Fix HTML injection for label description

23517b61 · Patrick Derichs · 01e37ab6 · 23517b61 · 23517b61 · 23517b61
Commit 23517b61 authored Jul 15, 2019 by Patrick Derichs
5 changed files
--- a/app/helpers/labels_helper.rb
+++ b/app/helpers/labels_helper.rb
@@ -71,7 +71,7 @@ module LabelsHelper
  end

  def label_tooltip_title(label)
-    label.description
+    Sanitize.clean(label.description)
  end

  def suggested_colors

--- a/app/models/label.rb
+++ b/app/models/label.rb
@@ -197,7 +197,11 @@ class Label < ApplicationRecord
  end

  def title=(value)
-    write_attribute(:title, sanitize_title(value)) if value.present?
+    write_attribute(:title, sanitize_value(value)) if value.present?
+  end
+
+  def description=(value)
+    write_attribute(:description, sanitize_value(value)) if value.present?
  end

  ##
@@ -258,7 +262,7 @@ class Label < ApplicationRecord
    end
  end

-  def sanitize_title(value)
+  def sanitize_value(value)
    CGI.unescapeHTML(Sanitize.clean(value.to_s))
  end


--- a/changelogs/unreleased/security-fix-html-injection-for-label-description-ce-master.yml
+++ b/changelogs/unreleased/security-fix-html-injection-for-label-description-ce-master.yml
+---
+title: Fix HTML injection for label description
+merge_request:
+author:
+type: security
--- a/spec/helpers/labels_helper_spec.rb
+++ b/spec/helpers/labels_helper_spec.rb
@@ -278,4 +278,14 @@ describe LabelsHelper do
      it { is_expected.to eq('Subscribe at group level') }
    end
  end
+
+  describe '#label_tooltip_title' do
+    let(:html) { '<img src="example.png">This is an image</img>' }
+    let(:label_with_html_content) { create(:label, title: 'test', description: html) }
+
+    it 'removes HTML' do
+      tooltip = label_tooltip_title(label_with_html_content)
+      expect(tooltip).to eq('This is an image')
+    end
+  end
 end
--- a/spec/models/label_spec.rb
+++ b/spec/models/label_spec.rb
@@ -84,6 +84,13 @@ describe Label do
    end
  end

+  describe '#description' do
+    it 'sanitizes description' do
+      label = described_class.new(description: '<b>foo & bar?</b>')
+      expect(label.description).to eq('foo & bar?')
+    end
+  end
+
  describe 'priorization' do
    subject(:label) { create(:label) }