Merge branch 'security-674-fix-jira-content-injection-14-10' into '14-10-stable-ee'

Fix content injection in Jira issue title See merge request gitlab-org/security/gitlab!2464

Merge branch 'security-674-fix-jira-content-injection-14-10' into '14-10-stable-ee'
Fix content injection in Jira issue title See merge request gitlab-org/security/gitlab!2464
ee2ad681 · GitLab Release Tools Bot · 7d3860c3 · b8f82ec8 · ee2ad681 · ee2ad681
Commit ee2ad681 authored Jun 01, 2022 by GitLab Release Tools Bot
3 changed files
--- a/ee/app/serializers/integrations/jira_serializers/issue_entity.rb
+++ b/ee/app/serializers/integrations/jira_serializers/issue_entity.rb
@@ -13,6 +13,10 @@ module Integrations
        jira_issue.summary
      end
+      expose :title_html do |jira_issue|
+        html_escape jira_issue.summary
+      end
      expose :created_at do |jira_issue|
        jira_issue.created.to_datetime.utc
      end

--- a/ee/spec/features/projects/integrations/jira_issues_list_spec.rb
+++ b/ee/spec/features/projects/integrations/jira_issues_list_spec.rb
@@ -79,6 +79,43 @@ RSpec.describe 'Jira issues list', :js do
    end
  end
+  context 'when title or description contains HTML characters' do
+    let(:html) { '<script>foobar</script>' }
+    let(:escaped_html) { ERB::Util.html_escape(html) }
+    let(:issue) { build_issue(1).deep_merge(fields: { summary: html }) }
+    before do
+      stub_licensed_features(jira_issues_integration: true)
+    end
+    it 'escapes the HTML on issues#index' do
+      stub_issues([issue])
+      visit project_integrations_jira_issues_path(project)
+      expect(page).to have_text(html)
+      expect(page).not_to have_css('script', text: 'foobar')
+      expect(page.source).to include(escaped_html)
+    end
+    it 'escapes the HTML on issues#show' do
+      issue.deep_merge!(
+        fields: { comment: { comments: [] } },
+        renderedFields: { description: html },
+        duedate: Time.zone.now.to_s
+      )
+      stub_request(:get, /\A#{public_url}/)
+        .to_return(headers: { 'Content-Type' => 'application/json' }, body: issue.to_json)
+      visit project_integrations_jira_issue_path(project, 1)
+      expect(page).to have_text(html)
+      expect(page).not_to have_css('script', text: 'foobar')
+      expect(page.source).to include(escaped_html)
+    end
+  end
  private
  def all_pages

--- a/ee/spec/serializers/integrations/jira_serializers/issue_entity_spec.rb
+++ b/ee/spec/serializers/integrations/jira_serializers/issue_entity_spec.rb
@@ -26,7 +26,7 @@ RSpec.describe Integrations::JiraSerializers::IssueEntity do
  let(:jira_issue) do
    double(
-      summary: 'Title',
+      summary: 'Title with <h1>HTML</h1>',
      created: '2020-06-25T15:39:30.000+0000',
      updated: '2020-06-26T15:38:32.000+0000',
      resolutiondate: '2020-06-27T13:23:51.000+0000',
@@ -46,7 +46,8 @@ RSpec.describe Integrations::JiraSerializers::IssueEntity do
  it 'returns the Jira issues attributes' do
    expect(subject).to include(
      project_id: project.id,
-      title: 'Title',
+      title: 'Title with <h1>HTML</h1>',
+      title_html: 'Title with &lt;h1&gt;HTML&lt;/h1&gt;',
      created_at: '2020-06-25T15:39:30.000+0000'.to_datetime.utc,
      updated_at: '2020-06-26T15:38:32.000+0000'.to_datetime.utc,
      closed_at: '2020-06-27T13:23:51.000+0000'.to_datetime.utc,