diff options
| author | Paul Slaughter <pslaughter@gitlab.com> | 2019-02-26 17:43:43 +0300 |
|---|---|---|
| committer | Paul Slaughter <pslaughter@gitlab.com> | 2019-03-21 19:04:59 +0300 |
| commit | 5f338ce9ebacfbf13daf435a845ce0b3da9c7e06 (patch) | |
| tree | c7b2f42496a7e031dca06fb4d4b4ae85b7999a36 | |
| parent | 2f25e43662addc546605cb161396a3fad299ecdb (diff) | |
Fix XSS in resolve conflicts form
The issue arose when the branch name contained Vue template
JavaScript. The fix is to use `v-pre` which disables Vue
compilation in a template.
3 files changed, 21 insertions, 1 deletions
diff --git a/app/views/projects/merge_requests/conflicts/_submit_form.html.haml b/app/views/projects/merge_requests/conflicts/_submit_form.html.haml index 8181267184a..55c89f137c5 100644 --- a/app/views/projects/merge_requests/conflicts/_submit_form.html.haml +++ b/app/views/projects/merge_requests/conflicts/_submit_form.html.haml @@ -6,7 +6,7 @@ .form-group.row .col-md-4 %h4= _('Resolve conflicts on source branch') - .resolve-info + .resolve-info{ "v-pre": true } = translation.html_safe .col-md-8 %label.label-bold{ "for" => "commit-message" } diff --git a/changelogs/unreleased/security-56927-xss-resolve-conflicts-branch-name.yml b/changelogs/unreleased/security-56927-xss-resolve-conflicts-branch-name.yml new file mode 100644 index 00000000000..f92d2c0dcb1 --- /dev/null +++ b/changelogs/unreleased/security-56927-xss-resolve-conflicts-branch-name.yml @@ -0,0 +1,5 @@ +--- +title: Fix XSS in resolve conflicts form +merge_request: +author: +type: security diff --git a/spec/features/merge_request/user_resolves_conflicts_spec.rb b/spec/features/merge_request/user_resolves_conflicts_spec.rb index 16c058ab6bd..8fd44b87e5a 100644 --- a/spec/features/merge_request/user_resolves_conflicts_spec.rb +++ b/spec/features/merge_request/user_resolves_conflicts_spec.rb @@ -164,6 +164,21 @@ describe 'Merge request > User resolves conflicts', :js do expect(page).to have_content('Gregor Samsa woke from troubled dreams') end end + + context "with malicious branch name" do + let(:bad_branch_name) { "malicious-branch-{{toString.constructor('alert(/xss/)')()}}" } + let(:branch) { project.repository.create_branch(bad_branch_name, 'conflict-resolvable') } + let(:merge_request) { create_merge_request(branch.name) } + + before do + visit project_merge_request_path(project, merge_request) + click_link('conflicts', href: %r{/conflicts\Z}) + end + + it "renders bad name without xss issues" do + expect(find('.resolve-conflicts-form .resolve-info')).to have_content(bad_branch_name) + end + end end UNRESOLVABLE_CONFLICTS = { |