Commit b4a0a234 authored by Robert May's avatar Robert May Committed by GitLab Release Tools Bot

Fix for XSS in branch names

parent 63c48c56
<script> <script>
import { GlLoadingIcon } from '@gitlab/ui'; import { GlLoadingIcon } from '@gitlab/ui';
import { escape } from 'lodash';
import simplePoll from '../../../lib/utils/simple_poll'; import simplePoll from '../../../lib/utils/simple_poll';
import eventHub from '../../event_hub'; import eventHub from '../../event_hub';
import statusIcon from '../mr_widget_status_icon.vue'; import statusIcon from '../mr_widget_status_icon.vue';
...@@ -44,11 +45,10 @@ export default { ...@@ -44,11 +45,10 @@ export default {
fastForwardMergeText() { fastForwardMergeText() {
return sprintf( return sprintf(
__( __(
`Fast-forward merge is not possible. Rebase the source branch onto %{startTag}${this.mr.targetBranch}%{endTag} to allow this merge request to be merged.`, 'Fast-forward merge is not possible. Rebase the source branch onto %{targetBranch} to allow this merge request to be merged.',
), ),
{ {
startTag: '<span class="label-branch">', targetBranch: `<span class="label-branch">${escape(this.mr.targetBranch)}</span>`,
endTag: '</span>',
}, },
false, false,
); );
......
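Review bot: Safety of the rewritten `targetBranch` parameter now rests entirely on the `escape()` call, because the trailing `false` argument to `sprintf` appears to disable parameter escaping so the `<span class="label-branch">` markup survives, and nothing in the hunk records that coupling. A comment above the `targetBranch:` line would keep a later edit from dropping either half, e.g. `// sprintf escaping is off (3rd arg) so the <span> renders; the branch name must stay wrapped in escape()`. The new `import { escape } from 'lodash';` at the top of the file is the dependency this relies on. The closing brace of `fastForwardMergeText` lies outside the hunk.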
...@@ -8,7 +8,9 @@ ...@@ -8,7 +8,9 @@
.form-group.row.d-flex.gl-pl-3.gl-pr-3.branch-selector .form-group.row.d-flex.gl-pl-3.gl-pr-3.branch-selector
.align-self-center .align-self-center
%span= s_('From %{source_title} into').html_safe % { source_title: "<code>#{source_title}</code>".html_safe } %span
= _('From <code>%{source_title}</code> into').html_safe % { source_title: source_title }
- if issuable.new_record? - if issuable.new_record?
%code= target_title %code= target_title
&nbsp; &nbsp;
......
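Review bot: The new `%span` line relies on `%` on the `.html_safe` translation escaping `source_title` at interpolation time, which holds only while `source_title` arrives as a plain, non-`html_safe` string; the removed line marked the wrapped branch name safe itself, which is what introduced the bug, and nothing here guards against that being reintroduced upstream. A maintainer comment such as `-# source_title must stay an unescaped String; SafeBuffer#% escapes it on interpolation` above the `%span` would record why the `<code>` tags moved into the msgid. Moving markup into the translatable string also means `.html_safe` now trusts translator output for `From <code>%{source_title}</code> into`, a trade-off worth a note rather than a change. The `%code= target_title` line on the next row presumably relies on Haml's default escaping; if that is not enabled for this template it deserves the same scrutiny.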
---
title: Fix for XSS in branch names
merge_request:
author:
type: security
...@@ -8318,6 +8318,9 @@ msgstr "" ...@@ -8318,6 +8318,9 @@ msgstr ""
msgid "False positive" msgid "False positive"
msgstr "" msgstr ""
msgid "Fast-forward merge is not possible. Rebase the source branch onto %{targetBranch} to allow this merge request to be merged."
msgstr ""
msgid "Fast-forward merge is not possible. Rebase the source branch onto the target branch or merge target branch into source branch to allow this merge request to be merged." msgid "Fast-forward merge is not possible. Rebase the source branch onto the target branch or merge target branch into source branch to allow this merge request to be merged."
msgstr "" msgstr ""
...@@ -8768,7 +8771,7 @@ msgstr "" ...@@ -8768,7 +8771,7 @@ msgstr ""
msgid "From %{providerTitle}" msgid "From %{providerTitle}"
msgstr "" msgstr ""
msgid "From %{source_title} into" msgid "From <code>%{source_title}</code> into"
msgstr "" msgstr ""
msgid "From Bitbucket" msgid "From Bitbucket"
......
...@@ -5,9 +5,9 @@ require "spec_helper" ...@@ -5,9 +5,9 @@ require "spec_helper"
describe "User creates a merge request", :js do describe "User creates a merge request", :js do
include ProjectForksHelper include ProjectForksHelper
let_it_be(:project) { create(:project, :repository) }
let_it_be(:user) { create(:user) }
let(:title) { "Some feature" } let(:title) { "Some feature" }
let(:project) { create(:project, :repository) }
let(:user) { create(:user) }
before do before do
project.add_maintainer(user) project.add_maintainer(user)
...@@ -38,6 +38,26 @@ describe "User creates a merge request", :js do ...@@ -38,6 +38,26 @@ describe "User creates a merge request", :js do
end end
end end
context "XSS branch name exists" do
before do
project.repository.create_branch("<img/src='x'/onerror=alert('oops')>", "master")
end
it "doesn't execute the dodgy branch name" do
visit(project_new_merge_request_path(project))
find(".js-source-branch").click
click_link("<img/src='x'/onerror=alert('oops')>")
find(".js-target-branch").click
click_link("feature")
click_button("Compare branches")
expect { page.driver.browser.switch_to.alert }.to raise_error(Selenium::WebDriver::Error::NoSuchAlertError)
end
end
context "to a forked project" do context "to a forked project" do
let(:forked_project) { fork_project(project, user, namespace: user.namespace, repository: true) } let(:forked_project) { fork_project(project, user, namespace: user.namespace, repository: true) }
......
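Review bot: The `it "doesn't execute the dodgy branch name"` example only asserts that no alert is present, a negative, Selenium-specific check (`page.driver.browser.switch_to.alert`) that says nothing about how the name was rendered; a positive assertion that the branch name appears as literal text, e.g. `expect(page).to have_content("<img/src='x'/onerror=alert('oops')>")`, would fail on an unescaped render even when the markup does not manage to raise an alert. The switch from `let` to `let_it_be` for `project` also means the branch created in the context's `before` persists in the shared repository for every example that runs after it, including the `"to a forked project"` context that forks with `repository: true`; an `after` hook removing the branch, or scoping the name to the context, would keep examples independent. Both observations are inferred from the visible hunks; the examples between the two hunks are outside this view.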