Merge branch 'sh-backport-10-3-4-security-fixes' into 'master'

Backport 10.3.4 security fixes into master See merge request gitlab-org/gitlab-ce!16509
author: Oswaldo Ferreira <oswaldo@gitlab.com> 2018-01-17 20:26:59 +0000
committer: Oswaldo Ferreira <oswaldo@gitlab.com> 2018-01-17 20:26:59 +0000
commit: f351cc28c2c878bf491bb0886be65bf35b58b261 (patch)
tree: 987d0a33d93dce35b4b25c401ae2c772760299d6 /app/assets
parent: 3b13159d9c83e8ce679663ce264854ea94bee8a2 (diff)
parent: d1eb3ff594b42d6e9625724119f52d3356045870 (diff)
download: gitlab-ce-f351cc28c2c878bf491bb0886be65bf35b58b261.tar.gz
4 files changed, 41 insertions, 13 deletions
diff --git a/app/assets/javascripts/deploy_keys/components/key.vue b/app/assets/javascripts/deploy_keys/components/key.vue
index a9e819b8a3c..843564ce016 100644
--- a/app/assets/javascripts/deploy_keys/components/key.vue
+++ b/app/assets/javascripts/deploy_keys/components/key.vue
@@ -1,11 +1,15 @@
 <script>
   import actionBtn from './action_btn.vue';
   import { getTimeago } from '../../lib/utils/datetime_utility';
+  import tooltip from '../../vue_shared/directives/tooltip';
 
   export default {
     components: {
       actionBtn,
     },
+    directives: {
+      tooltip,
+    },
     props: {
       deployKey: {
         type: Object,
@@ -32,6 +36,9 @@
       isEnabled(id) {
         return this.store.findEnabledKey(id) !== undefined;
       },
+      tooltipTitle(project) {
+        return project.can_push ? 'Write access allowed' : 'Read access only';
+      },
     },
   };
 </script>
@@ -52,21 +59,23 @@
       <div class="description">
         {{ deployKey.fingerprint }}
       </div>
-      <div
-        v-if="deployKey.can_push"
-        class="write-access-allowed"
-      >
-        Write access allowed
-      </div>
     </div>
     <div class="deploy-key-content prepend-left-default deploy-key-projects">
       <a
-        v-for="(project, i) in deployKey.projects"
-        class="label deploy-project-label"
-        :href="project.full_path"
+        v-for="(deployKeysProject, i) in deployKey.deploy_keys_projects"
         :key="i"
+        class="label deploy-project-label"
+        :href="deployKeysProject.project.full_path"
+        :title="tooltipTitle(deployKeysProject)"
+        v-tooltip
       >
-        {{ project.full_name }}
+        {{ deployKeysProject.project.full_name }}
+        <i
+          v-if="!deployKeysProject.can_push"
+          aria-hidden="true"
+          class="fa fa-lock"
+        >
+        </i>
       </a>
     </div>
     <div class="deploy-key-content">
diff --git a/app/assets/javascripts/labels_select.js b/app/assets/javascripts/labels_select.js
index f7a1c9f1e40..664e793fc8e 100644
--- a/app/assets/javascripts/labels_select.js
+++ b/app/assets/javascripts/labels_select.js
@@ -231,7 +231,7 @@ export default class LabelsSelect {
             selectedClass.push('label-item');
             $a.attr('data-label-id', label.id);
           }
-          $a.addClass(selectedClass.join(' ')).html(colorEl + " " + label.title);
+          $a.addClass(selectedClass.join(' ')).html(`${colorEl} ${_.escape(label.title)}`);
           // Return generated html
           return $li.html($a).prop('outerHTML');
         },
diff --git a/app/assets/javascripts/notebook/cells/markdown.vue b/app/assets/javascripts/notebook/cells/markdown.vue
index d0ec70f1fcf..3d09d24b6ab 100644
--- a/app/assets/javascripts/notebook/cells/markdown.vue
+++ b/app/assets/javascripts/notebook/cells/markdown.vue
@@ -1,6 +1,7 @@
 <script>
   /* global katex */
   import marked from 'marked';
+  import sanitize from 'sanitize-html';
   import Prompt from './prompt.vue';
 
   const renderer = new marked.Renderer();
@@ -82,7 +83,12 @@
     },
     computed: {
       markdown() {
-        return marked(this.cell.source.join('').replace(/\\/g, '\\\\'));
+        return sanitize(marked(this.cell.source.join('').replace(/\\/g, '\\\\')), {
+          allowedTags: false,
+          allowedAttributes: {
+            '*': ['class'],
+          },
+        });
       },
     },
   };
diff --git a/app/assets/javascripts/notebook/cells/output/html.vue b/app/assets/javascripts/notebook/cells/output/html.vue
index ebba5954de9..0535ee7afa8 100644
--- a/app/assets/javascripts/notebook/cells/output/html.vue
+++ b/app/assets/javascripts/notebook/cells/output/html.vue
@@ -1,4 +1,5 @@
 <script>
+  import sanitize from 'sanitize-html';
   import Prompt from '../prompt.vue';
 
   export default {
@@ -11,12 +12,24 @@
         required: true,
       },
     },
+    computed: {
+      sanitizedOutput() {
+        return sanitize(this.rawCode, {
+          allowedTags: sanitize.defaults.allowedTags.concat([
+            'img', 'svg',
+          ]),
+          allowedAttributes: {
+            img: ['src'],
+          },
+        });
+      },
+    },
   };
 </script>
 
 <template>
   <div class="output">
     <prompt />
-    <div v-html="rawCode"></div>
+    <div v-html="sanitizedOutput"></div>
   </div>
 </template>
author	Oswaldo Ferreira <oswaldo@gitlab.com>	2018-01-17 20:26:59 +0000
committer	Oswaldo Ferreira <oswaldo@gitlab.com>	2018-01-17 20:26:59 +0000
commit	f351cc28c2c878bf491bb0886be65bf35b58b261 (patch)
tree	987d0a33d93dce35b4b25c401ae2c772760299d6 /app/assets
parent	3b13159d9c83e8ce679663ce264854ea94bee8a2 (diff)
parent	d1eb3ff594b42d6e9625724119f52d3356045870 (diff)
download	gitlab-ce-f351cc28c2c878bf491bb0886be65bf35b58b261.tar.gz