From 33e4d44c11427a31ada41e7a0757d35f03d62ce7 Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Wed, 30 Jun 2021 11:42:13 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@14-0-stable-ee

---
 app/assets/javascripts/lib/utils/url_utility.js    | 24 ++++++++++++
 .../releases/components/app_edit_new.vue           |  9 ++++-
 app/models/audit_event.rb                          | 11 ++++++
 app/services/feature_flags/base_service.rb         |  6 +--
 app/services/feature_flags/create_service.rb       |  3 +-
 app/services/feature_flags/destroy_service.rb      |  2 +-
 app/services/feature_flags/update_service.rb       | 12 +++---
 spec/frontend/lib/utils/url_utility_spec.js        | 34 ++++++++++++++++
 .../releases/components/app_edit_new_spec.js       | 45 ++++++++++++++--------
 spec/models/audit_event_spec.rb                    | 12 ++++--
 spec/services/feature_flags/create_service_spec.rb | 12 +++---
 .../services/feature_flags/destroy_service_spec.rb |  2 +-
 spec/services/feature_flags/update_service_spec.rb | 12 +++---
 13 files changed, 140 insertions(+), 44 deletions(-)

diff --git a/app/assets/javascripts/lib/utils/url_utility.js b/app/assets/javascripts/lib/utils/url_utility.js
index 48abc072675..d68b41b7f7a 100644
--- a/app/assets/javascripts/lib/utils/url_utility.js
+++ b/app/assets/javascripts/lib/utils/url_utility.js
@@ -545,3 +545,27 @@ export function getURLOrigin(url) {
     return null;
   }
 }
+
+/**
+ * Returns `true` if the given `url` resolves to the same origin the page is served
+ * from; otherwise, returns `false`.
+ *
+ * The `url` may be absolute or relative.
+ *
+ * @param {string} url The URL to check.
+ * @returns {boolean}
+ */
+export function isSameOriginUrl(url) {
+  if (typeof url !== 'string') {
+    return false;
+  }
+
+  const { origin } = window.location;
+
+  try {
+    return new URL(url, origin).origin === origin;
+  } catch {
+    // Invalid URLs cannot have the same origin
+    return false;
+  }
+}
diff --git a/app/assets/javascripts/releases/components/app_edit_new.vue b/app/assets/javascripts/releases/components/app_edit_new.vue
index aecd0d6371e..3774f97a060 100644
--- a/app/assets/javascripts/releases/components/app_edit_new.vue
+++ b/app/assets/javascripts/releases/components/app_edit_new.vue
@@ -2,6 +2,7 @@
 import { GlButton, GlFormInput, GlFormGroup, GlSprintf } from '@gitlab/ui';
 import { mapState, mapActions, mapGetters } from 'vuex';
 import { getParameterByName } from '~/lib/utils/common_utils';
+import { isSameOriginUrl } from '~/lib/utils/url_utility';
 import { __ } from '~/locale';
 import MilestoneCombobox from '~/milestones/components/milestone_combobox.vue';
 import { BACK_URL_PARAM } from '~/releases/constants';
@@ -65,7 +66,13 @@ export default {
       },
     },
     cancelPath() {
-      return getParameterByName(BACK_URL_PARAM) || this.releasesPagePath;
+      const backUrl = getParameterByName(BACK_URL_PARAM);
+
+      if (isSameOriginUrl(backUrl)) {
+        return backUrl;
+      }
+
+      return this.releasesPagePath;
     },
     saveButtonLabel() {
       return this.isExistingRelease ? __('Save changes') : __('Create release');
diff --git a/app/models/audit_event.rb b/app/models/audit_event.rb
index aff7eef4622..11036b76fc1 100644
--- a/app/models/audit_event.rb
+++ b/app/models/audit_event.rb
@@ -32,6 +32,9 @@ class AuditEvent < ApplicationRecord
   scope :by_author_id, -> (author_id) { where(author_id: author_id) }
 
   after_initialize :initialize_details
+
+  before_validation :sanitize_message
+
   # Note: The intention is to remove this once refactoring of AuditEvent
   # has proceeded further.
   #
@@ -83,6 +86,14 @@ class AuditEvent < ApplicationRecord
 
   private
 
+  def sanitize_message
+    message = details[:custom_message]
+
+    return unless message
+
+    self.details = details.merge(custom_message: Sanitize.clean(message))
+  end
+
   def default_author_value
     ::Gitlab::Audit::NullAuthor.for(author_id, (self[:author_name] || details[:author_name]))
   end
diff --git a/app/services/feature_flags/base_service.rb b/app/services/feature_flags/base_service.rb
index f48f95e2550..d041703803b 100644
--- a/app/services/feature_flags/base_service.rb
+++ b/app/services/feature_flags/base_service.rb
@@ -49,9 +49,9 @@ module FeatureFlags
     end
 
     def created_scope_message(scope)
-      "Created rule <strong>#{scope.environment_scope}</strong> "\
-      "and set it as <strong>#{scope.active ? "active" : "inactive"}</strong> "\
-      "with strategies <strong>#{scope.strategies}</strong>."
+      "Created rule #{scope.environment_scope} "\
+      "and set it as #{scope.active ? "active" : "inactive"} "\
+      "with strategies #{scope.strategies}."
     end
 
     def feature_flag_by_name
diff --git a/app/services/feature_flags/create_service.rb b/app/services/feature_flags/create_service.rb
index de3a55d10fc..5c87af561d5 100644
--- a/app/services/feature_flags/create_service.rb
+++ b/app/services/feature_flags/create_service.rb
@@ -22,8 +22,7 @@ module FeatureFlags
     private
 
     def audit_message(feature_flag)
-      message_parts = ["Created feature flag <strong>#{feature_flag.name}</strong>",
-                       "with description <strong>\"#{feature_flag.description}\"</strong>."]
+      message_parts = ["Created feature flag #{feature_flag.name} with description \"#{feature_flag.description}\"."]
 
       message_parts += feature_flag.scopes.map do |scope|
         created_scope_message(scope)
diff --git a/app/services/feature_flags/destroy_service.rb b/app/services/feature_flags/destroy_service.rb
index c77e3e03ec3..b131a349fc7 100644
--- a/app/services/feature_flags/destroy_service.rb
+++ b/app/services/feature_flags/destroy_service.rb
@@ -23,7 +23,7 @@ module FeatureFlags
     end
 
     def audit_message(feature_flag)
-      "Deleted feature flag <strong>#{feature_flag.name}</strong>."
+      "Deleted feature flag #{feature_flag.name}."
     end
 
     def can_destroy?(feature_flag)
diff --git a/app/services/feature_flags/update_service.rb b/app/services/feature_flags/update_service.rb
index d956d4b3357..f5ab6f4005b 100644
--- a/app/services/feature_flags/update_service.rb
+++ b/app/services/feature_flags/update_service.rb
@@ -45,14 +45,14 @@ module FeatureFlags
 
       return if changes.empty?
 
-      "Updated feature flag <strong>#{feature_flag.name}</strong>. " + changes.join(" ")
+      "Updated feature flag #{feature_flag.name}. " + changes.join(" ")
     end
 
     def changed_attributes_messages(feature_flag)
       feature_flag.changes.slice(*AUDITABLE_ATTRIBUTES).map do |attribute_name, changes|
         "Updated #{attribute_name} "\
-        "from <strong>\"#{changes.first}\"</strong> to "\
-        "<strong>\"#{changes.second}\"</strong>."
+        "from \"#{changes.first}\" to "\
+        "\"#{changes.second}\"."
       end
     end
 
@@ -69,17 +69,17 @@ module FeatureFlags
     end
 
     def deleted_scope_message(scope)
-      "Deleted rule <strong>#{scope.environment_scope}</strong>."
+      "Deleted rule #{scope.environment_scope}."
     end
 
     def updated_scope_message(scope)
       changes = scope.changes.slice(*AUDITABLE_SCOPE_ATTRIBUTES_HUMAN_NAMES.keys)
       return if changes.empty?
 
-      message = "Updated rule <strong>#{scope.environment_scope}</strong> "
+      message = "Updated rule #{scope.environment_scope} "
       message += changes.map do |attribute_name, change|
         name = AUDITABLE_SCOPE_ATTRIBUTES_HUMAN_NAMES[attribute_name]
-        "#{name} from <strong>#{change.first}</strong> to <strong>#{change.second}</strong>"
+        "#{name} from #{change.first} to #{change.second}"
       end.join(' ')
 
       message + '.'
diff --git a/spec/frontend/lib/utils/url_utility_spec.js b/spec/frontend/lib/utils/url_utility_spec.js
index 305d3de3c53..31c78681994 100644
--- a/spec/frontend/lib/utils/url_utility_spec.js
+++ b/spec/frontend/lib/utils/url_utility_spec.js
@@ -1,3 +1,4 @@
+import { TEST_HOST } from 'helpers/test_constants';
 import * as urlUtils from '~/lib/utils/url_utility';
 
 const shas = {
@@ -923,4 +924,37 @@ describe('URL utility', () => {
       expect(urlUtils.encodeSaferUrl(input)).toBe(input);
     });
   });
+
+  describe('isSameOriginUrl', () => {
+    // eslint-disable-next-line no-script-url
+    const javascriptUrl = 'javascript:alert(1)';
+
+    beforeEach(() => {
+      setWindowLocation({ origin: TEST_HOST });
+    });
+
+    it.each`
+      url                                | expected
+      ${TEST_HOST}                       | ${true}
+      ${`${TEST_HOST}/a/path`}           | ${true}
+      ${'//test.host/no-protocol'}       | ${true}
+      ${'/a/root/relative/path'}         | ${true}
+      ${'a/relative/path'}               | ${true}
+      ${'#hash'}                         | ${true}
+      ${'?param=foo'}                    | ${true}
+      ${''}                              | ${true}
+      ${'../../../'}                     | ${true}
+      ${`${TEST_HOST}:8080/wrong-port`}  | ${false}
+      ${'ws://test.host/wrong-protocol'} | ${false}
+      ${'http://phishing.test'}          | ${false}
+      ${'//phishing.test'}               | ${false}
+      ${'//invalid:url'}                 | ${false}
+      ${javascriptUrl}                   | ${false}
+      ${'data:,Hello%2C%20World%21'}     | ${false}
+      ${null}                            | ${false}
+      ${undefined}                       | ${false}
+    `('returns $expected given $url', ({ url, expected }) => {
+      expect(urlUtils.isSameOriginUrl(url)).toBe(expected);
+    });
+  });
 });
diff --git a/spec/frontend/releases/components/app_edit_new_spec.js b/spec/frontend/releases/components/app_edit_new_spec.js
index 65ed6d6166f..748b48dacaa 100644
--- a/spec/frontend/releases/components/app_edit_new_spec.js
+++ b/spec/frontend/releases/components/app_edit_new_spec.js
@@ -4,6 +4,7 @@ import MockAdapter from 'axios-mock-adapter';
 import { merge } from 'lodash';
 import Vuex from 'vuex';
 import { getJSONFixture } from 'helpers/fixtures';
+import { TEST_HOST } from 'helpers/test_constants';
 import * as commonUtils from '~/lib/utils/common_utils';
 import ReleaseEditNewApp from '~/releases/components/app_edit_new.vue';
 import AssetLinksForm from '~/releases/components/asset_links_form.vue';
@@ -11,6 +12,7 @@ import { BACK_URL_PARAM } from '~/releases/constants';
 
 const originalRelease = getJSONFixture('api/releases/release.json');
 const originalMilestones = originalRelease.milestones;
+const releasesPagePath = 'path/to/releases/page';
 
 describe('Release edit/new component', () => {
   let wrapper;
@@ -24,7 +26,7 @@ describe('Release edit/new component', () => {
     state = {
       release,
       markdownDocsPath: 'path/to/markdown/docs',
-      releasesPagePath: 'path/to/releases/page',
+      releasesPagePath,
       projectId: '8',
       groupId: '42',
       groupMilestonesAvailable: true,
@@ -75,6 +77,8 @@ describe('Release edit/new component', () => {
   };
 
   beforeEach(() => {
+    global.jsdom.reconfigure({ url: TEST_HOST });
+
     mock = new MockAdapter(axios);
     gon.api_version = 'v4';
 
@@ -146,22 +150,33 @@ describe('Release edit/new component', () => {
     });
   });
 
-  describe(`when the URL contains a "${BACK_URL_PARAM}" parameter`, () => {
-    const backUrl = 'https://example.gitlab.com/back/url';
-
-    beforeEach(async () => {
-      commonUtils.getParameterByName = jest
-        .fn()
-        .mockImplementation((paramToGet) => ({ [BACK_URL_PARAM]: backUrl }[paramToGet]));
+  // eslint-disable-next-line no-script-url
+  const xssBackUrl = 'javascript:alert(1)';
+  describe.each`
+    backUrl                            | expectedHref
+    ${`${TEST_HOST}/back/url`}         | ${`${TEST_HOST}/back/url`}
+    ${`/back/url?page=2`}              | ${`/back/url?page=2`}
+    ${`back/url?page=3`}               | ${`back/url?page=3`}
+    ${'http://phishing.test/back/url'} | ${releasesPagePath}
+    ${'//phishing.test/back/url'}      | ${releasesPagePath}
+    ${xssBackUrl}                      | ${releasesPagePath}
+  `(
+    `when the URL contains a "${BACK_URL_PARAM}=$backUrl" parameter`,
+    ({ backUrl, expectedHref }) => {
+      beforeEach(async () => {
+        global.jsdom.reconfigure({
+          url: `${TEST_HOST}?${BACK_URL_PARAM}=${encodeURIComponent(backUrl)}`,
+        });
 
-      await factory();
-    });
+        await factory();
+      });
 
-    it('renders a "Cancel" button with an href pointing to the main Releases page', () => {
-      const cancelButton = wrapper.find('.js-cancel-button');
-      expect(cancelButton.attributes().href).toBe(backUrl);
-    });
-  });
+      it(`renders a "Cancel" button with an href pointing to ${expectedHref}`, () => {
+        const cancelButton = wrapper.find('.js-cancel-button');
+        expect(cancelButton.attributes().href).toBe(expectedHref);
+      });
+    },
+  );
 
   describe('when creating a new release', () => {
     beforeEach(async () => {
diff --git a/spec/models/audit_event_spec.rb b/spec/models/audit_event_spec.rb
index 5c87c2e68db..bc603bc5ab6 100644
--- a/spec/models/audit_event_spec.rb
+++ b/spec/models/audit_event_spec.rb
@@ -3,9 +3,6 @@
 require 'spec_helper'
 
 RSpec.describe AuditEvent do
-  let_it_be(:audit_event) { create(:project_audit_event) }
-  subject { audit_event }
-
   describe 'validations' do
     include_examples 'validates IP address' do
       let(:attribute) { :ip_address }
@@ -13,6 +10,15 @@ RSpec.describe AuditEvent do
     end
   end
 
+  it 'sanitizes custom_message in the details hash' do
+    audit_event = create(:project_audit_event, details: { target_id: 678, custom_message: '<strong>Arnold</strong>' })
+
+    expect(audit_event.details).to include(
+      target_id: 678,
+      custom_message: 'Arnold'
+    )
+  end
+
   describe '#as_json' do
     context 'ip_address' do
       subject { build(:group_audit_event, ip_address: '192.168.1.1').as_json }
diff --git a/spec/services/feature_flags/create_service_spec.rb b/spec/services/feature_flags/create_service_spec.rb
index 2e0c162ebc1..4eb2b25fb64 100644
--- a/spec/services/feature_flags/create_service_spec.rb
+++ b/spec/services/feature_flags/create_service_spec.rb
@@ -68,12 +68,12 @@ RSpec.describe FeatureFlags::CreateService do
       end
 
       it 'creates audit event' do
-        expected_message = 'Created feature flag <strong>feature_flag</strong> '\
-                           'with description <strong>"description"</strong>. '\
-                           'Created rule <strong>*</strong> and set it as <strong>active</strong> '\
-                           'with strategies <strong>[{"name"=>"default", "parameters"=>{}}]</strong>. '\
-                           'Created rule <strong>production</strong> and set it as <strong>inactive</strong> '\
-                           'with strategies <strong>[{"name"=>"default", "parameters"=>{}}]</strong>.'
+        expected_message = 'Created feature flag feature_flag '\
+                           'with description "description". '\
+                           'Created rule * and set it as active '\
+                           'with strategies [{"name"=&gt;"default", "parameters"=&gt;{}}]. '\
+                           'Created rule production and set it as inactive '\
+                           'with strategies [{"name"=&gt;"default", "parameters"=&gt;{}}].'
 
         expect { subject }.to change { AuditEvent.count }.by(1)
         expect(AuditEvent.last.details[:custom_message]).to eq(expected_message)
diff --git a/spec/services/feature_flags/destroy_service_spec.rb b/spec/services/feature_flags/destroy_service_spec.rb
index ee30474873c..d3796ef6b4d 100644
--- a/spec/services/feature_flags/destroy_service_spec.rb
+++ b/spec/services/feature_flags/destroy_service_spec.rb
@@ -33,7 +33,7 @@ RSpec.describe FeatureFlags::DestroyService do
 
     it 'creates audit log' do
       expect { subject }.to change { AuditEvent.count }.by(1)
-      expect(audit_event_message).to eq("Deleted feature flag <strong>#{feature_flag.name}</strong>.")
+      expect(audit_event_message).to eq("Deleted feature flag #{feature_flag.name}.")
     end
 
     context 'when user is reporter' do
diff --git a/spec/services/feature_flags/update_service_spec.rb b/spec/services/feature_flags/update_service_spec.rb
index d838549891a..4858139d60a 100644
--- a/spec/services/feature_flags/update_service_spec.rb
+++ b/spec/services/feature_flags/update_service_spec.rb
@@ -38,9 +38,9 @@ RSpec.describe FeatureFlags::UpdateService do
 
       expect { subject }.to change { AuditEvent.count }.by(1)
       expect(audit_event_message).to(
-        eq("Updated feature flag <strong>new_name</strong>. "\
-           "Updated name from <strong>\"#{name_was}\"</strong> "\
-           "to <strong>\"new_name\"</strong>.")
+        eq("Updated feature flag new_name. "\
+           "Updated name from \"#{name_was}\" "\
+           "to \"new_name\".")
       )
     end
 
@@ -94,8 +94,8 @@ RSpec.describe FeatureFlags::UpdateService do
       it 'creates audit event with changed description' do
         expect { subject }.to change { AuditEvent.count }.by(1)
         expect(audit_event_message).to(
-          include("Updated description from <strong>\"\"</strong>"\
-                  " to <strong>\"new description\"</strong>.")
+          include("Updated description from \"\""\
+                  " to \"new description\".")
         )
       end
     end
@@ -110,7 +110,7 @@ RSpec.describe FeatureFlags::UpdateService do
       it 'creates audit event about changing active state' do
         expect { subject }.to change { AuditEvent.count }.by(1)
         expect(audit_event_message).to(
-          include('Updated active from <strong>"true"</strong> to <strong>"false"</strong>.')
+          include('Updated active from "true" to "false".')
         )
       end
 
-- 
cgit v1.2.3