From 2f4afe45525f6536c808d46249d7557ea14de7e8 Mon Sep 17 00:00:00 2001
From: Paul Slaughter
Date: Fri, 12 Oct 2018 16:39:13 -0500
Subject: Fix XSS in MR source branch name

---
 spec/presenters/merge_request_presenter_spec.rb | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'spec/presenters')

diff --git a/spec/presenters/merge_request_presenter_spec.rb b/spec/presenters/merge_request_presenter_spec.rb
index a1b52d8692d..bafcddebbb7 100644
--- a/spec/presenters/merge_request_presenter_spec.rb
+++ b/spec/presenters/merge_request_presenter_spec.rb
@@ -403,6 +403,15 @@ describe MergeRequestPresenter do
 is_expected
 .to eq("#{resource.source_branch}")
 end
+
+ it 'escapes html, when source_branch does not exist' do
+ xss_attempt = ""
+
+ allow(resource).to receive(:source_branch) { xss_attempt }
+ allow(resource).to receive(:source_branch_exists?) { false }
+
+ is_expected.to eq(ERB::Util.html_escape(xss_attempt))
+ end
 end
 
 describe '#rebase_path' do
--
cgit v1.2.1
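Review bot: As rendered here, `xss_attempt` is the empty string, so `ERB::Util.html_escape(xss_attempt)` equals its input and the new example would pass even if the presenter performed no escaping at all. If the markup inside that literal was stripped when this page was rendered, disregard; otherwise the fixture needs a value that `html_escape` actually transforms, e.g. `xss_attempt = "<b>branch</b>"` (constructed sample), so that a regression to unescaped output fails the spec. The example also exercises only the path where `source_branch_exists?` is false; the existing-branch path whose assertion forms the context at the top of this hunk is not visible here, but if it renders the branch name inside a link an equivalent escaping example there would make the fix complete. The enclosing `describe` block starts outside the hunk.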