summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRobert Speicher <rspeicher@gmail.com>2016-04-17 17:48:51 -0400
committerRobert Speicher <rspeicher@gmail.com>2016-04-17 18:42:49 -0400
commit7cc239528ea7f4905e6d773771006ec661d628d6 (patch)
tree8b718249cae653d938b00c36213c2d4943cf29ec
parent1c93b33587a5e0a0596b43772ee9e709e9962368 (diff)
downloadgitlab-ce-7cc239528ea7f4905e6d773771006ec661d628d6.tar.gz
Remove persistent XSS vulnerability in `commit_person_link` helper
Because we were incorrectly supplying the tooltip title as `data-original-title` (which Bootstrap's Tooltip JS automatically applies based on the `title` attribute; we should never be setting it directly), the value was being passed through as-is. Instead, we should be supplying the normal `title` attribute and letting Rails escape the value, which also negates the need for us to call `sanitize` on it. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15126
-rw-r--r--app/helpers/commits_helper.rb2
-rw-r--r--features/steps/project/commits/user_lookup.rb3
-rw-r--r--spec/helpers/commits_helper_spec.rb29
3 files changed, 32 insertions, 2 deletions
diff --git a/app/helpers/commits_helper.rb b/app/helpers/commits_helper.rb
index 35ba543cef1..5394347bd15 100644
--- a/app/helpers/commits_helper.rb
+++ b/app/helpers/commits_helper.rb
@@ -183,7 +183,7 @@ module CommitsHelper
options = {
class: "commit-#{options[:source]}-link has-tooltip",
- data: { 'original-title'.to_sym => sanitize(source_email) }
+ title: source_email
}
if user.nil?
diff --git a/features/steps/project/commits/user_lookup.rb b/features/steps/project/commits/user_lookup.rb
index 40cada6da45..2d43be5a386 100644
--- a/features/steps/project/commits/user_lookup.rb
+++ b/features/steps/project/commits/user_lookup.rb
@@ -29,8 +29,9 @@ class Spinach::Features::ProjectCommitsUserLookup < Spinach::FeatureSteps
def check_author_link(email, user)
author_link = find('.commit-author-link')
+
expect(author_link['href']).to eq user_path(user)
- expect(author_link['data-original-title']).to eq email
+ expect(author_link['title']).to eq email
expect(find('.commit-author-name').text).to eq user.name
end
diff --git a/spec/helpers/commits_helper_spec.rb b/spec/helpers/commits_helper_spec.rb
new file mode 100644
index 00000000000..727c25ff529
--- /dev/null
+++ b/spec/helpers/commits_helper_spec.rb
@@ -0,0 +1,29 @@
+require 'rails_helper'
+
+describe CommitsHelper do
+ describe 'commit_author_link' do
+ it 'escapes the author email' do
+ commit = double(
+ author: nil,
+ author_name: 'Persistent XSS',
+ author_email: 'my@email.com" onmouseover="alert(1)'
+ )
+
+ expect(helper.commit_author_link(commit)).
+ not_to include('onmouseover="alert(1)"')
+ end
+ end
+
+ describe 'commit_committer_link' do
+ it 'escapes the committer email' do
+ commit = double(
+ committer: nil,
+ committer_name: 'Persistent XSS',
+ committer_email: 'my@email.com" onmouseover="alert(1)'
+ )
+
+ expect(helper.commit_committer_link(commit)).
+ not_to include('onmouseover="alert(1)"')
+ end
+ end
+end