Fixes XSS in shared runner description

27fb5b3b · Miguel Rincon · Mike Greiling · c3626715 · 27fb5b3b · 27fb5b3b
Commit 27fb5b3b authored May 04, 2021 by Miguel Rincon Committed by Mike Greiling May 04, 2021
3 changed files
--- a/app/views/shared/runners/_shared_runners_description.html.haml
+++ b/app/views/shared/runners/_shared_runners_description.html.haml
@@ -3,11 +3,10 @@
 %h4
  = _('Shared runners')

-.bs-callout.shared-runners-description
-  = _('These runners are shared across this GitLab instance.')
-  %p
+.bs-callout{ data: { testid: 'shared-runners-description' } }
+  %p= _('These runners are shared across this GitLab instance.')
  - if Gitlab::CurrentSettings.shared_runners_text.present?
-    = markdown_field(Gitlab::CurrentSettings.current_application_settings, :shared_runners_text)
+    = markdown(Gitlab::CurrentSettings.current_application_settings.shared_runners_text)
  - else
-    = _('The same shared runner executes code from multiple projects, unless you configure autoscaling with %{link} set to 1 (which it is on GitLab.com).').html_safe % { link: link }
+    %p= _('The same shared runner executes code from multiple projects, unless you configure autoscaling with %{link} set to 1 (which it is on GitLab.com).').html_safe % { link: link }
  = yield
--- a/changelogs/unreleased/mrincon-fix-xss-shared-runners-text.yml
+++ b/changelogs/unreleased/mrincon-fix-xss-shared-runners-text.yml
+---
+title: Fix XSS vulnerability in shared runner description
+merge_request: 60891
+author:
+type: security
--- a/spec/features/runners_spec.rb
+++ b/spec/features/runners_spec.rb
@@ -160,18 +160,67 @@ RSpec.describe 'Runners' do
      end
    end

-    context 'when application settings have shared_runners_text' do
-      let(:shared_runners_text) { 'custom **shared** runners description' }
-      let(:shared_runners_html) { 'custom shared runners description' }
+    context 'shared runner text' do
+      context 'when application settings have no shared_runners_text' do
+        it 'user sees default shared runners description' do
+          visit project_runners_path(project)

-      before do
-        stub_application_setting(shared_runners_text: shared_runners_text)
+          page.within("[data-testid='shared-runners-description']") do
+            expect(page).to have_content('The same shared runner executes code from multiple projects')
+          end
+        end
      end

-      it 'user sees shared runners description' do
-        visit project_runners_path(project)
+      context 'when application settings have shared_runners_text' do
+        let(:shared_runners_text) { 'custom **shared** runners description' }
+        let(:shared_runners_html) { 'custom shared runners description' }
+
+        before do
+          stub_application_setting(shared_runners_text: shared_runners_text)
+        end
+
+        it 'user sees shared runners description' do
+          visit project_runners_path(project)
+
+          page.within("[data-testid='shared-runners-description']") do
+            expect(page).not_to have_content('The same shared runner executes code from multiple projects')
+            expect(page).to have_content(shared_runners_html)
+          end
+        end
+      end
+
+      context 'when application settings have an unsafe link in shared_runners_text' do
+        let(:shared_runners_text) { '<a href="javascript:alert(\'xss\')">link</a>' }
+
+        before do
+          stub_application_setting(shared_runners_text: shared_runners_text)
+        end
+
+        it 'user sees no link' do
+          visit project_runners_path(project)
+
+          page.within("[data-testid='shared-runners-description']") do
+            expect(page).to have_content('link')
+            expect(page).not_to have_link('link')
+          end
+        end
+      end

-        expect(page.find('.shared-runners-description')).to have_content(shared_runners_html)
+      context 'when application settings have an unsafe image in shared_runners_text' do
+        let(:shared_runners_text) { '<img src="404.png" onerror="alert(\'xss\')"/>' }
+
+        before do
+          stub_application_setting(shared_runners_text: shared_runners_text)
+        end
+
+        it 'user sees image safely' do
+          visit project_runners_path(project)
+
+          page.within("[data-testid='shared-runners-description']") do
+            expect(page).to have_css('img')
+            expect(page).not_to have_css('img[onerror]')
+          end
+        end
      end
    end
  end
@@ -190,7 +239,7 @@ RSpec.describe 'Runners' do

        click_on 'Enable shared runners'

-        expect(page.find('.shared-runners-description')).to have_content('Disable shared runners')
+        expect(page.find("[data-testid='shared-runners-description']")).to have_content('Disable shared runners')
        expect(page).not_to have_selector('#toggle-shared-runners-form')
      end
    end