From 54564e79d311f06cbf279d137d6d517efc5c9fb2 Mon Sep 17 00:00:00 2001
From: Heinrich Lee Yu <heinrich@gitlab.com>
Date: Sat, 26 Oct 2019 14:06:59 +0800
Subject: Escape namespace in label references

When referencing cross-namespace labels, we append the namespace name
to the rendered label.

This MR escapes the name to prevent XSS attacks.
---
 changelogs/unreleased/security-fix-xss-in-label-namespace.yml | 5 +++++
 lib/banzai/filter/label_reference_filter.rb                   | 2 +-
 spec/lib/banzai/filter/label_reference_filter_spec.rb         | 9 +++++++++
 3 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/unreleased/security-fix-xss-in-label-namespace.yml

diff --git a/changelogs/unreleased/security-fix-xss-in-label-namespace.yml b/changelogs/unreleased/security-fix-xss-in-label-namespace.yml
new file mode 100644
index 00000000000..342cf3e68cb
--- /dev/null
+++ b/changelogs/unreleased/security-fix-xss-in-label-namespace.yml
@@ -0,0 +1,5 @@
+---
+title: Escape namespace in label references to prevent XSS
+merge_request:
+author:
+type: security
diff --git a/lib/banzai/filter/label_reference_filter.rb b/lib/banzai/filter/label_reference_filter.rb
index db620c65237..609ea8fb5ca 100644
--- a/lib/banzai/filter/label_reference_filter.rb
+++ b/lib/banzai/filter/label_reference_filter.rb
@@ -89,7 +89,7 @@ module Banzai
           parent_from_ref = from_ref_cached(project_path)
           reference       = parent_from_ref.to_human_reference(parent)
 
-          label_suffix = " <i>in #{reference}</i>" if reference.present?
+          label_suffix = " <i>in #{ERB::Util.html_escape(reference)}</i>" if reference.present?
         end
 
         presenter = object.present(issuable_subject: parent)
diff --git a/spec/lib/banzai/filter/label_reference_filter_spec.rb b/spec/lib/banzai/filter/label_reference_filter_spec.rb
index 35e99d2586e..66af26bc51c 100644
--- a/spec/lib/banzai/filter/label_reference_filter_spec.rb
+++ b/spec/lib/banzai/filter/label_reference_filter_spec.rb
@@ -521,6 +521,15 @@ describe Banzai::Filter::LabelReferenceFilter do
 
       expect(reference_filter(act).to_html).to eq exp
     end
+
+    context 'when group name has HTML entities' do
+      let(:another_group) { create(:group, name: '<img src=x onerror=alert(1)>', path: 'another_group') }
+
+      it 'escapes the HTML entities' do
+        expect(result.text)
+          .to eq "See #{group_label.name} in #{another_project.full_name}"
+      end
+    end
   end
 
   describe 'cross-project / same-group_label complete reference' do
-- 
cgit v1.2.3