Commit 2c9cd67f authored by Douwe Maan's avatar Douwe Maan Committed by Rémy Coutable

Merge branch 'rs-issue-15126' into 'master'

Remove persistent XSS vulnerability in `commit_person_link` helper

Because we were incorrectly supplying the tooltip title as
`data-original-title` (which Bootstrap's Tooltip JS automatically
applies based on the `title` attribute; we should never be setting it
directly), the value was being passed through as-is.

Instead, we should be supplying the normal `title` attribute and letting
Rails escape the value, which also negates the need for us to call
`sanitize` on it.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15126

See merge request !1948
Signed-off-by: default avatarRémy Coutable <remy@rymai.me>
parent 93e923fc
Please view this file on the master branch, on stable branches it's out of date.
v 8.5.11
- No changes
- Fix persistent XSS vulnerability in `commit_person_link` helper
v 8.5.10
- Fix a 2FA authentication spoofing vulnerability.
......
......@@ -183,7 +183,7 @@ module CommitsHelper
options = {
class: "commit-#{options[:source]}-link has_tooltip",
data: { 'original-title'.to_sym => sanitize(source_email) }
title: source_email
}
if user.nil?
......
......@@ -46,7 +46,7 @@ module ProjectsHelper
link_to(author_html, user_path(author), class: "author_link").html_safe
else
title = opts[:title].sub(":name", sanitize(author.name))
link_to(author_html, user_path(author), class: "author_link has_tooltip", data: { 'original-title'.to_sym => title, container: 'body' } ).html_safe
link_to(author_html, user_path(author), class: "author_link has_tooltip", title: title, data: { container: 'body' } ).html_safe
end
end
......
......@@ -29,8 +29,9 @@ class Spinach::Features::ProjectCommitsUserLookup < Spinach::FeatureSteps
def check_author_link(email, user)
author_link = find('.commit-author-link')
expect(author_link['href']).to eq user_path(user)
expect(author_link['data-original-title']).to eq email
expect(author_link['title']).to eq email
expect(find('.commit-author-name').text).to eq user.name
end
......
require 'rails_helper'
describe CommitsHelper do
describe 'commit_author_link' do
it 'escapes the author email' do
commit = double(
author: nil,
author_name: 'Persistent XSS',
author_email: 'my@email.com" onmouseover="alert(1)'
)
expect(helper.commit_author_link(commit)).
not_to include('onmouseover="alert(1)"')
end
end
describe 'commit_committer_link' do
it 'escapes the committer email' do
commit = double(
committer: nil,
committer_name: 'Persistent XSS',
committer_email: 'my@email.com" onmouseover="alert(1)'
)
expect(helper.commit_committer_link(commit)).
not_to include('onmouseover="alert(1)"')
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment