Commit 282a5b4c authored by Steve Azzopardi's avatar Steve Azzopardi

Merge branch 'master' of dev.gitlab.org:gitlab/gitlabhq

parents a0c86637 e35eeaf8
...@@ -2,6 +2,13 @@ ...@@ -2,6 +2,13 @@
documentation](doc/development/changelog.md) for instructions on adding your own documentation](doc/development/changelog.md) for instructions on adding your own
entry. entry.
## 11.4.6 (2018-11-18)
### Security (1 change)
- Escape user fullname while rendering autocomplete template to prevent XSS.
## 11.4.5 (2018-11-04) ## 11.4.5 (2018-11-04)
### Fixed (4 changes, 1 of them is from the community) ### Fixed (4 changes, 1 of them is from the community)
...@@ -271,6 +278,13 @@ entry. ...@@ -271,6 +278,13 @@ entry.
- Check frozen string in style builds. (gfyoung) - Check frozen string in style builds. (gfyoung)
## 11.3.10 (2018-11-18)
### Security (1 change)
- Escape user fullname while rendering autocomplete template to prevent XSS.
## 11.3.9 (2018-10-31) ## 11.3.9 (2018-10-31)
### Security (1 change) ### Security (1 change)
......
...@@ -151,10 +151,16 @@ class GfmAutoComplete { ...@@ -151,10 +151,16 @@ class GfmAutoComplete {
// Team Members // Team Members
$input.atwho({ $input.atwho({
at: '@', at: '@',
alias: 'users',
displayTpl(value) { displayTpl(value) {
let tmpl = GfmAutoComplete.Loading.template; let tmpl = GfmAutoComplete.Loading.template;
if (value.username != null) { const { avatarTag, username, title } = value;
tmpl = GfmAutoComplete.Members.template; if (username != null) {
tmpl = GfmAutoComplete.Members.templateFunction({
avatarTag,
username,
title,
});
} }
return tmpl; return tmpl;
}, },
...@@ -565,8 +571,9 @@ GfmAutoComplete.Emoji = { ...@@ -565,8 +571,9 @@ GfmAutoComplete.Emoji = {
}; };
// Team Members // Team Members
GfmAutoComplete.Members = { GfmAutoComplete.Members = {
// eslint-disable-next-line no-template-curly-in-string templateFunction({ avatarTag, username, title }) {
template: '<li>${avatarTag} ${username} <small>${title}</small></li>', return `<li>${avatarTag} ${username} <small>${_.escape(title)}</small></li>`;
},
}; };
GfmAutoComplete.Labels = { GfmAutoComplete.Labels = {
template: template:
......
---
title: Escape user fullname while rendering autocomplete template to prevent XSS
merge_request:
author:
type: security
---
title: Prevent templated services from being imported
merge_request:
author:
type: security
...@@ -154,6 +154,8 @@ excluded_attributes: ...@@ -154,6 +154,8 @@ excluded_attributes:
- :encrypted_token_iv - :encrypted_token_iv
- :encrypted_url - :encrypted_url
- :encrypted_url_iv - :encrypted_url_iv
services:
- :template
methods: methods:
labels: labels:
......
require 'rails_helper' require 'rails_helper'
describe 'GFM autocomplete', :js do describe 'GFM autocomplete', :js do
let(:issue_xss_title) { 'This will execute alert<img src=x onerror=alert(2)&lt;img src=x onerror=alert(1)&gt;' }
let(:user_xss_title) { 'eve <img src=x onerror=alert(2)&lt;img src=x onerror=alert(1)&gt;' }
let(:user_xss) { create(:user, name: user_xss_title, username: 'xss.user') }
let(:user) { create(:user, name: '💃speciąl someone💃', username: 'someone.special') } let(:user) { create(:user, name: '💃speciąl someone💃', username: 'someone.special') }
let(:project) { create(:project) } let(:project) { create(:project) }
let(:label) { create(:label, project: project, title: 'special+') } let(:label) { create(:label, project: project, title: 'special+') }
...@@ -9,6 +13,8 @@ describe 'GFM autocomplete', :js do ...@@ -9,6 +13,8 @@ describe 'GFM autocomplete', :js do
before do before do
project.add_maintainer(user) project.add_maintainer(user)
project.add_maintainer(user_xss)
sign_in(user) sign_in(user)
visit project_issue_path(project, issue) visit project_issue_path(project, issue)
...@@ -35,9 +41,8 @@ describe 'GFM autocomplete', :js do ...@@ -35,9 +41,8 @@ describe 'GFM autocomplete', :js do
expect(page).to have_selector('.atwho-container') expect(page).to have_selector('.atwho-container')
end end
it 'opens autocomplete menu when field starts with text with item escaping HTML characters' do it 'opens autocomplete menu for Issues when field starts with text with item escaping HTML characters' do
alert_title = 'This will execute alert<img src=x onerror=alert(2)&lt;img src=x onerror=alert(1)&gt;' create(:issue, project: project, title: issue_xss_title)
create(:issue, project: project, title: alert_title)
page.within '.timeline-content-form' do page.within '.timeline-content-form' do
find('#note-body').native.send_keys('#') find('#note-body').native.send_keys('#')
...@@ -46,7 +51,19 @@ describe 'GFM autocomplete', :js do ...@@ -46,7 +51,19 @@ describe 'GFM autocomplete', :js do
expect(page).to have_selector('.atwho-container') expect(page).to have_selector('.atwho-container')
page.within '.atwho-container #at-view-issues' do page.within '.atwho-container #at-view-issues' do
expect(page.all('li').first.text).to include(alert_title) expect(page.all('li').first.text).to include(issue_xss_title)
end
end
it 'opens autocomplete menu for Username when field starts with text with item escaping HTML characters' do
page.within '.timeline-content-form' do
find('#note-body').native.send_keys('@ev')
end
expect(page).to have_selector('.atwho-container')
page.within '.atwho-container #at-view-users' do
expect(find('li').text).to have_content(user_xss.username)
end end
end end
...@@ -107,7 +124,7 @@ describe 'GFM autocomplete', :js do ...@@ -107,7 +124,7 @@ describe 'GFM autocomplete', :js do
wait_for_requests wait_for_requests
expect(find('#at-view-64')).to have_selector('.cur:first-of-type') expect(find('#at-view-users')).to have_selector('.cur:first-of-type')
end end
it 'includes items for assignee dropdowns with non-ASCII characters in name' do it 'includes items for assignee dropdowns with non-ASCII characters in name' do
...@@ -120,7 +137,7 @@ describe 'GFM autocomplete', :js do ...@@ -120,7 +137,7 @@ describe 'GFM autocomplete', :js do
wait_for_requests wait_for_requests
expect(find('#at-view-64')).to have_content(user.name) expect(find('#at-view-users')).to have_content(user.name)
end end
it 'selects the first item for non-assignee dropdowns if a query is entered' do it 'selects the first item for non-assignee dropdowns if a query is entered' do
......
...@@ -101,6 +101,28 @@ ...@@ -101,6 +101,28 @@
] ]
} }
], ],
"services": [
{
"id": 100,
"title": "JetBrains TeamCity CI",
"project_id": 5,
"created_at": "2016-06-14T15:01:51.315Z",
"updated_at": "2016-06-14T15:01:51.315Z",
"active": false,
"properties": {},
"template": true,
"push_events": true,
"issues_events": true,
"merge_requests_events": true,
"tag_push_events": true,
"note_events": true,
"job_events": true,
"type": "TeamcityService",
"category": "ci",
"default": false,
"wiki_page_events": true
}
],
"snippets": [], "snippets": [],
"hooks": [] "hooks": []
} }
...@@ -297,7 +297,8 @@ describe Gitlab::ImportExport::ProjectTreeRestorer do ...@@ -297,7 +297,8 @@ describe Gitlab::ImportExport::ProjectTreeRestorer do
issues: 1, issues: 1,
labels: 1, labels: 1,
milestones: 1, milestones: 1,
first_issue_labels: 1 first_issue_labels: 1,
services: 1
context 'project.json file access check' do context 'project.json file access check' do
it 'does not read a symlink' do it 'does not read a symlink' do
...@@ -382,6 +383,12 @@ describe Gitlab::ImportExport::ProjectTreeRestorer do ...@@ -382,6 +383,12 @@ describe Gitlab::ImportExport::ProjectTreeRestorer do
project_tree_restorer.instance_variable_set(:@path, "spec/lib/gitlab/import_export/project.light.json") project_tree_restorer.instance_variable_set(:@path, "spec/lib/gitlab/import_export/project.light.json")
end end
it 'does not import any templated services' do
restored_project_json
expect(project.services.where(template: true).count).to eq(0)
end
it 'imports labels' do it 'imports labels' do
create(:group_label, name: 'Another label', group: project.group) create(:group_label, name: 'Another label', group: project.group)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment