Merge branch 'fix/escape-builds-commands-in-ci-linter' into 'security'

Escape HTML nodes in builds commands in ci linter

This MR removes call to `simple_format` that behaves like `String#html_safe`, thus it passes unescaped HTML tags to the view.

Closes #22541

See merge request !2001
Signed-off-by: Rémy Coutable <remy@rymai.me>

CHANGELOG

@@ -4,6 +4,7 @@ v 8.9.11
   - Respect the fork_project permission when forking projects
   - Set a restrictive CORS policy on the API for credentialed requests
   - API: disable rails session auth for non-GET/HEAD requests
+  - Escape HTML nodes in builds commands in CI linter
 
 v 8.9.10
   - Allow the Rails cookie to be used for API authentication.

app/views/ci/lints/_create.html.haml

@@ -16,8 +16,7 @@
             %tr
               %td #{stage.capitalize} Job - #{build[:name]}
               %td
-                %pre
-                  = simple_format build[:commands]
+                %pre= build[:commands]
 
                 %br
                 %b Tag list:

spec/views/ci/lints/show.html.haml_spec.rb

+require 'spec_helper'
+
+describe 'ci/lints/show' do
+  include Devise::TestHelpers
+
+  before do
+    assign(:status, true)
+    assign(:stages, %w[test])
+    assign(:builds, builds)
+  end
+
+  context 'when builds attrbiutes contain HTML nodes' do
+    let(:builds) do
+      [ { name: 'rspec', stage: 'test', commands: '<h1>rspec</h1>' } ]
+    end
+
+    it 'does not render HTML elements' do
+      render
+
+      expect(rendered).not_to have_css('h1', text: 'rspec')
+    end
+  end
+
+  context 'when builds attributes do not contain HTML nodes' do
+    let(:builds) do
+      [ { name: 'rspec', stage: 'test', commands: 'rspec' } ]
+    end
+
+    it 'shows configuration in the table' do
+      render
+
+      expect(rendered).to have_css('td pre', text: 'rspec')
+    end
+  end
+end