Merge branch 'security-html_escape_usernames' into 'master'

[master] HTML escape the name of the user in ProjectsHelper#link_to_member See merge request gitlab/gitlabhq!2401

Merge branch 'security-html_escape_usernames' into 'master'
[master] HTML escape the name of the user in ProjectsHelper#link_to_member See merge request gitlab/gitlabhq!2401
8d18f219 · Alessio Caiazza · 9d6499a5 · 1fbf6f18 · 8d18f219 · 8d18f219
Commit 8d18f219 authored Jun 25, 2018 by Alessio Caiazza
3 changed files
--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -40,7 +40,8 @@ module ProjectsHelper
      name_tag_options[:class] << 'has-tooltip'
    end

-    content_tag(:span, sanitize(username), name_tag_options)
+    # NOTE: ActionView::Helpers::TagHelper#content_tag HTML escapes username
+    content_tag(:span, username, name_tag_options)
  end

  def link_to_member(project, author, opts = {}, &block)

--- a/changelogs/unreleased/security-html_escape_usernames.yml
+++ b/changelogs/unreleased/security-html_escape_usernames.yml
+---
+title: HTML escape the name of the user in ProjectsHelper#link_to_member
+merge_request:
+author:
+type: security
--- a/spec/helpers/projects_helper_spec.rb
+++ b/spec/helpers/projects_helper_spec.rb
@@ -248,7 +248,7 @@ describe ProjectsHelper do
  describe '#link_to_member' do
    let(:group)   { build_stubbed(:group) }
    let(:project) { build_stubbed(:project, group: group) }
-    let(:user)    { build_stubbed(:user) }
+    let(:user)    { build_stubbed(:user, name: '<h1>Administrator</h1>') }

    describe 'using the default options' do
      it 'returns an HTML link to the user' do
@@ -256,6 +256,13 @@ describe ProjectsHelper do

        expect(link).to match(%r{/#{user.username}})
      end
+
+      it 'HTML escapes the name of the user' do
+        link = helper.link_to_member(project, user)
+
+        expect(link).to include(ERB::Util.html_escape(user.name))
+        expect(link).not_to include(user.name)
+      end
    end
  end