diff options
author | Marin Jankovski <marin@gitlab.com> | 2019-07-02 09:22:45 +0300 |
---|---|---|
committer | Marin Jankovski <marin@gitlab.com> | 2019-07-02 09:22:45 +0300 |
commit | 23dedd53a73a01429c0a5c99414548694f1fab0b (patch) | |
tree | 02bf23c4d0469afa63c8155e7fe386e2595f007a | |
parent | 7eae0e9b529c5fb28b30857c06cd004dc5ebd74e (diff) | |
parent | ef5fdd3f3c7e46c9c051af094e5472fbe5f0af22 (diff) |
Merge branch 'security-DOS_issue_comments_banzai' into 'master'
Fix DOS when rendering issue/MR comments
See merge request gitlab/gitlabhq!3152
-rw-r--r-- | changelogs/unreleased/security-DOS_issue_comments_banzai.yml | 5 | ||||
-rw-r--r-- | lib/banzai/filter/relative_link_filter.rb | 2 | ||||
-rw-r--r-- | spec/lib/banzai/filter/relative_link_filter_spec.rb | 5 |
3 files changed, 11 insertions, 1 deletions
diff --git a/changelogs/unreleased/security-DOS_issue_comments_banzai.yml b/changelogs/unreleased/security-DOS_issue_comments_banzai.yml new file mode 100644 index 00000000000..2405b1a4f5f --- /dev/null +++ b/changelogs/unreleased/security-DOS_issue_comments_banzai.yml @@ -0,0 +1,5 @@ +--- +title: Fix Denial of Service for comments when rendering issues/MR comments +merge_request: +author: +type: security diff --git a/lib/banzai/filter/relative_link_filter.rb b/lib/banzai/filter/relative_link_filter.rb index 80c84c0f622..bf84d7cddae 100644 --- a/lib/banzai/filter/relative_link_filter.rb +++ b/lib/banzai/filter/relative_link_filter.rb @@ -102,7 +102,7 @@ module Banzai end def relative_file_path(uri) - path = Addressable::URI.unescape(uri.path) + path = Addressable::URI.unescape(uri.path).delete("\0") request_path = Addressable::URI.unescape(context[:requested_path]) nested_path = build_relative_path(path, request_path) file_exists?(nested_path) ? nested_path : path diff --git a/spec/lib/banzai/filter/relative_link_filter_spec.rb b/spec/lib/banzai/filter/relative_link_filter_spec.rb index 8ff971114d6..a714fa50f5f 100644 --- a/spec/lib/banzai/filter/relative_link_filter_spec.rb +++ b/spec/lib/banzai/filter/relative_link_filter_spec.rb @@ -83,6 +83,11 @@ describe Banzai::Filter::RelativeLinkFilter do expect { filter(act) }.not_to raise_error end + it 'does not explode with an escaped null byte' do + act = link("/%00") + expect { filter(act) }.not_to raise_error + end + it 'does not raise an exception with a space in the path' do act = link("/uploads/d18213acd3732630991986120e167e3d/Landscape_8.jpg \nBut here's some more unexpected text :smile:)") expect { filter(act) }.not_to raise_error |