Add latest changes from gitlab-org/security/gitlab@13-8-stable-ee

b2e1abee · GitLab Bot · 23330db1 · b2e1abee · b2e1abee · b2e1abee
Commit b2e1abee authored Feb 01, 2021 by GitLab Bot
3 changed files
--- a/app/assets/javascripts/vue_merge_request_widget/components/mr_widget_pipeline_container.vue
+++ b/app/assets/javascripts/vue_merge_request_widget/components/mr_widget_pipeline_container.vue
 <script>
 import { isNumber } from 'lodash';
+import { sanitize } from '~/lib/dompurify';
 import ArtifactsApp from './artifacts_list_app.vue';
 import MrWidgetContainer from './mr_widget_container.vue';
 import MrWidgetPipeline from './mr_widget_pipeline.vue';
@@ -40,7 +41,7 @@ export default {
      return this.isPostMerge ? this.mr.targetBranch : this.mr.sourceBranch;
    },
    branchLink() {
-      return this.isPostMerge ? this.mr.targetBranch : this.mr.sourceBranchLink;
+      return this.isPostMerge ? sanitize(this.mr.targetBranch) : this.mr.sourceBranchLink;
    },
    deployments() {
      return this.isPostMerge ? this.mr.postMergeDeployments : this.mr.deployments;

--- a/changelogs/unreleased/security-sanitize-target-branch.yml
+++ b/changelogs/unreleased/security-sanitize-target-branch.yml
+---
+title: Sanitize target branch on MR page
+merge_request:
+author:
+type: security
--- a/spec/frontend/vue_mr_widget/components/mr_widget_pipeline_container_spec.js
+++ b/spec/frontend/vue_mr_widget/components/mr_widget_pipeline_container_spec.js
@@ -78,6 +78,18 @@ describe('MrWidgetPipelineContainer', () => {
      });
    });

+    it('sanitizes the targetBranch', () => {
+      factory({
+        isPostMerge: true,
+        mr: {
+          ...mockStore,
+          targetBranch: 'Foo<script>alert("XSS")</script>',
+        },
+      });
+
+      expect(wrapper.find(MrWidgetPipeline).props().sourceBranchLink).toBe('Foo');
+    });
+
    it('renders deployments', () => {
      const expectedProps = mockStore.postMergeDeployments.map((dep) =>
        expect.objectContaining({