Commit ad48a55c authored by Heinrich Lee Yu's avatar Heinrich Lee Yu

Escape namespace in label references

When referencing cross-namespace labels, we append the namespace name
to the rendered label.

This MR escapes the name to prevent XSS attacks.
parent 4c442bdd
---
title: Escape namespace in label references to prevent XSS
merge_request:
author:
type: security
...@@ -89,7 +89,7 @@ module Banzai ...@@ -89,7 +89,7 @@ module Banzai
parent_from_ref = from_ref_cached(project_path) parent_from_ref = from_ref_cached(project_path)
reference = parent_from_ref.to_human_reference(parent) reference = parent_from_ref.to_human_reference(parent)
label_suffix = " <i>in #{reference}</i>" if reference.present? label_suffix = " <i>in #{ERB::Util.html_escape(reference)}</i>" if reference.present?
end end
presenter = object.present(issuable_subject: parent) presenter = object.present(issuable_subject: parent)
......
...@@ -521,6 +521,15 @@ describe Banzai::Filter::LabelReferenceFilter do ...@@ -521,6 +521,15 @@ describe Banzai::Filter::LabelReferenceFilter do
expect(reference_filter(act).to_html).to eq exp expect(reference_filter(act).to_html).to eq exp
end end
context 'when group name has HTML entities' do
let(:another_group) { create(:group, name: '<img src=x onerror=alert(1)>', path: 'another_group') }
it 'escapes the HTML entities' do
expect(result.text)
.to eq "See #{group_label.name} in #{another_project.full_name}"
end
end
end end
describe 'cross-project / same-group_label complete reference' do describe 'cross-project / same-group_label complete reference' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment