From 6a462cd732d9f6980be89877245fd32fde9f9b73 Mon Sep 17 00:00:00 2001
From: Felipe Artur Cardozo <fcardozo@gitlab.com>
Date: Tue, 24 Jul 2018 19:35:12 +0000
Subject: Merge branch 'security-security-11-0-ide-branch-name-xss-11-0' into
 'security-11-0'

[11.0] Fixed XSS in branch name in Web IDE

See merge request gitlab/gitlabhq!2432
---
 app/assets/javascripts/ide/components/commit_sidebar/actions.vue | 3 ++-
 changelogs/unreleased/security-ide-branch-name-xss.yml           | 5 +++++
 spec/javascripts/ide/components/commit_sidebar/actions_spec.js   | 8 ++++++++
 3 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/unreleased/security-ide-branch-name-xss.yml
diff --git a/app/assets/javascripts/ide/components/commit_sidebar/actions.vue b/app/assets/javascripts/ide/components/commit_sidebar/actions.vue
index b4f3778d946..a82d743fec2 100644
--- a/app/assets/javascripts/ide/components/commit_sidebar/actions.vue
+++ b/app/assets/javascripts/ide/components/commit_sidebar/actions.vue
@@ -1,4 +1,5 @@
 <script>
+import _ from 'underscore';
 import { mapActions, mapState, mapGetters } from 'vuex';
 import { sprintf, __ } from '~/locale';
 import * as consts from '../../stores/modules/commit/constants';
@@ -14,7 +15,7 @@ export default {
     commitToCurrentBranchText() {
       return sprintf(
         __('Commit to %{branchName} branch'),
-        { branchName: `<strong class="monospace">${this.currentBranchId}</strong>` },
+        { branchName: `<strong class="monospace">${_.escape(this.currentBranchId)}</strong>` },
         false,
       );
     },
diff --git a/changelogs/unreleased/security-ide-branch-name-xss.yml b/changelogs/unreleased/security-ide-branch-name-xss.yml
new file mode 100644
index 00000000000..51742ffa4e9
--- /dev/null
+++ b/changelogs/unreleased/security-ide-branch-name-xss.yml
@@ -0,0 +1,5 @@
+---
+title: Fixed XSS in branch name in Web IDE
+merge_request:
+author:
+type: security
diff --git a/spec/javascripts/ide/components/commit_sidebar/actions_spec.js b/spec/javascripts/ide/components/commit_sidebar/actions_spec.js
index 27f10caccb1..3a5d6c8a90b 100644
--- a/spec/javascripts/ide/components/commit_sidebar/actions_spec.js
+++ b/spec/javascripts/ide/components/commit_sidebar/actions_spec.js
@@ -46,4 +46,12 @@ describe('IDE commit sidebar actions', () => {
       done();
     });
   });
+
+  describe('commitToCurrentBranchText', () => {
+    it('escapes current branch', () => {
+      vm.$store.state.currentBranchId = '<img src="x" />';
+
+      expect(vm.commitToCurrentBranchText).not.toContain('<img src="x" />');
+    });
+  });
 });
-- 
cgit v1.2.3

