authorGitLab Bot <gitlab-bot@gitlab.com>2022-03-31 00:03:49 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-03-31 00:03:49 +0000
commit4f431bb5c72f24fcfc74a89238f5442c1aeb1d5f (patch)
tree2381b87036a93cdedc3bc3d7a32afb75416aaba0
parentf3ef42d99269ba77201f7c5432a66d048be2eacd (diff)
downloadgitlab-ce-4f431bb5c72f24fcfc74a89238f5442c1aeb1d5f.tar.gz
Add latest changes from gitlab-org/security/gitlab@14-8-stable-ee
-rw-r--r--app/assets/javascripts/blob/openapi/index.js7
-rw-r--r--package.json2
-rw-r--r--spec/features/projects/blobs/blob_show_spec.rb47
-rw-r--r--yarn.lock8
4 files changed, 53 insertions, 11 deletions
diff --git a/app/assets/javascripts/blob/openapi/index.js b/app/assets/javascripts/blob/openapi/index.js
index b19cc19cb8c..a04da98ff77 100644
--- a/app/assets/javascripts/blob/openapi/index.js
+++ b/app/assets/javascripts/blob/openapi/index.js
@@ -1,6 +1,5 @@
import { SwaggerUIBundle } from 'swagger-ui-dist';
import createFlash from '~/flash';
-import { removeParams, updateHistory } from '~/lib/utils/url_utility';
import { __ } from '~/locale';
export default () => {
@@ -8,14 +7,10 @@ export default () => {
Promise.all([import(/* webpackChunkName: 'openapi' */ 'swagger-ui-dist/swagger-ui.css')])
.then(() => {
- // Temporary fix to prevent an XSS attack due to "useUnsafeMarkdown"
- // Once we upgrade Swagger to "4.0.0", we can safely remove this as it will be deprecated
- // Follow-up issue: https://gitlab.com/gitlab-org/gitlab/-/issues/339696
- updateHistory({ url: removeParams(['useUnsafeMarkdown']), replace: true });
SwaggerUIBundle({
url: el.dataset.endpoint,
dom_id: '#js-openapi-viewer',
- useUnsafeMarkdown: false,
+ deepLinking: true,
});
})
.catch((error) => {
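Review bot: With the explicit `useUnsafeMarkdown: false` and the `removeParams(['useUnsafeMarkdown'])` history rewrite both removed, sanitization of Markdown/HTML in the rendered spec now rests entirely on the default behaviour of the pinned swagger-ui-dist 4.8.0, and nothing at this call site records that assumption. A one-line comment above `SwaggerUIBundle({` would stop a future upgrade from re-enabling unsafe rendering unnoticed: `// Spec descriptions are attacker-controlled; rely on swagger-ui's default sanitizer and never set useUnsafeMarkdown (regression spec: blob_show_spec 'openapi.yml').` The newly added `deepLinking: true` is a behaviour change unrelated to the sanitization fix and is not mentioned in the commit description, so it is worth a sentence there. The arrow function this hunk edits continues past the end of the hunk.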
diff --git a/package.json b/package.json
index ddaf4f60af7..5d27914c5cb 100644
--- a/package.json
+++ b/package.json
@@ -171,7 +171,7 @@
"sql.js": "^0.4.0",
"string-hash": "1.1.3",
"style-loader": "^2.0.0",
- "swagger-ui-dist": "^3.52.3",
+ "swagger-ui-dist": "4.8.0",
"three": "^0.84.0",
"three-orbit-controls": "^82.1.0",
"three-stl-loader": "^1.0.4",
diff --git a/spec/features/projects/blobs/blob_show_spec.rb b/spec/features/projects/blobs/blob_show_spec.rb
index 77194fd6ca1..d4cb9188fc1 100644
--- a/spec/features/projects/blobs/blob_show_spec.rb
+++ b/spec/features/projects/blobs/blob_show_spec.rb
@@ -948,6 +948,53 @@ RSpec.describe 'File blob', :js do
end
end
end
+
+ context 'openapi.yml' do
+ before do
+ file_name = 'openapi.yml'
+
+ create_file(file_name, '
+ swagger: \'2.0\'
+ info:
+ title: Classic API Resource Documentation
+ description: |
+ <div class="foo-bar" style="background-color: red;" data-foo-bar="baz">
+ <h1>Swagger API documentation</h1>
+ </div>
+ version: production
+ basePath: /JSSResource/
+ produces:
+ - application/xml
+ - application/json
+ consumes:
+ - application/xml
+ - application/json
+ security:
+ - basicAuth: []
+ paths:
+ /accounts:
+ get:
+ responses:
+ \'200\':
+ description: No response was specified
+ tags:
+ - accounts
+ operationId: findAccounts
+ summary: Finds all accounts
+ ')
+ visit_blob(file_name, useUnsafeMarkdown: '1')
+ click_button('Display rendered file')
+
+ wait_for_requests
+ end
+
+ it 'removes `style`, `class`, and `data-*`` attributes from HTML' do
+ expect(page).to have_css('h1', text: 'Swagger API documentation')
+ expect(page).not_to have_css('.foo-bar')
+ expect(page).not_to have_css('[style="background-color: red;"]')
+ expect(page).not_to have_css('[data-foo-bar="baz"]')
+ end
+ end
end
context 'realtime pipelines' do
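Review bot: The fixture in the new `openapi.yml` context only shows that decorative `class`, `style` and `data-*` attributes are stripped; it contains no executable payload, so a sanitizer that dropped those attributes but kept event handlers or script would still pass. Adding `<img src="x" onerror="window.xssed = true">` inside the `description` block and asserting `expect(page).not_to have_css('img[onerror]')` (and, if the suite allows it, `expect(page.evaluate_script('window.xssed')).to be_nil`) ties the spec to the vulnerability class the commit is about. The example description `it 'removes ... data-*`` attributes from HTML'` also has a stray second backtick after `data-*`.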
diff --git a/yarn.lock b/yarn.lock
index b05b46afdc5..12bfe1dd4bf 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -11169,10 +11169,10 @@ svg-tags@^1.0.0:
resolved "https://registry.yarnpkg.com/svg-tags/-/svg-tags-1.0.0.tgz#58f71cee3bd519b59d4b2a843b6c7de64ac04764"
integrity sha1-WPcc7jvVGbWdSyqEO2x95krAR2Q=
-swagger-ui-dist@^3.52.3:
- version "3.52.3"
- resolved "https://registry.yarnpkg.com/swagger-ui-dist/-/swagger-ui-dist-3.52.3.tgz#a09b5cdccac69e3f5f1cbd258654a110119a7f0e"
- integrity sha512-7QSY4milmYx5O8dbzU5tTftiaoZt+4JGxahTTBiLAnbTvhTyzum9rsjDIJjC+xeT8Tt1KfB38UuQQjmrh2THDQ==
+swagger-ui-dist@4.8.0:
+ version "4.8.0"
+ resolved "https://registry.yarnpkg.com/swagger-ui-dist/-/swagger-ui-dist-4.8.0.tgz#5f39a038a02ffbd5defb8e1921a9ac1620d779ae"
+ integrity sha512-jdcO4XcbwkAtrwvHp90Usjx3d4JZMjaiS02CxBFfuSxr6G8DBXPcK471+N6BcBkwZK7VTgpUBFAyyarsAvKYFQ==
symbol-observable@^1.0.4:
version "1.2.0"