Sanitize admin email "Recipient Group" dropdown options

Dropdown is found at `admin/email`. Passes dropdown options through `sanitizeItem`. To prevent errors `sanitizeItem` is updated to check if `name` and `namespace` keys exist before sanitizing.

Sanitize admin email "Recipient Group" dropdown options
Dropdown is found at `admin/email`. Passes dropdown options through `sanitizeItem`. To prevent errors `sanitizeItem` is updated to check if `name` and `namespace` keys exist before sanitizing.
e40eba87 · Peter Hegman · GitLab Release Tools Bot · ec39a640 · e40eba87 · e40eba87
Commit e40eba87 authored Mar 24, 2020 by Peter Hegman Committed by GitLab Release Tools Bot Mar 24, 2020
4 changed files
--- a/app/assets/javascripts/frequent_items/utils.js
+++ b/app/assets/javascripts/frequent_items/utils.js
@@ -45,8 +45,19 @@ export const updateExistingFrequentItem = (frequentItem, item) => {
  };
 };

-export const sanitizeItem = item => ({
-  ...item,
-  name: sanitize(item.name.toString(), { allowedTags: [] }),
-  namespace: sanitize(item.namespace.toString(), { allowedTags: [] }),
-});
+export const sanitizeItem = item => {
+  // Only sanitize if the key exists on the item
+  const maybeSanitize = key => {
+    if (!Object.prototype.hasOwnProperty.call(item, key)) {
+      return {};
+    }
+
+    return { [key]: sanitize(item[key].toString(), { allowedTags: [] }) };
+  };
+
+  return {
+    ...item,
+    ...maybeSanitize('name'),
+    ...maybeSanitize('namespace'),
+  };
+};
--- a/changelogs/unreleased/security-xss-vulnerability-in-admin-send-email-notification.yml
+++ b/changelogs/unreleased/security-xss-vulnerability-in-admin-send-email-notification.yml
+---
+title: Fix XSS vulnerability in `admin/email` "Recipient Group" dropdown
+merge_request:
+author:
+type: security
--- a/ee/app/assets/javascripts/pages/admin/emails/show/admin_email_select.js
+++ b/ee/app/assets/javascripts/pages/admin/emails/show/admin_email_select.js
 import $ from 'jquery';
 import Api from '~/api';
 import { sprintf, __ } from '~/locale';
+import { sanitizeItem } from '~/frequent_items/utils';

 const formatResult = selectedItem => {
  if (selectedItem.path_with_namespace) {
@@ -38,7 +39,7 @@ const AdminEmailSelect = () => {
          const all = {
            id: 'all',
          };
-          const data = [all].concat(groups, projects.data);
+          const data = [all].concat(groups, projects.data).map(sanitizeItem);
          return query.callback({
            results: data,
          });

--- a/spec/javascripts/frequent_items/utils_spec.js
+++ b/spec/javascripts/frequent_items/utils_spec.js
@@ -108,5 +108,23 @@ describe('Frequent Items utils spec', () => {

      expect(sanitizeItem(input)).toEqual({ name: 'test', namespace: 'test', id: 1 });
    });
+
+    it("skips `name` key if it doesn't exist on the item", () => {
+      const input = {
+        namespace: '<br>test',
+        id: 1,
+      };
+
+      expect(sanitizeItem(input)).toEqual({ namespace: 'test', id: 1 });
+    });
+
+    it("skips `namespace` key if it doesn't exist on the item", () => {
+      const input = {
+        name: '<br><b>test</b>',
+        id: 1,
+      };
+
+      expect(sanitizeItem(input)).toEqual({ name: 'test', id: 1 });
+    });
  });
 });