authorAlejandro Rodriguez <alejandro@gitlab.com>2016-10-22 01:35:49 +0300
committerAlejandro Rodríguez <alejorro70@gmail.com>2016-10-22 01:57:43 +0300
commiteb54c711a0c43f768cd46aa2cc1b00f9a9c9a078 (patch)
tree26196884d2a2ffaea147688bcc1aa32f7dbcf4a4
parent0aed998d961e24c3a24de8208b1c111315eaa82c (diff)
Merge branch 'markdown-xss-fix-option-2' into 'security'
Don't autolink unsafe protocols. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/23153. See merge request !2013
-rw-r--r--lib/banzai/filter/autolink_filter.rb13
-rw-r--r--spec/lib/banzai/filter/autolink_filter_spec.rb22
2 files changed, 35 insertions, 0 deletions
diff --git a/lib/banzai/filter/autolink_filter.rb b/lib/banzai/filter/autolink_filter.rb
index 799b83b1069..f076d59d259 100644
--- a/lib/banzai/filter/autolink_filter.rb
+++ b/lib/banzai/filter/autolink_filter.rb
@@ -71,6 +71,11 @@ module Banzai
@doc = parse_html(rinku)
end
+ # Return true if any of the UNSAFE_PROTOCOLS strings are included in the URI scheme
+ def contains_unsafe?(scheme)
+ Banzai::Filter::SanitizationFilter::UNSAFE_PROTOCOLS.any? { |protocol| scheme.include?(protocol) }
+ end
+
# Autolinks any text matching LINK_PATTERN that Rinku didn't already
# replace
def text_parse
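Review bot: `contains_unsafe?` raises NoMethodError when `scheme` is nil, because `nil` does not respond to `include?`; its only caller in the next hunk guards the `strip.downcase` with `if uri.scheme` but then passes the possibly-nil scheme straight in, and the surrounding `rescue` catches only `Addressable::URI::InvalidURIError`, so a nil scheme would abort the whole filter run instead of skipping the node. Whether Addressable can return a nil scheme for text that still matched LINK_PATTERN depends on what `content` holds (text_parse's loop is outside the hunk), but the predicate is cheap to make nil-safe without touching the caller: `Banzai::Filter::SanitizationFilter::UNSAFE_PROTOCOLS.any? { |protocol| scheme.to_s.include?(protocol) }`. The header comment should then also state `# Returns false for a nil scheme.`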
@@ -79,6 +84,14 @@ module Banzai
next unless content.match(LINK_PATTERN)
+ begin
+ uri = Addressable::URI.parse(content)
+ uri.scheme = uri.scheme.strip.downcase if uri.scheme
+ next if contains_unsafe?(uri.scheme)
+ rescue Addressable::URI::InvalidURIError
+ next
+ end
+
html = autolink_filter(content)
next if html == content
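Review bot: The unsafe-scheme check runs on `content` as a whole, the same string that `content.match(LINK_PATTERN)` tested and that `autolink_filter(content)` rewrites, so the scheme Addressable extracts is whatever precedes the first `:` in that string rather than the scheme of each link that autolink_filter will replace. If `content` can hold more than one LINK_PATTERN match (the enclosing loop in text_parse starts outside the hunk, so this is inferred), a single decision for the whole string means one link's scheme decides for all of them, and a skipped node also loses any safe links it contained. Moving the parse-and-check into the per-match replacement inside `autolink_filter` (its body is outside the hunk) validates each link on its own scheme; the `begin`/`rescue` block added here would then go, and `next if html == content` stays as is.
```ruby
# Returns true when this one matched link has an unsafe or unparsable scheme.
# Called for each LINK_PATTERN match inside autolink_filter.
def unsafe_link?(match)
  uri = Addressable::URI.parse(match)
  uri.scheme = uri.scheme.strip.downcase if uri.scheme
  contains_unsafe?(uri.scheme)
rescue Addressable::URI::InvalidURIError
  true
end
```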
diff --git a/spec/lib/banzai/filter/autolink_filter_spec.rb b/spec/lib/banzai/filter/autolink_filter_spec.rb
index dca7f997570..6d3dd49e780 100644
--- a/spec/lib/banzai/filter/autolink_filter_spec.rb
+++ b/spec/lib/banzai/filter/autolink_filter_spec.rb
@@ -99,6 +99,28 @@ describe Banzai::Filter::AutolinkFilter, lib: true do
expect(doc.at_css('a')['href']).to eq link
end
+ it 'autolinks rdar' do
+ link = 'rdar://localhost.com/blah'
+ doc = filter("See #{link}")
+
+ expect(doc.at_css('a').text).to eq link
+ expect(doc.at_css('a')['href']).to eq link
+ end
+
+ it 'does not autolink javascript' do
+ link = 'javascript://alert(document.cookie);'
+ doc = filter("See #{link}")
+
+ expect(doc.to_s).not_to include('href="javascript://')
+ end
+
+ it 'does not autolink bad URLs' do
+ link = 'foo://23423:::asdf'
+ doc = filter("See #{link}")
+
+ expect(doc.to_s).to eq("See #{link}")
+ end
+
it 'does not include trailing punctuation' do
doc = filter("See #{link}.")
expect(doc.at_css('a').text).to eq link