Merge branch 'security-11-2-51527-xss-in-mr-source-branch' into 'security-11-2'

[11.2] Fix XSS in MR source branch name See merge request gitlab/gitlabhq!2546
author: Thiago Presa <tpresa@gitlab.com> 2018-10-23 02:21:40 +0000
committer: Thiago Presa <tpresa@gitlab.com> 2018-10-24 21:59:46 -0300
commit: bf097697f543bc2551f88895ca08084420e45068 (patch)
tree: b5962991b754ce1c18e143a6d696c6f795fa4df7 /spec
parent: 39473cc0addedc3d9b7aebe37b4470904c68eaea (diff)
download: gitlab-ce-bf097697f543bc2551f88895ca08084420e45068.tar.gz
1 files changed, 9 insertions, 0 deletions
diff --git a/spec/presenters/merge_request_presenter_spec.rb b/spec/presenters/merge_request_presenter_spec.rb
index a1b52d8692d..bafcddebbb7 100644
--- a/spec/presenters/merge_request_presenter_spec.rb
+++ b/spec/presenters/merge_request_presenter_spec.rb
@@ -403,6 +403,15 @@ describe MergeRequestPresenter do
       is_expected
         .to eq("<a href=\"/#{resource.source_project.full_path}/tree/#{resource.source_branch}\">#{resource.source_branch}</a>")
     end
+
+    it 'escapes html, when source_branch does not exist' do
+      xss_attempt = "<img src='x' onerror=alert('bad stuff') />"
+
+      allow(resource).to receive(:source_branch) { xss_attempt }
+      allow(resource).to receive(:source_branch_exists?) { false }
+
+      is_expected.to eq(ERB::Util.html_escape(xss_attempt))
+    end
   end
 
   describe '#rebase_path' do
author	Thiago Presa <tpresa@gitlab.com>	2018-10-23 02:21:40 +0000
committer	Thiago Presa <tpresa@gitlab.com>	2018-10-24 21:59:46 -0300
commit	bf097697f543bc2551f88895ca08084420e45068 (patch)
tree	b5962991b754ce1c18e143a6d696c6f795fa4df7 /spec
parent	39473cc0addedc3d9b7aebe37b4470904c68eaea (diff)
download	gitlab-ce-bf097697f543bc2551f88895ca08084420e45068.tar.gz