Use Lodash `escape` as a small security enhancement
What does this MR do and why?
There is one place that the user's username is used in the users_select code.
This MR uses Lodash's escape to prevent any potentially manipulative content from being rendered directly into the UI.
Caveats
- `username` should never have dangerous content, because saving it isn't possible with any special characters
- All the rest of the data is either already passed through `escape` or `<%- %>` (which itself uses `escape`).
Bottom Line
There's no security issue here as far as I can tell, but I'm adding escape to the one place that doesn't seem to be escaped on the off chance that a username somehow has malicious content.
This is a "maybe we can protect against a future mistake" addition.
Screenshots or screen recordings
There's no UI change with this MR.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Thomas Randolph
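An added illustration of the escaping paths the description mentions; it is not code from this MR or from GitLab. `escapeHtml` is a stand-in that mirrors the five characters Lodash's `escape` converts, `render` is a minimal model of the `<%- %>` (escaped) and `<%= %>` (raw) template delimiters, and `userRow` plus the sample user are hypothetical.

```javascript
// Stand-in for Lodash's _.escape: the same five characters and entities.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  // null/undefined become an empty string, as with _.escape
  return String(value ?? '').replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Minimal model of the two Lodash-template interpolation delimiters:
//   <%- key %> inserts the value HTML-escaped
//   <%= key %> inserts the value as-is
function render(template, data) {
  return template.replace(/<%([-=])\s*(\w+)\s*%>/g, (_match, kind, key) => {
    const value = data[key];
    return kind === '-' ? escapeHtml(value) : String(value ?? '');
  });
}

// Hypothetical row builder using string concatenation: the case where no
// template delimiter does the escaping, so each value is escaped by hand.
function userRow(user) {
  return (
    '<li data-username="' + escapeHtml(user.username) + '">' +
    escapeHtml(user.name) +
    '</li>'
  );
}

// Constructed sample: a username that should never pass validation,
// used to show what each path would emit if one ever did.
const sample = { name: 'Tom & "Co"', username: 'x"><b>' };

console.log(render('<%- username %>', sample)); // escaped path
console.log(render('<%= username %>', sample)); // raw path
console.log(userRow(sample));                   // manual escape path
```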