Merge branch 'security-49085-persistent-xss-rendering' into 'master'

[master] Fixed persistent XSS rendering/escaping of diff location lines See merge request gitlab/gitlabhq!2463
author: José Iván Vargas López <jvargas@gitlab.com> 2018-08-29 00:27:31 +0300
committer: José Iván Vargas López <jvargas@gitlab.com> 2018-08-29 00:27:31 +0300
commit: 365217eb9a3272133b6db53726d443f1eb126cde (patch)
tree: 3952a78821253ae526b11e7fc1843bd8fe4e2a2b /spec/features/merge_request
parent: 1df7360ff945fe0004e1a7f13fe77fc4b3018f98 (diff)
parent: aa73b3e19b740ec779780e9e7a0528fc9e20e8ee (diff)
1 files changed, 54 insertions, 0 deletions
diff --git a/spec/features/merge_request/user_sees_diff_spec.rb b/spec/features/merge_request/user_sees_diff_spec.rb
index d6e7ff33d5d..0c15febe8df 100644
--- a/spec/features/merge_request/user_sees_diff_spec.rb
+++ b/spec/features/merge_request/user_sees_diff_spec.rb
@@ -2,6 +2,7 @@ require 'rails_helper'
 
 describe 'Merge request > User sees diff', :js do
   include ProjectForksHelper
+  include RepoHelpers
 
   let(:project) { create(:project, :public, :repository) }
   let(:merge_request) { create(:merge_request, source_project: project) }
@@ -81,5 +82,58 @@ describe 'Merge request > User sees diff', :js do
         expect(page).to have_selector('.js-cancel-fork-suggestion-button', count: 1)
       end
     end
+
+    context 'when file contains html' do
+      let(:current_user) { project.owner }
+      let(:branch_name) {"test_branch"}
+
+      def create_file(branch_name, file_name, content)
+        Files::CreateService.new(
+          project,
+          current_user,
+          start_branch: branch_name,
+          branch_name: branch_name,
+          commit_message: "Create file",
+          file_path: file_name,
+          file_content: content
+        ).execute
+
+        project.commit(branch_name)
+      end
+
+      it 'escapes any HTML special characters in the diff chunk header' do
+        file_content =
+          <<~CONTENT
+          function foo<input> {
+            let a = 1;
+            let b = 2;
+            let c = 3;
+            let d = 3;
+          }
+        CONTENT
+
+        new_file_content =
+          <<~CONTENT
+          function foo<input> {
+            let a = 1;
+            let b = 2;
+            let c = 3;
+            let x = 3;
+          }
+        CONTENT
+
+        file_name = 'xss_file.txt'
+
+        create_file('master', file_name, file_content)
+        merge_request = create(:merge_request, source_project: project)
+        create_file(merge_request.source_branch, file_name, new_file_content)
+
+        project.commit(merge_request.source_branch)
+
+        visit diffs_project_merge_request_path(project, merge_request)
+
+        expect(page).to have_text("function foo<input> {")
+      end
+    end
   end
 end
author	José Iván Vargas López <jvargas@gitlab.com>	2018-08-29 00:27:31 +0300
committer	José Iván Vargas López <jvargas@gitlab.com>	2018-08-29 00:27:31 +0300
commit	365217eb9a3272133b6db53726d443f1eb126cde (patch)
tree	3952a78821253ae526b11e7fc1843bd8fe4e2a2b /spec/features/merge_request
parent	1df7360ff945fe0004e1a7f13fe77fc4b3018f98 (diff)
parent	aa73b3e19b740ec779780e9e7a0528fc9e20e8ee (diff)