Merge branch 'security-xss-epic-milestone' into 'master'

Sanitize XSS in Epic milestone due date See merge request gitlab-org/security/gitlab!1142

Merge branch 'security-xss-epic-milestone' into 'master'
Sanitize XSS in Epic milestone due date See merge request gitlab-org/security/gitlab!1142
0a81cbbe · GitLab Release Tools Bot · a32e201d · 09c1bdb8 · 0a81cbbe · 0a81cbbe
Commit 0a81cbbe authored Jan 27, 2021 by GitLab Release Tools Bot
3 changed files
--- a/ee/app/assets/javascripts/epic/utils/epic_utils.js
+++ b/ee/app/assets/javascripts/epic/utils/epic_utils.js
@@ -6,6 +6,7 @@ import { __, s__, sprintf } from '~/locale';
 import createGqClient, { fetchPolicies } from '~/lib/graphql';
 import { parseBoolean } from '~/lib/utils/common_utils';
 import { dateInWords, parsePikadayDate } from '~/lib/utils/datetime_utility';
+import { sanitize } from '~/lib/dompurify';
 import { dateTypes } from '../constants';
@@ -54,8 +55,9 @@ const getDateFromMilestonesTooltip = ({
  dueDateSourcingMilestoneDates,
  dueDateTimeFromMilestones,
 }) => {
-  const dateSourcingMilestoneTitle =
+  const dateSourcingMilestoneTitle = sanitize(
-    dateType === dateTypes.start ? startDateSourcingMilestoneTitle : dueDateSourcingMilestoneTitle;
+    dateType === dateTypes.start ? startDateSourcingMilestoneTitle : dueDateSourcingMilestoneTitle,
+  );
  const sourcingMilestoneDates =
    dateType === dateTypes.start ? startDateSourcingMilestoneDates : dueDateSourcingMilestoneDates;

--- a/ee/changelogs/unreleased/security-xss-epic-milestone.yml
+++ b/ee/changelogs/unreleased/security-xss-epic-milestone.yml
+---
+title: Sanitize XSS in Epic milestone due date
+merge_request:
+author:
+type: security
--- a/ee/spec/frontend/epic/utils/epic_utils_spec.js
+++ b/ee/spec/frontend/epic/utils/epic_utils_spec.js
@@ -57,4 +57,23 @@ describe('epicUtils', () => {
      expect(Cookies.get('collapsed_gutter')).toBe(`${collapsedGutterVal}`); // Cookie value will always be string
    });
  });
+  describe('getDateFromMilestonesTooltip', () => {
+    it('Sanitizes html in milestone title', () => {
+      const tooltipText = epicUtils.getDateFromMilestonesTooltip({
+        dateType: 'start',
+        startDateSourcingMilestoneTitle:
+          '<svg width="100"><use xlink:href="/h5bp/html5-boilerplate/-/raw/master/demo.svg#x" /></svg>',
+        startDateSourcingMilestoneDates: {
+          startDate: '2020-12-23',
+          dueDate: '2021-01-28',
+        },
+        startDateTimeFromMilestones: '2020-12-22T18:30:00.000Z',
+        dueDateTimeFromMilestones: '2021-01-27T18:30:00.000Z',
+      });
+      const sanitizedTitle = '<svg width="100"><use></use></svg>';
+      expect(tooltipText.startsWith(sanitizedTitle)).toBe(true);
+    });
+  });
 });