Minimise JsonTableFilter output and permissivity

What does this MR do and why?

!117511 (merged) caused JSON tables to pass their "class" field onto the instantiated GlTable. This is a completely user-controlled field, so issues involving user-controlled classes have occurred.

This MR rewrites JsonTableFilter to address issues noted in #591696 (closed) and to remove this user-controlled class.

The functionality added in that MR has since regressed (CSS selector specificity overrides gl-font-bold), so this change does not actually impact current live functionality.
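
The defensive pattern behind this change, as an added example that is not GitLab's JsonTableFilter or any code from this MR: a user-supplied JSON table spec is reduced to an allowlist of known fields before it reaches a UI component, so a top-level `class` (or a `class` smuggled into a column definition) is dropped rather than forwarded. The spec shape (`fields`, `items`, `filter`, `caption`), the per-field keys (`key`, `label`, `sortable`) and the `normalizeTableSpec` / `normalizeField` names are assumptions for the example; the sample input is constructed.

```javascript
// Added example (not GitLab's JsonTableFilter): an allowlist-based normaliser
// for a user-controlled JSON table spec. Anything outside the allowlist,
// including a "class" field at any level, is discarded so it can never be
// bound onto the rendered component.

// Assumed spec shape: { fields: [...], items: [...], filter: bool, caption: string }
const ALLOWED_TOP_LEVEL = new Set(['fields', 'items', 'filter', 'caption']);
// Assumed per-column keys; note that "class" is deliberately absent.
const ALLOWED_FIELD_KEYS = new Set(['key', 'label', 'sortable']);

function normalizeField(field) {
  // A bare string means "key and label are the same".
  if (typeof field === 'string') {
    return { key: field, label: field, sortable: false };
  }
  if (field === null || typeof field !== 'object' || Array.isArray(field)) {
    return null; // malformed column definitions are dropped, not passed through
  }
  const kept = {};
  for (const k of Object.keys(field)) {
    if (ALLOWED_FIELD_KEYS.has(k)) kept[k] = field[k];
  }
  if (typeof kept.key !== 'string' || kept.key.length === 0) return null;
  // Coerce every kept value to the type the component expects.
  return {
    key: kept.key,
    label: typeof kept.label === 'string' ? kept.label : kept.key,
    sortable: kept.sortable === true,
  };
}

function normalizeTableSpec(rawJson) {
  const spec = JSON.parse(rawJson); // throws on malformed JSON; caller renders an error
  if (spec === null || typeof spec !== 'object' || Array.isArray(spec)) {
    throw new TypeError('table spec must be a JSON object');
  }
  const out = {};
  const dropped = []; // surfaced so a caller can log or lint rejected keys
  for (const k of Object.keys(spec)) {
    if (ALLOWED_TOP_LEVEL.has(k)) out[k] = spec[k];
    else dropped.push(k);
  }
  out.fields = Array.isArray(out.fields)
    ? out.fields.map(normalizeField).filter((f) => f !== null)
    : [];
  out.items = Array.isArray(out.items)
    ? out.items.filter((i) => i !== null && typeof i === 'object' && !Array.isArray(i))
    : [];
  out.filter = out.filter === true;
  out.caption = typeof out.caption === 'string' ? out.caption : '';
  return { spec: out, dropped };
}

// Constructed sample: a spec that tries to attach a class both at the top
// level and inside a column definition.
const SAMPLE_SPEC = JSON.stringify({
  class: 'some-user-chosen-class',
  fields: ['name', { key: 'role', label: 'Role', sortable: true, class: 'another-class' }],
  items: [{ name: 'a', role: 'dev' }, 'not-an-object'],
  filter: true,
  caption: 'Team',
});

// Usage: const { spec, dropped } = normalizeTableSpec(SAMPLE_SPEC);
// spec has no "class" anywhere; dropped is ["class"].
```

The point of returning `dropped` alongside the cleaned spec is that rejected keys become observable: a renderer can emit a diagnostic when user content tries to set properties the component should never receive, instead of silently forwarding them.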

This was originally authored as a security fix (https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/5807), but the vulnerability was reclassified as out-of-scope and the bug deemed functional, and so the fix is being made in public.

How to set up and validate locally

  1. Check out the branch.
  2. Create some new JSON tables in Markdown in your GDK per the docs. It's important that they're new, since old ones will be cached renders so you won't be exercising the rewritten filter.
  3. Check they look OK!

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
