Merge branch 'ac/41346-xss-ci-job-output-backport-10-2' into 'security-10-2'

[10.2] Fix XSS vulnerability in Pipeline job trace - backport 10 2 See merge request gitlab/gitlabhq!2260 (cherry picked from commit 4ba826b5df561e85f6fdfc86c20779b1a91b598b) b890d809 Fix XSS vulnerability in Pipeline job trace

Merge branch 'ac/41346-xss-ci-job-output-backport-10-2' into 'security-10-2'
6ae14819 · Robert Speicher · Tiago Botelho · 43100ddc · 6ae14819 · 6ae14819
Commit 6ae14819 authored Dec 22, 2017 by Robert Speicher Committed by Tiago Botelho Jan 08, 2018
Showing with 57 additions and 5 deletions

ac-41346-xss-ci-job-output.yml changelogs/unreleased/ac-41346-xss-ci-job-output.yml +5 -0

regex.rb lib/gitlab/regex.rb +1 -1

ansi2html_spec.rb spec/lib/gitlab/ci/ansi2html_spec.rb +51 -4

No files found.
--- a/changelogs/unreleased/ac-41346-xss-ci-job-output.yml
+++ b/changelogs/unreleased/ac-41346-xss-ci-job-output.yml
+---
+title: Fix XSS vulnerability in pipeline job trace
+merge_request:
+author:
+type: security
--- a/lib/gitlab/regex.rb
+++ b/lib/gitlab/regex.rb
@@ -67,7 +67,7 @@ module Gitlab
    end

    def build_trace_section_regex
-      @build_trace_section_regexp ||= /section_((?:start)|(?:end)):(\d+):([^\r]+)\r\033\[0K/.freeze
+      @build_trace_section_regexp ||= /section_((?:start)|(?:end)):(\d+):([a-zA-Z0-9_.-]+)\r\033\[0K/.freeze
    end
  end
 end
--- a/spec/lib/gitlab/ci/ansi2html_spec.rb
+++ b/spec/lib/gitlab/ci/ansi2html_spec.rb
@@ -213,11 +213,58 @@ describe Gitlab::Ci::Ansi2html do
      "#{section_end[0...-5]}</div>"
    end

-    it "prints light red" do
-      text = "#{section_start}\e[91mHello\e[0m\n#{section_end}"
-      html = %{#{section_start_html}<span class="term-fg-l-red">Hello</span><br>#{section_end_html}}
+    shared_examples 'forbidden char in section_name' do
+      it 'ignores sections' do
+        text = "#{section_start}Some text#{section_end}"
+        html = text.gsub("\033[0K", '').gsub('<', '&lt;')

-      expect(convert_html(text)).to eq(html)
+        expect(convert_html(text)).to eq(html)
+      end
+    end
+
+    shared_examples 'a legit section' do
+      let(:text) { "#{section_start}Some text#{section_end}" }
+
+      it 'prints light red' do
+        text = "#{section_start}\e[91mHello\e[0m\n#{section_end}"
+        html = %{#{section_start_html}<span class="term-fg-l-red">Hello</span><br>#{section_end_html}}
+
+        expect(convert_html(text)).to eq(html)
+      end
+
+      it 'begins with a section_start html marker' do
+        expect(convert_html(text)).to start_with(section_start_html)
+      end
+
+      it 'ends with a section_end html marker' do
+        expect(convert_html(text)).to end_with(section_end_html)
+      end
+    end
+
+    it_behaves_like 'a legit section'
+
+    context 'section name includes $' do
+      let(:section_name) { 'my_$ection'}
+
+      it_behaves_like 'forbidden char in section_name'
+    end
+
+    context 'section name includes <' do
+      let(:section_name) { '<a_tag>'}
+
+      it_behaves_like 'forbidden char in section_name'
+    end
+
+    context 'section name contains .-_' do
+      let(:section_name) { 'a.Legit-SeCtIoN_namE' }
+
+      it_behaves_like 'a legit section'
+    end
+
+    it 'do not allow XSS injections' do
+      text = "#{section_start}section_end:1:2<script>alert('XSS Hack!');</script>#{section_end}"
+
+      expect(convert_html(text)).not_to include('<script>')
    end
  end