Merge branch 'security-escape-deploy-key-title-14-10' into '14-10-stable-ee'

Escape deploy key title to prevent XSS See merge request gitlab-org/security/gitlab!2494

Merge branch 'security-escape-deploy-key-title-14-10' into '14-10-stable-ee'
Escape deploy key title to prevent XSS See merge request gitlab-org/security/gitlab!2494
57795bd6 · GitLab Release Tools Bot · 3c82fbc7 · 153a7c44 · 57795bd6 · 57795bd6
Commit 57795bd6 authored Jun 29, 2022 by GitLab Release Tools Bot
2 changed files
--- a/app/assets/javascripts/projects/settings/access_dropdown.js
+++ b/app/assets/javascripts/projects/settings/access_dropdown.js
@@ -537,7 +537,7 @@ export default class AccessDropdown {
    return `
      <li>
        <a href="#" class="${isActiveClass}">
-          <strong>${key.title}</strong>
+          <strong>${escape(key.title)}</strong>
          <p>
            ${sprintf(
              __('Owned by %{image_tag}'),

--- a/spec/frontend/projects/settings/access_dropdown_spec.js
+++ b/spec/frontend/projects/settings/access_dropdown_spec.js
@@ -154,4 +154,21 @@ describe('AccessDropdown', () => {
      expect(template).not.toContain(user.name);
    });
  });
+
+  describe('deployKeyRowHtml', () => {
+    const deployKey = {
+      id: 1,
+      title: 'title <script>alert(document.domain)</script>',
+      fullname: 'fullname <script>alert(document.domain)</script>',
+      avatar_url: '',
+      username: '',
+    };
+
+    it('escapes deploy key title and fullname', () => {
+      const template = dropdown.deployKeyRowHtml(deployKey);
+
+      expect(template).not.toContain(deployKey.title);
+      expect(template).not.toContain(deployKey.fullname);
+    });
+  });
 });