Merge branch 'fix_maintenance_mode_message' into 'master'

Sanitize custom maintenance mode message See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/139266 Merged-by: Kerri Miller <kerrizor@kerrizor.com> Approved-by: Kerri Miller <kerrizor@kerrizor.com> Approved-by: Kevin Morrison <kmorrison@gitlab.com> Approved-by: mo khan <mo@mokhan.ca> Reviewed-by: mo khan <mo@mokhan.ca> Co-authored-by: Thomas Hutterer <thutterer@gitlab.com>

Merge branch 'fix_maintenance_mode_message' into 'master'
69645dae · Kerri Miller · 296e9ed2 · 06161453 · 69645dae · 69645dae
--- a/ee/app/helpers/ee/application_helper.rb
+++ b/ee/app/helpers/ee/application_helper.rb
@@ -108,7 +108,7 @@ def show_last_push_widget?(event)
    private

    def custom_maintenance_mode_message
-      ::Gitlab::CurrentSettings.maintenance_mode_message&.html_safe ||
+      sanitize(::Gitlab::CurrentSettings.maintenance_mode_message) ||
        _('GitLab is undergoing maintenance')
    end


--- a/ee/spec/helpers/application_helper_spec.rb
+++ b/ee/spec/helpers/application_helper_spec.rb
@@ -30,11 +30,25 @@
            expect(helper.read_only_message).to match(default_maintenance_mode_message)
          end

-          it 'returns user set custom maintenance mode message' do
-            custom_message = 'Maintenance window ends at 00:00.'
-            stub_application_setting(maintenance_mode_message: custom_message)
+          context 'with user set custom maintenance mode message' do
+            before do
+              stub_application_setting(maintenance_mode_message: custom_message)
+            end

-            expect(helper.read_only_message).to match(/#{custom_message}/)
+            let(:custom_message) { 'Maintenance window ends at 00:00.' }
+
+            it 'returns the custom message' do
+              expect(helper.read_only_message).to match(/#{custom_message}/)
+            end
+
+            context 'with XSS injection' do
+              let(:custom_message) { 'Hi <script>alert("XSS")</script>' }
+
+              it 'sanitizes the custom message' do
+                expect(helper.read_only_message).to match(/Hi alert/)
+                expect(helper.read_only_message).not_to match(/script/)
+              end
+            end
          end
        end