Commit b5ca4ea1 authored by Jan Provaznik's avatar Jan Provaznik

Merge branch 'security-51527-xss-in-mr-source-branch' into 'master'

[master] Fix XSS in MR source branch name

See merge request gitlab/gitlabhq!2544
parents 107351e0 2f4afe45
......@@ -108,16 +108,10 @@ class MergeRequestPresenter < Gitlab::View::Presenter::Delegated
namespace = source_project_namespace
branch = source_branch
if source_branch_exists?
namespace = link_to(namespace, project_path(source_project))
branch = link_to(branch, project_tree_path(source_project, source_branch))
end
namespace_link = source_branch_exists? ? link_to(namespace, project_path(source_project)) : ERB::Util.html_escape(namespace)
branch_link = source_branch_exists? ? link_to(branch, project_tree_path(source_project, source_branch)) : ERB::Util.html_escape(branch)
if for_fork?
namespace + ":" + branch
else
branch
end
for_fork? ? "#{namespace_link}:#{branch_link}" : branch_link
end
def closing_issues_links
......
---
title: Fix XSS in merge request source branch name
merge_request:
author:
type: security
......@@ -403,6 +403,15 @@ describe MergeRequestPresenter do
is_expected
.to eq("<a href=\"/#{resource.source_project.full_path}/tree/#{resource.source_branch}\">#{resource.source_branch}</a>")
end
it 'escapes html, when source_branch does not exist' do
xss_attempt = "<img src='x' onerror=alert('bad stuff') />"
allow(resource).to receive(:source_branch) { xss_attempt }
allow(resource).to receive(:source_branch_exists?) { false }
is_expected.to eq(ERB::Util.html_escape(xss_attempt))
end
end
describe '#rebase_path' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment