Merge branch 'security-fix-xss-in-mr-sidebar' into 'master'

Fixes XSS with source branch in the merge request sidebar

See merge request gitlab-org/security/gitlab!1317

app/views/shared/issuable/_sidebar.html.haml

@@ -138,7 +138,7 @@
               = clipboard_button(text: source_branch, title: _('Copy branch name'), placement: "left", boundary: 'viewport')
             .sidebar-mr-source-branch.hide-collapsed
               %span
-                = _('Source branch: %{source_branch_open}%{source_branch}%{source_branch_close}').html_safe % { source_branch_open: "<cite class='ref-name' title='#{source_branch}'>".html_safe, source_branch_close: "</cite>".html_safe, source_branch: source_branch }
+                = _('Source branch: %{source_branch_open}%{source_branch}%{source_branch_close}').html_safe % { source_branch_open: "<cite class='ref-name' title='#{html_escape(source_branch)}'>".html_safe, source_branch_close: "</cite>".html_safe, source_branch: html_escape(source_branch) }
               = clipboard_button(text: source_branch, title: _('Copy branch name'), placement: "left", boundary: 'viewport')
 
       - if show_forwarding_email

changelogs/unreleased/security-fix-xss-in-mr-sidebar.yml

+---
+title: Fixed XSS in merge requests sidebar
+merge_request:
+author:
+type: security

spec/features/merge_request/user_views_open_merge_request_spec.rb

@@ -111,4 +111,21 @@ RSpec.describe 'User views an open merge request' do
       end
     end
   end
+
+  context 'XSS source branch' do
+    let(:project) { create(:project, :public, :repository) }
+    let(:source_branch) { "'><iframe/srcdoc=''></iframe>" }
+
+    before do
+      project.repository.create_branch(source_branch, "master")
+
+      mr = create(:merge_request, source_project: project, target_project: project, source_branch: source_branch)
+
+      visit(merge_request_path(mr))
+    end
+
+    it 'encodes branch name' do
+      expect(find('cite.ref-name')[:title]).to eq(source_branch)
+    end
+  end
 end