Merge branch 'rs-issue-15126' into 'master'

Remove persistent XSS vulnerability in `commit_person_link` helper Because we were incorrectly supplying the tooltip title as `data-original-title` (which Bootstrap's Tooltip JS automatically applies based on the `title` attribute; we should never be setting it directly), the value was being passed through as-is. Instead, we should be supplying the normal `title` attribute and letting Rails escape the value, which also negates the need for us to call `sanitize` on it. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15126 See merge request !1948 Signed-off-by: Rémy Coutable <remy@rymai.me>

Merge branch 'rs-issue-15126' into 'master'
Remove persistent XSS vulnerability in `commit_person_link` helper Because we were incorrectly supplying the tooltip title as `data-original-title` (which Bootstrap's Tooltip JS automatically applies based on the `title` attribute; we should never be setting it directly), the value was being passed through as-is. Instead, we should be supplying the normal `title` attribute and letting Rails escape the value, which also negates the need for us to call `sanitize` on it. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15126 See merge request !1948 Signed-off-by: Rémy Coutable <remy@rymai.me>
2c9cd67f · Douwe Maan · Rémy Coutable · 93e923fc · 2c9cd67f · 2c9cd67f
Commit 2c9cd67f authored Apr 19, 2016 by Douwe Maan Committed by Rémy Coutable Apr 19, 2016
5 changed files
--- a/CHANGELOG
+++ b/CHANGELOG
 Please view this file on the master branch, on stable branches it's out of date.

 v 8.5.11
-  - No changes
+  - Fix persistent XSS vulnerability in `commit_person_link` helper

 v 8.5.10
  - Fix a 2FA authentication spoofing vulnerability.

--- a/app/helpers/commits_helper.rb
+++ b/app/helpers/commits_helper.rb
@@ -183,7 +183,7 @@ module CommitsHelper

    options = {
      class: "commit-#{options[:source]}-link has_tooltip",
-      data: { 'original-title'.to_sym => sanitize(source_email) }
+      title: source_email
    }

    if user.nil?

--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -46,7 +46,7 @@ module ProjectsHelper
      link_to(author_html, user_path(author), class: "author_link").html_safe
    else
      title = opts[:title].sub(":name", sanitize(author.name))
-      link_to(author_html, user_path(author), class: "author_link has_tooltip", data: { 'original-title'.to_sym => title, container: 'body' } ).html_safe
+      link_to(author_html, user_path(author), class: "author_link has_tooltip", title: title, data: { container: 'body' } ).html_safe
    end
  end


--- a/features/steps/project/commits/user_lookup.rb
+++ b/features/steps/project/commits/user_lookup.rb
@@ -29,8 +29,9 @@ class Spinach::Features::ProjectCommitsUserLookup < Spinach::FeatureSteps

  def check_author_link(email, user)
    author_link = find('.commit-author-link')
+
    expect(author_link['href']).to eq user_path(user)
-    expect(author_link['data-original-title']).to eq email
+    expect(author_link['title']).to eq email
    expect(find('.commit-author-name').text).to eq user.name
  end


--- a/spec/helpers/commits_helper_spec.rb
+++ b/spec/helpers/commits_helper_spec.rb
+require 'rails_helper'
+
+describe CommitsHelper do
+  describe 'commit_author_link' do
+    it 'escapes the author email' do
+      commit = double(
+        author: nil,
+        author_name: 'Persistent XSS',
+        author_email: 'my@email.com" onmouseover="alert(1)'
+      )
+
+      expect(helper.commit_author_link(commit)).
+        not_to include('onmouseover="alert(1)"')
+    end
+  end
+
+  describe 'commit_committer_link' do
+    it 'escapes the committer email' do
+      commit = double(
+        committer: nil,
+        committer_name: 'Persistent XSS',
+        committer_email: 'my@email.com" onmouseover="alert(1)'
+      )
+
+      expect(helper.commit_committer_link(commit)).
+        not_to include('onmouseover="alert(1)"')
+    end
+  end
+end