Sanitize default branch name in repo settings

Add defense-in-depth security improvement by sanitizing initial default branch name values to prevent any XSS vulnerabilities Changelog: security

Sanitize default branch name in repo settings
Add defense-in-depth security improvement by sanitizing initial default branch name values to prevent any XSS vulnerabilities Changelog: security
38401468 · Dheeraj Joshi · 0842aff3 · 38401468 · 38401468 · 38401468
Commit 38401468 authored Aug 05, 2021 by Dheeraj Joshi
4 changed files
--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -573,6 +573,7 @@ class ApplicationSetting < ApplicationRecord

  before_validation :ensure_uuid!
  before_validation :coerce_repository_storages_weighted, if: :repository_storages_weighted_changed?
+  before_validation :sanitize_default_branch_name

  before_save :ensure_runners_registration_token
  before_save :ensure_health_check_access_token
@@ -602,6 +603,14 @@ class ApplicationSetting < ApplicationRecord
    !!(sourcegraph_url =~ %r{\Ahttps://(www\.)?sourcegraph\.com})
  end

+  def sanitize_default_branch_name
+    self.default_branch_name = if default_branch_name.blank?
+                                 nil
+                               else
+                                 Sanitize.fragment(self.default_branch_name)
+                               end
+  end
+
  def instance_review_permitted?
    users_count = Rails.cache.fetch('limited_users_count', expires_in: 1.day) do
      ::User.limit(INSTANCE_REVIEW_MIN_USERS + 1).count(:all)

--- a/app/models/namespace_setting.rb
+++ b/app/models/namespace_setting.rb
@@ -22,7 +22,11 @@ class NamespaceSetting < ApplicationRecord
  private

  def normalize_default_branch_name
-    self.default_branch_name = nil if default_branch_name.blank?
+    self.default_branch_name = if default_branch_name.blank?
+                                 nil
+                               else
+                                 Sanitize.fragment(self.default_branch_name)
+                               end
  end

  def default_branch_name_content

--- a/spec/models/application_setting_spec.rb
+++ b/spec/models/application_setting_spec.rb
@@ -218,6 +218,16 @@ RSpec.describe ApplicationSetting do
      end
    end

+    describe 'default_branch_name validaitions' do
+      context "when javascript tags get sanitized properly" do
+        it "gets sanitized properly" do
+          setting.update!(default_branch_name: "hello<script>alert(1)</script>")
+
+          expect(setting.default_branch_name).to eq('hello')
+        end
+      end
+    end
+
    describe 'spam_check_endpoint' do
      context 'when spam_check_endpoint is enabled' do
        before do

--- a/spec/models/namespace_setting_spec.rb
+++ b/spec/models/namespace_setting_spec.rb
@@ -41,6 +41,14 @@ RSpec.describe NamespaceSetting, type: :model do

        it_behaves_like "doesn't return an error"
      end
+
+      context "when it contains javascript tags" do
+        it "gets sanitized properly" do
+          namespace_settings.update!(default_branch_name: "hello<script>alert(1)</script>")
+
+          expect(namespace_settings.default_branch_name).to eq('hello')
+        end
+      end
    end

    describe '#allow_mfa_for_group' do