From c21dfec24cfcf93f0ac06c1b9a08afad1824e41f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miquel=20Sabat=C3=A9=20Sol=C3=A0?= <msabate@suse.com>
Date: Tue, 19 Sep 2017 16:56:44 +0200
Subject: [PATCH] Mitigate a possible XSS attack on typeahead
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Thanks Ricardo Sánchez for reporting!
Signed-off-by: Miquel Sabaté Solà <msabate@suse.com>
---
app/controllers/namespaces_controller.rb | 2 +-
app/controllers/teams_controller.rb | 4 ++--
spec/controllers/namespaces_controller_spec.rb | 12 ++++++++++++
3 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/app/controllers/namespaces_controller.rb b/app/controllers/namespaces_controller.rb
index 408d0407..27e56027 100644
--- a/app/controllers/namespaces_controller.rb
+++ b/app/controllers/namespaces_controller.rb
@@ -76,7 +76,7 @@ def typeahead
@query = params[:query]
valid_teams = TeamUser.get_valid_team_ids(current_user.id)
matches = Team.search_from_query(valid_teams, "#{@query}%").pluck(:name)
- matches = matches.map { |team| { name: team } }
+ matches = matches.map { |team| { name: ActionController::Base.helpers.sanitize(team) } }
respond_to do |format|
format.json { render json: matches.to_json }
end
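Review bot: `sanitize` in the new `matches = matches.map { ... }` line is an allowlist HTML cleaner, not an escaper: it only helps if the typeahead front end injects `name` as HTML, it leaves tag-free payloads such as `" onmouseover=alert(1)` untouched (which matters if the client ever places the name in an attribute), and it rewrites legitimate names (a bare `&` or `<` may be entity-encoded or parsed as a tag), so the JSON no longer returns the stored team name and a later exact-match lookup on the selected value can fail. The durable fix is on the rendering side — have the typeahead template insert `name` as text and keep this endpoint returning raw names; if the server-side mitigation is kept, context-appropriate escaping `{ name: ERB::Util.html_escape(team) }` is the more predictable transform, and the trade-off deserves a comment such as `# names are HTML-escaped for the typeahead template; the escaped value is not the stored name`. How the client renders the response is not visible in this patch. `typeahead` starts outside the hunk.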
diff --git a/app/controllers/teams_controller.rb b/app/controllers/teams_controller.rb
index b3c24ae4..0471afbd 100644
--- a/app/controllers/teams_controller.rb
+++ b/app/controllers/teams_controller.rb
@@ -50,7 +50,7 @@ def typeahead
authorize @team
@query = params[:query]
matches = User.search_from_query(@team.member_ids, "#{@query}%").pluck(:username)
- matches = matches.map { |user| { name: user } }
+ matches = matches.map { |user| { name: ActionController::Base.helpers.sanitize(user) } }
respond_to do |format|
format.json { render json: matches.to_json }
end
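Review bot: The same `ActionController::Base.helpers.sanitize(...)` mapping now appears three times (here, in `all_with_query` below and in `NamespacesController#typeahead`), so the next name-returning JSON endpoint can easily miss the mitigation; extract it once in ApplicationController, e.g. `def sanitized_name_matches(names) names.map { |n| { name: helpers.sanitize(n) } } end`, and call `matches = sanitized_name_matches(matches)` on the new line. Inside a controller, `helpers.sanitize` or `view_context.sanitize` also reads better than reaching for `ActionController::Base.helpers`, though which of the two is available depends on the Rails version the app pins, which the patch does not show. `typeahead` starts outside the hunk.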
@@ -60,7 +60,7 @@ def typeahead
def all_with_query
query = "#{params[:query]}%"
teams = policy_scope(Team).where("name LIKE ?", query).pluck(:name)
- matches = teams.map { |t| { name: t } }
+ matches = teams.map { |t| { name: ActionController::Base.helpers.sanitize(t) } }
respond_to do |format|
format.json { render json: matches.to_json }
end
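Review bot: The value interpolated into the LIKE pattern on the `query =` line is not escaped for SQL wildcards, so a `%` or `_` in `params[:query]` acts as a wildcard (`%` alone lists every team in `policy_scope`); the `?` binding prevents injection but does not address this, and the commit leaves it as is. Use `query = "#{ActiveRecord::Base.sanitize_sql_like(params[:query].to_s)}%"` (available since Rails 4.2; `.to_s` keeps the current nil-tolerant behaviour). Whether `Team.search_from_query`, used by the other typeahead actions, already escapes its pattern is not visible here. The new `sanitize` call on the last changed line has the same limitations as in `typeahead` above, and `all_with_query` continues past the hunk.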
diff --git a/spec/controllers/namespaces_controller_spec.rb b/spec/controllers/namespaces_controller_spec.rb
index 811ddec5..39de7bbd 100644
--- a/spec/controllers/namespaces_controller_spec.rb
+++ b/spec/controllers/namespaces_controller_spec.rb
@@ -349,6 +349,7 @@
describe "typeahead" do
render_views
+
it "does allow to search for valid teams by owner" do
testing_team = create(:team, name: "testing", owners: [owner])
sign_in owner
@@ -367,6 +368,17 @@
teamnames = JSON.parse(response.body)
expect(teamnames.length).to eq(0)
end
+
+ it "prevents XSS attacks" do
+ create(:team, name: "<script>alert(1)</script>", owners: [owner])
+
+ sign_in owner
+ get :typeahead, query: "<", format: "json"
+ expect(response.status).to eq(200)
+ teamnames = JSON.parse(response.body)
+
+ expect(teamnames[0]["name"]).to eq("alert(1)")
+ end
end
describe "activity tracking" do
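Review bot: The new spec pins only the `<script>` case, and by asserting `alert(1)` it documents that the tag body is kept rather than that the output is safe; add the other shapes the mitigation must handle plus a benign name so a regression in either direction is caught. For instance a team named `<img src=x onerror=alert(1)>` should come back without `onerror`, a tag-free name like `" onmouseover=alert(1)` is expected to pass through `sanitize` unchanged (worth asserting so the limitation is explicit), and a plain name such as `team-1` must be returned byte-for-byte. Whether a name containing a bare `&` survives unmodified depends on the sanitizer's entity handling, which the patch does not show; a case for it would surface a silent rename of real teams. The `describe "typeahead"` block ends inside the hunk, so the new examples belong before its closing `end`.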