Commit bbe836b2 authored by Robert Speicher's avatar Robert Speicher

Unmark the commit author/committer link as HTML-safe

We now make use of the `content_tag` helper so that the untrusted input
is escaped and the trusted output is then automatically safe. When we
don't need to wrap the name in a `span` tag (when `avatar` is falsey),
it's treated as unsafe by default, so no further sanitization/escaping
is necessary.
parent 65649b9f
...@@ -133,11 +133,11 @@ module CommitsHelper ...@@ -133,11 +133,11 @@ module CommitsHelper
source_name = clean(commit.send "#{options[:source]}_name".to_sym) source_name = clean(commit.send "#{options[:source]}_name".to_sym)
source_email = clean(commit.send "#{options[:source]}_email".to_sym) source_email = clean(commit.send "#{options[:source]}_email".to_sym)
person_name = sanitize(user.try(:name) || source_name) person_name = user.try(:name) || source_name
text = text =
if options[:avatar] if options[:avatar]
%Q{<span class="commit-#{options[:source]}-name">#{person_name}</span>} content_tag(:span, person_name, class: "commit-#{options[:source]}-name")
else else
person_name person_name
end end
...@@ -148,9 +148,9 @@ module CommitsHelper ...@@ -148,9 +148,9 @@ module CommitsHelper
} }
if user.nil? if user.nil?
mail_to(source_email, text.html_safe, options) mail_to(source_email, text, options)
else else
link_to(text.html_safe, user_path(user), options) link_to(text, user_path(user), options)
end end
end end
......
---
title: Prevent a persistent XSS in the commit author block
merge_request:
author:
type: security
...@@ -12,6 +12,17 @@ describe CommitsHelper do ...@@ -12,6 +12,17 @@ describe CommitsHelper do
expect(helper.commit_author_link(commit)) expect(helper.commit_author_link(commit))
.not_to include('onmouseover="alert(1)"') .not_to include('onmouseover="alert(1)"')
end end
it 'escapes the author name' do
user = build_stubbed(:user, name: 'Foo <script>alert("XSS")</script>')
commit = double(author: user, author_name: '', author_email: '')
expect(helper.commit_author_link(commit))
.to include('Foo &lt;script&gt;')
expect(helper.commit_author_link(commit, avatar: true))
.to include('commit-author-name', 'Foo &lt;script&gt;')
end
end end
describe 'commit_committer_link' do describe 'commit_committer_link' do
...@@ -25,6 +36,17 @@ describe CommitsHelper do ...@@ -25,6 +36,17 @@ describe CommitsHelper do
expect(helper.commit_committer_link(commit)) expect(helper.commit_committer_link(commit))
.not_to include('onmouseover="alert(1)"') .not_to include('onmouseover="alert(1)"')
end end
it 'escapes the commiter name' do
user = build_stubbed(:user, name: 'Foo <script>alert("XSS")</script>')
commit = double(committer: user, committer_name: '', committer_email: '')
expect(helper.commit_committer_link(commit))
.to include('Foo &lt;script&gt;')
expect(helper.commit_committer_link(commit, avatar: true))
.to include('commit-committer-name', 'Foo &lt;script&gt;')
end
end end
describe '#view_on_environment_button' do describe '#view_on_environment_button' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment