Merge branch 'security-ide-branch-name-xss-11-1' into 'security-11-1'

[11.1] Fixed XSS in branch name in Web IDE See merge request gitlab/gitlabhq!2446

Merge branch 'security-ide-branch-name-xss-11-1' into 'security-11-1'
[11.1] Fixed XSS in branch name in Web IDE See merge request gitlab/gitlabhq!2446
ae8a7797 · Felipe Artur Cardozo · Felipe Artur · fb9cc47c · ae8a7797 · ae8a7797
Commit ae8a7797 authored Jul 24, 2018 by Felipe Artur Cardozo Committed by Felipe Artur Jul 24, 2018
3 changed files
--- a/app/assets/javascripts/ide/components/commit_sidebar/actions.vue
+++ b/app/assets/javascripts/ide/components/commit_sidebar/actions.vue
 <script>
+import _ from 'underscore';
 import { mapActions, mapState, mapGetters } from 'vuex';
 import { sprintf, __ } from '~/locale';
 import * as consts from '../../stores/modules/commit/constants';
@@ -14,7 +15,7 @@ export default {
    commitToCurrentBranchText() {
      return sprintf(
        __('Commit to %{branchName} branch'),
-        { branchName: `<strong class="monospace">${this.currentBranchId}</strong>` },
+        { branchName: `<strong class="monospace">${_.escape(this.currentBranchId)}</strong>` },
        false,
      );
    },

--- a/changelogs/unreleased/security-ide-branch-name-xss.yml
+++ b/changelogs/unreleased/security-ide-branch-name-xss.yml
+---
+title: Fixed XSS in branch name in Web IDE
+merge_request:
+author:
+type: security
--- a/spec/javascripts/ide/components/commit_sidebar/actions_spec.js
+++ b/spec/javascripts/ide/components/commit_sidebar/actions_spec.js
@@ -46,4 +46,12 @@ describe('IDE commit sidebar actions', () => {
      done();
    });
  });
+
+  describe('commitToCurrentBranchText', () => {
+    it('escapes current branch', () => {
+      vm.$store.state.currentBranchId = '<img src="x" />';
+
+      expect(vm.commitToCurrentBranchText).not.toContain('<img src="x" />');
+    });
+  });
 });