Commit ee2ad681 authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-674-fix-jira-content-injection-14-10' into '14-10-stable-ee'

Fix content injection in Jira issue title

See merge request gitlab-org/security/gitlab!2464
parents 7d3860c3 b8f82ec8
......@@ -13,6 +13,10 @@ module Integrations
jira_issue.summary
end
expose :title_html do |jira_issue|
html_escape jira_issue.summary
end
expose :created_at do |jira_issue|
jira_issue.created.to_datetime.utc
end
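Review bot: The escaping added on the `html_escape jira_issue.summary` line only protects consumers that switch to the new `title_html` field; the raw `title` exposure just above it is unchanged, so any template or component still binding `title` into markup keeps the injection — the frontend side of this fix, if any, is not in this diff, so it is worth confirming every HTML rendering of the title now reads `title_html`. Making that contract explicit would help the next maintainer: `# Pre-escaped for consumers that render the title as HTML; the plain title field is for text contexts only.` `html_escape` presumably resolves to `ERB::Util#html_escape` (which, if so, also turns a nil summary into an empty string rather than raising), but the include providing it is outside the hunk, as are the start and end of the entity class.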
......
......@@ -79,6 +79,43 @@ RSpec.describe 'Jira issues list', :js do
end
end
context 'when title or description contains HTML characters' do
let(:html) { '<script>foobar</script>' }
let(:escaped_html) { ERB::Util.html_escape(html) }
let(:issue) { build_issue(1).deep_merge(fields: { summary: html }) }
before do
stub_licensed_features(jira_issues_integration: true)
end
it 'escapes the HTML on issues#index' do
stub_issues([issue])
visit project_integrations_jira_issues_path(project)
expect(page).to have_text(html)
expect(page).not_to have_css('script', text: 'foobar')
expect(page.source).to include(escaped_html)
end
it 'escapes the HTML on issues#show' do
issue.deep_merge!(
fields: { comment: { comments: [] } },
renderedFields: { description: html },
duedate: Time.zone.now.to_s
)
stub_request(:get, /\A#{public_url}/)
.to_return(headers: { 'Content-Type' => 'application/json' }, body: issue.to_json)
visit project_integrations_jira_issue_path(project, 1)
expect(page).to have_text(html)
expect(page).not_to have_css('script', text: 'foobar')
expect(page.source).to include(escaped_html)
end
end
private
def all_pages
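Review bot: In the issues#show example, all three assertions can be satisfied by the escaped title alone, so escaping of the `description` injected through `renderedFields` is not independently verified — if description rendering regressed, or neutralised the payload by stripping rather than escaping, `page.source` would still contain `escaped_html` from the title and the example would stay green. A distinct payload pins it down: `let(:description_html) { '<script>baz</script>' }`, fed in as `renderedFields: { description: description_html }`, plus `expect(page.source).to include(ERB::Util.html_escape(description_html))` and a matching `not_to have_css('script', text: 'baz')`. The `build_issue`, `stub_issues` and `public_url` helpers this context relies on are defined outside the hunk.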
......
......@@ -26,7 +26,7 @@ RSpec.describe Integrations::JiraSerializers::IssueEntity do
let(:jira_issue) do
double(
summary: 'Title',
summary: 'Title with <h1>HTML</h1>',
created: '2020-06-25T15:39:30.000+0000',
updated: '2020-06-26T15:38:32.000+0000',
resolutiondate: '2020-06-27T13:23:51.000+0000',
......@@ -46,7 +46,8 @@ RSpec.describe Integrations::JiraSerializers::IssueEntity do
it 'returns the Jira issues attributes' do
expect(subject).to include(
project_id: project.id,
title: 'Title',
title: 'Title with <h1>HTML</h1>',
title_html: 'Title with &lt;h1&gt;HTML&lt;/h1&gt;',
created_at: '2020-06-25T15:39:30.000+0000'.to_datetime.utc,
updated_at: '2020-06-26T15:38:32.000+0000'.to_datetime.utc,
closed_at: '2020-06-27T13:23:51.000+0000'.to_datetime.utc,
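Review bot: The fixture introduced on the `summary: 'Title with <h1>HTML</h1>'` line (first hunk of this file) only exercises `<` and `>`, so the new `title_html` expectation does not pin down that attribute-breaking characters (`"`, `'`, `&`) are escaped too — exactly the ones that matter if a consumer ever places `title_html` in an attribute rather than element content. A broader payload costs nothing: `summary: %q(Title with <h1>"HTML" & 'more'</h1>)` in the double, the same raw string on the `title:` line, and `title_html: 'Title with &lt;h1&gt;&quot;HTML&quot; &amp; &#39;more&#39;&lt;/h1&gt;'` (that is `ERB::Util.html_escape`'s output; adjust if the entity uses a different escaper). Both the `double(` call and the `include(` expectation edited here begin before the visible lines.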
......