diff options
author | Robert Speicher <robert@gitlab.com> | 2016-09-28 15:02:12 +0000 |
---|---|---|
committer | Rémy Coutable <remy@rymai.me> | 2016-09-28 18:27:57 +0200 |
commit | afc5a5162c7e87d1bbad0c1721eb047b02762592 (patch) | |
tree | 593d18266e907798e889e46ad20c80349a8f3249 | |
parent | b7a6ad82cbadb6b3d9cb842be8b269ef5a8a05e2 (diff) | |
download | gitlab-ce-afc5a5162c7e87d1bbad0c1721eb047b02762592.tar.gz |
Merge branch 'fix/escape-builds-commands-in-ci-linter' into 'security'
Escape HTML nodes in builds commands in ci linter
This MR removes call to `simple_format` that behaves like `String#html_safe`, thus it passes unescaped HTML tags to the view.
Closes #22541
See merge request !2001
Signed-off-by: Rémy Coutable <remy@rymai.me>
-rw-r--r-- | CHANGELOG | 1 | ||||
-rw-r--r-- | app/views/ci/lints/_create.html.haml | 3 | ||||
-rw-r--r-- | spec/views/ci/lints/show.html.haml_spec.rb | 35 |
3 files changed, 37 insertions, 2 deletions
diff --git a/CHANGELOG b/CHANGELOG index c0b3afa8fb5..9402018cb19 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -4,6 +4,7 @@ v 8.10.11 - Respect the fork_project permission when forking projects - Set a restrictive CORS policy on the API for credentialed requests - API: disable rails session auth for non-GET/HEAD requests + - Escape HTML nodes in builds commands in CI linter v 8.10.10 - Allow the Rails cookie to be used for API authentication. diff --git a/app/views/ci/lints/_create.html.haml b/app/views/ci/lints/_create.html.haml index f7875e68b7e..1545c00af45 100644 --- a/app/views/ci/lints/_create.html.haml +++ b/app/views/ci/lints/_create.html.haml @@ -16,8 +16,7 @@ %tr %td #{stage.capitalize} Job - #{build[:name]} %td - %pre - = simple_format build[:commands] + %pre= build[:commands] %br %b Tag list: diff --git a/spec/views/ci/lints/show.html.haml_spec.rb b/spec/views/ci/lints/show.html.haml_spec.rb new file mode 100644 index 00000000000..3a65a86cd88 --- /dev/null +++ b/spec/views/ci/lints/show.html.haml_spec.rb @@ -0,0 +1,35 @@ +require 'spec_helper' + +describe 'ci/lints/show' do + include Devise::TestHelpers + + before do + assign(:status, true) + assign(:stages, %w[test]) + assign(:builds, builds) + end + + context 'when builds attrbiutes contain HTML nodes' do + let(:builds) do + [ { name: 'rspec', stage: 'test', commands: '<h1>rspec</h1>' } ] + end + + it 'does not render HTML elements' do + render + + expect(rendered).not_to have_css('h1', text: 'rspec') + end + end + + context 'when builds attributes do not contain HTML nodes' do + let(:builds) do + [ { name: 'rspec', stage: 'test', commands: 'rspec' } ] + end + + it 'shows configuration in the table' do + render + + expect(rendered).to have_css('td pre', text: 'rspec') + end + end +end |