Commit acad5446 authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-sanitize-target-branch' into 'master'

Sanitize target branch

See merge request gitlab-org/security/gitlab!1180
parents 86f24e7c 5ce41ac9
<script>
import { isNumber } from 'lodash';
import { sanitize } from '~/lib/dompurify';
import ArtifactsApp from './artifacts_list_app.vue';
import MrWidgetContainer from './mr_widget_container.vue';
import MrWidgetPipeline from './mr_widget_pipeline.vue';
......@@ -40,7 +41,7 @@ export default {
return this.isPostMerge ? this.mr.targetBranch : this.mr.sourceBranch;
},
branchLink() {
return this.isPostMerge ? this.mr.targetBranch : this.mr.sourceBranchLink;
return this.isPostMerge ? sanitize(this.mr.targetBranch) : this.mr.sourceBranchLink;
},
deployments() {
return this.isPostMerge ? this.mr.postMergeDeployments : this.mr.deployments;
......
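Review bot: The `sanitize()` call on the new `branchLink()` line is a DOMPurify pass, which removes script content but still hands the branch name back as HTML, so a target branch containing benign markup would presumably still render as markup wherever the consumer treats this value as HTML; since a branch name is plain text, escaping it (or rendering it through text interpolation instead of `v-html` in MrWidgetPipeline) would be the more robust fix, with `sanitize()` kept as defence in depth. Only the post-merge arm of the ternary changes; `sourceBranchLink` on the other arm is passed through untouched, which reads as intentional but is not explained, so a comment would help: `// targetBranch is a raw branch name, sourceBranchLink is already rendered markup; only the former needs sanitizing before it is rendered as HTML`. The `branch()` getter above still returns the raw `targetBranch`, which is fine only if every consumer renders it as text — worth confirming. The enclosing `computed` block starts and ends outside the hunk, and the import hunk above is cut at its start.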
---
title: Sanitize target branch on MR page
merge_request:
author:
type: security
......@@ -78,6 +78,18 @@ describe('MrWidgetPipelineContainer', () => {
});
});
it('sanitizes the targetBranch', () => {
factory({
isPostMerge: true,
mr: {
...mockStore,
targetBranch: 'Foo<script>alert("XSS")</script>',
},
});
expect(wrapper.find(MrWidgetPipeline).props().sourceBranchLink).toBe('Foo');
});
it('renders deployments', () => {
const expectedProps = mockStore.postMergeDeployments.map((dep) =>
expect.objectContaining({
......
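Review bot: The new `it('sanitizes the targetBranch')` case pins only that the script element and its body are dropped, not what happens to markup DOMPurify considers safe, so the test does not distinguish "sanitized HTML" from "escaped text". A companion case passing a branch name with harmless markup (for example a `<b>` element) and asserting the exact expected `sourceBranchLink` value would document which of the two contracts the component provides, so that a later change from sanitizing to escaping (or vice versa) is caught rather than silently accepted. The `describe` block continues outside the hunk.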