Merge branch 'security_issue_42029' into 'security-10-6'

Sanitizes user name to avoid XSS attacks See merge request gitlab/gitlabhq!2365

Merge branch 'security_issue_42029' into 'security-10-6'
bf86fba0 · Phil Hughes · Filipa Lacerda · 99845d95 · bf86fba0 · bf86fba0
Commit bf86fba0 authored Apr 18, 2018 by Phil Hughes Committed by Filipa Lacerda Apr 24, 2018
4 changed files
--- a/app/assets/javascripts/sidebar/lib/sidebar_move_issue.js
+++ b/app/assets/javascripts/sidebar/lib/sidebar_move_issue.js
+import _ from 'underscore';
+
 function isValidProjectId(id) {
  return id > 0;
 }
@@ -41,7 +43,7 @@ class SidebarMoveIssue {
      renderRow: project => `
        <li>
          <a href="#" class="js-move-issue-dropdown-item">
-            ${project.name_with_namespace}
+            ${_.escape(project.name_with_namespace)}
          </a>
        </li>
      `,

--- a/changelogs/unreleased/security_issue_42029.yml
+++ b/changelogs/unreleased/security_issue_42029.yml
+---
+title: Sanitizes user name to avoid XSS attacks
+merge_request:
+author:
+type: security
--- a/spec/javascripts/sidebar/mock_data.js
+++ b/spec/javascripts/sidebar/mock_data.js
@@ -130,7 +130,7 @@ const RESPONSE_MAP = {
        'name_with_namespace': 'No project',
      }, {
        'id': 20,
-        'name_with_namespace': 'foo / bar',
+        'name_with_namespace': '<img src=x onerror=alert(document.domain)> foo / bar',
      },
    ],
  },

--- a/spec/javascripts/sidebar/sidebar_move_issue_spec.js
+++ b/spec/javascripts/sidebar/sidebar_move_issue_spec.js
@@ -68,6 +68,15 @@ describe('SidebarMoveIssue', () => {

      expect($.fn.glDropdown).toHaveBeenCalled();
    });
+
+    it('escapes html from project name', (done) => {
+      this.$toggleButton.dropdown('toggle');
+
+      setTimeout(() => {
+        expect(this.$content.find('.js-move-issue-dropdown-item')[1].innerHTML.trim()).toEqual('&lt;img src=x onerror=alert(document.domain)&gt; foo / bar');
+        done();
+      });
+    });
  });

  describe('onConfirmClicked', () => {