Fix XSS in resolve conflicts form

The issue arose when the branch name contained Vue template JavaScript. The fix is to use `v-pre` which disables Vue compilation in a template.
2019-02-26 08:43:43 -06:00 · 2019-02-26 08:43:43 -06:00 · e6e9c10ee1
parent f944971b0b
commit e6e9c10ee1
3 changed files with 21 additions and 1 deletions
--- a/app/views/projects/merge_requests/conflicts/_submit_form.html.haml
+++ b/app/views/projects/merge_requests/conflicts/_submit_form.html.haml
@ -6,7 +6,7 @@
  .form-group.row
    .col-md-4
      %h4= _('Resolve conflicts on source branch')
-      .resolve-info
+      .resolve-info{ "v-pre": true }
        = translation.html_safe
    .col-md-8
      %label.label-bold{ "for" => "commit-message" }
--- a/changelogs/unreleased/security-56927-xss-resolve-conflicts-branch-name.yml
+++ b/changelogs/unreleased/security-56927-xss-resolve-conflicts-branch-name.yml
@ -0,0 +1,5 @@
+---
+title: Fix XSS in resolve conflicts form
+merge_request:
+author:
+type: security
--- a/spec/features/merge_request/user_resolves_conflicts_spec.rb
+++ b/spec/features/merge_request/user_resolves_conflicts_spec.rb
@ -164,6 +164,21 @@ describe 'Merge request > User resolves conflicts', :js do
        expect(page).to have_content('Gregor Samsa woke from troubled dreams')
      end
    end
+
+    context "with malicious branch name" do
+      let(:bad_branch_name) { "malicious-branch-{{toString.constructor('alert(/xss/)')()}}" }
+      let(:branch) { project.repository.create_branch(bad_branch_name, 'conflict-resolvable') }
+      let(:merge_request) { create_merge_request(branch.name) }
+
+      before do
+        visit project_merge_request_path(project, merge_request)
+        click_link('conflicts', href: %r{/conflicts\Z})
+      end
+
+      it "renders bad name without xss issues" do
+        expect(find('.resolve-conflicts-form .resolve-info')).to have_content(bad_branch_name)
+      end
+    end
  end

  UNRESOLVABLE_CONFLICTS = {