Merge branch '42028-xss-diffs-10-6' into 'security-10-6'
Port of "Fix XSS on commit diff view" for 10-6 See merge request gitlab/gitlabhq!2364
This commit is contained in:
parent
0498a5dd77
commit
98106ec54e
3 changed files with 38 additions and 4 deletions
5
changelogs/unreleased/42028-xss-diffs.yml
Normal file
5
changelogs/unreleased/42028-xss-diffs.yml
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
title: Fix XSS on diff view stored on filenames
|
||||||
|
merge_request:
|
||||||
|
author:
|
||||||
|
type: security
|
|
@ -1,11 +1,14 @@
|
||||||
module Gitlab
|
module Gitlab
|
||||||
module Diff
|
module Diff
|
||||||
class InlineDiffMarker < Gitlab::StringRangeMarker
|
class InlineDiffMarker < Gitlab::StringRangeMarker
|
||||||
|
def initialize(line, rich_line = nil)
|
||||||
|
super(line, rich_line || line)
|
||||||
|
end
|
||||||
|
|
||||||
def mark(line_inline_diffs, mode: nil)
|
def mark(line_inline_diffs, mode: nil)
|
||||||
mark = super(line_inline_diffs) do |text, left:, right:|
|
super(line_inline_diffs) do |text, left:, right:|
|
||||||
%{<span class="#{html_class_names(left, right, mode)}">#{text}</span>}
|
%{<span class="#{html_class_names(left, right, mode)}">#{text}</span>}
|
||||||
end
|
end
|
||||||
mark.html_safe
|
|
||||||
end
|
end
|
||||||
|
|
||||||
private
|
private
|
||||||
|
|
|
@ -135,11 +135,37 @@ describe DiffHelper do
|
||||||
it "returns strings with marked inline diffs" do
|
it "returns strings with marked inline diffs" do
|
||||||
marked_old_line, marked_new_line = mark_inline_diffs(old_line, new_line)
|
marked_old_line, marked_new_line = mark_inline_diffs(old_line, new_line)
|
||||||
|
|
||||||
expect(marked_old_line).to eq(%q{abc <span class="idiff left right deletion">'def'</span>})
|
expect(marked_old_line).to eq(%q{abc <span class="idiff left right deletion">'def'</span>})
|
||||||
expect(marked_old_line).to be_html_safe
|
expect(marked_old_line).to be_html_safe
|
||||||
expect(marked_new_line).to eq(%q{abc <span class="idiff left right addition">"def"</span>})
|
expect(marked_new_line).to eq(%q{abc <span class="idiff left right addition">"def"</span>})
|
||||||
expect(marked_new_line).to be_html_safe
|
expect(marked_new_line).to be_html_safe
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'when given HTML' do
|
||||||
|
it 'sanitizes it' do
|
||||||
|
old_line = %{test.txt}
|
||||||
|
new_line = %{<img src=x onerror=alert(document.domain)>}
|
||||||
|
|
||||||
|
marked_old_line, marked_new_line = mark_inline_diffs(old_line, new_line)
|
||||||
|
|
||||||
|
expect(marked_old_line).to eq(%q{<span class="idiff left right deletion">test.txt</span>})
|
||||||
|
expect(marked_old_line).to be_html_safe
|
||||||
|
expect(marked_new_line).to eq(%q{<span class="idiff left right addition"><img src=x onerror=alert(document.domain)></span>})
|
||||||
|
expect(marked_new_line).to be_html_safe
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'sanitizes the entire line, not just the changes' do
|
||||||
|
old_line = %{<img src=x onerror=alert(document.domain)>}
|
||||||
|
new_line = %{<img src=y onerror=alert(document.domain)>}
|
||||||
|
|
||||||
|
marked_old_line, marked_new_line = mark_inline_diffs(old_line, new_line)
|
||||||
|
|
||||||
|
expect(marked_old_line).to eq(%q{<img src=<span class="idiff left right deletion">x</span> onerror=alert(document.domain)>})
|
||||||
|
expect(marked_old_line).to be_html_safe
|
||||||
|
expect(marked_new_line).to eq(%q{<img src=<span class="idiff left right addition">y</span> onerror=alert(document.domain)>})
|
||||||
|
expect(marked_new_line).to be_html_safe
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe '#parallel_diff_discussions' do
|
describe '#parallel_diff_discussions' do
|
||||||
|
|
Loading…
Reference in a new issue