diff options
| author | Jan Provaznik <jprovaznik@gitlab.com> | 2018-10-24 09:01:52 +0000 |
|---|---|---|
| committer | Thiago Presa <tpresa@gitlab.com> | 2018-10-24 22:01:31 -0300 |
| commit | 7c2086e2c7c8b91de5fcc67f52aa9b680559ac07 (patch) | |
| tree | e89b2ebdf1f9f795dd92ef4dafd964da573a524c | |
| parent | 6dcb2c78beced3336142a53d54e644ac543c3ead (diff) | |
| download | gitlab-ce-7c2086e2c7c8b91de5fcc67f52aa9b680559ac07.tar.gz | |
Merge branch 'security-11-2-2717-fix-issue-title-xss' into 'security-11-2'
[11.2] Escape issue title while template rendering to prevent XSS
See merge request gitlab/gitlabhq!2558
| -rw-r--r-- | app/assets/javascripts/gfm_auto_complete.js | 9 | ||||
| -rw-r--r-- | changelogs/unreleased/security-11-2-2717-fix-issue-title-xss.yml | 5 | ||||
| -rw-r--r-- | spec/features/issues/gfm_autocomplete_spec.rb | 15 |
3 files changed, 25 insertions, 4 deletions
diff --git a/app/assets/javascripts/gfm_auto_complete.js b/app/assets/javascripts/gfm_auto_complete.js index 73b2cd0b2c7..03256ca2285 100644 --- a/app/assets/javascripts/gfm_auto_complete.js +++ b/app/assets/javascripts/gfm_auto_complete.js @@ -199,7 +199,7 @@ class GfmAutoComplete { displayTpl(value) { let tmpl = GfmAutoComplete.Loading.template; if (value.title != null) { - tmpl = GfmAutoComplete.Issues.template; + tmpl = GfmAutoComplete.Issues.templateFunction(value.id, value.title); } return tmpl; }, @@ -265,7 +265,7 @@ class GfmAutoComplete { displayTpl(value) { let tmpl = GfmAutoComplete.Loading.template; if (value.title != null) { - tmpl = GfmAutoComplete.Issues.template; + tmpl = GfmAutoComplete.Issues.templateFunction(value.id, value.title); } return tmpl; }, @@ -521,8 +521,9 @@ GfmAutoComplete.Labels = { }; // Issues and MergeRequests GfmAutoComplete.Issues = { - // eslint-disable-next-line no-template-curly-in-string - template: '<li><small>${id}</small> ${title}</li>', + templateFunction(id, title) { + return `<li><small>${id}</small> ${_.escape(title)}</li>`; + }, }; // Milestones GfmAutoComplete.Milestones = { diff --git a/changelogs/unreleased/security-11-2-2717-fix-issue-title-xss.yml b/changelogs/unreleased/security-11-2-2717-fix-issue-title-xss.yml new file mode 100644 index 00000000000..346f31956f4 --- /dev/null +++ b/changelogs/unreleased/security-11-2-2717-fix-issue-title-xss.yml @@ -0,0 +1,5 @@ +--- +title: Escape entity title while autocomplete template rendering to prevent XSS +merge_request: 2558 +author: +type: security diff --git a/spec/features/issues/gfm_autocomplete_spec.rb b/spec/features/issues/gfm_autocomplete_spec.rb index 98e37d8011a..8a43847d64d 100644 --- a/spec/features/issues/gfm_autocomplete_spec.rb +++ b/spec/features/issues/gfm_autocomplete_spec.rb @@ -34,6 +34,21 @@ describe 'GFM autocomplete', :js do expect(page).to have_selector('.atwho-container') end + it 'opens autocomplete menu when field starts with text with item escaping HTML characters' do + alert_title = 'This will execute alert<img src=x onerror=alert(2)<img src=x onerror=alert(1)>' + create(:issue, project: project, title: alert_title) + + page.within '.timeline-content-form' do + find('#note-body').native.send_keys('#') + end + + expect(page).to have_selector('.atwho-container') + + page.within '.atwho-container #at-view-issues' do + expect(page.all('li').first.text).to include(alert_title) + end + end + it 'doesnt open autocomplete menu character is prefixed with text' do page.within '.timeline-content-form' do find('#note-body').native.send_keys('testing') |