Escape HTML on scoped labels tooltip

11a72bc3 · Mario Celi · 2eaa98f2 · 11a72bc3 · 11a72bc3 · 11a72bc3
Commit 11a72bc3 authored Mar 26, 2021 by Mario Celi
4 changed files
--- a/ee/changelogs/unreleased/security-291004-scoped-label-xss.yml
+++ b/ee/changelogs/unreleased/security-291004-scoped-label-xss.yml
+---
+title: Escape HTML on scoped labels tooltip
+merge_request:
+author:
+type: security
--- a/ee/lib/ee/banzai/filter/label_reference_filter.rb
+++ b/ee/lib/ee/banzai/filter/label_reference_filter.rb
@@ -10,12 +10,18 @@ module EE
        def data_attributes_for(text, parent, object, link_content: false, link_reference: false)
          return super unless object.scoped_label?

-          # Enabling HTML tooltips for scoped labels here but we do not need to do any additional
-          # escaping because the label's tooltips are already stripped of dangerous HTML
+          # Enabling HTML tooltips for scoped labels here and additional escaping is done in `object_link_title`
          super.merge!(
            html: true
          )
        end
+
+        override :object_link_title
+        def object_link_title(object, matches)
+          return super unless object.scoped_label?
+
+          ERB::Util.html_escape(super)
+        end
      end
    end
  end

--- a/ee/spec/lib/banzai/filter/label_reference_filter_spec.rb
+++ b/ee/spec/lib/banzai/filter/label_reference_filter_spec.rb
@@ -7,7 +7,8 @@ RSpec.describe Banzai::Filter::LabelReferenceFilter do

  let(:project) { create(:project, :public, name: 'sample-project') }
  let(:label) { create(:label, name: 'label', project: project) }
-  let(:scoped_label) { create(:label, name: 'key::value', project: project) }
+  let(:scoped_description) { 'xss <script>alert("scriptAlert");</script> &<a>lt;svg id=&quot;svgId&quot;&gt;&lt;/svg&gt;' }
+  let(:scoped_label) { create(:label, name: 'key::value', project: project, description: scoped_description) }

  context 'with scoped labels enabled' do
    before do
@@ -24,6 +25,10 @@ RSpec.describe Banzai::Filter::LabelReferenceFilter do
      it 'renders HTML tooltips' do
        expect(doc.at_css('.gl-label-scoped a').attr('data-html')).to eq('true')
      end
+
+      it "escapes HTML in the label's title" do
+        expect(doc.at_css('.gl-label-scoped a').attr('title')).to include('xss  &lt;svg id="svgId"&gt;')
+      end
    end

    context 'with a common label' do

--- a/lib/gitlab/markdown_cache.rb
+++ b/lib/gitlab/markdown_cache.rb
@@ -3,7 +3,7 @@
 module Gitlab
  module MarkdownCache
    # Increment this number every time the renderer changes its output
-    CACHE_COMMONMARK_VERSION        = 26
+    CACHE_COMMONMARK_VERSION        = 27
    CACHE_COMMONMARK_VERSION_START  = 10

    BaseError = Class.new(StandardError)