Merge branch 'fix-hamlit-xss' into 'security-9-1'

New Hamlit XSS fix, does not include extraneous changes See merge request !2095
2017-05-02 21:32:14 +00:00 · 2017-05-02 21:32:14 +00:00 · e5e94618c5
parent ad309f5d11
commit e5e94618c5
5 changed files with 29 additions and 3 deletions
--- a/app/views/import/base/create.js.haml
+++ b/app/views/import/base/create.js.haml
@ -10,4 +10,4 @@
 - else
  :plain
    job = $("tr#repo_#{@repo_id}")
-    job.find(".import-actions").html("<i class='fa fa-exclamation-circle'></i> Error saving project: #{escape_javascript(@project.errors.full_messages.join(','))}")
+    job.find(".import-actions").html("<i class='fa fa-exclamation-circle'></i> Error saving project: #{escape_javascript(h(@project.errors.full_messages.join(',')))}")
--- a/app/views/projects/imports/new.html.haml
+++ b/app/views/projects/imports/new.html.haml
@ -10,7 +10,7 @@
    .panel-body
      %pre
        :preserve
-          #{sanitize_repo_path(@project, @project.import_error)}
+          #{h(sanitize_repo_path(@project, @project.import_error))}

 = form_for @project, url: namespace_project_import_path(@project.namespace, @project), method: :post, html: { class: 'form-horizontal' } do |f|
  = render "shared/import_form", f: f
--- a/app/views/projects/wikis/git_access.html.haml
+++ b/app/views/projects/wikis/git_access.html.haml
@ -28,7 +28,7 @@
    %h3 Clone your wiki
    %pre.dark
      :preserve
-        git clone #{ content_tag(:span, default_url_to_repo(@project_wiki), class: 'clone')}
+        git clone #{ content_tag(:span, h(default_url_to_repo(@project_wiki)), class: 'clone')}
        cd #{h @project_wiki.path}

    %h3 Start Gollum and edit locally
--- a/changelogs/unreleased/hamlit-xss-fix.yml
+++ b/changelogs/unreleased/hamlit-xss-fix.yml
@ -0,0 +1,4 @@
+---
+title: Fix for XSS in project import view caused by Hamlit filter usage.
+merge_request:
+author:
--- a/spec/views/projects/imports/new.html.haml_spec.rb
+++ b/spec/views/projects/imports/new.html.haml_spec.rb
@ -0,0 +1,22 @@
+require "spec_helper"
+
+describe "projects/imports/new.html.haml" do
+  let(:user) { create(:user) }
+
+  context 'when import fails' do
+    let(:project) { create(:project_empty_repo, import_status: :failed, import_error: '<a href="http://googl.com">Foo</a>', import_type: :gitlab_project, import_source: '/var/opt/gitlab/gitlab-rails/shared/tmp/project_exports/uploads/t.tar.gz', import_url: nil) }
+
+    before do
+      sign_in(user)
+      project.team << [user, :master]
+    end
+
+    it "escapes HTML in import errors" do
+      assign(:project, project)
+
+      render
+
+      expect(rendered).not_to have_link('Foo', href: "http://googl.com")
+    end
+  end
+end