Merge branch 'security-mermaid-xss-11-3' into 'security-11-3'

[11.3] Fix XSS in mermaid diagrams See merge request gitlab/gitlabhq!2640

Merge branch 'security-mermaid-xss-11-3' into 'security-11-3'
d0dadd3b · Steve Xuereb · 7e1abc38 · 0d64da48 · d0dadd3b · d0dadd3b
Commit d0dadd3b authored 6 years ago by Steve Xuereb
--- a/app/assets/javascripts/behaviors/markdown/render_mermaid.js
+++ b/app/assets/javascripts/behaviors/markdown/render_mermaid.js
@@ -25,6 +25,9 @@ export default function renderMermaid($els) {
      },
      // mermaidAPI options
      theme: 'neutral',
+      flowchart: {
+        htmlLabels: false,
+      },
    });
  
    $els.each((i, el) => {

--- a/changelogs/unreleased/security-mermaid-xss.yml
+++ b/changelogs/unreleased/security-mermaid-xss.yml
+---
+title: Configure mermaid to not render HTML content in diagrams
+merge_request:
+author:
+type: security
--- a/spec/features/issues/user_comments_on_issue_spec.rb
+++ b/spec/features/issues/user_comments_on_issue_spec.rb
@@ -40,6 +40,18 @@ describe "User comments on issue", :js do
  
      expect(page.find('pre code').text).to eq code_block_content
    end
+
+    it "does not render html content in mermaid" do
+      html_content = "<img onerror=location=`javascript\\u003aalert\\u0028document.domain\\u0029` src=x>"
+      mermaid_content = "graph LR\n  B-->D(#{html_content});"
+      comment = "```mermaid\n#{mermaid_content}\n```"
+
+      add_note(comment)
+
+      wait_for_requests
+
+      expect(page.find('svg.mermaid')).to have_content html_content
+    end
  end
  
  context "when editing comments" do

--- a/spec/features/markdown/mermaid_spec.rb
+++ b/spec/features/markdown/mermaid_spec.rb
@@ -18,7 +18,7 @@ describe 'Mermaid rendering', :js do
    visit project_issue_path(project, issue)
  
    %w[A B C D].each do |label|
-      expect(page).to have_selector('svg foreignObject', text: label)
+      expect(page).to have_selector('svg text', text: label)
    end
  end
 end