Merge branch 'fix-escape-commit-block' into 'security-9-5'

[9.5] Prevent a persistent XSS in the commit author block

See merge request gitlab/gitlabhq!2180

1 files changed, 22 insertions, 0 deletions

diff --git a/spec/helpers/commits_helper_spec.rb b/spec/helpers/commits_helper_spec.rb
index 7179185285c..4b6c7c33e5b 100644
--- a/spec/helpers/commits_helper_spec.rb
+++ b/spec/helpers/commits_helper_spec.rb
@@ -12,6 +12,17 @@ describe CommitsHelper do
       expect(helper.commit_author_link(commit))
         .not_to include('onmouseover="alert(1)"')
     end
+
+    it 'escapes the author name' do
+      user = build_stubbed(:user, name: 'Foo <script>alert("XSS")</script>')
+
+      commit = double(author: user, author_name: '', author_email: '')
+
+      expect(helper.commit_author_link(commit))
+        .to include('Foo &lt;script&gt;')
+      expect(helper.commit_author_link(commit, avatar: true))
+        .to include('commit-author-name', 'Foo &lt;script&gt;')
+    end
   end
 
   describe 'commit_committer_link' do
@@ -25,6 +36,17 @@ describe CommitsHelper do
       expect(helper.commit_committer_link(commit))
         .not_to include('onmouseover="alert(1)"')
     end
+
+    it 'escapes the commiter name' do
+      user = build_stubbed(:user, name: 'Foo <script>alert("XSS")</script>')
+
+      commit = double(committer: user, committer_name: '', committer_email: '')
+
+      expect(helper.commit_committer_link(commit))
+        .to include('Foo &lt;script&gt;')
+      expect(helper.commit_committer_link(commit, avatar: true))
+        .to include('commit-committer-name', 'Foo &lt;script&gt;')
+    end
   end
 
   describe '#view_on_environment_button' do