diff options
author | Patrick Derichs <pderichs@gitlab.com> | 2019-08-01 09:18:12 +0200 |
---|---|---|
committer | Patrick Derichs <pderichs@gitlab.com> | 2019-08-05 16:27:37 +0200 |
commit | 5bfd913736eb7603630cd7af79adf2214ab50109 (patch) | |
tree | 3fd9af7edd518a9ca741c32fd0023882200b71b7 | |
parent | 6ccbccc2010dc1197d7b721c76cdb176050e43d8 (diff) | |
download | gitlab-ce-5bfd913736eb7603630cd7af79adf2214ab50109.tar.gz |
Fix HTML injection for label description
-rw-r--r-- | app/helpers/labels_helper.rb | 2 | ||||
-rw-r--r-- | app/models/label.rb | 8 | ||||
-rw-r--r-- | changelogs/unreleased/security-fix-html-injection-for-label-description-ce-master.yml | 5 | ||||
-rw-r--r-- | spec/helpers/labels_helper_spec.rb | 10 | ||||
-rw-r--r-- | spec/models/label_spec.rb | 7 |
5 files changed, 29 insertions, 3 deletions
diff --git a/app/helpers/labels_helper.rb b/app/helpers/labels_helper.rb index db4f29cd996..bed6eb90209 100644 --- a/app/helpers/labels_helper.rb +++ b/app/helpers/labels_helper.rb @@ -72,7 +72,7 @@ module LabelsHelper end def label_tooltip_title(label) - label.description + Sanitize.clean(label.description) end def suggested_colors diff --git a/app/models/label.rb b/app/models/label.rb index b83e0862bab..b86d4aa84ff 100644 --- a/app/models/label.rb +++ b/app/models/label.rb @@ -193,7 +193,11 @@ class Label < ApplicationRecord end def title=(value) - write_attribute(:title, sanitize_title(value)) if value.present? + write_attribute(:title, sanitize_value(value)) if value.present? + end + + def description=(value) + write_attribute(:description, sanitize_value(value)) if value.present? end ## @@ -254,7 +258,7 @@ class Label < ApplicationRecord end end - def sanitize_title(value) + def sanitize_value(value) CGI.unescapeHTML(Sanitize.clean(value.to_s)) end diff --git a/changelogs/unreleased/security-fix-html-injection-for-label-description-ce-master.yml b/changelogs/unreleased/security-fix-html-injection-for-label-description-ce-master.yml new file mode 100644 index 00000000000..07124ac399b --- /dev/null +++ b/changelogs/unreleased/security-fix-html-injection-for-label-description-ce-master.yml @@ -0,0 +1,5 @@ +--- +title: Fix HTML injection for label description +merge_request: +author: +type: security diff --git a/spec/helpers/labels_helper_spec.rb b/spec/helpers/labels_helper_spec.rb index 314305d7a8e..5892113c4d8 100644 --- a/spec/helpers/labels_helper_spec.rb +++ b/spec/helpers/labels_helper_spec.rb @@ -296,4 +296,14 @@ describe LabelsHelper do it { is_expected.to eq('Subscribe at group level') } end end + + describe '#label_tooltip_title' do + let(:html) { '<img src="example.png">This is an image</img>' } + let(:label_with_html_content) { create(:label, title: 'test', description: html) } + + it 'removes HTML' do + tooltip = label_tooltip_title(label_with_html_content) + expect(tooltip).to eq('This is an image') + end + end end diff --git a/spec/models/label_spec.rb b/spec/models/label_spec.rb index 5174c590a10..c182e693ca7 100644 --- a/spec/models/label_spec.rb +++ b/spec/models/label_spec.rb @@ -84,6 +84,13 @@ describe Label do end end + describe '#description' do + it 'sanitizes description' do + label = described_class.new(description: '<b>foo & bar?</b>') + expect(label.description).to eq('foo & bar?') + end + end + describe 'priorization' do subject(:label) { create(:label) } |