summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--changelogs/unreleased/security-fix-xss-in-label-namespace.yml5
-rw-r--r--lib/banzai/filter/label_reference_filter.rb2
-rw-r--r--spec/lib/banzai/filter/label_reference_filter_spec.rb9
3 files changed, 15 insertions, 1 deletions
diff --git a/changelogs/unreleased/security-fix-xss-in-label-namespace.yml b/changelogs/unreleased/security-fix-xss-in-label-namespace.yml
new file mode 100644
index 00000000000..342cf3e68cb
--- /dev/null
+++ b/changelogs/unreleased/security-fix-xss-in-label-namespace.yml
@@ -0,0 +1,5 @@
+---
+title: Escape namespace in label references to prevent XSS
+merge_request:
+author:
+type: security
diff --git a/lib/banzai/filter/label_reference_filter.rb b/lib/banzai/filter/label_reference_filter.rb
index db620c65237..609ea8fb5ca 100644
--- a/lib/banzai/filter/label_reference_filter.rb
+++ b/lib/banzai/filter/label_reference_filter.rb
@@ -89,7 +89,7 @@ module Banzai
parent_from_ref = from_ref_cached(project_path)
reference = parent_from_ref.to_human_reference(parent)
- label_suffix = " <i>in #{reference}</i>" if reference.present?
+ label_suffix = " <i>in #{ERB::Util.html_escape(reference)}</i>" if reference.present?
end
presenter = object.present(issuable_subject: parent)
diff --git a/spec/lib/banzai/filter/label_reference_filter_spec.rb b/spec/lib/banzai/filter/label_reference_filter_spec.rb
index 35e99d2586e..66af26bc51c 100644
--- a/spec/lib/banzai/filter/label_reference_filter_spec.rb
+++ b/spec/lib/banzai/filter/label_reference_filter_spec.rb
@@ -521,6 +521,15 @@ describe Banzai::Filter::LabelReferenceFilter do
expect(reference_filter(act).to_html).to eq exp
end
+
+ context 'when group name has HTML entities' do
+ let(:another_group) { create(:group, name: '<img src=x onerror=alert(1)>', path: 'another_group') }
+
+ it 'escapes the HTML entities' do
+ expect(result.text)
+ .to eq "See #{group_label.name} in #{another_project.full_name}"
+ end
+ end
end
describe 'cross-project / same-group_label complete reference' do