From aa5a29806f359945ec3483906a4e40ec71362a61 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Wed, 30 Jun 2021 11:44:06 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@14-0-stable-ee

---
 app/assets/javascripts/behaviors/markdown/copy_as_gfm.js | 3 ++-
 app/controllers/ide_controller.rb                        | 6 ++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

(limited to 'app')

diff --git a/app/assets/javascripts/behaviors/markdown/copy_as_gfm.js b/app/assets/javascripts/behaviors/markdown/copy_as_gfm.js
index 9a8af79210e..19ebab36481 100644
--- a/app/assets/javascripts/behaviors/markdown/copy_as_gfm.js
+++ b/app/assets/javascripts/behaviors/markdown/copy_as_gfm.js
@@ -1,4 +1,5 @@
 import $ from 'jquery';
+import { sanitize } from '~/lib/dompurify';
 import { getSelectedFragment, insertText } from '~/lib/utils/common_utils';
 
 export class CopyAsGFM {
@@ -69,7 +70,7 @@ export class CopyAsGFM {
     } else {
       // Due to the async copy call we are not able to produce gfm so we transform the cached HTML
       const div = document.createElement('div');
-      div.innerHTML = gfmHtml;
+      div.innerHTML = sanitize(gfmHtml);
       CopyAsGFM.nodeToGFM(div)
         .then((transformedGfm) => {
           CopyAsGFM.insertPastedText(e.target, text, transformedGfm);
diff --git a/app/controllers/ide_controller.rb b/app/controllers/ide_controller.rb
index 4c7a91ee602..44beceb4f48 100644
--- a/app/controllers/ide_controller.rb
+++ b/app/controllers/ide_controller.rb
@@ -7,6 +7,8 @@ class IdeController < ApplicationController
   include StaticObjectExternalStorageCSP
   include Gitlab::Utils::StrongMemoize
 
+  before_action :authorize_read_project!
+
   before_action do
     push_frontend_feature_flag(:build_service_proxy)
     push_frontend_feature_flag(:schema_linting)
@@ -22,6 +24,10 @@ class IdeController < ApplicationController
 
   private
 
+  def authorize_read_project!
+    render_404 unless can?(current_user, :read_project, project)
+  end
+
   def define_index_vars
     return unless project
 
-- 
cgit v1.2.3
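Review bot: The fixed line still parses the clipboard HTML by assigning `innerHTML` on a live (if detached) element, so the whole defence now rests on the allow-list configured in `~/lib/dompurify`: any markup that wrapper lets through is instantiated with the same side effects (inline handlers such as `<img onerror>` fire on detached elements too) before `nodeToGFM` ever sees it. A cheap second layer is to parse into an inert document instead, `const doc = new DOMParser().parseFromString(sanitize(gfmHtml), 'text/html');` and pass `doc.body` to `CopyAsGFM.nodeToGFM(...)`, assuming that helper only walks DOM nodes — I cannot see it here, so please confirm. The line also deserves a why-comment, since the next reader will not know the value is untrusted: `// gfmHtml is read from the clipboard, which any page can populate; innerHTML runs inline handlers even on a detached element, so sanitize first.` A regression test that pastes an `onerror` payload through this branch would keep the fix from being reverted silently. The enclosing method begins and ends outside this hunk.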
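Review bot: `authorize_read_project!` calls `can?(current_user, :read_project, project)` even when `project` is nil, which `define_index_vars`'s `return unless project` suggests is a reachable state for the project-less IDE route; if I recall DeclarativePolicy correctly a nil subject is resolved through NilPolicy and denied, so that route would now answer 404 — confirm this is intended, or put `return unless project` first if the landing page must stay reachable (how `project` resolves `params[:project_id]` is not visible in this hunk). Answering 404 rather than 403 is the right choice because it does not confirm that a private project path exists; a one-line comment, `# 404 rather than 403 so the existence of a private project is not disclosed`, would make that deliberate. Request specs covering an anonymous user and a signed-in non-member against a private project path would pin the behaviour. `define_index_vars` continues past the end of this hunk.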