Merge branch 'fix-hamlit-xss' into 'security-9-1'
New Hamlit XSS fix; does not include extraneous changes. See merge request !2095
parent
ad309f5d11
commit
e5e94618c5
|
@ -10,4 +10,4 @@
|
|||
- else
|
||||
:plain
|
||||
job = $("tr#repo_#{@repo_id}")
|
||||
job.find(".import-actions").html("<i class='fa fa-exclamation-circle'></i> Error saving project: #{escape_javascript(@project.errors.full_messages.join(','))}")
|
||||
job.find(".import-actions").html("<i class='fa fa-exclamation-circle'></i> Error saving project: #{escape_javascript(h(@project.errors.full_messages.join(',')))}")
|
||||
|
|
|
@ -10,7 +10,7 @@
|
|||
.panel-body
|
||||
%pre
|
||||
:preserve
|
||||
#{sanitize_repo_path(@project, @project.import_error)}
|
||||
#{h(sanitize_repo_path(@project, @project.import_error))}
|
||||
|
||||
= form_for @project, url: namespace_project_import_path(@project.namespace, @project), method: :post, html: { class: 'form-horizontal' } do |f|
|
||||
= render "shared/import_form", f: f
|
||||
|
|
|
@ -28,7 +28,7 @@
|
|||
%h3 Clone your wiki
|
||||
%pre.dark
|
||||
:preserve
|
||||
git clone #{ content_tag(:span, default_url_to_repo(@project_wiki), class: 'clone')}
|
||||
git clone #{ content_tag(:span, h(default_url_to_repo(@project_wiki)), class: 'clone')}
|
||||
cd #{h @project_wiki.path}
|
||||
|
||||
%h3 Start Gollum and edit locally
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
title: Fix for XSS in project import view caused by Hamlit filter usage.
|
||||
merge_request:
|
||||
author:
|
|
@ -0,0 +1,22 @@
|
|||
require "spec_helper"
|
||||
|
||||
describe "projects/imports/new.html.haml" do
|
||||
let(:user) { create(:user) }
|
||||
|
||||
context 'when import fails' do
|
||||
let(:project) { create(:project_empty_repo, import_status: :failed, import_error: '<a href="http://googl.com">Foo</a>', import_type: :gitlab_project, import_source: '/var/opt/gitlab/gitlab-rails/shared/tmp/project_exports/uploads/t.tar.gz', import_url: nil) }
|
||||
|
||||
before do
|
||||
sign_in(user)
|
||||
project.team << [user, :master]
|
||||
end
|
||||
|
||||
it "escapes HTML in import errors" do
|
||||
assign(:project, project)
|
||||
|
||||
render
|
||||
|
||||
expect(rendered).not_to have_link('Foo', href: "http://googl.com")
|
||||
end
|
||||
end
|
||||
end
|