Merge branch '42028-xss-diffs-10-6' into 'security-10-6'

Port of "Fix XSS on commit diff view" for 10-6

See merge request gitlab/gitlabhq!2364
This commit is contained in:
Douwe Maan 2018-04-03 09:57:31 +00:00 committed by James Lopez
parent 0498a5dd77
commit 98106ec54e
No known key found for this signature in database
GPG key ID: 756BF8E9D7C0CF39
3 changed files with 38 additions and 4 deletions

View file

@ -0,0 +1,5 @@
---
title: Fix XSS on diff view stored on filenames
merge_request:
author:
type: security

View file

@ -1,11 +1,14 @@
module Gitlab module Gitlab
module Diff module Diff
class InlineDiffMarker < Gitlab::StringRangeMarker class InlineDiffMarker < Gitlab::StringRangeMarker
def initialize(line, rich_line = nil)
super(line, rich_line || line)
end
def mark(line_inline_diffs, mode: nil) def mark(line_inline_diffs, mode: nil)
mark = super(line_inline_diffs) do |text, left:, right:| super(line_inline_diffs) do |text, left:, right:|
%{<span class="#{html_class_names(left, right, mode)}">#{text}</span>} %{<span class="#{html_class_names(left, right, mode)}">#{text}</span>}
end end
mark.html_safe
end end
private private

View file

@ -135,11 +135,37 @@ describe DiffHelper do
it "returns strings with marked inline diffs" do it "returns strings with marked inline diffs" do
marked_old_line, marked_new_line = mark_inline_diffs(old_line, new_line) marked_old_line, marked_new_line = mark_inline_diffs(old_line, new_line)
expect(marked_old_line).to eq(%q{abc <span class="idiff left right deletion">'def'</span>}) expect(marked_old_line).to eq(%q{abc <span class="idiff left right deletion">&#39;def&#39;</span>})
expect(marked_old_line).to be_html_safe expect(marked_old_line).to be_html_safe
expect(marked_new_line).to eq(%q{abc <span class="idiff left right addition">"def"</span>}) expect(marked_new_line).to eq(%q{abc <span class="idiff left right addition">&quot;def&quot;</span>})
expect(marked_new_line).to be_html_safe expect(marked_new_line).to be_html_safe
end end
context 'when given HTML' do
it 'sanitizes it' do
old_line = %{test.txt}
new_line = %{<img src=x onerror=alert(document.domain)>}
marked_old_line, marked_new_line = mark_inline_diffs(old_line, new_line)
expect(marked_old_line).to eq(%q{<span class="idiff left right deletion">test.txt</span>})
expect(marked_old_line).to be_html_safe
expect(marked_new_line).to eq(%q{<span class="idiff left right addition">&lt;img src=x onerror=alert(document.domain)&gt;</span>})
expect(marked_new_line).to be_html_safe
end
it 'sanitizes the entire line, not just the changes' do
old_line = %{<img src=x onerror=alert(document.domain)>}
new_line = %{<img src=y onerror=alert(document.domain)>}
marked_old_line, marked_new_line = mark_inline_diffs(old_line, new_line)
expect(marked_old_line).to eq(%q{&lt;img src=<span class="idiff left right deletion">x</span> onerror=alert(document.domain)&gt;})
expect(marked_old_line).to be_html_safe
expect(marked_new_line).to eq(%q{&lt;img src=<span class="idiff left right addition">y</span> onerror=alert(document.domain)&gt;})
expect(marked_new_line).to be_html_safe
end
end
end end
describe '#parallel_diff_discussions' do describe '#parallel_diff_discussions' do