Commit 11a72bc3 authored by Mario Celi's avatar Mario Celi

Escape HTML on scoped labels tooltip

parent 2eaa98f2
---
title: Escape HTML on scoped labels tooltip
merge_request:
author:
type: security
...@@ -10,12 +10,18 @@ module EE ...@@ -10,12 +10,18 @@ module EE
def data_attributes_for(text, parent, object, link_content: false, link_reference: false) def data_attributes_for(text, parent, object, link_content: false, link_reference: false)
return super unless object.scoped_label? return super unless object.scoped_label?
# Enabling HTML tooltips for scoped labels here but we do not need to do any additional # Enabling HTML tooltips for scoped labels here and additional escaping is done in `object_link_title`
# escaping because the label's tooltips are already stripped of dangerous HTML
super.merge!( super.merge!(
html: true html: true
) )
end end
override :object_link_title
def object_link_title(object, matches)
return super unless object.scoped_label?
ERB::Util.html_escape(super)
end
end end
end end
end end
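Review bot: `ERB::Util.html_escape(super)` in the new `object_link_title` only escapes when `super` returns a plain String — under ActiveSupport, `html_escape` returns input that is already `html_safe?` unchanged, so if the CE implementation ever starts returning a sanitized `html_safe` title the escaping silently disappears while `data_attributes_for` still sets `html: true` and the tooltip renders the title as markup. The spec in this commit passes, so `super` presumably returns a plain String today, but nothing in the hunk pins that. Either document the assumption above the call, e.g. `# super must return a plain String: html_escape is a no-op on html_safe input`, or escape unconditionally with `CGI.escapeHTML(super.to_s)` if callers do not rely on receiving a SafeBuffer. The rewritten comment in `data_attributes_for` would also read better if it said why escaping is needed at all (`html: true` makes the tooltip interpret the title as HTML) rather than only where it happens. The enclosing module and class open before this hunk.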
...@@ -5,9 +5,10 @@ require 'spec_helper' ...@@ -5,9 +5,10 @@ require 'spec_helper'
RSpec.describe Banzai::Filter::LabelReferenceFilter do RSpec.describe Banzai::Filter::LabelReferenceFilter do
include FilterSpecHelper include FilterSpecHelper
let(:project) { create(:project, :public, name: 'sample-project') } let(:project) { create(:project, :public, name: 'sample-project') }
let(:label) { create(:label, name: 'label', project: project) } let(:label) { create(:label, name: 'label', project: project) }
let(:scoped_label) { create(:label, name: 'key::value', project: project) } let(:scoped_description) { 'xss <script>alert("scriptAlert");</script> &<a>lt;svg id=&quot;svgId&quot;&gt;&lt;/svg&gt;' }
let(:scoped_label) { create(:label, name: 'key::value', project: project, description: scoped_description) }
context 'with scoped labels enabled' do context 'with scoped labels enabled' do
before do before do
...@@ -24,6 +25,10 @@ RSpec.describe Banzai::Filter::LabelReferenceFilter do ...@@ -24,6 +25,10 @@ RSpec.describe Banzai::Filter::LabelReferenceFilter do
it 'renders HTML tooltips' do it 'renders HTML tooltips' do
expect(doc.at_css('.gl-label-scoped a').attr('data-html')).to eq('true') expect(doc.at_css('.gl-label-scoped a').attr('data-html')).to eq('true')
end end
it "escapes HTML in the label's title" do
expect(doc.at_css('.gl-label-scoped a').attr('title')).to include('xss &lt;svg id="svgId"&gt;')
end
end end
context 'with a common label' do context 'with a common label' do
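Review bot: The new example in the second hunk only checks that the escaped `<svg` fragment appears in the title; it does not assert that the `<script>` portion of `scoped_description` is gone or that no raw `<` survives, so a regression that escaped part of the input and passed the rest through would stay green. Add a negative assertion beside it, e.g. `expect(doc.at_css('.gl-label-scoped a').attr('title')).not_to include('<')`, which pins the property the fix is actually about. The surrounding `describe` and `context` blocks open before this hunk.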
...@@ -3,7 +3,7 @@ ...@@ -3,7 +3,7 @@
module Gitlab module Gitlab
module MarkdownCache module MarkdownCache
# Increment this number every time the renderer changes its output # Increment this number every time the renderer changes its output
CACHE_COMMONMARK_VERSION = 26 CACHE_COMMONMARK_VERSION = 27
CACHE_COMMONMARK_VERSION_START = 10 CACHE_COMMONMARK_VERSION_START = 10
BaseError = Class.new(StandardError) BaseError = Class.new(StandardError)