Merge branch 'evn-add-neg-tests' into 'master'

Test for what should not be there as well [ci skip] See merge request gitlab-org/gitlab-ce!14492

Merge branch 'evn-add-neg-tests' into 'master'
06daba75 · Robert Speicher · 576425f0 · e16878bb · 06daba75
Commit 06daba75 authored Sep 28, 2017 by Robert Speicher
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 0 deletions

testing.md doc/development/testing.md +10 -0

No files found.
--- a/doc/development/testing.md
+++ b/doc/development/testing.md
@@ -150,6 +150,16 @@ always in-sync with the codebase.
 [GitLab QA]: https://gitlab.com/gitlab-org/gitlab-qa
 [part of GitLab Rails]: https://gitlab.com/gitlab-org/gitlab-ce/tree/master/qa

+## Test for what should not be there
+
+This is particularly important for permission calls and might be called a
+negative assertion: make sure only the bare minimum is returned and nothing else.
+
+See an issue about [leaking tokens] as an example of a vulnerability that is
+captured by such a test. 
+
+[leaking tokens]: https://gitlab.com/gitlab-org/gitlab-ce/issues/37948
+
 ## How to test at the correct level?

 As many things in life, deciding what to test at each level of testing is a