Add unit tests the verify correct dataType in jQuery.ajax request…

… when loading Console app state.

src/core_plugins/console/public/src/__tests__/app.js

@@ -0,0 +1,84 @@
+import sinon from 'sinon';
+import $ from 'jquery';
+
+import history from '../history';
+import mappings from '../mappings';
+import init from '../app';
+
+describe('app initialization', () => {
+  const sandbox = sinon.sandbox.create();
+
+  let inputMock, outputMock;
+  let ajaxDoneStub;
+  beforeEach(() => {
+    ajaxDoneStub = sinon.stub();
+    sandbox.stub($, 'ajax').returns({ done: ajaxDoneStub });
+    sandbox.stub(history, 'getSavedEditorState');
+    sandbox.stub(mappings, 'startRetrievingAutoCompleteInfo');
+
+    inputMock = {
+      update: sinon.stub(),
+      moveToNextRequestEdge: sinon.stub(),
+      highlightCurrentRequestsAndUpdateActionBar: sinon.stub(),
+      updateActionsBar: sinon.stub(),
+      getSession: sinon.stub().returns({ on() {} })
+    };
+
+    outputMock = {
+      update: sinon.stub()
+    };
+  });
+
+  afterEach(() => {
+    sandbox.restore();
+  });
+
+  it('correctly loads state from any external HTTPS links.', () => {
+    const mockContent = {};
+    ajaxDoneStub.yields(mockContent);
+
+    init(inputMock, outputMock, 'https://state.link.com/content');
+
+    sinon.assert.calledOnce($.ajax);
+    sinon.assert.calledWithExactly($.ajax, {
+      url: 'https://state.link.com/content',
+      dataType: 'text',
+      kbnXsrfToken: false
+    });
+
+    sinon.assert.calledTwice(inputMock.moveToNextRequestEdge);
+    sinon.assert.calledWithExactly(inputMock.moveToNextRequestEdge, true);
+    sinon.assert.calledOnce(inputMock.highlightCurrentRequestsAndUpdateActionBar);
+    sinon.assert.calledOnce(inputMock.updateActionsBar);
+    sinon.assert.calledOnce(inputMock.update);
+    sinon.assert.calledWithExactly(inputMock.update, sinon.match.same(mockContent));
+
+    sinon.assert.calledOnce(outputMock.update);
+    sinon.assert.calledWithExactly(outputMock.update, '');
+  });
+
+  it('correctly loads state from GitHub API HTTPS links.', () => {
+    const mockContent = {};
+    ajaxDoneStub.yields(mockContent);
+
+    init(inputMock, outputMock, 'https://api.github.com/content');
+
+    sinon.assert.calledOnce($.ajax);
+    sinon.assert.calledWithExactly($.ajax, {
+      url: 'https://api.github.com/content',
+      dataType: 'text',
+      kbnXsrfToken: false,
+      headers: { Accept: "application/vnd.github.v3.raw" }
+    });
+
+    sinon.assert.calledTwice(inputMock.moveToNextRequestEdge);
+    sinon.assert.calledWithExactly(inputMock.moveToNextRequestEdge, true);
+    sinon.assert.calledOnce(inputMock.highlightCurrentRequestsAndUpdateActionBar);
+    sinon.assert.calledOnce(inputMock.updateActionsBar);
+    sinon.assert.calledOnce(inputMock.update);
+    sinon.assert.calledWithExactly(inputMock.update, sinon.match.same(mockContent));
+
+    sinon.assert.calledOnce(outputMock.update);
+    sinon.assert.calledWithExactly(outputMock.update, '');
+  });
+});

src/core_plugins/console/public/src/app.js

@@ -27,11 +27,19 @@ export default function init(input, output, sourceLocation = 'stored') {
       }
     }
     else if (/^https?:\/\//.test(sourceLocation)) {
-      var loadFrom = { url: sourceLocation, dataType: "text", kbnXsrfToken: false };
+      const loadFrom = {
+        url: sourceLocation,
+        // Having dataType here is required as it doesn't allow jQuery to `eval` content
+        // coming from the external source thereby preventing XSS attack.
+        dataType: 'text',
+        kbnXsrfToken: false
+      };
+
       if (/https?:\/\/api.github.com/.test(sourceLocation)) {
-        loadFrom.headers = { Accept: "application/vnd.github.v3.raw" };
+        loadFrom.headers = { Accept: 'application/vnd.github.v3.raw' };
       }
-      $.ajax(loadFrom).done(function (data) {
+
+      $.ajax(loadFrom).done((data) => {
         resetToValues(data);
         input.moveToNextRequestEdge(true);
         input.highlightCurrentRequestsAndUpdateActionBar();