author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-02-01 09:04:30 +0000 |
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-02-01 09:04:59 +0000 |
commit | b2e1abee084bfd9f96da4bcb3fa26865d7fe6b6d (patch) | |
tree | 4f978a0fa2167d23e671b5973ae14a5113131ac8 | |
parent | 23330db102f66781cc9a22cd006433cfcbd13863 (diff) | |
Add latest changes from gitlab-org/security/gitlab@13-8-stable-ee
3 files changed, 19 insertions, 1 deletions
diff --git a/app/assets/javascripts/vue_merge_request_widget/components/mr_widget_pipeline_container.vue b/app/assets/javascripts/vue_merge_request_widget/components/mr_widget_pipeline_container.vue
index dffe3cab904..99b55c0f9ee 100644
--- a/app/assets/javascripts/vue_merge_request_widget/components/mr_widget_pipeline_container.vue
+++ b/app/assets/javascripts/vue_merge_request_widget/components/mr_widget_pipeline_container.vue
@@ -1,5 +1,6 @@
 <script>
 import { isNumber } from 'lodash';
+import { sanitize } from '~/lib/dompurify';
 import ArtifactsApp from './artifacts_list_app.vue';
 import MrWidgetContainer from './mr_widget_container.vue';
 import MrWidgetPipeline from './mr_widget_pipeline.vue';
@@ -40,7 +41,7 @@ export default {
 return this.isPostMerge ? this.mr.targetBranch : this.mr.sourceBranch;
 },
 branchLink() {
- return this.isPostMerge ? this.mr.targetBranch : this.mr.sourceBranchLink;
+ return this.isPostMerge ? sanitize(this.mr.targetBranch) : this.mr.sourceBranchLink;
 },
 deployments() {
 return this.isPostMerge ? this.mr.postMergeDeployments : this.mr.deployments;
diff --git a/changelogs/unreleased/security-sanitize-target-branch.yml b/changelogs/unreleased/security-sanitize-target-branch.yml
new file mode 100644
index 00000000000..9cf07fbfca4
--- /dev/null
+++ b/changelogs/unreleased/security-sanitize-target-branch.yml
@@ -0,0 +1,5 @@
+---
+title: Sanitize target branch on MR page
+merge_request:
+author:
+type: security
diff --git a/spec/frontend/vue_mr_widget/components/mr_widget_pipeline_container_spec.js b/spec/frontend/vue_mr_widget/components/mr_widget_pipeline_container_spec.js
index 85468c5b0db..7ff8d9678fe 100644
--- a/spec/frontend/vue_mr_widget/components/mr_widget_pipeline_container_spec.js
+++ b/spec/frontend/vue_mr_widget/components/mr_widget_pipeline_container_spec.js
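Review bot: `sanitize(this.mr.targetBranch)` in `branchLink` treats a branch name as HTML, so a name carrying markup that DOMPurify's default allow-list keeps (e.g. `<b>main</b>` or `<a href="https://example.test">main</a>`) is still handed to the child as elements rather than shown as text; since the consumer evidently renders this prop as HTML (the spec expects `'Foo'` for a `<script>` payload), the tighter contract for a plain branch name is escaping, `return this.isPostMerge ? escape(this.mr.targetBranch) : this.mr.sourceBranchLink;` with `escape` imported from lodash next to `isNumber`, which removes any dependence on the sanitizer's configuration. The other arm, `this.mr.sourceBranchLink`, is passed through unsanitized and is presumably server-rendered anchor HTML; if the post-merge value is meant to be a link too, a matching server-provided `targetBranchLink` would be the consistent fix rather than sanitizing a raw name client-side. A comment above the ternary stating that `sourceBranchLink` is trusted backend HTML while `targetBranch` is raw user-controlled text would record why the two arms are handled differently. The `export default` component containing `branchLink` starts and ends outside the hunk.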
@@ -78,6 +78,18 @@ describe('MrWidgetPipelineContainer', () => {
 });
 });
 
+ it('sanitizes the targetBranch', () => {
+ factory({
+ isPostMerge: true,
+ mr: {
+ ...mockStore,
+ targetBranch: 'Foo<script>alert("XSS")</script>',
+ },
+ });
+
+ expect(wrapper.find(MrWidgetPipeline).props().sourceBranchLink).toBe('Foo');
+ });
+
 it('renders deployments', () => {
 const expectedProps = mockStore.postMergeDeployments.map((dep) =>
 expect.objectContaining({
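Review bot: The new `it('sanitizes the targetBranch')` case only covers a `<script>` payload, which DOMPurify drops outright, so it would still pass with any sanitizer that strips scripts while letting other markup through; add a second case with markup the default allow-list keeps, `targetBranch: '<b>main</b>'`, and pin the intended outcome — `toBe('main')` if the branch name is meant to render as text, or `toBe('<b>main</b>')` if retained HTML is acceptable — so the contract is explicit. A companion case with `isPostMerge: false` asserting that `sourceBranchLink` reaches the child untouched would also document that only the target branch is sanitized in `branchLink`. Asserting on a prop named `sourceBranchLink` while feeding `targetBranch` reads oddly; a one-line comment such as `// post-merge, the pipeline widget receives the sanitized target branch under the sourceBranchLink prop` would save the next reader a trip to the component. The enclosing `describe` block starts and ends outside the hunk.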