Merge branch 'security-xss-mermaid-12-1' into '12-1-stable'

Gitlab XSS in markdown preview page See merge request gitlab/gitlabhq!3400

Merge branch 'security-xss-mermaid-12-1' into '12-1-stable'
Gitlab XSS in markdown preview page See merge request gitlab/gitlabhq!3400
65a022ad · GitLab Release Tools Bot · 254b09ef · 22af7220 · 65a022ad · 65a022ad
5 changed file
--- a/app/assets/javascripts/behaviors/markdown/render_mermaid.js
+++ b/app/assets/javascripts/behaviors/markdown/render_mermaid.js
@@ -33,6 +33,7 @@ export default function renderMermaid($els) {
        flowchart: {
          htmlLabels: false,
        },
+        securityLevel: 'strict',
      });

      let renderedChars = 0;

--- a/changelogs/unreleased/security-xss-mermaid-12-1.yml
+++ b/changelogs/unreleased/security-xss-mermaid-12-1.yml
+---
+title: Upgrade mermaid to prevent XSS
+merge_request:
+author:
+type: security
--- a/package.json
+++ b/package.json
@@ -96,7 +96,7 @@
    "jszip-utils": "^0.0.2",
    "katex": "^0.10.0",
    "marked": "^0.3.12",
-    "mermaid": "^8.1.0",
+    "mermaid": "^8.2.3",
    "monaco-editor": "^0.15.6",
    "monaco-editor-webpack-plugin": "^1.7.0",
    "mousetrap": "^1.4.6",
@@ -138,7 +138,7 @@
    "vue-virtual-scroll-list": "^1.3.1",
    "vuex": "^3.1.0",
    "webpack": "^4.29.0",
-    "webpack-bundle-analyzer": "^3.0.3",
+    "webpack-bundle-analyzer": "^3.3.2",
    "webpack-cli": "^3.2.1",
    "webpack-stats-plugin": "^0.2.1",
    "worker-loader": "^2.0.0",

--- a/spec/features/issues/user_comments_on_issue_spec.rb
+++ b/spec/features/issues/user_comments_on_issue_spec.rb
@@ -41,16 +41,17 @@ describe "User comments on issue", :js do
      expect(page.find('pre code').text).to eq code_block_content
    end

-    it "does not render html content in mermaid" do
+    it "renders escaped HTML content in Mermaid" do
      html_content = "<img onerror=location=`javascript\\u003aalert\\u0028document.domain\\u0029` src=x>"
      mermaid_content = "graph LR\n  B-->D(#{html_content});"
+      escaped_content = CGI.escapeHTML(html_content).gsub('=', "&equals;")
      comment = "```mermaid\n#{mermaid_content}\n```"

      add_note(comment)

      wait_for_requests

-      expect(page.find('svg.mermaid')).to have_content html_content
+      expect(page.find('svg.mermaid')).to have_content escaped_content
    end
  end


--- a/yarn.lock
+++ b/yarn.lock