Skip to content

G
gitlab-ce
Commit bbf010e4 authored by Giorgenes Gelatti's avatar Giorgenes Gelatti
Browse files
Options

Fixes pypi XSS

parent e653b984
Hide whitespace changes
Inline Side-by-side
Showing with 27 additions and 4 deletions
ee/app/presenters/packages/pypi/package_presenter.rb
View file @ bbf010e4
......@@ -20,10 +20,10 @@ module Packages
<!DOCTYPE html>
<html>
<head>
<title>Links for #{name}</title>
<title>Links for #{escape(name)}</title>
</head>
<body>
<h1>Links for #{name}</h1>
<h1>Links for #{escape(name)}</h1>
#{links}
</body>
</html>
......@@ -47,7 +47,7 @@ module Packages
end
def package_link(url, required_python, filename)
"<a href=\"#{url}\" data-requires-python=\"#{required_python}\">#{filename}</a><br>"
"<a href=\"#{url}\" data-requires-python=\"#{escape(required_python)}\">#{filename}</a><br>"
end
def build_pypi_package_path(file)
......@@ -66,6 +66,10 @@ module Packages
def name
@packages.first.name
end
def escape(str)
ERB::Util.html_escape(str)
end
end
end
end
ee/changelogs/unreleased/security-215640-pypi.yml 0 → 100644
View file @ bbf010e4
---
title: Fixed pypi package API XSS
merge_request:
author:
type: security
ee/spec/presenters/packages/pypi/package_presenter_spec.rb
View file @ bbf010e4
......@@ -19,16 +19,30 @@ describe ::Packages::Pypi::PackagePresenter do
shared_examples_for "pypi package presenter" do
let(:file) { package.package_files.first }
let(:filename) { file.file_name }
let(:expected_file) { "<a href=\"http://localhost/api/v4/projects/#{project.id}/packages/pypi/files/#{file.file_sha256}/#{filename}#sha256=#{file.file_sha256}\" data-requires-python=\"#{package.pypi_metadatum.required_python}\">#{filename}</a><br>" }
let(:expected_file) { "<a href=\"http://localhost/api/v4/projects/#{project.id}/packages/pypi/files/#{file.file_sha256}/#{filename}#sha256=#{file.file_sha256}\" data-requires-python=\"#{expected_python_version}\">#{filename}</a><br>" }
before do
package.pypi_metadatum.required_python = python_version
end
it { is_expected.to include expected_file }
end
it_behaves_like "pypi package presenter" do
let(:python_version) { '>=2.7' }
let(:expected_python_version) { '&gt;=2.7' }
let(:package) { package1 }
end
it_behaves_like "pypi package presenter" do
let(:python_version) { '"><script>alert(1)</script>' }
let(:expected_python_version) { '&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;' }
let(:package) { package1 }
end
it_behaves_like "pypi package presenter" do
let(:python_version) { '>=2.7, !=3.0' }
let(:expected_python_version) { '&gt;=2.7, !=3.0' }
let(:package) { package2 }
end
end
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7