diff options
author | Mario de la Ossa <mdelaossa@gitlab.com> | 2019-06-18 23:01:17 +0300 |
---|---|---|
committer | Mario de la Ossa <mdelaossa@gitlab.com> | 2019-06-18 23:01:17 +0300 |
commit | 82cdee2b7bfc004dba6c7ff45688145ba0a47983 (patch) | |
tree | e18b7e31fa5f1622e5b169eb0b95cc69d3a01d28 | |
parent | f41d39f97288d17e0d88a60e61c1b046bd12aa66 (diff) |
Fix DOS when rendering issue/MR comments
-rw-r--r-- | changelogs/unreleased/security-DOS_issue_comments_banzai.yml | 5 | ||||
-rw-r--r-- | lib/banzai/filter/relative_link_filter.rb | 2 | ||||
-rw-r--r-- | spec/lib/banzai/filter/relative_link_filter_spec.rb | 6 |
3 files changed, 12 insertions, 1 deletions
diff --git a/changelogs/unreleased/security-DOS_issue_comments_banzai.yml b/changelogs/unreleased/security-DOS_issue_comments_banzai.yml new file mode 100644 index 00000000000..2405b1a4f5f --- /dev/null +++ b/changelogs/unreleased/security-DOS_issue_comments_banzai.yml @@ -0,0 +1,5 @@ +--- +title: Fix Denial of Service for comments when rendering issues/MR comments +merge_request: +author: +type: security diff --git a/lib/banzai/filter/relative_link_filter.rb b/lib/banzai/filter/relative_link_filter.rb index 199b3533cf4..cdf97e75491 100644 --- a/lib/banzai/filter/relative_link_filter.rb +++ b/lib/banzai/filter/relative_link_filter.rb @@ -100,7 +100,7 @@ module Banzai end def relative_file_path(uri) - path = Addressable::URI.unescape(uri.path) + path = Addressable::URI.unescape(uri.path).delete("\0") request_path = Addressable::URI.unescape(context[:requested_path]) nested_path = build_relative_path(path, request_path) file_exists?(nested_path) ? nested_path : path diff --git a/spec/lib/banzai/filter/relative_link_filter_spec.rb b/spec/lib/banzai/filter/relative_link_filter_spec.rb index dad0a5535c0..f49c4e3586c 100644 --- a/spec/lib/banzai/filter/relative_link_filter_spec.rb +++ b/spec/lib/banzai/filter/relative_link_filter_spec.rb @@ -83,6 +83,12 @@ describe Banzai::Filter::RelativeLinkFilter do expect { filter(act) }.not_to raise_error end + + it 'does not explode with an escaped null byte' do + act = link("/%00") + expect { filter(act) }.not_to raise_error + end + it 'does not raise an exception with a space in the path' do act = link("/uploads/d18213acd3732630991986120e167e3d/Landscape_8.jpg \nBut here's some more unexpected text :smile:)") expect { filter(act) }.not_to raise_error |