authorDouwe Maan <douwe@gitlab.com>2017-09-27 12:18:32 +0300
committerRobert Speicher <rspeicher@gmail.com>2017-10-11 16:54:20 +0300
commit517c49dd4ec503e952d8cd24fa6ad72cc695bfbb (patch)
treef021db708258ce158d27eb3a832630e199384875
parent1123942fce9590bfa1a0f21f078020e342ec1223 (diff)
Merge branch 'rs-sanitize-unicode-in-protocol' into 'security-10-0'
[10.0] Prevent a persistent XSS in user-provided markup. See merge request gitlab/gitlabhq!2199
-rw-r--r--changelogs/unreleased/rs-sanitize-unicode-in-protocol.yml5
-rw-r--r--lib/banzai/filter/sanitization_filter.rb14
-rw-r--r--spec/lib/banzai/filter/sanitization_filter_spec.rb5
3 files changed, 22 insertions, 2 deletions
diff --git a/changelogs/unreleased/rs-sanitize-unicode-in-protocol.yml b/changelogs/unreleased/rs-sanitize-unicode-in-protocol.yml
new file mode 100644
index 00000000000..093c99943e2
--- /dev/null
+++ b/changelogs/unreleased/rs-sanitize-unicode-in-protocol.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent a persistent XSS in user-provided markup
+merge_request:
+author:
+type: security
diff --git a/lib/banzai/filter/sanitization_filter.rb b/lib/banzai/filter/sanitization_filter.rb
index 88b17e12576..6735a346598 100644
--- a/lib/banzai/filter/sanitization_filter.rb
+++ b/lib/banzai/filter/sanitization_filter.rb
@@ -74,9 +74,19 @@ module Banzai
begin
uri = Addressable::URI.parse(node['href'])
- uri.scheme = uri.scheme.strip.downcase if uri.scheme
- node.remove_attribute('href') if UNSAFE_PROTOCOLS.include?(uri.scheme)
+ return unless uri.scheme
+
+ # Remove all invalid scheme characters before checking against the
+ # list of unsafe protocols.
+ #
+ # See https://tools.ietf.org/html/rfc3986#section-3.1
+ scheme = uri.scheme
+ .strip
+ .downcase
+ .gsub(/[^A-Za-z0-9\+\.\-]+/, '')
+
+ node.remove_attribute('href') if UNSAFE_PROTOCOLS.include?(scheme)
rescue Addressable::URI::InvalidURIError
node.remove_attribute('href')
end
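Review bot: The normalized `scheme` is used only for the denylist lookup on the last added line, so an href whose scheme needed characters stripped but does not normalize to an `UNSAFE_PROTOCOLS` entry is kept verbatim, with its invalid characters; that leaves the filter dependent on the denylist naming every scheme a browser might normalize into. Since RFC 3986 permits no such characters in a scheme, a stricter and simpler rule is to drop the attribute whenever normalization changed anything, e.g. `node.remove_attribute('href') if scheme != uri.scheme.strip.downcase || UNSAFE_PROTOCOLS.include?(scheme)`, at the cost of also dropping malformed-but-harmless links. Separately, the new `return unless uri.scheme` sits inside a block whose header is outside this hunk: if that block is a `lambda`, `return` leaves only the lambda, but with a plain `proc` or `do` block it would leave the enclosing method, so it is worth confirming against the definition. A minor style point: the escapes in `[^A-Za-z0-9\+\.\-]` are unnecessary inside a character class (`[^A-Za-z0-9+.-]`), and after `.downcase` the `A-Z` range can never match.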
diff --git a/spec/lib/banzai/filter/sanitization_filter_spec.rb b/spec/lib/banzai/filter/sanitization_filter_spec.rb
index 5f41e28fece..17a620ef603 100644
--- a/spec/lib/banzai/filter/sanitization_filter_spec.rb
+++ b/spec/lib/banzai/filter/sanitization_filter_spec.rb
@@ -217,6 +217,11 @@ describe Banzai::Filter::SanitizationFilter do
output: '<img>'
},
+ 'protocol-based JS injection: Unicode' => {
+ input: %Q(<a href="\u0001java\u0003script:alert('XSS')">foo</a>),
+ output: '<a>foo</a>'
+ },
+
'protocol-based JS injection: spaces and entities' => {
input: '<a href=" &#14; javascript:alert(\'XSS\');">foo</a>',
output: '<a href="">foo</a>'