Merge branch 'security-fix-xss-in-label-namespace' into 'master'

Escape namespace in label references Closes #2941 See merge request gitlab/gitlabhq!3509

Merge branch 'security-fix-xss-in-label-namespace' into 'master'
Escape namespace in label references Closes #2941 See merge request gitlab/gitlabhq!3509
6b50c98f · GitLab Release Tools Bot · 5df019e8 · 54564e79 · 6b50c98f · 6b50c98f
Commit 6b50c98f authored Nov 26, 2019 by GitLab Release Tools Bot
3 changed files
--- a/changelogs/unreleased/security-fix-xss-in-label-namespace.yml
+++ b/changelogs/unreleased/security-fix-xss-in-label-namespace.yml
+---
+title: Escape namespace in label references to prevent XSS
+merge_request:
+author:
+type: security
--- a/lib/banzai/filter/label_reference_filter.rb
+++ b/lib/banzai/filter/label_reference_filter.rb
@@ -89,7 +89,7 @@ module Banzai
          parent_from_ref = from_ref_cached(project_path)
          reference       = parent_from_ref.to_human_reference(parent)
-          label_suffix = " <i>in #{reference}</i>" if reference.present?
+          label_suffix = " <i>in #{ERB::Util.html_escape(reference)}</i>" if reference.present?
        end
        presenter = object.present(issuable_subject: parent)

--- a/spec/lib/banzai/filter/label_reference_filter_spec.rb
+++ b/spec/lib/banzai/filter/label_reference_filter_spec.rb
@@ -521,6 +521,15 @@ describe Banzai::Filter::LabelReferenceFilter do
      expect(reference_filter(act).to_html).to eq exp
    end
+    context 'when group name has HTML entities' do
+      let(:another_group) { create(:group, name: '<img src=x onerror=alert(1)>', path: 'another_group') }
+      it 'escapes the HTML entities' do
+        expect(result.text)
+          .to eq "See #{group_label.name} in #{another_project.full_name}"
+      end
+    end
  end
  describe 'cross-project / same-group_label complete reference' do