Merge branch 'security-51527-xss-in-mr-source-branch' into 'master'

[master] Fix XSS in MR source branch name

See merge request gitlab/gitlabhq!2544

app/presenters/merge_request_presenter.rb

@@ -108,16 +108,10 @@ class MergeRequestPresenter < Gitlab::View::Presenter::Delegated
     namespace = source_project_namespace
     branch = source_branch
 
-    if source_branch_exists?
-      namespace = link_to(namespace, project_path(source_project))
-      branch = link_to(branch, project_tree_path(source_project, source_branch))
-    end
+    namespace_link = source_branch_exists? ? link_to(namespace, project_path(source_project)) : ERB::Util.html_escape(namespace)
+    branch_link = source_branch_exists? ? link_to(branch, project_tree_path(source_project, source_branch)) : ERB::Util.html_escape(branch)
 
-    if for_fork?
-      namespace + ":" + branch
-    else
-      branch
-    end
+    for_fork? ? "#{namespace_link}:#{branch_link}" : branch_link
   end
 
   def closing_issues_links

changelogs/unreleased/51527-xss-in-mr-source-branch.yml

+---
+title: Fix XSS in merge request source branch name
+merge_request:
+author:
+type: security

spec/presenters/merge_request_presenter_spec.rb

@@ -403,6 +403,15 @@ describe MergeRequestPresenter do
       is_expected
         .to eq("<a href=\"/#{resource.source_project.full_path}/tree/#{resource.source_branch}\">#{resource.source_branch}</a>")
     end
+
+    it 'escapes html, when source_branch does not exist' do
+      xss_attempt = "<img src='x' onerror=alert('bad stuff') />"
+
+      allow(resource).to receive(:source_branch) { xss_attempt }
+      allow(resource).to receive(:source_branch_exists?) { false }
+
+      is_expected.to eq(ERB::Util.html_escape(xss_attempt))
+    end
   end
 
   describe '#rebase_path' do