authorGitLab Bot <gitlab-bot@gitlab.com>2020-10-30 13:16:09 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2020-10-30 13:16:09 +0000
commit187541667f7b7531e528e8f31e36a7d0a9e061c9 (patch)
treefe4542a1305353334312d79f6ffbdfa924751706
parentbfbbc52faaae2a1a06e065511a1a8661203e868a (diff)
Add latest changes from gitlab-org/security/gitlab@13-4-stable-ee
-rw-r--r--app/assets/javascripts/jobs/components/job_app.vue8
-rw-r--r--app/serializers/build_details_entity.rb2
-rw-r--r--changelogs/unreleased/revert-42465-and-42343.yml5
-rw-r--r--changelogs/unreleased/security-stored-xss-build-dependencies.yml5
4 files changed, 11 insertions, 9 deletions
diff --git a/app/assets/javascripts/jobs/components/job_app.vue b/app/assets/javascripts/jobs/components/job_app.vue
index 00ff3fb939d..c6adf2f231f 100644
--- a/app/assets/javascripts/jobs/components/job_app.vue
+++ b/app/assets/javascripts/jobs/components/job_app.vue
@@ -1,8 +1,7 @@
<script>
-/* eslint-disable vue/no-v-html */
import { throttle, isEmpty } from 'lodash';
import { mapGetters, mapState, mapActions } from 'vuex';
-import { GlLoadingIcon, GlIcon } from '@gitlab/ui';
+import { GlLoadingIcon, GlIcon, GlSafeHtmlDirective as SafeHtml } from '@gitlab/ui';
import { GlBreakpointInstance as bp } from '@gitlab/ui/dist/utils';
import { isScrolledToBottom } from '~/lib/utils/scroll_utils';
import { polyfillSticky } from '~/lib/utils/sticky';
@@ -36,6 +35,9 @@ export default {
GlLoadingIcon,
SharedRunner: () => import('ee_component/jobs/components/shared_runner_limit_block.vue'),
},
+ directives: {
+ SafeHtml,
+ },
mixins: [delayedJobMixin],
props: {
artifactHelpUrl: {
@@ -223,7 +225,7 @@ export default {
</div>
<callout v-if="shouldRenderHeaderCallout">
- <div v-html="job.callout_message"></div>
+ <div v-safe-html="job.callout_message"></div>
</callout>
</header>
<!-- EO Header Section -->
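Review bot: Switching `job.callout_message` to `v-safe-html` makes the directive's default allow-list the only thing that decides what survives, and the server builds this message with an `<a>` from `help_message(docs_url)` joined by `<br />` (see the build_details_entity.rb hunk in this commit); if the default configuration strips anchors or `href`, the docs link is silently lost rather than rendered. Worth checking against the directive's defaults and, if needed, passing an explicit config such as `v-safe-html:[$options.safeHtmlConfig]="job.callout_message"` with `ALLOWED_TAGS: ['a', 'br']` (the exact binding form depends on the `@gitlab/ui` version in use). A short comment on this line, `<!-- callout_message is server-built HTML that embeds user-controlled dependency names; sanitized client-side -->`, would record why the sanitizer is the load-bearing control here.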
diff --git a/app/serializers/build_details_entity.rb b/app/serializers/build_details_entity.rb
index 2b8522539b4..49255fa6d0b 100644
--- a/app/serializers/build_details_entity.rb
+++ b/app/serializers/build_details_entity.rb
@@ -136,7 +136,7 @@ class BuildDetailsEntity < JobEntity
docs_url = "https://docs.gitlab.com/ce/ci/yaml/README.html#dependencies"
[
- failure_message.html_safe,
+ failure_message,
help_message(docs_url).html_safe
].join("<br />")
end
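Review bot: Dropping `.html_safe` from `failure_message` does not escape it: `Array#join` returns a plain `String`, so the joined result is neither escaped nor marked safe, and the serializer emits the embedded text exactly as before. If `failure_message` interpolates dependency job names (the method body starts outside this hunk, and the changelog in this commit points that way), those names still reach the client raw, and the only control is the client-side sanitizer introduced in job_app.vue. For defense in depth, escape at the source with `ERB::Util.html_escape(failure_message),` so the message is safe regardless of how any future consumer renders it, and leave the `help_message(docs_url).html_safe` line as is since it is a fixed docs link. A comment such as `# failure_message may contain user-controlled job names; never mark it html_safe` would keep the next edit from reintroducing the sink.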
diff --git a/changelogs/unreleased/revert-42465-and-42343.yml b/changelogs/unreleased/revert-42465-and-42343.yml
deleted file mode 100644
index 4c7342c9d0d..00000000000
--- a/changelogs/unreleased/revert-42465-and-42343.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: 'Revert 42465 and 42343: Expanded collapsed diff files'
-merge_request: 43361
-author:
-type: other
diff --git a/changelogs/unreleased/security-stored-xss-build-dependencies.yml b/changelogs/unreleased/security-stored-xss-build-dependencies.yml
new file mode 100644
index 00000000000..a5ce2bd0158
--- /dev/null
+++ b/changelogs/unreleased/security-stored-xss-build-dependencies.yml
@@ -0,0 +1,5 @@
+---
+title: Fix XSS vulnerability for job build dependencies
+merge_request:
+author:
+type: security