Merge branch 'fix-escape-commit-block' into 'security-9-5'

[9.5] Prevent a persistent XSS in the commit author block See merge request gitlab/gitlabhq!2180
2017-09-04 10:28:30 +00:00 · 2017-09-04 10:28:30 +00:00 · 4acab552be
parent 941a2d2737
commit 4acab552be
3 changed files with 30 additions and 3 deletions
--- a/app/helpers/commits_helper.rb
+++ b/app/helpers/commits_helper.rb
@ -137,7 +137,7 @@ module CommitsHelper

    text =
      if options[:avatar]
-        %Q{<span class="commit-#{options[:source]}-name">#{person_name}</span>}
+        content_tag(:span, person_name, class: "commit-#{options[:source]}-name")
      else
        person_name
      end
@ -148,9 +148,9 @@ module CommitsHelper
    }

    if user.nil?
-      mail_to(source_email, text.html_safe, options)
+      mail_to(source_email, text, options)
    else
-      link_to(text.html_safe, user_path(user), options)
+      link_to(text, user_path(user), options)
    end
  end

--- a/changelogs/unreleased/fix-escape-commit-block.yml
+++ b/changelogs/unreleased/fix-escape-commit-block.yml
@ -0,0 +1,5 @@
+---
+title: Prevent a persistent XSS in the commit author block
+merge_request:
+author:
+type: security
--- a/spec/helpers/commits_helper_spec.rb
+++ b/spec/helpers/commits_helper_spec.rb
@ -12,6 +12,17 @@ describe CommitsHelper do
      expect(helper.commit_author_link(commit))
        .not_to include('onmouseover="alert(1)"')
    end
+
+    it 'escapes the author name' do
+      user = build_stubbed(:user, name: 'Foo <script>alert("XSS")</script>')
+
+      commit = double(author: user, author_name: '', author_email: '')
+
+      expect(helper.commit_author_link(commit))
+        .to include('Foo &lt;script&gt;')
+      expect(helper.commit_author_link(commit, avatar: true))
+        .to include('commit-author-name', 'Foo &lt;script&gt;')
+    end
  end

  describe 'commit_committer_link' do
@ -25,6 +36,17 @@ describe CommitsHelper do
      expect(helper.commit_committer_link(commit))
        .not_to include('onmouseover="alert(1)"')
    end
+
+    it 'escapes the commiter name' do
+      user = build_stubbed(:user, name: 'Foo <script>alert("XSS")</script>')
+
+      commit = double(committer: user, committer_name: '', committer_email: '')
+
+      expect(helper.commit_committer_link(commit))
+        .to include('Foo &lt;script&gt;')
+      expect(helper.commit_committer_link(commit, avatar: true))
+        .to include('commit-committer-name', 'Foo &lt;script&gt;')
+    end
  end

  describe '#view_on_environment_button' do