authorGitLab Bot <gitlab-bot@gitlab.com>2021-09-29 12:59:36 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-09-29 12:59:57 +0000
commit77e5b153659e884a5fa8442d675f2b88e9de2dd2 (patch)
tree1e0a5bf0dca7160afbd7f8fa578e61cc665b2ad5
parenta3adc9bca8f340d1e88fda2e5c5d24326417acc4 (diff)
Add latest changes from gitlab-org/security/gitlab@14-3-stable-ee
-rw-r--r--app/assets/javascripts/users_select/index.js2
-rw-r--r--app/controllers/projects/project_members_controller.rb4
-rw-r--r--spec/controllers/projects/project_members_controller_spec.rb10
-rw-r--r--spec/frontend/users_select/index_spec.js16
4 files changed, 26 insertions, 6 deletions
diff --git a/app/assets/javascripts/users_select/index.js b/app/assets/javascripts/users_select/index.js
index 69b3c27173f..8ed92e6b948 100644
--- a/app/assets/javascripts/users_select/index.js
+++ b/app/assets/javascripts/users_select/index.js
@@ -842,7 +842,7 @@ UsersSelect.prototype.renderApprovalRules = function (elsClassName, approvalRule
const [rule] = approvalRules;
const countText = sprintf(__('(+%{count}&nbsp;rules)'), { count });
const renderApprovalRulesCount = count > 1 ? `<span class="ml-1">${countText}</span>` : '';
- const ruleName = rule.rule_type === 'code_owner' ? __('Code Owner') : rule.name;
+ const ruleName = rule.rule_type === 'code_owner' ? __('Code Owner') : escape(rule.name);
return `<div class="gl-display-flex gl-font-sm">
<span class="gl-text-truncate" title="${ruleName}">${ruleName}</span>
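Review bot: The new `escape(rule.name)` on the changed line carries no comment recording why it is there, and the reason is easy to lose in a later refactor: `rule.name` is user-supplied text that is interpolated twice into the markup below, once into the `title` attribute and once into the span body. Add `// rule.name is user-controlled: escape it before interpolating into the markup below (XSS)` above that line. The `__('Code Owner')` branch stays unescaped, which is fine for a fixed translation string. The diffstat shows no import change in this file, so this relies on `escape` already being imported from lodash at the top of index.js, which is worth confirming. The template literal returned by renderApprovalRules continues past the end of the hunk.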
diff --git a/app/controllers/projects/project_members_controller.rb b/app/controllers/projects/project_members_controller.rb
index d0987492d2d..b979276437c 100644
--- a/app/controllers/projects/project_members_controller.rb
+++ b/app/controllers/projects/project_members_controller.rb
@@ -34,13 +34,13 @@ class Projects::ProjectMembersController < Projects::ApplicationController
end
def import
- @projects = current_user.authorized_projects.order_id_desc
+ @projects = Project.visible_to_user_and_access_level(current_user, Gitlab::Access::MAINTAINER).order_id_desc
end
def apply_import
source_project = Project.find(params[:source_project_id])
- if can?(current_user, :read_project_member, source_project)
+ if can?(current_user, :admin_project_member, source_project)
status = @project.team.import(source_project, current_user)
notice = status ? "Successfully imported" : "Import failed"
else
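Review bot: `Project.find(params[:source_project_id])` on the first line of apply_import raises RecordNotFound for an unknown id before the new `:admin_project_member` check runs, so a caller probing ids gets a 404 for ids that do not exist and the else-branch response for ids that exist but they may not administer, which lets private project ids be enumerated. Use `source_project = Project.find_by(id: params[:source_project_id])` and `if source_project && can?(current_user, :admin_project_member, source_project)` so both cases take the same path. The `else` branch and the rest of apply_import are outside the hunk, so how distinguishable the two responses actually are cannot be confirmed here. Separately, `import` now lists projects at MAINTAINER access while `apply_import` checks `:admin_project_member`; these agree only as long as the policy grants that ability at maintainer, which is presumably the case but deserves a one-line comment tying the two together.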
diff --git a/spec/controllers/projects/project_members_controller_spec.rb b/spec/controllers/projects/project_members_controller_spec.rb
index be5c1f0d428..c352524ec14 100644
--- a/spec/controllers/projects/project_members_controller_spec.rb
+++ b/spec/controllers/projects/project_members_controller_spec.rb
@@ -624,9 +624,9 @@ RSpec.describe Projects::ProjectMembersController do
end
end
- context 'when user can access source project members' do
+ context 'when user can admin source project members' do
before do
- another_project.add_guest(user)
+ another_project.add_maintainer(user)
end
include_context 'import applied'
@@ -640,7 +640,11 @@ RSpec.describe Projects::ProjectMembersController do
end
end
- context 'when user is not member of a source project' do
+ context "when user can't admin source project members" do
+ before do
+ another_project.add_developer(user)
+ end
+
include_context 'import applied'
it 'does not import team members' do
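Review bot: Replacing the 'when user is not member of a source project' context with the developer one drops coverage of the non-member case, so a regression that let non-members import would no longer be caught by this spec. Keep both: leave the new developer context as written and add a sibling `context 'when user is not a member of the source project' do` with no `before` block that includes the same 'import applied' context and the same 'does not import team members' expectation (the `it` body runs past the hunk, so it may need extracting into a shared example). A guest-member case would also be a cheap addition, since the positive context's setup moved from `add_guest` to `add_maintainer` in the hunk above.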
diff --git a/spec/frontend/users_select/index_spec.js b/spec/frontend/users_select/index_spec.js
index 99caaf61c54..0d2aae78944 100644
--- a/spec/frontend/users_select/index_spec.js
+++ b/spec/frontend/users_select/index_spec.js
@@ -1,3 +1,5 @@
+import { escape } from 'lodash';
+import UsersSelect from '~/users_select/index';
import {
createInputsModelExpectation,
createUnassignedExpectation,
@@ -91,5 +93,19 @@ describe('~/users_select/index', () => {
expect(findDropdownItemsModel()).toEqual(expectation);
});
});
+
+ describe('renderApprovalRules', () => {
+ const ruleNames = ['simple-name', '"\'<>&', '"><script>alert(1)<script>'];
+
+ it.each(ruleNames)('escapes rule name correctly for %s', (name) => {
+ const escapedName = escape(name);
+
+ expect(
+ UsersSelect.prototype.renderApprovalRules('reviewer', [{ name }]),
+ ).toMatchInterpolatedText(
+ `<div class="gl-display-flex gl-font-sm"> <span class="gl-text-truncate" title="${escapedName}">${escapedName}</span> </div>`,
+ );
+ });
+ });
});
});
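Review bot: The expected markup in the new `renderApprovalRules` test is computed with the same lodash `escape` the implementation calls, so the test asserts "the helper was used" rather than the concrete output, and a change in lodash's escaping table would move both sides together. Pin the expectation to literal strings instead, e.g. `[['"\'<>&', '&quot;&#39;&lt;&gt;&amp;'], ['"><script>alert(1)<script>', '&quot;&gt;&lt;script&gt;alert(1)&lt;script&gt;']]` and drop the `escape` import from the spec. The third fixture's closing tag is written `<script>` rather than `</script>`, which still exercises escaping but reads like a typo. A case with `rule_type: 'code_owner'` would also document that that branch deliberately skips escaping.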