
gitlab.com/gitlab-org/gitlab-foss.git
author    Bob Van Landuyt <bob@gitlab.com>      2018-09-25 12:32:53 +0300
committer Bob Van Landuyt <bob@vanlanduyt.co>  2018-09-25 12:36:51 +0300
commit    14e45a03a6c38960c1888dab12c6f040345e8bb5 (patch)
tree      68e38ed9dd90abda06fdee0bbd344224df4c6d6d /app
parent    f8578ff3a13ab423e1970ba85a7149810e323aa9 (diff)
Merge branch 'security-package-json-xss-11-3' into 'security-11-3'

[11.3] Fix XSS vulnerability sourced from package.json's homepage

See merge request gitlab/gitlabhq!2508
Diffstat (limited to 'app')
-rw-r--r--  app/models/blob_viewer/package_json.rb | 3
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/app/models/blob_viewer/package_json.rb b/app/models/blob_viewer/package_json.rb
index d12dd93ce2e..7cae60a74d6 100644
--- a/app/models/blob_viewer/package_json.rb
+++ b/app/models/blob_viewer/package_json.rb
@@ -33,7 +33,8 @@ module BlobViewer
end
def homepage
- json_data['homepage']
+ url = json_data['homepage']
+ url if Gitlab::UrlSanitizer.valid?(url)
end
def npm_url
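Review bot: the fix makes `homepage` depend entirely on what `Gitlab::UrlSanitizer.valid?` accepts, so the hunk should come with a spec that pins that contract: a plain `http`/`https` homepage is returned unchanged, and a homepage whose scheme is not one a link should carry (the case the commit message calls out) yields `nil`. Without such a spec a later relaxation of `valid?` would silently reopen this bug in the blob viewer. Two smaller points on the same lines: `json_data['homepage']` is whatever the file contained, not necessarily a `String` (a `package.json` can hold an array or object under that key), so either `valid?` must tolerate non-string input or this method should guard with something like `url if url.is_a?(String) && Gitlab::UrlSanitizer.valid?(url)`; and the method now returns `nil` instead of the raw value for a rejected homepage, so any caller or view that previously assumed a string should be checked, and the same sanitisation should be applied to any other `json_data` value the viewer renders as a link.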