authorGitLab Bot <gitlab-bot@gitlab.com>2021-06-30 14:44:06 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2021-06-30 14:44:27 +0300
commitaa5a29806f359945ec3483906a4e40ec71362a61 (patch)
tree316da62ab44dcd8fbb4515d7b967605234613384 /app
parent16fa5cf183d9f59a66c1e258ce36cd3f09c8d3fd (diff)
Add latest changes from gitlab-org/security/gitlab@14-0-stable-ee
Diffstat (limited to 'app')
-rw-r--r--app/assets/javascripts/behaviors/markdown/copy_as_gfm.js3
-rw-r--r--app/controllers/ide_controller.rb6
2 files changed, 8 insertions, 1 deletions
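--- a/app/assets/javascripts/behaviors/markdown/copy_as_gfm.js
+++ b/app/assets/javascripts/behaviors/markdown/copy_as_gfm.js
@@ -1,4 +1,5 @@
 import $ from 'jquery';
+import { sanitize } from '~/lib/dompurify';
 import { getSelectedFragment, insertText } from '~/lib/utils/common_utils';
 export class CopyAsGFM {
@@ -69,7 +70,7 @@ export class CopyAsGFM {
 } else {
 // Due to the async copy call we are not able to produce gfm so we transform the cached HTML
 const div = document.createElement('div');
-div.innerHTML = gfmHtml;
+div.innerHTML = sanitize(gfmHtml);
 CopyAsGFM.nodeToGFM(div)
 .then((transformedGfm) => {
 CopyAsGFM.insertPastedText(e.target, text, transformedGfm);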
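Review bot: The new `div.innerHTML = sanitize(gfmHtml);` line carries no comment saying why the sanitize step is required, so a later refactor that parses the cached HTML some other way could silently drop it; a why-comment would pin the intent, e.g. `// gfmHtml is cached HTML the user copied, not server-rendered output; sanitize before parsing, since markup in even a detached element can carry active content.` The hunk does not show how `sanitize` from `~/lib/dompurify` is configured, so whether it strips everything this path needs stripped cannot be confirmed here; presumably it is the project's shared DOMPurify wrapper. The `if` branch paired with this `else`, and the handler that encloses both, start and end outside the hunk, as does the rest of the `.then` chain, so the other code path that consumes `gfmHtml` and the rejection handling are not reviewable from this hunk.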
diff --git a/app/controllers/ide_controller.rb b/app/controllers/ide_controller.rb
index 4c7a91ee602..44beceb4f48 100644
--- a/app/controllers/ide_controller.rb
+++ b/app/controllers/ide_controller.rb
@@ -7,6 +7,8 @@ class IdeController < ApplicationController
include StaticObjectExternalStorageCSP
include Gitlab::Utils::StrongMemoize
+ before_action :authorize_read_project!
+
before_action do
push_frontend_feature_flag(:build_service_proxy)
push_frontend_feature_flag(:schema_linting)
@@ -22,6 +24,10 @@ class IdeController < ApplicationController
private
+ def authorize_read_project!
+ render_404 unless can?(current_user, :read_project, project)
+ end
+
def define_index_vars
return unless project