Commit ac9a8518 authored by GitLab Bot's avatar GitLab Bot

Add latest changes from gitlab-org/security/gitlab@13-10-stable-ee

parent d455bcf1
...@@ -138,7 +138,7 @@ ...@@ -138,7 +138,7 @@
= clipboard_button(text: source_branch, title: _('Copy branch name'), placement: "left", boundary: 'viewport') = clipboard_button(text: source_branch, title: _('Copy branch name'), placement: "left", boundary: 'viewport')
.sidebar-mr-source-branch.hide-collapsed .sidebar-mr-source-branch.hide-collapsed
%span %span
= _('Source branch: %{source_branch_open}%{source_branch}%{source_branch_close}').html_safe % { source_branch_open: "<cite class='ref-name' title='#{source_branch}'>".html_safe, source_branch_close: "</cite>".html_safe, source_branch: source_branch } = _('Source branch: %{source_branch_open}%{source_branch}%{source_branch_close}').html_safe % { source_branch_open: "<cite class='ref-name' title='#{html_escape(source_branch)}'>".html_safe, source_branch_close: "</cite>".html_safe, source_branch: html_escape(source_branch) }
= clipboard_button(text: source_branch, title: _('Copy branch name'), placement: "left", boundary: 'viewport') = clipboard_button(text: source_branch, title: _('Copy branch name'), placement: "left", boundary: 'viewport')
- if show_forwarding_email - if show_forwarding_email
......
---
title: Fixed XSS in merge requests sidebar
merge_request:
author:
type: security
---
title: Disable arbitrary URI and file reads in JSON validator
merge_request:
author:
type: security
# frozen_string_literal: true
# This patches https://github.com/ruby-json-schema/json-schema/blob/765e6d8fdbfdaca1a42fa743f4621e757f9f6a03/lib/json-schema/validator.rb
# to address https://github.com/ruby-json-schema/json-schema/issues/148.
require 'json-schema'
module JSON
class Validator
def initialize_data(data)
if @options[:parse_data]
if @options[:json]
data = self.class.parse(data)
elsif @options[:uri]
json_uri = Util::URI.normalized_uri(data)
data = self.class.parse(custom_open(json_uri))
elsif data.is_a?(String)
begin
data = self.class.parse(data)
rescue JSON::Schema::JsonParseError
# Silently discard the error - use the data as-is
end
end
end
JSON::Schema.stringify(data)
end
end
end
...@@ -111,4 +111,21 @@ RSpec.describe 'User views an open merge request' do ...@@ -111,4 +111,21 @@ RSpec.describe 'User views an open merge request' do
end end
end end
end end
context 'XSS source branch' do
let(:project) { create(:project, :public, :repository) }
let(:source_branch) { "&#39;&gt;&lt;iframe/srcdoc=&#39;&#39;&gt;&lt;/iframe&gt;" }
before do
project.repository.create_branch(source_branch, "master")
mr = create(:merge_request, source_project: project, target_project: project, source_branch: source_branch)
visit(merge_request_path(mr))
end
it 'encodes branch name' do
expect(find('cite.ref-name')[:title]).to eq(source_branch)
end
end
end end
# frozen_string_literal: true
require 'spec_helper'
require 'rspec-parameterized'
RSpec.describe 'JSON validator patch' do
using RSpec::Parameterized::TableSyntax
let(:schema) { '{"format": "string"}' }
subject { JSON::Validator.validate(schema, data) }
context 'with invalid JSON' do
where(:data) do
[
'https://example.com',
'/tmp/test.txt'
]
end
with_them do
it 'does not attempt to open a file or URI' do
allow(File).to receive(:read).and_call_original
allow(URI).to receive(:open).and_call_original
expect(File).not_to receive(:read).with(data)
expect(URI).not_to receive(:open).with(data)
expect(subject).to be true
end
end
end
context 'with valid JSON' do
let(:data) { %({ 'somekey': 'value' }) }
it 'validates successfully' do
expect(subject).to be true
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment