Commit 1735088e authored by Bob Van Landuyt's avatar Bob Van Landuyt

Merge branch 'security-package-json-xss' into 'master'

[master] Fix XSS vulnerability sourced from package.json's homepage

Closes #2702

See merge request gitlab/gitlabhq!2496
parents b93f1d3c 3bd607f2
......@@ -33,7 +33,8 @@ module BlobViewer
end
def homepage
json_data['homepage']
url = json_data['homepage']
url if Gitlab::UrlSanitizer.valid?(url)
end
def npm_url
......
---
title: Fix xss vulnerability sourced from package.json
merge_request:
author:
type: security
......@@ -40,13 +40,14 @@ describe BlobViewer::PackageJson do
end
context 'when package.json has "private": true' do
let(:homepage) { 'http://example.com' }
let(:data) do
<<-SPEC.strip_heredoc
{
"name": "module-name",
"version": "10.3.1",
"private": true,
"homepage": "myawesomepackage.com"
"homepage": #{homepage.to_json}
}
SPEC
end
......@@ -54,10 +55,22 @@ describe BlobViewer::PackageJson do
subject { described_class.new(blob) }
describe '#package_url' do
it 'returns homepage if any' do
expect(subject).to receive(:prepare!)
context 'when the homepage has a valid URL' do
it 'returns homepage URL' do
expect(subject).to receive(:prepare!)
expect(subject.package_url).to eq(homepage)
end
end
context 'when the homepage has an invalid URL' do
let(:homepage) { 'javascript:alert()' }
it 'returns nil' do
expect(subject).to receive(:prepare!)
expect(subject.package_url).to eq('myawesomepackage.com')
expect(subject.package_url).to be_nil
end
end
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment