Merge branch 'manifest-unsafe-scheme' into 'master'

Disallow import url scheme to start with javascript

See merge request gitlab-org/gitlab!57071

changelogs/unreleased/manifest-unsafe-scheme.yml

+---
+title: Validate import manifest url scheme
+merge_request: 57071
+author:
+type: fixed

lib/gitlab/manifest_import/manifest.rb

@@ -47,6 +47,10 @@ module Gitlab
           @errors << 'Make sure every <project> tag has name and path attributes.'
         end
 
+        unless validate_scheme
+          @errors << 'Make sure the url does not start with javascript'
+        end
+
         @errors.empty?
       end
 
@@ -64,6 +68,10 @@ module Gitlab
         end
       end
 
+      def validate_scheme
+        remote !~ /\Ajavascript/i
+      end
+
       def repository_url(name)
         Gitlab::Utils.append_path(remote, name)
       end

spec/features/import/manifest_import_spec.rb

@@ -42,6 +42,15 @@ RSpec.describe 'Import multiple repositories by uploading a manifest file', :js
     end
   end
 
+  it 'renders an error if the remote url scheme starts with javascript' do
+    visit new_import_manifest_path
+
+    attach_file('manifest', Rails.root.join('spec/fixtures/unsafe_javascript.xml'))
+    click_on 'List available repositories'
+
+    expect(page).to have_content 'Make sure the url does not start with javascript'
+  end
+
   it 'renders an error if invalid file was provided' do
     visit new_import_manifest_path
 

spec/fixtures/unsafe_javascript.xml

+<manifest>
+  <remote review="javascript://HelloTheGitlabSecurityTeam%0Aprompt(1)%0A" />
+
+  <project path="test1" name="manifest1" />
+  <project path="test2" name="manifest2" />
+  <project path="test3" name="manifest3" />
+  <project path="test4" name="manifest4" />
+  <project path="test5" name="manifest5" />
+  <project path="test6" name="manifest6" />
+</manifest>
\ No newline at end of file