diff options
author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-11-26 12:01:56 +0000 |
---|---|---|
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-11-26 12:01:56 +0000 |
commit | 5f9de1e04140d0a556cd2164ff644ca5fe5c02d2 (patch) | |
tree | a463261a4a5953e80e8533a1bd14bb423f5dc475 | |
parent | 70911c7c43f5bc804156c701b3a4ba9b992548b3 (diff) | |
parent | ad48a55cc22864e97f5a616a3aafc953e8c43ff2 (diff) | |
download | gitlab-ce-5f9de1e04140d0a556cd2164ff644ca5fe5c02d2.tar.gz |
Merge branch 'security-fix-xss-in-label-namespace-12-5' into '12-5-stable'
Escape namespace in label references
See merge request gitlab/gitlabhq!3550
-rw-r--r-- | changelogs/unreleased/security-fix-xss-in-label-namespace.yml | 5 | ||||
-rw-r--r-- | lib/banzai/filter/label_reference_filter.rb | 2 | ||||
-rw-r--r-- | spec/lib/banzai/filter/label_reference_filter_spec.rb | 9 |
3 files changed, 15 insertions, 1 deletions
diff --git a/changelogs/unreleased/security-fix-xss-in-label-namespace.yml b/changelogs/unreleased/security-fix-xss-in-label-namespace.yml new file mode 100644 index 00000000000..342cf3e68cb --- /dev/null +++ b/changelogs/unreleased/security-fix-xss-in-label-namespace.yml @@ -0,0 +1,5 @@ +--- +title: Escape namespace in label references to prevent XSS +merge_request: +author: +type: security diff --git a/lib/banzai/filter/label_reference_filter.rb b/lib/banzai/filter/label_reference_filter.rb index db620c65237..609ea8fb5ca 100644 --- a/lib/banzai/filter/label_reference_filter.rb +++ b/lib/banzai/filter/label_reference_filter.rb @@ -89,7 +89,7 @@ module Banzai parent_from_ref = from_ref_cached(project_path) reference = parent_from_ref.to_human_reference(parent) - label_suffix = " <i>in #{reference}</i>" if reference.present? + label_suffix = " <i>in #{ERB::Util.html_escape(reference)}</i>" if reference.present? end presenter = object.present(issuable_subject: parent) diff --git a/spec/lib/banzai/filter/label_reference_filter_spec.rb b/spec/lib/banzai/filter/label_reference_filter_spec.rb index 35e99d2586e..66af26bc51c 100644 --- a/spec/lib/banzai/filter/label_reference_filter_spec.rb +++ b/spec/lib/banzai/filter/label_reference_filter_spec.rb @@ -521,6 +521,15 @@ describe Banzai::Filter::LabelReferenceFilter do expect(reference_filter(act).to_html).to eq exp end + + context 'when group name has HTML entities' do + let(:another_group) { create(:group, name: '<img src=x onerror=alert(1)>', path: 'another_group') } + + it 'escapes the HTML entities' do + expect(result.text) + .to eq "See #{group_label.name} in #{another_project.full_name}" + end + end end describe 'cross-project / same-group_label complete reference' do |