Fix xss vulnerability on build dependencies

6696d8dc · allison.browne · souldzin · ad750ebd · 6696d8dc · 6696d8dc
Commit 6696d8dc authored Sep 29, 2020 by allison.browne Committed by souldzin Oct 01, 2020
3 changed files
--- a/app/assets/javascripts/jobs/components/job_app.vue
+++ b/app/assets/javascripts/jobs/components/job_app.vue
 <script>
-/* eslint-disable vue/no-v-html */
 import { throttle, isEmpty } from 'lodash';
 import { mapGetters, mapState, mapActions } from 'vuex';
-import { GlLoadingIcon, GlIcon } from '@gitlab/ui';
+import { GlLoadingIcon, GlIcon, GlSafeHtmlDirective as SafeHtml } from '@gitlab/ui';
 import { GlBreakpointInstance as bp } from '@gitlab/ui/dist/utils';
 import { isScrolledToBottom } from '~/lib/utils/scroll_utils';
 import { polyfillSticky } from '~/lib/utils/sticky';
@@ -36,6 +35,9 @@ export default {
    GlLoadingIcon,
    SharedRunner: () => import('ee_component/jobs/components/shared_runner_limit_block.vue'),
  },
+  directives: {
+    SafeHtml,
+  },
  mixins: [delayedJobMixin],
  props: {
    artifactHelpUrl: {
@@ -223,7 +225,7 @@ export default {
          </div>

          <callout v-if="shouldRenderHeaderCallout">
-            <div v-html="job.callout_message"></div>
+            <div v-safe-html="job.callout_message"></div>
          </callout>
        </header>
        <!-- EO Header Section -->

--- a/app/serializers/build_details_entity.rb
+++ b/app/serializers/build_details_entity.rb
@@ -136,7 +136,7 @@ class BuildDetailsEntity < JobEntity
    docs_url = "https://docs.gitlab.com/ce/ci/yaml/README.html#dependencies"

    [
-      failure_message.html_safe,
+      failure_message,
      help_message(docs_url).html_safe
    ].join("<br />")
  end

--- a/changelogs/unreleased/security-stored-xss-build-dependencies.yml
+++ b/changelogs/unreleased/security-stored-xss-build-dependencies.yml
+---
+title: Fix XSS vulnerability for job build dependencies
+merge_request:
+author:
+type: security