Merge branch 'security-package-json-xss' into 'master'

[master] Fix XSS vulnerability sourced from package.json's homepage Closes #2702 See merge request gitlab/gitlabhq!2496
author: Bob Van Landuyt <bob@gitlab.com> 2018-10-01 16:47:16 +0000
committer: Bob Van Landuyt <bob@gitlab.com> 2018-10-01 16:47:16 +0000
commit: 1735088e7c5bf62a8f896a2b0e384964de83d118 (patch)
tree: aba06cb9e7f8df96aed72dfddc2edd8750026e0c /app
parent: b93f1d3cf8d5325c9fc9283afacfca069ddc3d62 (diff)
parent: 3bd607f280b70bdc7c574a4c217168adb1a88ecd (diff)
download: gitlab-ce-1735088e7c5bf62a8f896a2b0e384964de83d118.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/app/models/blob_viewer/package_json.rb b/app/models/blob_viewer/package_json.rb
index d12dd93ce2e..7cae60a74d6 100644
--- a/app/models/blob_viewer/package_json.rb
+++ b/app/models/blob_viewer/package_json.rb
@@ -33,7 +33,8 @@ module BlobViewer
     end
 
     def homepage
-      json_data['homepage']
+      url = json_data['homepage']
+      url if Gitlab::UrlSanitizer.valid?(url)
     end
 
     def npm_url
author	Bob Van Landuyt <bob@gitlab.com>	2018-10-01 16:47:16 +0000
committer	Bob Van Landuyt <bob@gitlab.com>	2018-10-01 16:47:16 +0000
commit	1735088e7c5bf62a8f896a2b0e384964de83d118 (patch)
tree	aba06cb9e7f8df96aed72dfddc2edd8750026e0c /app
parent	b93f1d3cf8d5325c9fc9283afacfca069ddc3d62 (diff)
parent	3bd607f280b70bdc7c574a4c217168adb1a88ecd (diff)
download	gitlab-ce-1735088e7c5bf62a8f896a2b0e384964de83d118.tar.gz