Merge branch 'security-fix-xss-in-label-namespace-12-3' into '12-3-stable'

Escape namespace in label references See merge request gitlab/gitlabhq!3552
author: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-11-26 12:01:00 +0000
committer: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-11-26 12:01:00 +0000
commit: e598e93200611c5685cb7441ebe914155c24ce23 (patch)
tree: 797c602e4e528484b0df7a918a11d179fff7553a
parent: f69e5e054bae573dcca2e02c13ffd910f7a11651 (diff)
parent: d6d5b2fecad291fe30454334cf523699b56b8062 (diff)
download: gitlab-ce-e598e93200611c5685cb7441ebe914155c24ce23.tar.gz
3 files changed, 15 insertions, 1 deletions
diff --git a/changelogs/unreleased/security-fix-xss-in-label-namespace.yml b/changelogs/unreleased/security-fix-xss-in-label-namespace.yml
new file mode 100644
index 00000000000..342cf3e68cb
--- /dev/null
+++ b/changelogs/unreleased/security-fix-xss-in-label-namespace.yml
@@ -0,0 +1,5 @@
+---
+title: Escape namespace in label references to prevent XSS
+merge_request:
+author:
+type: security
diff --git a/lib/banzai/filter/label_reference_filter.rb b/lib/banzai/filter/label_reference_filter.rb
index db620c65237..609ea8fb5ca 100644
--- a/lib/banzai/filter/label_reference_filter.rb
+++ b/lib/banzai/filter/label_reference_filter.rb
@@ -89,7 +89,7 @@ module Banzai
           parent_from_ref = from_ref_cached(project_path)
           reference       = parent_from_ref.to_human_reference(parent)
 
-          label_suffix = " <i>in #{reference}</i>" if reference.present?
+          label_suffix = " <i>in #{ERB::Util.html_escape(reference)}</i>" if reference.present?
         end
 
         presenter = object.present(issuable_subject: parent)
diff --git a/spec/lib/banzai/filter/label_reference_filter_spec.rb b/spec/lib/banzai/filter/label_reference_filter_spec.rb
index 35e99d2586e..66af26bc51c 100644
--- a/spec/lib/banzai/filter/label_reference_filter_spec.rb
+++ b/spec/lib/banzai/filter/label_reference_filter_spec.rb
@@ -521,6 +521,15 @@ describe Banzai::Filter::LabelReferenceFilter do
 
       expect(reference_filter(act).to_html).to eq exp
     end
+
+    context 'when group name has HTML entities' do
+      let(:another_group) { create(:group, name: '<img src=x onerror=alert(1)>', path: 'another_group') }
+
+      it 'escapes the HTML entities' do
+        expect(result.text)
+          .to eq "See #{group_label.name} in #{another_project.full_name}"
+      end
+    end
   end
 
   describe 'cross-project / same-group_label complete reference' do
author	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-11-26 12:01:00 +0000
committer	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-11-26 12:01:00 +0000
commit	e598e93200611c5685cb7441ebe914155c24ce23 (patch)
tree	797c602e4e528484b0df7a918a11d179fff7553a
parent	f69e5e054bae573dcca2e02c13ffd910f7a11651 (diff)
parent	d6d5b2fecad291fe30454334cf523699b56b8062 (diff)
download	gitlab-ce-e598e93200611c5685cb7441ebe914155c24ce23.tar.gz