Merge branch 'html-safe-diff-line-content' into 'security'

Don't accidentally mark unsafe diff lines as HTML safe Fixes potential XSS issue when a legacy diff note is created on a merge request whose diff contained HTML See https://gitlab.com/gitlab-org/gitlab-ce/issues/25249 See merge request !2040

Merge branch 'html-safe-diff-line-content' into 'security'
edf7dbfa · Robert Speicher · Alejandro Rodríguez · 6e1b52b8 · edf7dbfa · edf7dbfa
Commit edf7dbfa authored Dec 02, 2016 by Robert Speicher Committed by Alejandro Rodríguez Dec 08, 2016
Showing with 56 additions and 7 deletions

diff_helper.rb app/helpers/diff_helper.rb +3 -1

html-safe-diff-line-content.yml changelogs/unreleased/html-safe-diff-line-content.yml +4 -0

diff_helper_spec.rb spec/helpers/diff_helper_spec.rb +49 -6

No files found.
--- a/app/helpers/diff_helper.rb
+++ b/app/helpers/diff_helper.rb
@@ -55,7 +55,9 @@ module DiffHelper
    if line.blank?
      "&nbsp;".html_safe
    else
-      line.sub(/^[\-+ ]/, '').html_safe
+      # We can't use `sub` because the HTML-safeness of `line` will not survive.
+      line[0] = '' if line.start_with?('+', '-', ' ')
+      line
    end
  end


--- a/changelogs/unreleased/html-safe-diff-line-content.yml
+++ b/changelogs/unreleased/html-safe-diff-line-content.yml
+---
+title: Don't accidentally mark unsafe diff lines as HTML safe
+merge_request: 
+author: 
--- a/spec/helpers/diff_helper_spec.rb
+++ b/spec/helpers/diff_helper_spec.rb
@@ -60,15 +60,58 @@ describe DiffHelper do
  end

  describe '#diff_line_content' do
-    it 'returns non breaking space when line is empty' do
+    context 'when the line is empty' do
+      it 'returns a non breaking space' do
        expect(diff_line_content(nil)).to eq('&nbsp;')
      end

-    it 'returns the line itself' do
-      expect(diff_line_content(diff_file.diff_lines.first.text)).
-        to eq('@@ -6,12 +6,18 @@ module Popen')
-      expect(diff_line_content(diff_file.diff_lines.first.type)).to eq('match')
-      expect(diff_file.diff_lines.first.new_pos).to eq(6)
+      it 'returns an HTML-safe string' do
+        expect(diff_line_content(nil)).to be_html_safe
+      end
+    end
+
+    context 'when the line is not empty' do
+      context 'when the line starts with +, -, or a space' do
+        it 'strips the first character' do
+          expect(diff_line_content('+new line')).to eq('new line')
+          expect(diff_line_content('-new line')).to eq('new line')
+          expect(diff_line_content(' new line')).to eq('new line')
+        end
+
+        context 'when the line is HTML-safe' do
+          it 'returns an HTML-safe string' do
+            expect(diff_line_content('+new line'.html_safe)).to be_html_safe
+            expect(diff_line_content('-new line'.html_safe)).to be_html_safe
+            expect(diff_line_content(' new line'.html_safe)).to be_html_safe
+          end
+        end
+
+        context 'when the line is not HTML-safe' do
+          it 'returns a non-HTML-safe string' do
+            expect(diff_line_content('+new line')).not_to be_html_safe
+            expect(diff_line_content('-new line')).not_to be_html_safe
+            expect(diff_line_content(' new line')).not_to be_html_safe
+          end
+        end
+      end
+
+      context 'when the line does not start with a +, -, or a space' do
+        it 'returns the string' do
+          expect(diff_line_content('@@ -6,12 +6,18 @@ module Popen')).to eq('@@ -6,12 +6,18 @@ module Popen')
+        end
+
+        context 'when the line is HTML-safe' do
+          it 'returns an HTML-safe string' do
+            expect(diff_line_content('@@ -6,12 +6,18 @@ module Popen'.html_safe)).to be_html_safe
+          end
+        end
+
+        context 'when the line is not HTML-safe' do
+          it 'returns a non-HTML-safe string' do
+            expect(diff_line_content('@@ -6,12 +6,18 @@ module Popen')).not_to be_html_safe
+          end
+        end
+      end
    end
  end