(consumer_version_number) if !consumer_version
83
- create_pact json_content: json_content
83
+ create_pact json_content: json_content || default_json_content
84
84
  self
85
85
  end
86
86
 
@@ -436,10 +436,10 @@ module PactBroker
436
436
  def default_json_content
437
437
  {
438
438
  "consumer" => {
439
- "name" => "Condor"
439
+ "name" => consumer.name
440
440
  },
441
441
  "provider" => {
442
- "name" => "Pricing Service"
442
+ "name" => provider.name
443
443
  },
444
444
  "interactions" => [],
445
445
  "random" => rand
data/lib/pact_broker/ui/controllers/clusters.rb CHANGED
@@ -19,7 +19,7 @@ module PactBroker
19
19
 
20
20
  get "/" do
21
21
  view_model = ViewDomain::IndexItems.new(pacticipant_service.find_index_items, base_url: base_url)
22
- haml 'clusters/show', locals: {relationships: view_model, base_url: base_url}
22
+ haml 'clusters/show', locals: { relationships: view_model, base_url: base_url }, escape_html: true
23
23
  end
24
24
 
25
25
  end
data/lib/pact_broker/ui/controllers/groups.rb CHANGED
@@ -13,13 +13,13 @@ module PactBroker
13
13
  pacticipant = pacticipant_service.find_pacticipant_by_name(params[:name])
14
14
  erb :'groups/show.html', {
15
15
  locals: {
16
- csv_path: "#{base_url}/groups/#{params[:name]}.csv",
16
+ csv_path: "#{base_url}/groups/#{ERB::Util.url_encode(params[:name])}.csv",
17
17
  pacticipant_name: params[:name],
18
18
  repository_url: pacticipant&.repository_url,
19
19
  base_url: base_url
20
20
  }
21
21
  }, {
22
- layout: 'layouts/main'
22
+ layout: 'layouts/main',
23
23
  }
24
24
  end
25
25
 
data/lib/pact_broker/ui/controllers/index.rb CHANGED
@@ -36,7 +36,7 @@ module PactBroker
36
36
  base_url: base_url
37
37
  }
38
38
 
39
- haml page, {locals: locals, layout: :'layouts/main'}
39
+ haml page, { locals: locals, layout: :'layouts/main', escape_html: true }
40
40
  end
41
41
 
42
42
  def set_headers
data/lib/pact_broker/ui/controllers/matrix.rb CHANGED
@@ -42,7 +42,7 @@ module PactBroker
42
42
  Padrino.logger.exception(e) unless e.is_a?(PactBroker::Error)
43
43
  locals[:errors] = [e.message]
44
44
  end
45
- haml :'matrix/show', {locals: locals, layout: :'layouts/main'}
45
+ haml :'matrix/show', { locals: locals, layout: :'layouts/main', escape_html: true }
46
46
  end
47
47
 
48
48
  get "/provider/:provider_name/consumer/:consumer_name" do
@@ -60,7 +60,7 @@ module PactBroker
60
60
  badge_url: nil,
61
61
  base_url: base_url
62
62
  }
63
- haml :'matrix/show', {locals: locals, layout: :'layouts/main'}
63
+ haml :'matrix/show', { locals: locals, layout: :'layouts/main', escape_html: true }
64
64
  end
65
65
 
66
66
  def create_selector_objects(selector_hashes)
data/lib/pact_broker/ui/views/groups/show.html.erb CHANGED
@@ -31,13 +31,13 @@ body{
31
31
  <!-- developed by Duncan Alexander - hypothete.com -->
32
32
  </head>
33
33
  <body>
34
- <h1>Network graph of <%= pacticipant_name %> relationships</h1>
34
+ <h1>Network graph of <%= escape_html(pacticipant_name) %> relationships</h1>
35
35
 
36
36
  <% if repository_url %>
37
37
  <p>Repository URL:
38
38
 
39
39
  <%
40
- repository_link = "<a href='#{repository_url}'>#{escape_html(repository_url)}</a>"
40
+ repository_link = "<a href=\"#{repository_url}\">#{repository_url}</a>"
41
41
  %>
42
42
 
43
43
  <%= Sanitize.fragment(repository_link, Sanitize::Config::BASIC) %>
@@ -105,7 +105,7 @@ var relationshipPath = function(relationship, nodeLocations, pacticipants) {
105
105
 
106
106
  var latestPactUrl = function (consumerName, providerName) {
107
107
  //TODO send this with the relationship data
108
- return '<%= base_url %>/pacts/provider/' + providerName + '/consumer/' + consumerName + '/latest';
108
+ return '<%= base_url %>' + '/pacts/provider/' + encodeURIComponent(providerName) + '/consumer/' + encodeURIComponent(consumerName) + '/latest';
109
109
  };
110
110
 
111
111
  var relationshipData = function(pacticipant, relationships) {
data/lib/pact_broker/ui/views/index/show-with-tags.haml CHANGED
@@ -1,9 +1,9 @@
1
1
  %body
2
- = render :haml, :'index/_css_and_js', :layout => false
2
+ != render :haml, :'index/_css_and_js', :layout => false
3
3
  .container
4
- = render :haml, :'index/_navbar', :layout => false, locals: {tag_toggle: false, base_url: base_url}
4
+ != render :haml, :'index/_navbar', :layout => false, locals: {tag_toggle: false, base_url: base_url}
5
5
  - if index_items.empty?
6
- = render :haml, :'index/_getting-started', :layout => false
6
+ != render :haml, :'index/_getting-started', :layout => false
7
7
  %h1.page-header
8
8
  Pacts
9
9
  %table.table.table-bordered.table-striped{ id: 'relationships' }
@@ -37,10 +37,10 @@
37
37
  %tr{'data-pact-versions-url': index_item.pact_versions_url, 'data-consumer-name': index_item.consumer_name, 'data-provider-name': index_item.provider_name, 'data-integration-url': index_item.integration_url}
38
38
  %td.consumer
39
39
  %a{:href => index_item.consumer_group_url }
40
- = escape_html(index_item.consumer_name)
40
+ = index_item.consumer_name
41
41
  %td.consumer-version-number{"data-text": index_item.consumer_version_order}
42
42
  %div.clippable
43
- = escape_html(index_item.consumer_version_number)
43
+ = index_item.consumer_version_number
44
44
  - if index_item.consumer_version_number
45
45
  %button.clippy.invisible{ title: "Copy to clipboard" }
46
46
  %span.glyphicon.glyphicon-copy
@@ -49,7 +49,7 @@
49
49
  latest
50
50
  - index_item.consumer_version_latest_tag_names.each do | tag_name |
51
51
  .tag.label.label-primary
52
- = escape_html(tag_name)
52
+ = tag_name
53
53
  %td.pact
54
54
  %span.pact
55
55
  %a{ href: index_item.pact_url, title: "View pact" }
@@ -57,16 +57,16 @@
57
57
  %a{ href: index_item.pact_matrix_url, title: "View pact matrix" }
58
58
  %td.provider
59
59
  %a{ href: index_item.provider_group_url }
60
- = escape_html(index_item.provider_name)
60
+ = index_item.provider_name
61
61
  %td.provider-version-number
62
62
  %div.clippable
63
- = escape_html(index_item.provider_version_number)
63
+ = index_item.provider_version_number
64
64
  - if index_item.provider_version_number
65
65
  %button.clippy.invisible{ title: "Copy to clipboard" }
66
66
  %span.glyphicon.glyphicon-copy
67
67
  - index_item.provider_version_latest_tag_names.each do | tag_name |
68
68
  .tag.label.label-primary
69
- = escape_html(tag_name)
69
+ = tag_name
70
70
  %td{"data-text": index_item.publication_date_of_latest_pact_order}
71
71
  = index_item.publication_date_of_latest_pact.gsub("about ", "")
72
72
  %td{ class: index_item.webhook_status }
@@ -86,7 +86,7 @@
86
86
  %div.pagination
87
87
 
88
88
  - pagination_locals = { page_number: page_number, page_size: page_size, pagination_record_count: pagination_record_count, current_page_size: current_page_size }
89
- = render :haml, :'index/_pagination', :layout => false, locals: pagination_locals
89
+ != render :haml, :'index/_pagination', :layout => false, locals: pagination_locals
90
90
 
91
91
  :javascript
92
92
  $(function(){
data/lib/pact_broker/ui/views/index/show.haml CHANGED
@@ -1,9 +1,9 @@
1
1
  %body
2
- = render :haml, :'index/_css_and_js', :layout => false
2
+ != render :haml, :'index/_css_and_js', :layout => false
3
3
  .container
4
- = render :haml, :'index/_navbar', :layout => false, locals: {tag_toggle: true, base_url: base_url}
4
+ != render :haml, :'index/_navbar', :layout => false, locals: {tag_toggle: true, base_url: base_url}
5
5
  - if index_items.empty?
6
- = render :haml, :'index/_getting-started', :layout => false
6
+ != render :haml, :'index/_getting-started', :layout => false
7
7
  %h1.page-header
8
8
  Pacts
9
9
  %table.table.table-bordered.table-striped{ id: 'relationships' }
@@ -32,7 +32,7 @@
32
32
  %td
33
33
  %td.consumer
34
34
  %a{ href: index_item.consumer_group_url }
35
- = escape_html(index_item.consumer_name)
35
+ = index_item.consumer_name
36
36
  %td.pact
37
37
  %span.pact
38
38
  %a{ href: index_item.latest_pact_url, :title => "View pact" }
@@ -40,7 +40,7 @@
40
40
  %a{ href: index_item.pact_matrix_url, title: "View pact matrix" }
41
41
  %td.provider
42
42
  %a{ href: index_item.provider_group_url }
43
- = escape_html(index_item.provider_name)
43
+ = index_item.provider_name
44
44
  %td
45
45
  %td{"data-text": index_item.publication_date_of_latest_pact_order}
46
46
  = index_item.publication_date_of_latest_pact
@@ -58,7 +58,7 @@
58
58
  %div.pagination
59
59
 
60
60
  - pagination_locals = { page_number: page_number, page_size: page_size, pagination_record_count: pagination_record_count, current_page_size: current_page_size }
61
- = render :haml, :'index/_pagination', :layout => false, locals: pagination_locals
61
+ != render :haml, :'index/_pagination', :layout => false, locals: pagination_locals
62
62
 
63
63
 
64
64
  :javascript
data/lib/pact_broker/ui/views/layouts/main.haml CHANGED
@@ -6,4 +6,4 @@
6
6
  %link{rel: 'stylesheet', href: "#{base_url}/css/bootstrap.min.css"}
7
7
  %script{type: 'text/javascript', src:"#{base_url}/javascripts/jquery-3.3.1.min.js"}
8
8
  %script{type: 'text/javascript', src:"#{base_url}/js/bootstrap.min.js"}
9
- = yield
9
+ != yield
data/lib/pact_broker/ui/views/matrix/show.haml CHANGED
@@ -20,15 +20,14 @@
20
20
  - if defined?(errors) && errors.any?
21
21
  - errors.each do | error |
22
22
  %div.alert.alert-danger
23
- = escape_html(error)
24
-
23
+ = error
25
24
 
26
25
  %form{action: "#{base_url}/matrix", onsubmit:'return onSubmit()'}
27
26
  - selectors.each_with_index do | selector, index |
28
27
  .selector
29
28
  %label{for: "pacticipant#{index}"}
30
29
  Pacticipant name
31
- %input{name: 'q[]pacticipant', id: "pacticipant1#{index}", class: 'pacticipant_name', value: escape_html(selector.pacticipant_name)}
30
+ %input{name: 'q[]pacticipant', id: "pacticipant1#{index}", class: 'pacticipant_name', value: selector.pacticipant_name}
32
31
 
33
32
  .input-group
34
33
 
@@ -45,9 +44,9 @@
45
44
  %option{ value: 'specify-all-tagged', selected: selector.specify_all_tagged }
46
45
  All versions with tag...
47
46
 
48
- %input{name: 'q[]version', type: 'text', id: "pacticipant#{index}_version", class: 'version', value: escape_html(selector.pacticipant_version_number)}
47
+ %input{name: 'q[]version', type: 'text', id: "pacticipant#{index}_version", class: 'version', value: selector.pacticipant_version_number}
49
48
 
50
- %input{name: 'q[]tag', type: 'text', id: "pacticipant#{index}_tag", class: 'tag', value: escape_html(selector.tag)}
49
+ %input{name: 'q[]tag', type: 'text', id: "pacticipant#{index}_tag", class: 'tag', value: selector.tag}
51
50
 
52
51
  %input{name: 'q[]latest', value: 'true', hidden: true, class: 'latest-flag'}
53
52
 
data/lib/pact_broker/version.rb CHANGED
@@ -1,3 +1,3 @@
1
1
  module PactBroker
2
- VERSION = '2.58.2'
2
+ VERSION = '2.58.3'
3
3
  end
data/public/javascripts/pact.js CHANGED
@@ -39,10 +39,14 @@ $(document).ready(function() {
39
39
  });
40
40
  });
41
41
 
42
+ function h(string) {
43
+ return jQuery('<div/>').text(string).html();
44
+ }
45
+
42
46
  function createDeletionConfirmationText(data) {
43
47
  return `Do you wish to delete the pact for version ${
44
- data.consumerVersionNumber
45
- } of ${data.consumerName}?`;
48
+ h(data.consumerVersionNumber)
49
+ } of ${h(data.consumerName)}?`;
46
50
  }
47
51
 
48
52
  function confirmDeleteResource(
data/script/seed.rb CHANGED
@@ -58,13 +58,11 @@ TestDataBuilder.new
58
58
  url: "http://localhost:9292/verification-published-webhook",
59
59
  body: webhook_body.to_json)
60
60
  .set_now(Date.today - 101)
61
- .tap{ | it |
62
- 2.times do | i |
63
- it.create_pact_with_verification("Foo", i.to_s, "Bar", i.to_s)
64
- .create_pact_with_verification("Bar", i.to_s, "Foo", i.to_s)
65
- .add_day
66
- end
67
- }.create_pact_with_hierarchy("Foo", "100", "Bar")
61
+ .create_pact_with_hierarchy("Foo/Foo", "100", "Bar/Bar")
62
+ .create_pact_with_hierarchy("Foo", "1", "Bar")
63
+ .create_pact_with_hierarchy("<script>alert('hello')</script>", "<script>alert(\"version\")</script>", "Bar/Bar")
64
+ .create_consumer_version_tag("prod")
65
+ .create_verification(provider_version: "1", tag_names: "prod")
68
66
 
69
67
 
70
68
  # .create_certificate(path: 'spec/fixtures/certificates/self-signed.badssl.com.pem')
data/spec/lib/pact_broker/api/renderers/html_pact_renderer_spec.rb CHANGED
@@ -23,22 +23,26 @@ module PactBroker
23
23
  Timecop.return
24
24
  end
25
25
 
26
- let(:consumer) { double('consumer', name: 'Consumer')}
27
- let(:provider) { double('provider', name: 'Provider')}
26
+ let(:consumer_name) { 'Consumer' }
27
+ let(:provider_name) { 'Provider' }
28
+ let(:consumer_version_number) { '1.2.3' }
29
+ let(:consumer) { double('consumer', name: consumer_name) }
30
+ let(:provider) { double('provider', name: provider_name) }
28
31
  let(:consumer_version) { double('consumer version') }
29
32
  let(:created_at) { DateTime.new(2014, 02, 27) }
30
33
  let(:json_content) { load_fixture('renderer_pact.json') }
31
34
  let(:pact) do
32
35
  double('pact',
33
36
  json_content: json_content,
34
- consumer_version_number: '1.2.3',
37
+ consumer_version_number: consumer_version_number,
35
38
  consumer: consumer,
36
39
  provider: provider,
37
- consumer_version_tag_names: ['prod', 'master'],
40
+ consumer_version_tag_names: consumer_version_tag_names,
38
41
  created_at: created_at,
39
42
  consumer_version: consumer_version
40
43
  )
41
44
  end
45
+ let(:consumer_version_tag_names) { ['prod', 'master'] }
42
46
  let(:pact_url) { '/pact/url' }
43
47
  let(:matrix_url) { '/matrix/url' }
44
48
  let(:options) do
@@ -49,7 +53,7 @@ module PactBroker
49
53
  end
50
54
  let(:logger) { double('logger').as_null_object }
51
55
 
52
- subject { HtmlPactRenderer.call pact, options }
56
+ subject { HtmlPactRenderer.call(pact, options) }
53
57
 
54
58
  describe ".call" do
55
59
  it "renders the pact as HTML" do
@@ -69,7 +73,7 @@ module PactBroker
69
73
  end
70
74
 
71
75
  it "renders the badge image" do
72
- expect(subject).to include "<img src='http://badge'/>"
76
+ expect(subject).to include "<img src=\"http://badge\"/>"
73
77
  end
74
78
 
75
79
  it "renders a text area with the badge markdown" do
@@ -81,6 +85,20 @@ module PactBroker
81
85
  expect(subject).to include matrix_url
82
86
  end
83
87
 
88
+ context "with dodgey data" do
89
+ let(:consumer_name) { '<script>alert("consumer");</script>' }
90
+ let(:provider_name) { '<script>alert("provider");</script>' }
91
+ let(:consumer_version_number) { '<script>alert("version");</script>' }
92
+ let(:consumer_version_tag_names) { ['<script>alert("tag");</script>'] }
93
+
94
+ it "does not contain the literal <script> anywhere except the badge markdown" do
95
+ expect(subject).to_not include consumer_version_number
96
+ expect(subject.scan(consumer_name).count).to eq 1
97
+ expect(subject.scan(provider_name).count).to eq 1
98
+ expect(subject).to include '[![<script>alert("consumer");</script>/<script>alert("provider");</script> Pact Status](http://badge)]'
99
+ end
100
+ end
101
+
84
102
  context "when enable_public_badge_access is false" do
85
103
  before do
86
104
  PactBroker.configuration.enable_public_badge_access = false
data/spec/lib/pact_broker/badges/service_spec.rb CHANGED
@@ -13,7 +13,7 @@ module PactBroker
13
13
  let(:expected_url) { "https://img.shields.io/badge/#{expected_left_text}-#{expected_right_text}-#{expected_color}.svg" }
14
14
  let(:expected_color) { "brightgreen" }
15
15
  let(:expected_right_text) { "verified" }
16
- let(:expected_left_text) { "foo--bar%2fthing__blah%20pact" }
16
+ let(:expected_left_text) { "foo--bar%2Fthing__blah%20pact" }
17
17
  let(:response_status) { 200 }
18
18
  let!(:http_request) do
19
19
  stub_request(:get, expected_url).to_return(:status => response_status, :body => "svg")
@@ -62,7 +62,7 @@ module PactBroker
62
62
  end
63
63
 
64
64
  context "when initials is true" do
65
- let(:expected_left_text) { "fb%2ftb%20pact" }
65
+ let(:expected_left_text) { "fb%2Ftb%20pact" }
66
66
  let(:initials) { true }
67
67
 
68
68
  it "creates a badge with the consumer and provider initials" do
@@ -73,7 +73,7 @@ module PactBroker
73
73
  end
74
74
 
75
75
  context "when initials is true but the consumer and provider names only contain one word" do
76
- let(:expected_left_text) { "foo%2fbar%20pact" }
76
+ let(:expected_left_text) { "foo%2Fbar%20pact" }
77
77
  let(:initials) { true }
78
78
  let(:pact) { double("pact", consumer_name: "Foo", provider_name: "Bar") }
79
79
 
@@ -85,7 +85,7 @@ module PactBroker
85
85
  end
86
86
 
87
87
  context "when initials is true but the consumer and provider names are one camel cased word" do
88
- let(:expected_left_text) { "fa%2fbp%20pact" }
88
+ let(:expected_left_text) { "fa%2Fbp%20pact" }
89
89
  let(:initials) { true }
90
90
  let(:pact) { double("pact", consumer_name: "FooApp", provider_name: "barProvider") }
91
91
 
@@ -97,7 +97,7 @@ module PactBroker
97
97
  end
98
98
 
99
99
  context "when initials is true but the consumer and provider names are one camel cased word" do
100
- let(:expected_left_text) { "fa%2fdat%20pact" }
100
+ let(:expected_left_text) { "fa%2Fdat%20pact" }
101
101
  let(:initials) { true }
102
102
  let(:pact) { double("pact", consumer_name: "FooApp", provider_name: "doAThing") }
103
103
 
@@ -111,7 +111,7 @@ module PactBroker
111
111
  context "when the tags are supplied" do
112
112
  let(:tags) { { consumer_tag: "prod", provider_tag: "master" } }
113
113
 
114
- let(:expected_left_text) { "foo--bar%20(prod)%2fthing__blah%20(master)%20pact" }
114
+ let(:expected_left_text) { "foo--bar%20%28prod%29%2Fthing__blah%20%28master%29%20pact" }
115
115
 
116
116
  it "creates a badge with the consumer and provider names, not initials" do
117
117
  subject
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: pact_broker
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.58.2
4
+ version: 2.58.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - Bethany Skurrie
@@ -10,7 +10,7 @@ authors:
10
10
  autorequire:
11
11
  bindir: bin
12
12
  cert_chain: []
13
- date: 2020-07-19 00:00:00.000000000 Z
13
+ date: 2020-07-24 00:00:00.000000000 Z
14
14
  dependencies:
15
15
  - !ruby/object:Gem::Dependency
16
16
  name: httparty