Commit 2f4afe45 authored by Paul Slaughter's avatar Paul Slaughter

Fix XSS in MR source branch name

parent 1103f589
...@@ -108,16 +108,10 @@ class MergeRequestPresenter < Gitlab::View::Presenter::Delegated ...@@ -108,16 +108,10 @@ class MergeRequestPresenter < Gitlab::View::Presenter::Delegated
namespace = source_project_namespace namespace = source_project_namespace
branch = source_branch branch = source_branch
if source_branch_exists? namespace_link = source_branch_exists? ? link_to(namespace, project_path(source_project)) : ERB::Util.html_escape(namespace)
namespace = link_to(namespace, project_path(source_project)) branch_link = source_branch_exists? ? link_to(branch, project_tree_path(source_project, source_branch)) : ERB::Util.html_escape(branch)
branch = link_to(branch, project_tree_path(source_project, source_branch))
end
if for_fork? for_fork? ? "#{namespace_link}:#{branch_link}" : branch_link
namespace + ":" + branch
else
branch
end
end end
def closing_issues_links def closing_issues_links
......
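Review bot: The two return paths at the end of this method differ in html-safety: the fork path builds a new string with `"#{namespace_link}:#{branch_link}"`, which is a plain String, while the non-fork path returns `branch_link` exactly as `link_to` or `ERB::Util.html_escape` produced it. The fork result is safe only because both pieces are escaped before interpolation, and a caller that renders it raw (presumably the case, given the XSS being fixed) depends on that staying true. Consider `for_fork? ? namespace_link + ':' + branch_link : branch_link`, which under Rails' SafeBuffer semantics should keep both paths html_safe, and add a comment such as `# Returns HTML; every component must be escaped or built with link_to before it is joined.` `source_branch_exists?` is also evaluated twice, so a local holding its result would keep the two ternaries in agreement. The method's `def` line is outside the hunk.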
---
title: Fix XSS in merge request source branch name
merge_request:
author:
type: security
...@@ -403,6 +403,15 @@ describe MergeRequestPresenter do ...@@ -403,6 +403,15 @@ describe MergeRequestPresenter do
is_expected is_expected
.to eq("<a href=\"/#{resource.source_project.full_path}/tree/#{resource.source_branch}\">#{resource.source_branch}</a>") .to eq("<a href=\"/#{resource.source_project.full_path}/tree/#{resource.source_branch}\">#{resource.source_branch}</a>")
end end
it 'escapes html, when source_branch does not exist' do
xss_attempt = "<img src='x' onerror=alert('bad stuff') />"
allow(resource).to receive(:source_branch) { xss_attempt }
allow(resource).to receive(:source_branch_exists?) { false }
is_expected.to eq(ERB::Util.html_escape(xss_attempt))
end
end end
describe '#rebase_path' do describe '#rebase_path' do
......
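Review bot: The new example covers only the branch name, and `for_fork?` is not stubbed in it, so the escaping added for the namespace and the `namespace:branch` form is not exercised. A second example that stubs `for_fork?` to return true together with `source_branch_exists?` returning false, and asserts that the escaped branch name appears after the colon with no raw markup, would pin the fork path as well. The enclosing `describe` block starts outside the hunk, so the subject setup is assumed rather than visible.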