diff options
| author | John Jarvis <jarv@gitlab.com> | 2019-01-02 09:34:13 +0000 |
|---|---|---|
| committer | John Jarvis <jarv@gitlab.com> | 2019-01-02 09:34:13 +0000 |
| commit | 90e1f10f074607e1ae061e7bc3594a9dfe7873f8 (patch) | |
| tree | 4843899683beba31bf6549f1070a61aff1375c27 | |
| parent | a74700178db77aaba47f3773abe2b7e3c9cf6732 (diff) | |
| parent | a1d69ab6b86b93e600bdd90190f0a7d574992e91 (diff) | |
| download | gitlab-ce-90e1f10f074607e1ae061e7bc3594a9dfe7873f8.tar.gz | |
Merge branch 'security-label-xss' into 'master'
[master] Escape html entities when no label found
See merge request gitlab/gitlabhq!2706
| -rw-r--r-- | changelogs/unreleased/54427-label-xss.yml | 5 | ||||
| -rw-r--r-- | lib/banzai/filter/label_reference_filter.rb | 6 | ||||
| -rw-r--r-- | spec/lib/banzai/filter/label_reference_filter_spec.rb | 18 |
3 files changed, 28 insertions, 1 deletions
diff --git a/changelogs/unreleased/54427-label-xss.yml b/changelogs/unreleased/54427-label-xss.yml new file mode 100644 index 00000000000..090d1832af2 --- /dev/null +++ b/changelogs/unreleased/54427-label-xss.yml @@ -0,0 +1,5 @@ +--- +title: Escape html entities in LabelReferenceFilter when no label found +merge_request: +author: +type: security diff --git a/lib/banzai/filter/label_reference_filter.rb b/lib/banzai/filter/label_reference_filter.rb index 04ec38209c7..f90a35952e5 100644 --- a/lib/banzai/filter/label_reference_filter.rb +++ b/lib/banzai/filter/label_reference_filter.rb @@ -29,7 +29,7 @@ module Banzai if label yield match, label.id, project, namespace, $~ else - match + escape_html_entities(match) end end end @@ -102,6 +102,10 @@ module Banzai CGI.unescapeHTML(text.to_s) end + def escape_html_entities(text) + CGI.escapeHTML(text.to_s) + end + def object_link_title(object, matches) # use title of wrapped element instead nil diff --git a/spec/lib/banzai/filter/label_reference_filter_spec.rb b/spec/lib/banzai/filter/label_reference_filter_spec.rb index 00257ed7904..9cfdb9e53a2 100644 --- a/spec/lib/banzai/filter/label_reference_filter_spec.rb +++ b/spec/lib/banzai/filter/label_reference_filter_spec.rb @@ -236,6 +236,24 @@ describe Banzai::Filter::LabelReferenceFilter do end end + context 'References with html entities' do + let!(:label) { create(:label, name: '<html>', project: project) } + + it 'links to a valid reference' do + doc = reference_filter('See ~"<html>"') + + expect(doc.css('a').first.attr('href')).to eq urls + .project_issues_url(project, label_name: label.name) + expect(doc.text).to eq 'See <html>' + end + + it 'ignores invalid label names and escapes entities' do + act = %(Label #{Label.reference_prefix}"<non valid>") + + expect(reference_filter(act).to_html).to eq act + end + end + describe 'consecutive references' do let(:bug) { create(:label, name: 'bug', project: project) } let(:feature_proposal) { create(:label, name: 'feature proposal', project: project) } |