Commit 1735088e authored by Bob Van Landuyt's avatar Bob Van Landuyt

Merge branch 'security-package-json-xss' into 'master'

[master] Fix XSS vulnerability sourced from package.json's homepage

Closes #2702

See merge request gitlab/gitlabhq!2496
parents b93f1d3c 3bd607f2
...@@ -33,7 +33,8 @@ module BlobViewer ...@@ -33,7 +33,8 @@ module BlobViewer
end end
def homepage def homepage
json_data['homepage'] url = json_data['homepage']
url if Gitlab::UrlSanitizer.valid?(url)
end end
def npm_url def npm_url
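Review bot: The new `homepage` guard delegates entirely to `Gitlab::UrlSanitizer.valid?`, whose accepted scheme set is not visible in this hunk; since the return value is rendered as a link target, a reader cannot tell from here that only web schemes get through, and if that validator is the general-purpose URL check it appears to be, an `ssh:` or `git:` homepage would presumably still be linked. The spec in this commit shows `javascript:` is rejected, which covers the reported vector. Worth stating the intent in a comment above the method, `# The homepage is rendered as a link href, so only return it when it parses as a URL with an allowed scheme.`, and, if the sanitizer's allow-list is wider than http(s), narrowing it here rather than relying on the shared sanitizer's policy. A value that is not a string (package.json is arbitrary JSON) is also passed straight to the validator; it likely handles that, but it is worth confirming.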
---
title: Fix xss vulnerability sourced from package.json
merge_request:
author:
type: security
...@@ -40,13 +40,14 @@ describe BlobViewer::PackageJson do ...@@ -40,13 +40,14 @@ describe BlobViewer::PackageJson do
end end
context 'when package.json has "private": true' do context 'when package.json has "private": true' do
let(:homepage) { 'http://example.com' }
let(:data) do let(:data) do
<<-SPEC.strip_heredoc <<-SPEC.strip_heredoc
{ {
"name": "module-name", "name": "module-name",
"version": "10.3.1", "version": "10.3.1",
"private": true, "private": true,
"homepage": "myawesomepackage.com" "homepage": #{homepage.to_json}
} }
SPEC SPEC
end end
...@@ -54,10 +55,22 @@ describe BlobViewer::PackageJson do ...@@ -54,10 +55,22 @@ describe BlobViewer::PackageJson do
subject { described_class.new(blob) } subject { described_class.new(blob) }
describe '#package_url' do describe '#package_url' do
it 'returns homepage if any' do context 'when the homepage has a valid URL' do
expect(subject).to receive(:prepare!) it 'returns homepage URL' do
expect(subject).to receive(:prepare!)
expect(subject.package_url).to eq(homepage)
end
end
context 'when the homepage has an invalid URL' do
let(:homepage) { 'javascript:alert()' }
it 'returns nil' do
expect(subject).to receive(:prepare!)
expect(subject.package_url).to eq('myawesomepackage.com') expect(subject.package_url).to be_nil
end
end end
end end
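Review bot: The new invalid-URL context exercises only `javascript:alert()`; the fixture value this commit replaced, `myawesomepackage.com`, is a scheme-less host that was previously returned verbatim and now presumably yields nil, yet no example pins that. Adding a context with `let(:homepage) { 'myawesomepackage.com' }` asserting `expect(subject.package_url).to be_nil` (or whatever the sanitizer decides for scheme-less input) would document the behaviour change for packages whose homepage omits the scheme. A non-string homepage value (for example an object) is another input worth a case, since package.json contents are untrusted. The enclosing `describe BlobViewer::PackageJson` starts before the hunk.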