Fix XSS in resolve conflicts form

The issue arose when the branch name contained Vue template JavaScript. The fix is to use `v-pre` which disables Vue compilation in a template.

Fix XSS in resolve conflicts form
a0eceee8 · Paul Slaughter · 34ee2590 · a0eceee8 · a0eceee8 · a0eceee8
Unverified Commit a0eceee8 authored 6 years ago by Paul Slaughter
--- a/app/views/projects/merge_requests/conflicts/_submit_form.html.haml
+++ b/app/views/projects/merge_requests/conflicts/_submit_form.html.haml
@@ -6,7 +6,7 @@
  .form-group.row
    .col-md-4
      %h4= _('Resolve conflicts on source branch')
-      .resolve-info
+      .resolve-info{ "v-pre": true }
        = translation.html_safe
    .col-md-8
      %label.label-bold{ "for" => "commit-message" }

--- a/changelogs/unreleased/security-56927-xss-resolve-conflicts-branch-name.yml
+++ b/changelogs/unreleased/security-56927-xss-resolve-conflicts-branch-name.yml
+---
+title: Fix XSS in resolve conflicts form
+merge_request:
+author:
+type: security
--- a/spec/features/merge_request/user_resolves_conflicts_spec.rb
+++ b/spec/features/merge_request/user_resolves_conflicts_spec.rb
@@ -162,6 +162,21 @@ describe 'Merge request > User resolves conflicts', :js do
        expect(page).to have_content('Gregor Samsa woke from troubled dreams')
      end
    end
+
+    context "with malicious branch name" do
+      let(:bad_branch_name) { "malicious-branch-{{toString.constructor('alert(/xss/)')()}}" }
+      let(:branch) { project.repository.create_branch(bad_branch_name, 'conflict-resolvable') }
+      let(:merge_request) { create_merge_request(branch.name) }
+
+      before do
+        visit project_merge_request_path(project, merge_request)
+        click_link('conflicts', href: %r{/conflicts\Z})
+      end
+
+      it "renders bad name without xss issues" do
+        expect(find('.resolve-conflicts-form .resolve-info')).to have_content(bad_branch_name)
+      end
+    end
  end
  
  UNRESOLVABLE_CONFLICTS = {