Commit e91fd7f9 authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-291004-scoped-label-xss' into 'master'

Escape HTML on scoped labels tooltip

See merge request gitlab-org/security/gitlab!1321
parents 620c9407 11a72bc3
---
title: Escape HTML on scoped labels tooltip
merge_request:
author:
type: security
......@@ -10,12 +10,18 @@ module LabelReferenceFilter
def data_attributes_for(text, parent, object, link_content: false, link_reference: false)
return super unless object.scoped_label?
# Enabling HTML tooltips for scoped labels here but we do not need to do any additional
# escaping because the label's tooltips are already stripped of dangerous HTML
# Enabling HTML tooltips for scoped labels here and additional escaping is done in `object_link_title`
super.merge!(
html: true
)
end
override :object_link_title
def object_link_title(object, matches)
return super unless object.scoped_label?
ERB::Util.html_escape(super)
end
end
end
end
......
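Review bot: `ERB::Util.html_escape(super)` in the new `object_link_title` only escapes when `super` returns a plain String; under Rails, `ERB::Util.html_escape` returns an `html_safe?` buffer unchanged, so if the parent `object_link_title` ever hands back a SafeBuffer the escaping silently does nothing and the `html: true` tooltip enabled in `data_attributes_for` would render the raw markup again. Whether the parent returns a SafeBuffer is not visible in this hunk, so it is worth pinning with a spec whose title is already marked safe, or escaping unconditionally with `CGI.escapeHTML(super.to_s)`, which ignores the safe flag. The new comment on the `html: true` line would also read better if it said why only scoped labels are affected, e.g. `# Scoped labels render their tooltip as HTML (html: true), so their title must be escaped in object_link_title; plain labels keep a text tooltip.` The enclosing `module LabelReferenceFilter` starts before this hunk.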
......@@ -5,9 +5,10 @@
RSpec.describe Banzai::Filter::LabelReferenceFilter do
include FilterSpecHelper
let(:project) { create(:project, :public, name: 'sample-project') }
let(:label) { create(:label, name: 'label', project: project) }
let(:scoped_label) { create(:label, name: 'key::value', project: project) }
let(:project) { create(:project, :public, name: 'sample-project') }
let(:label) { create(:label, name: 'label', project: project) }
let(:scoped_description) { 'xss <script>alert("scriptAlert");</script> &<a>lt;svg id=&quot;svgId&quot;&gt;&lt;/svg&gt;' }
let(:scoped_label) { create(:label, name: 'key::value', project: project, description: scoped_description) }
context 'with scoped labels enabled' do
before do
......@@ -24,6 +25,10 @@
it 'renders HTML tooltips' do
expect(doc.at_css('.gl-label-scoped a').attr('data-html')).to eq('true')
end
it "escapes HTML in the label's title" do
expect(doc.at_css('.gl-label-scoped a').attr('title')).to include('xss &lt;svg id="svgId"&gt;')
end
end
context 'with a common label' do
......
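Review bot: The new example "escapes HTML in the label's title" only asserts that the `&lt;svg …&gt;` fragment of `scoped_description` survives entity-encoded; it never asserts that the `<script>` tag from the same description is absent from the decoded `title` value, which is the tooltip-injection case the change is meant to close. Adding `expect(doc.at_css('.gl-label-scoped a').attr('title')).not_to include('<script>')` alongside the existing expectation would catch a regression where the escape is bypassed (for instance by a pre-escaped safe string) while the `<svg>` entity still happens to round-trip. If the description sanitizer already strips `<script>` before this filter runs, as the expected value suggests it does for `<a>`, the assertion is cheap and still documents the intent. The `RSpec.describe` block continues outside this hunk.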
......@@ -3,7 +3,7 @@
module Gitlab
module MarkdownCache
# Increment this number every time the renderer changes its output
CACHE_COMMONMARK_VERSION = 26
CACHE_COMMONMARK_VERSION = 27
CACHE_COMMONMARK_VERSION_START = 10
BaseError = Class.new(StandardError)
......