Commit c4bb0a11 authored by Cindy Pallares's avatar Cindy Pallares

Merge branch 'security-mermaid-xss' into 'master'

[master] Fix XSS in mermaid diagrams

See merge request gitlab/gitlabhq!2597
parent e3a5ce58
...@@ -26,6 +26,9 @@ export default function renderMermaid($els) { ...@@ -26,6 +26,9 @@ export default function renderMermaid($els) {
}, },
// mermaidAPI options // mermaidAPI options
theme: 'neutral', theme: 'neutral',
flowchart: {
htmlLabels: false,
},
}); });
$els.each((i, el) => { $els.each((i, el) => {
......
---
title: Configure mermaid to not render HTML content in diagrams
merge_request:
author:
type: security
...@@ -40,6 +40,18 @@ describe "User comments on issue", :js do ...@@ -40,6 +40,18 @@ describe "User comments on issue", :js do
expect(page.find('pre code').text).to eq code_block_content expect(page.find('pre code').text).to eq code_block_content
end end
it "does not render html content in mermaid" do
html_content = "<img onerror=location=`javascript\\u003aalert\\u0028document.domain\\u0029` src=x>"
mermaid_content = "graph LR\n B-->D(#{html_content});"
comment = "```mermaid\n#{mermaid_content}\n```"
add_note(comment)
wait_for_requests
expect(page.find('svg.mermaid')).to have_content html_content
end
end end
context "when editing comments" do context "when editing comments" do
......
...@@ -18,7 +18,7 @@ describe 'Mermaid rendering', :js do ...@@ -18,7 +18,7 @@ describe 'Mermaid rendering', :js do
visit project_issue_path(project, issue) visit project_issue_path(project, issue)
%w[A B C D].each do |label| %w[A B C D].each do |label|
expect(page).to have_selector('svg foreignObject', text: label) expect(page).to have_selector('svg text', text: label)
end end
end end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment