Commit 6557858f authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-2819-xss-resolve-conflicts-branch-name' into 'master'

Fix XSS in resolve conflicts form

See merge request gitlab/gitlabhq!2977
parents 3e4c2b04 e6e9c10e
...@@ -6,7 +6,7 @@ ...@@ -6,7 +6,7 @@
.form-group.row .form-group.row
.col-md-4 .col-md-4
%h4= _('Resolve conflicts on source branch') %h4= _('Resolve conflicts on source branch')
.resolve-info .resolve-info{ "v-pre": true }
= translation.html_safe = translation.html_safe
.col-md-8 .col-md-8
%label.label-bold{ "for" => "commit-message" } %label.label-bold{ "for" => "commit-message" }
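Review bot: The `v-pre` added to `.resolve-info` on line 13 keeps Vue from compiling `{{ }}` sequences in the branch name, but `= translation.html_safe` on the next line is unchanged, so the markup stays safe only if the branch name is HTML-escaped before it is interpolated into `translation` in the helper, which is outside this hunk; worth confirming that escaping there. The purpose of `v-pre` is not obvious from the template and a later reader could remove it as redundant, so a silent comment above the line would help: `-# v-pre: the branch name is interpolated into this text; Vue must not compile {{ }} in it`.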
---
title: Fix XSS in resolve conflicts form
merge_request:
author:
type: security
...@@ -164,6 +164,21 @@ describe 'Merge request > User resolves conflicts', :js do ...@@ -164,6 +164,21 @@ describe 'Merge request > User resolves conflicts', :js do
expect(page).to have_content('Gregor Samsa woke from troubled dreams') expect(page).to have_content('Gregor Samsa woke from troubled dreams')
end end
end end
context "with malicious branch name" do
let(:bad_branch_name) { "malicious-branch-{{toString.constructor('alert(/xss/)')()}}" }
let(:branch) { project.repository.create_branch(bad_branch_name, 'conflict-resolvable') }
let(:merge_request) { create_merge_request(branch.name) }
before do
visit project_merge_request_path(project, merge_request)
click_link('conflicts', href: %r{/conflicts\Z})
end
it "renders bad name without xss issues" do
expect(find('.resolve-conflicts-form .resolve-info')).to have_content(bad_branch_name)
end
end
end end
UNRESOLVABLE_CONFLICTS = { UNRESOLVABLE_CONFLICTS = {
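Review bot: The new example uses double-quoted string literals on lines 27 and 35 where the surrounding file uses single quotes (line 24), so `context 'with malicious branch name' do` and `it 'renders bad name without xss issues' do` would match the file's style; line 28 legitimately needs double quotes because the value itself contains single quotes. The `have_content(bad_branch_name)` expectation covers the template-interpolation vector only — if Vue compiled the mustache the literal text would no longer match — and whether HTML escaping of the name before `html_safe` is exercised elsewhere in this spec is not visible from the hunk. The enclosing `describe` block begins outside the hunk.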