author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-10-30 15:18:47 +0000 |
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-10-30 15:18:47 +0000 |
commit | b5e7de21d8f1d479f24826198e6e54920cc29598 (patch) | |
tree | 1b09b2058baaebc370bf3f618185dca16fef2bb9 | |
parent | fa2fec1d18330e4cd9803ff164db19e7367e3838 (diff) | |
download | gitlab-ce-b5e7de21d8f1d479f24826198e6e54920cc29598.tar.gz |
Add latest changes from gitlab-org/security/gitlab@13-5-stable-ee
-rw-r--r-- | app/assets/javascripts/jobs/components/job_app.vue | 8 | ||||
-rw-r--r-- | app/serializers/build_details_entity.rb | 2 | ||||
-rw-r--r-- | changelogs/unreleased/security-stored-xss-build-dependencies.yml | 5 |
3 files changed, 11 insertions, 4 deletions
diff --git a/app/assets/javascripts/jobs/components/job_app.vue b/app/assets/javascripts/jobs/components/job_app.vue
index 00ff3fb939d..c6adf2f231f 100644
--- a/app/assets/javascripts/jobs/components/job_app.vue
+++ b/app/assets/javascripts/jobs/components/job_app.vue
@@ -1,8 +1,7 @@
 <script>
-/* eslint-disable vue/no-v-html */
 import { throttle, isEmpty } from 'lodash';
 import { mapGetters, mapState, mapActions } from 'vuex';
-import { GlLoadingIcon, GlIcon } from '@gitlab/ui';
+import { GlLoadingIcon, GlIcon, GlSafeHtmlDirective as SafeHtml } from '@gitlab/ui';
 import { GlBreakpointInstance as bp } from '@gitlab/ui/dist/utils';
 import { isScrolledToBottom } from '~/lib/utils/scroll_utils';
 import { polyfillSticky } from '~/lib/utils/sticky';
@@ -36,6 +35,9 @@ export default {
 GlLoadingIcon,
 SharedRunner: () => import('ee_component/jobs/components/shared_runner_limit_block.vue'),
 },
+ directives: {
+ SafeHtml,
+ },
 mixins: [delayedJobMixin],
 props: {
 artifactHelpUrl: {
@@ -223,7 +225,7 @@ export default { </div> <callout v-if="shouldRenderHeaderCallout"> - <div v-html="job.callout_message"></div> + <div v-safe-html="job.callout_message"></div> </callout> </header> <!-- EO Header Section -->
diff --git a/app/serializers/build_details_entity.rb b/app/serializers/build_details_entity.rb
index 109213ab729..917c416ce33 100644
--- a/app/serializers/build_details_entity.rb
+++ b/app/serializers/build_details_entity.rb
@@ -136,7 +136,7 @@ class BuildDetailsEntity < JobEntity docs_url = "https://docs.gitlab.com/ee/ci/yaml/README.html#dependencies" [ - failure_message.html_safe, + failure_message, help_message(docs_url).html_safe ].join("<br />") end
diff --git a/changelogs/unreleased/security-stored-xss-build-dependencies.yml b/changelogs/unreleased/security-stored-xss-build-dependencies.yml
new file mode 100644
index 00000000000..a5ce2bd0158
--- /dev/null
+++ b/changelogs/unreleased/security-stored-xss-build-dependencies.yml
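Review bot: The `v-safe-html` swap on the callout `<div>` moves the defence to the client-side sanitizer, but nothing in the template records that `job.callout_message` is server-assembled HTML (a failure message joined with a help link via `<br />`, per the build_details_entity.rb hunk in this same commit, and user-controlled per the commit title), so a future maintainer could plausibly switch it back to `v-html` or bind it with `{{ }}` and either reopen the issue or break the link. A one-line template comment above the div would pin the contract: `<!-- callout_message is server-built HTML that embeds user-influenced text; keep it behind v-safe-html, never v-html -->`. Removing the `vue/no-v-html` eslint-disable in the first hunk is a useful guard, since the lint rule will now flag any reintroduced `v-html` in this file, assuming that rule is enabled in the project's ESLint config. The enclosing template section starts and ends outside the hunk.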
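Review bot: Dropping `.html_safe` from `failure_message` does not by itself escape it: in plain Ruby/ActiveSupport `Array#join` returns a new `String`, so the joined value carries neither the safe flag nor any escaping, and the raw `failure_message` still reaches the JSON payload unescaped; the effective mitigation in this commit is the client-side `v-safe-html` in the job_app.vue hunk. If the serializer output is meant to be safe independently of which consumer renders it, escaping at the source is more robust: `ERB::Util.html_escape(failure_message),` in place of the bare `failure_message,`, which neutralises any markup in the message while keeping the `<br />` and help-link markup intact. For the same `join` reason the remaining `.html_safe` on `help_message(docs_url)` no longer has any effect, though it is harmless. The enclosing method starts before the hunk, so whether `failure_message` is already escaped upstream cannot be confirmed from this diff.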
@@ -0,0 +1,5 @@
+---
+title: Fix XSS vulnerability for job build dependencies
+merge_request:
+author:
+type: security |