Commit bbf010e4 authored by Giorgenes Gelatti's avatar Giorgenes Gelatti

Fixes pypi XSS

parent e653b984
...@@ -20,10 +20,10 @@ module Packages ...@@ -20,10 +20,10 @@ module Packages
<!DOCTYPE html> <!DOCTYPE html>
<html> <html>
<head> <head>
<title>Links for #{name}</title> <title>Links for #{escape(name)}</title>
</head> </head>
<body> <body>
<h1>Links for #{name}</h1> <h1>Links for #{escape(name)}</h1>
#{links} #{links}
</body> </body>
</html> </html>
...@@ -47,7 +47,7 @@ module Packages ...@@ -47,7 +47,7 @@ module Packages
end end
def package_link(url, required_python, filename) def package_link(url, required_python, filename)
"<a href=\"#{url}\" data-requires-python=\"#{required_python}\">#(unknown)</a><br>" "<a href=\"#{url}\" data-requires-python=\"#{escape(required_python)}\">#(unknown)</a><br>"
end end
def build_pypi_package_path(file) def build_pypi_package_path(file)
...@@ -66,6 +66,10 @@ module Packages ...@@ -66,6 +66,10 @@ module Packages
def name def name
@packages.first.name @packages.first.name
end end
def escape(str)
ERB::Util.html_escape(str)
end
end end
end end
end end
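Review bot: In `package_link` only `required_python` is escaped; `url` and the filename interpolated into the anchor text (rendered here as `#(unknown)`, presumably `#{filename}`) still reach the attribute and element body unescaped, so a file name containing `"` or `<` lands in the HTML the same way `required_python` did before this commit. The url comes from `build_pypi_package_path`, whose body lies outside the hunk, so whether it already sanitizes the file name cannot be confirmed from here; escaping at the point of interpolation is cheaper than auditing every producer: `"<a href=\"#{escape(url)}\" data-requires-python=\"#{escape(required_python)}\">#{escape(filename)}</a><br>"`. The raw `#{links}` in the first hunk is safe only as long as every link is built by this method, which is worth a one-line comment there, e.g. `# links is pre-escaped HTML built by package_link`. `escape` is added as a public method of the presenter; as an internal helper it would sit better under `private`, and `ERB::Util` relies on `erb` already being loaded, which is presumably the case in this codebase.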
---
title: Fixed pypi package API XSS
merge_request:
author:
type: security
...@@ -19,16 +19,30 @@ describe ::Packages::Pypi::PackagePresenter do ...@@ -19,16 +19,30 @@ describe ::Packages::Pypi::PackagePresenter do
shared_examples_for "pypi package presenter" do shared_examples_for "pypi package presenter" do
let(:file) { package.package_files.first } let(:file) { package.package_files.first }
let(:filename) { file.file_name } let(:filename) { file.file_name }
let(:expected_file) { "<a href=\"http://localhost/api/v4/projects/#{project.id}/packages/pypi/files/#{file.file_sha256}/#(unknown)#sha256=#{file.file_sha256}\" data-requires-python=\"#{package.pypi_metadatum.required_python}\">#(unknown)</a><br>" } let(:expected_file) { "<a href=\"http://localhost/api/v4/projects/#{project.id}/packages/pypi/files/#{file.file_sha256}/#(unknown)#sha256=#{file.file_sha256}\" data-requires-python=\"#{expected_python_version}\">#(unknown)</a><br>" }
before do
package.pypi_metadatum.required_python = python_version
end
it { is_expected.to include expected_file } it { is_expected.to include expected_file }
end end
it_behaves_like "pypi package presenter" do it_behaves_like "pypi package presenter" do
let(:python_version) { '>=2.7' }
let(:expected_python_version) { '&gt;=2.7' }
let(:package) { package1 }
end
it_behaves_like "pypi package presenter" do
let(:python_version) { '"><script>alert(1)</script>' }
let(:expected_python_version) { '&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;' }
let(:package) { package1 } let(:package) { package1 }
end end
it_behaves_like "pypi package presenter" do it_behaves_like "pypi package presenter" do
let(:python_version) { '>=2.7, !=3.0' }
let(:expected_python_version) { '&gt;=2.7, !=3.0' }
let(:package) { package2 } let(:package) { package2 }
end end
end end
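Review bot: The new examples cover the `required_python` escaping but nothing exercises the `escape(name)` change in the `<title>`/`<h1>` of the presenter, so that half of the fix is unverified by this spec. A further example that gives a package a name containing `<` or `"` and asserts `is_expected.to include "<h1>Links for #{expected_name}</h1>"` would pin it; how package names are set depends on the `package1`/`package2` factories defined outside the hunk. Note also that `expected_file` still interpolates `file.file_sha256` and the file name raw, which is fine for the current fixture values but would not catch an escaping gap in the file name if a later example used a hostile one.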