Merge branch 'security-fix-xss-in-markdown-reference-tooltips' into 'master'

Only support HTML tooltips for scoped labels

Closes #181

See merge request gitlab-org/security/gitlab!685

changelogs/unreleased/security-fix-xss-in-markdown-reference-tooltips.yml

+---
+title: Fix XSS in Markdown reference tooltips
+merge_request:
+author:
+type: security

ee/lib/ee/banzai/filter/label_reference_filter.rb

+# frozen_string_literal: true
+
+module EE
+  module Banzai
+    module Filter
+      module LabelReferenceFilter
+        extend ::Gitlab::Utils::Override
+
+        override :data_attributes_for
+        def data_attributes_for(text, parent, object, link_content: false, link_reference: false)
+          return super unless object.scoped_label?
+
+          # Enabling HTML tooltips for scoped labels here but we do not need to do any additional
+          # escaping because the label's tooltips are already stripped of dangerous HTML
+          super.merge!(
+            html: true
+          )
+        end
+      end
+    end
+  end
+end

ee/spec/lib/banzai/filter/label_reference_filter_spec.rb

@@ -14,17 +14,29 @@ RSpec.describe Banzai::Filter::LabelReferenceFilter do
       stub_licensed_features(scoped_labels: true)
     end
 
-    it 'renders scoped label with link to documentation' do
-      doc = reference_filter("See #{scoped_label.to_reference}")
+    context 'with a scoped label' do
+      let(:doc) { reference_filter("See #{scoped_label.to_reference}") }
 
+      it 'renders scoped label' do
         expect(doc.css('.gl-label-scoped .gl-label-text').map(&:text)).to eq([scoped_label.scoped_label_key, scoped_label.scoped_label_value])
       end
 
-    it 'renders common label' do
-      doc = reference_filter("See #{label.to_reference}")
+      it 'renders HTML tooltips' do
+        expect(doc.at_css('.gl-label-scoped a').attr('data-html')).to eq('true')
+      end
+    end
+
+    context 'with a common label' do
+      let(:doc) { reference_filter("See #{label.to_reference}") }
 
+      it 'renders common label' do
         expect(doc.css('.gl-label .gl-label-text').map(&:text)).to eq([label.name])
       end
+
+      it 'renders non-HTML tooltips' do
+        expect(doc.at_css('.gl-label a').attr('data-html')).to be_nil
+      end
+    end
   end
 
   context 'with scoped labels disabled' do

lib/banzai/filter/label_reference_filter.rb

@@ -125,3 +125,5 @@ module Banzai
     end
   end
 end
+
+Banzai::Filter::LabelReferenceFilter.prepend_if_ee('EE::Banzai::Filter::LabelReferenceFilter')

lib/banzai/filter/reference_filter.rb

@@ -55,7 +55,6 @@ module Banzai
         attributes[:reference_type] ||= self.class.reference_type
         attributes[:container] ||= 'body'
         attributes[:placement] ||= 'top'
-        attributes[:html] ||= 'true'
         attributes.delete(:original) if context[:no_original_data]
         attributes.map do |key, value|
           %Q(data-#{key.to_s.dasherize}="#{escape_once(value)}")

lib/gitlab/markdown_cache.rb

@@ -3,7 +3,7 @@
 module Gitlab
   module MarkdownCache
     # Increment this number every time the renderer changes its output
-    CACHE_COMMONMARK_VERSION        = 23
+    CACHE_COMMONMARK_VERSION        = 24
     CACHE_COMMONMARK_VERSION_START  = 10
 
     BaseError = Class.new(StandardError)

spec/lib/banzai/filter/issue_reference_filter_spec.rb

@@ -75,6 +75,12 @@ RSpec.describe Banzai::Filter::IssueReferenceFilter do
       expect(doc.text).to eq "Issue #{reference}"
     end
 
+    it 'renders non-HTML tooltips' do
+      doc = reference_filter("Issue #{reference}")
+
+      expect(doc.at_css('a')).not_to have_attribute('data-html')
+    end
+
     it 'includes default classes' do
       doc = reference_filter("Issue #{reference}")
       expect(doc.css('a').first.attr('class')).to eq 'gfm gfm-issue has-tooltip'