author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-03-26 15:29:09 +0000 |
---|---|---|
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-03-26 15:29:09 +0000 |
commit | 76053b10a27a444de4168fcdc5c02aa32d3c5d4c (patch) | |
tree | 5abdfddb7b07bca5b0581989e4b234958d554514 | |
parent | 34ee2590d3d3268a9e0917c72446fe5444826a87 (diff) | |
parent | a0eceee813e4d19e2dfe32a716694d3ebefaf140 (diff) | |
download | gitlab-ce-11-6-stable-patch-11.tar.gz |
Merge branch 'security-2819-xss-resolve-conflicts-branch-name-11-6' into '11-6-stable'11-6-stable-patch-11
Fix XSS in resolve conflicts form
See merge request gitlab/gitlabhq!2989
3 files changed, 21 insertions, 1 deletions
diff --git a/app/views/projects/merge_requests/conflicts/_submit_form.html.haml b/app/views/projects/merge_requests/conflicts/_submit_form.html.haml
index 8181267184a..55c89f137c5 100644
--- a/app/views/projects/merge_requests/conflicts/_submit_form.html.haml
+++ b/app/views/projects/merge_requests/conflicts/_submit_form.html.haml
@@ -6,7 +6,7 @@
 .form-group.row
 .col-md-4
 %h4= _('Resolve conflicts on source branch')
- .resolve-info
+ .resolve-info{ "v-pre": true }
 = translation.html_safe
 .col-md-8
 %label.label-bold{ "for" => "commit-message" }
diff --git a/changelogs/unreleased/security-56927-xss-resolve-conflicts-branch-name.yml b/changelogs/unreleased/security-56927-xss-resolve-conflicts-branch-name.yml
new file mode 100644
index 00000000000..f92d2c0dcb1
--- /dev/null
+++ b/changelogs/unreleased/security-56927-xss-resolve-conflicts-branch-name.yml
@@ -0,0 +1,5 @@
+---
+title: Fix XSS in resolve conflicts form
+merge_request:
+author:
+type: security
diff --git a/spec/features/merge_request/user_resolves_conflicts_spec.rb b/spec/features/merge_request/user_resolves_conflicts_spec.rb
index 50c723776a3..05f258bd797 100644
--- a/spec/features/merge_request/user_resolves_conflicts_spec.rb
+++ b/spec/features/merge_request/user_resolves_conflicts_spec.rb
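Review bot: The `v-pre` attribute added on `.resolve-info` is the entire fix but carries no explanation of why it is there, so a later template cleanup could drop it without noticing it is a security control. A HAML comment on the line above would pin the intent, e.g. `-# v-pre: branch names are interpolated into this text and must not be compiled by Vue as template expressions`. Note that `v-pre` only stops Vue template compilation; the `= translation.html_safe` on the next line still relies on the branch names having been HTML-escaped when `translation` was built, which happens outside this hunk and is worth confirming.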
@@ -162,6 +162,21 @@ describe 'Merge request > User resolves conflicts', :js do
 expect(page).to have_content('Gregor Samsa woke from troubled dreams')
 end
 end
+
+ context "with malicious branch name" do
+ let(:bad_branch_name) { "malicious-branch-{{toString.constructor('alert(/xss/)')()}}" }
+ let(:branch) { project.repository.create_branch(bad_branch_name, 'conflict-resolvable') }
+ let(:merge_request) { create_merge_request(branch.name) }
+
+ before do
+ visit project_merge_request_path(project, merge_request)
+ click_link('conflicts', href: %r{/conflicts\Z})
+ end
+
+ it "renders bad name without xss issues" do
+ expect(find('.resolve-conflicts-form .resolve-info')).to have_content(bad_branch_name)
+ end
+ end
 end
 UNRESOLVABLE_CONFLICTS = { |
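Review bot: The new `it` block asserts only that the literal string is rendered, with no comment tying that to the mechanism under test, so a reader cannot tell why a Vue mustache expression is used as the branch name. A one-line comment above `let(:bad_branch_name)` would do, e.g. `# Vue template syntax in a branch name must be shown verbatim, not evaluated (v-pre on .resolve-info)`. Separately, `%r{/conflicts\Z}` in the `click_link` call should be `%r{/conflicts\z}`: `\Z` also matches before a trailing newline, and `\z` is the strict end-of-string anchor the intent calls for. The enclosing `describe` block starts before this hunk.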