Fix XSS in resolve conflicts form

The issue arose when the branch name contained Vue template
JavaScript. The fix is to use `v-pre` which disables Vue
compilation in a template.
parent 2f25e436
......@@ -6,7 +6,7 @@
.form-group.row
.col-md-4
%h4= _('Resolve conflicts on source branch')
.resolve-info
.resolve-info{ "v-pre": true }
= translation.html_safe
.col-md-8
%label.label-bold{ "for" => "commit-message" }
......
---
title: Fix XSS in resolve conflicts form
merge_request:
author:
type: security
......@@ -164,6 +164,21 @@ describe 'Merge request > User resolves conflicts', :js do
expect(page).to have_content('Gregor Samsa woke from troubled dreams')
end
end
context "with malicious branch name" do
let(:bad_branch_name) { "malicious-branch-{{toString.constructor('alert(/xss/)')()}}" }
let(:branch) { project.repository.create_branch(bad_branch_name, 'conflict-resolvable') }
let(:merge_request) { create_merge_request(branch.name) }
before do
visit project_merge_request_path(project, merge_request)
click_link('conflicts', href: %r{/conflicts\Z})
end
it "renders bad name without xss issues" do
expect(find('.resolve-conflicts-form .resolve-info')).to have_content(bad_branch_name)
end
end
end
UNRESOLVABLE_CONFLICTS = {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment