Merge branch '329493-confidential-issue' into 'master'

Fixes XSS in shared runner description See merge request gitlab-org/gitlab!60891

Merge branch '329493-confidential-issue' into 'master'
Fixes XSS in shared runner description See merge request gitlab-org/gitlab!60891
d2949e54 · Mike Greiling · fcdc7fea · 27fb5b3b · d2949e54 · d2949e54
Commit d2949e54 authored May 04, 2021 by Mike Greiling
3 changed files
--- a/app/views/shared/runners/_shared_runners_description.html.haml
+++ b/app/views/shared/runners/_shared_runners_description.html.haml
@@ -3,11 +3,10 @@
 %h4
  = _('Shared runners')

-.bs-callout.shared-runners-description
-  = _('These runners are shared across this GitLab instance.')
-  %p
+.bs-callout{ data: { testid: 'shared-runners-description' } }
+  %p= _('These runners are shared across this GitLab instance.')
  - if Gitlab::CurrentSettings.shared_runners_text.present?
-    = markdown_field(Gitlab::CurrentSettings.current_application_settings, :shared_runners_text)
+    = markdown(Gitlab::CurrentSettings.current_application_settings.shared_runners_text)
  - else
-    = _('The same shared runner executes code from multiple projects, unless you configure autoscaling with %{link} set to 1 (which it is on GitLab.com).').html_safe % { link: link }
+    %p= _('The same shared runner executes code from multiple projects, unless you configure autoscaling with %{link} set to 1 (which it is on GitLab.com).').html_safe % { link: link }
  = yield
--- a/changelogs/unreleased/mrincon-fix-xss-shared-runners-text.yml
+++ b/changelogs/unreleased/mrincon-fix-xss-shared-runners-text.yml
+---
+title: Fix XSS vulnerability in shared runner description
+merge_request: 60891
+author:
+type: security
--- a/spec/features/runners_spec.rb
+++ b/spec/features/runners_spec.rb
@@ -160,6 +160,17 @@ RSpec.describe 'Runners' do
      end
    end

+    context 'shared runner text' do
+      context 'when application settings have no shared_runners_text' do
+        it 'user sees default shared runners description' do
+          visit project_runners_path(project)
+
+          page.within("[data-testid='shared-runners-description']") do
+            expect(page).to have_content('The same shared runner executes code from multiple projects')
+          end
+        end
+      end
+
      context 'when application settings have shared_runners_text' do
        let(:shared_runners_text) { 'custom **shared** runners description' }
        let(:shared_runners_html) { 'custom shared runners description' }
@@ -171,7 +182,45 @@ RSpec.describe 'Runners' do
        it 'user sees shared runners description' do
          visit project_runners_path(project)

-        expect(page.find('.shared-runners-description')).to have_content(shared_runners_html)
+          page.within("[data-testid='shared-runners-description']") do
+            expect(page).not_to have_content('The same shared runner executes code from multiple projects')
+            expect(page).to have_content(shared_runners_html)
+          end
+        end
+      end
+
+      context 'when application settings have an unsafe link in shared_runners_text' do
+        let(:shared_runners_text) { '<a href="javascript:alert(\'xss\')">link</a>' }
+
+        before do
+          stub_application_setting(shared_runners_text: shared_runners_text)
+        end
+
+        it 'user sees no link' do
+          visit project_runners_path(project)
+
+          page.within("[data-testid='shared-runners-description']") do
+            expect(page).to have_content('link')
+            expect(page).not_to have_link('link')
+          end
+        end
+      end
+
+      context 'when application settings have an unsafe image in shared_runners_text' do
+        let(:shared_runners_text) { '<img src="404.png" onerror="alert(\'xss\')"/>' }
+
+        before do
+          stub_application_setting(shared_runners_text: shared_runners_text)
+        end
+
+        it 'user sees image safely' do
+          visit project_runners_path(project)
+
+          page.within("[data-testid='shared-runners-description']") do
+            expect(page).to have_css('img')
+            expect(page).not_to have_css('img[onerror]')
+          end
+        end
      end
    end
  end
@@ -190,7 +239,7 @@ RSpec.describe 'Runners' do

        click_on 'Enable shared runners'

-        expect(page.find('.shared-runners-description')).to have_content('Disable shared runners')
+        expect(page.find("[data-testid='shared-runners-description']")).to have_content('Disable shared runners')
        expect(page).not_to have_selector('#toggle-shared-runners-form')
      end
    end