nexedi / gitlab-ce

Commit ac9a8518, authored Mar 30, 2021 by GitLab Bot
Add latest changes from gitlab-org/security/gitlab@13-10-stable-ee
Parent: d455bcf1
Showing 6 changed files with 95 additions and 1 deletion (+95, -1):

app/views/shared/issuable/_sidebar.html.haml (+1, -1)
changelogs/unreleased/security-fix-xss-in-mr-sidebar.yml (+5, -0)
changelogs/unreleased/security-sh-json-validator-open-uri-patch.yml (+5, -0)
config/initializers/json_validator_patch.rb (+28, -0)
spec/features/merge_request/user_views_open_merge_request_spec.rb (+17, -0)
spec/initializers/json_validator_patch_spec.rb (+39, -0)
app/views/shared/issuable/_sidebar.html.haml
@@ -138,7 +138,7 @@
=
clipboard_button
(
text:
source_branch
,
title:
_
(
'Copy branch name'
),
placement:
"left"
,
boundary:
'viewport'
)
.sidebar-mr-source-branch.hide-collapsed
%span
=
_
(
'Source branch: %{source_branch_open}%{source_branch}%{source_branch_close}'
).
html_safe
%
{
source_branch_open:
"<cite class='ref-name' title='
#{
source_branch
}
'>"
.
html_safe
,
source_branch_close:
"</cite>"
.
html_safe
,
source_branch:
source_branch
}
=
_
(
'Source branch: %{source_branch_open}%{source_branch}%{source_branch_close}'
).
html_safe
%
{
source_branch_open:
"<cite class='ref-name' title='
#{
html_escape
(
source_branch
)
}
'>"
.
html_safe
,
source_branch_close:
"</cite>"
.
html_safe
,
source_branch:
html_escape
(
source_branch
)
}
=
clipboard_button
(
text:
source_branch
,
title:
_
(
'Copy branch name'
),
placement:
"left"
,
boundary:
'viewport'
)
-
if
show_forwarding_email
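Review bot: the unchanged `clipboard_button(text: source_branch, ...)` call on the context lines above and below the changed line still receives the raw branch name, so after this hunk that helper is left responsible for escaping its own output; a spec asserting the copy button's attribute round-trips the same branch name would make that explicit rather than assumed. On the changed line itself the fix is the right one: `source_branch_open` is built with Ruby string interpolation and then marked `html_safe`, so the raw `source_branch` landed inside `title='...'` unescaped and a name ending the attribute and the tag (the spec's `'><iframe/srcdoc=''></iframe>`) was rendered as markup. Wrapping both the attribute value and the `source_branch:` interpolation in `html_escape` closes that, and `html_escape` covers the single quote the attribute is delimited with as well as `"`, `<`, `>` and `&`.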
changelogs/unreleased/security-fix-xss-in-mr-sidebar.yml
new file (mode 100644)
---
title
:
Fixed XSS in merge requests sidebar
merge_request
:
author
:
type
:
security
changelogs/unreleased/security-sh-json-validator-open-uri-patch.yml
new file (mode 100644)
---
title
:
Disable arbitrary URI and file reads in JSON validator
merge_request
:
author
:
type
:
security
config/initializers/json_validator_patch.rb
new file (mode 100644)
# frozen_string_literal: true
# This patches https://github.com/ruby-json-schema/json-schema/blob/765e6d8fdbfdaca1a42fa743f4621e757f9f6a03/lib/json-schema/validator.rb
# to address https://github.com/ruby-json-schema/json-schema/issues/148.
require
'json-schema'
module
JSON
class
Validator
def
initialize_data
(
data
)
if
@options
[
:parse_data
]
if
@options
[
:json
]
data
=
self
.
class
.
parse
(
data
)
elsif
@options
[
:uri
]
json_uri
=
Util
::
URI
.
normalized_uri
(
data
)
data
=
self
.
class
.
parse
(
custom_open
(
json_uri
))
elsif
data
.
is_a?
(
String
)
begin
data
=
self
.
class
.
parse
(
data
)
rescue
JSON
::
Schema
::
JsonParseError
# Silently discard the error - use the data as-is
end
end
end
JSON
::
Schema
.
stringify
(
data
)
end
end
end
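Review bot: the override of `JSON::Validator#initialize_data` carries no guard that the installed `json-schema` still matches the pinned upstream commit (765e6d8f...) named in the header comment, so a gem upgrade that reshapes this method would either keep the patched copy over newer upstream code or stop applying, silently in both cases; assert the gem version (or compare the original method's source) at boot and fail loudly on mismatch. The logic itself is the right cut: with this body the only path that reaches `custom_open` is `elsif @options[:uri]`, which the caller must opt into, and a string that fails `parse` is kept as-is instead of being treated as something to open. The bare `rescue JSON::Schema::JsonParseError` with only `# Silently discard the error - use the data as-is` would read better with one more sentence saying that a non-JSON string is deliberately validated as a plain string, since that is the behaviour the changelog entry "Disable arbitrary URI and file reads in JSON validator" depends on.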
spec/features/merge_request/user_views_open_merge_request_spec.rb
@@ -111,4 +111,21 @@ RSpec.describe 'User views an open merge request' do
end
end
end
context
'XSS source branch'
do
let
(
:project
)
{
create
(
:project
,
:public
,
:repository
)
}
let
(
:source_branch
)
{
"'><iframe/srcdoc=''></iframe>"
}
before
do
project
.
repository
.
create_branch
(
source_branch
,
"master"
)
mr
=
create
(
:merge_request
,
source_project:
project
,
target_project:
project
,
source_branch:
source_branch
)
visit
(
merge_request_path
(
mr
))
end
it
'encodes branch name'
do
expect
(
find
(
'cite.ref-name'
)[
:title
]).
to
eq
(
source_branch
)
end
end
end
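Review bot: the single assertion on `find('cite.ref-name')[:title]` covers only the `title` attribute, while the sidebar fix also escapes the `source_branch` interpolated as the element's text; add `expect(find('cite.ref-name').text).to eq(source_branch)` and `expect(page).not_to have_selector('iframe')` so the spec fails if either escape regresses or the branch name is rendered as markup. The branch name `'><iframe/srcdoc=''></iframe>` exercises only the single-quote delimiter of the `title` attribute; a second example containing `"` and `<` would cover the other characters `html_escape` is relied on for.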
spec/initializers/json_validator_patch_spec.rb
new file (mode 100644)
# frozen_string_literal: true
require
'spec_helper'
require
'rspec-parameterized'
RSpec
.
describe
'JSON validator patch'
do
using
RSpec
::
Parameterized
::
TableSyntax
let
(
:schema
)
{
'{"format": "string"}'
}
subject
{
JSON
::
Validator
.
validate
(
schema
,
data
)
}
context
'with invalid JSON'
do
where
(
:data
)
do
[
'https://example.com'
,
'/tmp/test.txt'
]
end
with_them
do
it
'does not attempt to open a file or URI'
do
allow
(
File
).
to
receive
(
:read
).
and_call_original
allow
(
URI
).
to
receive
(
:open
).
and_call_original
expect
(
File
).
not_to
receive
(
:read
).
with
(
data
)
expect
(
URI
).
not_to
receive
(
:open
).
with
(
data
)
expect
(
subject
).
to
be
true
end
end
end
context
'with valid JSON'
do
let
(
:data
)
{
%({ 'somekey': 'value' })
}
it
'validates successfully'
do
expect
(
subject
).
to
be
true
end
end
end
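Review bot: the `'with valid JSON'` context is mislabeled: `%({ 'somekey': 'value' })` uses single quotes, which JSON does not allow, so `parse` raises and the silent `rescue` path is what this example exercises, not the parse branch; use `%({ "somekey": "value" })` for the valid case and keep the single-quoted string, if at all, as a separately named unparseable-string example. The schema `'{"format": "string"}'` constrains nothing as far as this spec shows, since the URI-like string, the path-like string and the "valid" case all validate to `true`, so `expect(subject).to be true` adds no signal; a schema with `"type": "object"` would make the valid-JSON example actually depend on parsing. The negative expectations are the real check here, but `not_to receive(:read).with(data)` and `not_to receive(:open).with(data)` only fail when the exact raw string is passed, and the patched code normalizes through `Util::URI.normalized_uri` before opening, so a normalized or unescaped variant would slip past them; `expect(File).not_to receive(:read)` and `expect(URI).not_to receive(:open)` without `.with` are the tighter assertions.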