Merge branch 'security-prevent-diff-for-path-vulnerability' into 'master'

Ignore user-defined diff paths in diff notes

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3159



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Stanislav Lashmanov <slashmanov@gitlab.com>
Approved-by: Nikhil George <ngeorge@gitlab.com>
Approved-by: Phil Hughes <me@iamphill.com>
Co-authored-by: Jacques <jerasmus@gitlab.com>

app/assets/javascripts/single_file_diff.js

@@ -24,7 +24,9 @@ export default class SingleFileDiff {
     this.content = $('.diff-content', this.file);
     this.$chevronRightIcon = $('.diff-toggle-caret .chevron-right', this.file);
     this.$chevronDownIcon = $('.diff-toggle-caret .chevron-down', this.file);
-    this.diffForPath = this.content.find('[data-diff-for-path]').data('diffForPath');
+    this.diffForPath = this.content
+      .find('div:not(.note-text)[data-diff-for-path]')
+      .data('diffForPath');
     this.isOpen = !this.diffForPath;
     if (this.diffForPath) {
       this.collapsedContent = this.content;

spec/frontend/single_file_diff_spec.js

@@ -67,6 +67,21 @@ describe('SingleFileDiff', () => {
     expect(mock.history.get.length).toBe(1);
   });
 
+  it('ignores user-defined diff path attributes', () => {
+    setHTMLFixture(`
+    <div class="diff-file">
+      <div class="diff-content">
+        <div class="diff-viewer" data-type="simple">
+          <div class="note-text"><a data-diff-for-path="test/note/path">Test note</a></div>
+          <div data-diff-for-path="${blobDiffPath}">MOCK CONTENT</div>
+        </div>
+      </div>
+    </div>
+`);
+    const { diffForPath } = new SingleFileDiff(document.querySelector('.diff-file'));
+    expect(diffForPath).toEqual(blobDiffPath);
+  });
+
   it('does not load diffs via axios for already expanded diffs', async () => {
     setHTMLFixture(`
     <div class="diff-file">