author | Paul Slaughter <pslaughter@gitlab.com> | 2019-02-26 08:43:43 -0600 |
---|---|---|
committer | Paul Slaughter <pslaughter@gitlab.com> | 2019-03-07 01:54:16 -0600 |
commit | e6e9c10ee1be86301db02cbf7d0e833b2ef6e073 (patch) | |
tree | ded9edefeb95c1b8f6209d0c500f9576d452d943 /spec/features/merge_request/user_resolves_conflicts_spec.rb | |
parent | f944971b0bad25014a846d296057b2e89a6a340c (diff) | |
download | gitlab-ce-e6e9c10ee1be86301db02cbf7d0e833b2ef6e073.tar.gz |
Fix XSS in resolve conflicts form
The issue arose when the branch name contained Vue template
JavaScript. The fix is to use `v-pre` which disables Vue
compilation in a template.
Diffstat (limited to 'spec/features/merge_request/user_resolves_conflicts_spec.rb')
-rw-r--r-- | spec/features/merge_request/user_resolves_conflicts_spec.rb | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/spec/features/merge_request/user_resolves_conflicts_spec.rb b/spec/features/merge_request/user_resolves_conflicts_spec.rb
index 16c058ab6bd..8fd44b87e5a 100644
--- a/spec/features/merge_request/user_resolves_conflicts_spec.rb
+++ b/spec/features/merge_request/user_resolves_conflicts_spec.rb
@@ -164,6 +164,21 @@ describe 'Merge request > User resolves conflicts', :js do
 expect(page).to have_content('Gregor Samsa woke from troubled dreams')
 end
 end
+
+ context "with malicious branch name" do
+ let(:bad_branch_name) { "malicious-branch-{{toString.constructor('alert(/xss/)')()}}" }
+ let(:branch) { project.repository.create_branch(bad_branch_name, 'conflict-resolvable') }
+ let(:merge_request) { create_merge_request(branch.name) }
+
+ before do
+ visit project_merge_request_path(project, merge_request)
+ click_link('conflicts', href: %r{/conflicts\Z})
+ end
+
+ it "renders bad name without xss issues" do
+ expect(find('.resolve-conflicts-form .resolve-info')).to have_content(bad_branch_name)
+ end
+ end
 end
 
 UNRESOLVABLE_CONFLICTS = {
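Review bot: The new context does not say why the branch name carries Vue mustache syntax, so a future reader may see it as an arbitrary odd string and weaken the fixture; a one-line comment above `let(:bad_branch_name)` such as `# Regression: names containing Vue template syntax must be rendered literally (the form relies on v-pre), not compiled.` would tie the fixture to the fix described in the commit message. The assertion is sound as written: if the mustache expression were compiled, the literal text would not appear in `.resolve-info`, so `have_content(bad_branch_name)` does pin the fix. Consider also anchoring the href match with `\z` instead of `\Z` in `click_link('conflicts', href: %r{/conflicts\Z})`, since `\Z` tolerates a trailing newline, though for a Capybara href match this is a style point rather than a defect. The enclosing `describe` block starts before the hunk and the file continues after it.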