authorGitLab Bot <gitlab-bot@gitlab.com>2021-02-01 12:03:26 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2021-02-01 12:03:59 +0300
commit3faa16e1219541f4413df946fc98bc51761efd99 (patch)
treefedd7e8653aac962c42b6cda6a11e1948b337c5a
parent39b9de3e20e49178a95a040f763209298a684c09 (diff)
Add latest changes from gitlab-org/security/gitlab@13-6-stable-ee
-rw-r--r--app/assets/javascripts/vue_merge_request_widget/components/mr_widget_pipeline_container.vue3
-rw-r--r--changelogs/unreleased/security-sanitize-target-branch.yml5
-rw-r--r--spec/frontend/vue_mr_widget/components/mr_widget_pipeline_container_spec.js12
3 files changed, 19 insertions, 1 deletions
diff --git a/app/assets/javascripts/vue_merge_request_widget/components/mr_widget_pipeline_container.vue b/app/assets/javascripts/vue_merge_request_widget/components/mr_widget_pipeline_container.vue
index 55efd7e7d3b..953710ccbfc 100644
--- a/app/assets/javascripts/vue_merge_request_widget/components/mr_widget_pipeline_container.vue
+++ b/app/assets/javascripts/vue_merge_request_widget/components/mr_widget_pipeline_container.vue
@@ -1,5 +1,6 @@
<script>
import { isNumber } from 'lodash';
+import { sanitize } from '~/lib/dompurify';
import ArtifactsApp from './artifacts_list_app.vue';
import Deployment from './deployment/deployment.vue';
import MrWidgetContainer from './mr_widget_container.vue';
@@ -41,7 +42,7 @@ export default {
return this.isPostMerge ? this.mr.targetBranch : this.mr.sourceBranch;
},
branchLink() {
- return this.isPostMerge ? this.mr.targetBranch : this.mr.sourceBranchLink;
+ return this.isPostMerge ? sanitize(this.mr.targetBranch) : this.mr.sourceBranchLink;
},
deployments() {
return this.isPostMerge ? this.mr.postMergeDeployments : this.mr.deployments;
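Review bot: `sanitize()` on the new `branchLink` line strips active content but keeps whatever markup DOMPurify allows, so a target branch named e.g. `<b>main</b>` or `<a href="https://attacker.example">main</a>` — both valid git ref names, since they contain no spaces — would still be rendered as markup (and, if `~/lib/dompurify` keeps DOMPurify's default allow-list, as a live link) rather than as the literal branch name. Given that `targetBranch` is a plain name while `sourceBranchLink` is presumably server-rendered HTML, HTML-escaping renders the name verbatim and closes that gap: `import { escape, isNumber } from 'lodash';` and `return this.isPostMerge ? escape(this.mr.targetBranch) : this.mr.sourceBranchLink;`, with the spec expectation updated to the escaped string. Whichever approach is kept, the asymmetry between the two arms deserves a why-comment, e.g. `// targetBranch is a raw branch name; sourceBranchLink is (presumably) pre-rendered HTML from the server — TODO confirm`. The enclosing `export default { computed: … }` object starts and ends outside this hunk.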
diff --git a/changelogs/unreleased/security-sanitize-target-branch.yml b/changelogs/unreleased/security-sanitize-target-branch.yml
new file mode 100644
index 00000000000..9cf07fbfca4
--- /dev/null
+++ b/changelogs/unreleased/security-sanitize-target-branch.yml
@@ -0,0 +1,5 @@
+---
+title: Sanitize target branch on MR page
+merge_request:
+author:
+type: security
diff --git a/spec/frontend/vue_mr_widget/components/mr_widget_pipeline_container_spec.js b/spec/frontend/vue_mr_widget/components/mr_widget_pipeline_container_spec.js
index d67f1adadf2..e4da729bec6 100644
--- a/spec/frontend/vue_mr_widget/components/mr_widget_pipeline_container_spec.js
+++ b/spec/frontend/vue_mr_widget/components/mr_widget_pipeline_container_spec.js
@@ -78,6 +78,18 @@ describe('MrWidgetPipelineContainer', () => {
});
});
+ it('sanitizes the targetBranch', () => {
+ factory({
+ isPostMerge: true,
+ mr: {
+ ...mockStore,
+ targetBranch: 'Foo<script>alert("XSS")</script>',
+ },
+ });
+
+ expect(wrapper.find(MrWidgetPipeline).props().sourceBranchLink).toBe('Foo');
+ });
+
it('renders deployments', () => {
const expectedProps = mockStore.postMergeDeployments.map(dep =>
expect.objectContaining({
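Review bot: The new `sanitizes the targetBranch` case only pins that a `<script>` element is dropped; it says nothing about payloads DOMPurify treats differently, such as an event handler on an otherwise-allowed tag, so a regression to a weaker sanitizer or a config change in `~/lib/dompurify` that lets `onerror` through would still pass this spec. A second case with an `<img onerror=…>` payload that asserts the prop no longer contains `onerror` would cover that; I have not asserted the exact serialized output because it depends on the wrapper's DOMPurify configuration. The enclosing `describe('MrWidgetPipelineContainer', …)` starts outside this hunk.

```javascript
  // … unchanged: 'sanitizes the targetBranch' case …
  it('strips event handlers from the targetBranch', () => {
    factory({
      isPostMerge: true,
      mr: {
        ...mockStore,
        targetBranch: 'Foo<img src=x onerror=alert(1)>',
      },
    });

    const link = wrapper.find(MrWidgetPipeline).props().sourceBranchLink;
    expect(link).not.toContain('onerror');
    expect(link).toContain('Foo');
  });
```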