authorRobert Speicher <rspeicher@gmail.com>2021-01-20 22:34:23 +0300
committerRobert Speicher <rspeicher@gmail.com>2021-01-20 22:34:23 +0300
commit6438df3a1e0fb944485cebf07976160184697d72 (patch)
tree00b09bfd170e77ae9391b1a2f5a93ef6839f2597 /lib/banzai/filter
parent42bcd54d971da7ef2854b896a7b34f4ef8601067 (diff)
Add latest changes from gitlab-org/gitlab@13-8-stable-eev13.8.0-rc42
Diffstat (limited to 'lib/banzai/filter')
-rw-r--r--lib/banzai/filter/ascii_doc_sanitization_filter.rb38
-rw-r--r--lib/banzai/filter/asset_proxy_filter.rb10
-rw-r--r--lib/banzai/filter/base_sanitization_filter.rb34
-rw-r--r--lib/banzai/filter/broadcast_message_sanitization_filter.rb10
-rw-r--r--lib/banzai/filter/sanitization_filter.rb22
-rw-r--r--lib/banzai/filter/truncate_source_filter.rb13
6 files changed, 70 insertions, 57 deletions
diff --git a/lib/banzai/filter/ascii_doc_sanitization_filter.rb b/lib/banzai/filter/ascii_doc_sanitization_filter.rb
index 11762c3bfb4..67f5baf4635 100644
--- a/lib/banzai/filter/ascii_doc_sanitization_filter.rb
+++ b/lib/banzai/filter/ascii_doc_sanitization_filter.rb
@@ -27,7 +27,7 @@ module Banzai
TABLE_GRID_CLASSES = %w(grid-all grid-rows grid-cols grid-none).freeze
TABLE_STRIPES_CLASSES = %w(stripes-all stripes-odd stripes-even stripes-hover stripes-none).freeze
- ELEMENT_CLASSES_WHITELIST = {
+ ELEMENT_CLASSES_ALLOWLIST = {
span: %w(big small underline overline line-through).freeze,
div: ALIGNMENT_BUILTINS_CLASSES + ['admonitionblock'].freeze,
td: ['icon'].freeze,
@@ -38,35 +38,35 @@ module Banzai
table: TABLE_FRAME_CLASSES + TABLE_GRID_CLASSES + TABLE_STRIPES_CLASSES
}.freeze
- def customize_whitelist(whitelist)
+ def customize_allowlist(allowlist)
# Allow marks
- whitelist[:elements].push('mark')
+ allowlist[:elements].push('mark')
# Allow any classes in `span`, `i`, `div`, `td`, `ul`, `ol` and `a` elements
# but then remove any unknown classes
- whitelist[:attributes]['span'] = %w(class)
- whitelist[:attributes]['div'].push('class')
- whitelist[:attributes]['td'] = %w(class)
- whitelist[:attributes]['i'] = %w(class)
- whitelist[:attributes]['ul'] = %w(class)
- whitelist[:attributes]['ol'] = %w(class)
- whitelist[:attributes]['a'].push('class')
- whitelist[:attributes]['table'] = %w(class)
- whitelist[:transformers].push(self.class.remove_element_classes)
+ allowlist[:attributes]['span'] = %w(class)
+ allowlist[:attributes]['div'].push('class')
+ allowlist[:attributes]['td'] = %w(class)
+ allowlist[:attributes]['i'] = %w(class)
+ allowlist[:attributes]['ul'] = %w(class)
+ allowlist[:attributes]['ol'] = %w(class)
+ allowlist[:attributes]['a'].push('class')
+ allowlist[:attributes]['table'] = %w(class)
+ allowlist[:transformers].push(self.class.remove_element_classes)
# Allow `id` in anchor and footnote elements
- whitelist[:attributes]['a'].push('id')
- whitelist[:attributes]['div'].push('id')
+ allowlist[:attributes]['a'].push('id')
+ allowlist[:attributes]['div'].push('id')
# Allow `id` in heading elements for section anchors
SECTION_HEADINGS.each do |header|
- whitelist[:attributes][header] = %w(id)
+ allowlist[:attributes][header] = %w(id)
end
# Remove ids that are not explicitly allowed
- whitelist[:transformers].push(self.class.remove_disallowed_ids)
+ allowlist[:transformers].push(self.class.remove_disallowed_ids)
- whitelist
+ allowlist
end
class << self
@@ -91,11 +91,11 @@ module Banzai
lambda do |env|
node = env[:node]
- return unless (classes_whitelist = ELEMENT_CLASSES_WHITELIST[node.name.to_sym])
+ return unless (classes_allowlist = ELEMENT_CLASSES_ALLOWLIST[node.name.to_sym])
return unless node.has_attribute?('class')
classes = node['class'].strip.split(' ')
- allowed_classes = (classes & classes_whitelist)
+ allowed_classes = (classes & classes_allowlist)
if allowed_classes.empty?
node.remove_attribute('class')
else
diff --git a/lib/banzai/filter/asset_proxy_filter.rb b/lib/banzai/filter/asset_proxy_filter.rb
index 8acd3917d81..55dc426edaf 100644
--- a/lib/banzai/filter/asset_proxy_filter.rb
+++ b/lib/banzai/filter/asset_proxy_filter.rb
@@ -15,7 +15,7 @@ module Banzai
needs(:asset_proxy, :asset_proxy_secret_key) if asset_proxy_enabled?
end
- def asset_host_whitelisted?(host)
+ def asset_host_allowed?(host)
context[:asset_proxy_domain_regexp] ? context[:asset_proxy_domain_regexp].match?(host) : false
end
@@ -44,21 +44,21 @@ module Banzai
Gitlab.config.asset_proxy['enabled'] = application_settings.asset_proxy_enabled
Gitlab.config.asset_proxy['url'] = application_settings.asset_proxy_url
Gitlab.config.asset_proxy['secret_key'] = application_settings.asset_proxy_secret_key
- Gitlab.config.asset_proxy['whitelist'] = determine_whitelist(application_settings)
- Gitlab.config.asset_proxy['domain_regexp'] = compile_whitelist(Gitlab.config.asset_proxy.whitelist)
+ Gitlab.config.asset_proxy['allowlist'] = determine_allowlist(application_settings)
+ Gitlab.config.asset_proxy['domain_regexp'] = compile_allowlist(Gitlab.config.asset_proxy.allowlist)
else
Gitlab.config.asset_proxy['enabled'] = ::ApplicationSetting.defaults[:asset_proxy_enabled]
end
end
- def self.compile_whitelist(domain_list)
+ def self.compile_allowlist(domain_list)
return if domain_list.empty?
escaped = domain_list.map { |domain| Regexp.escape(domain).gsub('\*', '.*?') }
Regexp.new("^(#{escaped.join('|')})$", Regexp::IGNORECASE)
end
- def self.determine_whitelist(application_settings)
+ def self.determine_allowlist(application_settings)
application_settings.asset_proxy_whitelist.presence || [Gitlab.config.gitlab.host]
end
end
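Review bot: `compile_allowlist` anchors the host pattern with `^` and `$`, which in Ruby match at line boundaries rather than at the ends of the string; `\A` and `\z` are the full-string anchors, so the line would become `Regexp.new("\\A(#{escaped.join('|')})\\z", Regexp::IGNORECASE)`. Hosts reaching `asset_host_allowed?` presumably come from an already parsed URI and carry no newlines, so this is defensive hardening rather than a known bypass. Separately, `determine_allowlist` still reads `application_settings.asset_proxy_whitelist`; if that attribute name is deliberately kept for the stored setting, a comment such as `# the persisted setting keeps its legacy attribute name` above it would stop a later rename sweep from breaking it.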
diff --git a/lib/banzai/filter/base_sanitization_filter.rb b/lib/banzai/filter/base_sanitization_filter.rb
index 4f9e8cffd11..c63453f94ca 100644
--- a/lib/banzai/filter/base_sanitization_filter.rb
+++ b/lib/banzai/filter/base_sanitization_filter.rb
@@ -16,42 +16,42 @@ module Banzai
UNSAFE_PROTOCOLS = %w(data javascript vbscript).freeze
- def whitelist
- strong_memoize(:whitelist) do
- whitelist = super.deep_dup
+ def allowlist
+ strong_memoize(:allowlist) do
+ allowlist = super.deep_dup
# Allow span elements
- whitelist[:elements].push('span')
+ allowlist[:elements].push('span')
# Allow data-math-style attribute in order to support LaTeX formatting
- whitelist[:attributes]['code'] = %w(data-math-style)
- whitelist[:attributes]['pre'] = %w(data-math-style data-mermaid-style data-kroki-style)
+ allowlist[:attributes]['code'] = %w(data-math-style)
+ allowlist[:attributes]['pre'] = %w(data-math-style data-mermaid-style data-kroki-style)
# Allow html5 details/summary elements
- whitelist[:elements].push('details')
- whitelist[:elements].push('summary')
+ allowlist[:elements].push('details')
+ allowlist[:elements].push('summary')
# Allow abbr elements with title attribute
- whitelist[:elements].push('abbr')
- whitelist[:attributes]['abbr'] = %w(title)
+ allowlist[:elements].push('abbr')
+ allowlist[:attributes]['abbr'] = %w(title)
# Disallow `name` attribute globally, allow on `a`
- whitelist[:attributes][:all].delete('name')
- whitelist[:attributes]['a'].push('name')
+ allowlist[:attributes][:all].delete('name')
+ allowlist[:attributes]['a'].push('name')
# Allow any protocol in `a` elements
# and then remove links with unsafe protocols
- whitelist[:protocols].delete('a')
- whitelist[:transformers].push(self.class.method(:remove_unsafe_links))
+ allowlist[:protocols].delete('a')
+ allowlist[:transformers].push(self.class.method(:remove_unsafe_links))
# Remove `rel` attribute from `a` elements
- whitelist[:transformers].push(self.class.remove_rel)
+ allowlist[:transformers].push(self.class.remove_rel)
- customize_whitelist(whitelist)
+ customize_allowlist(allowlist)
end
end
- def customize_whitelist(whitelist)
+ def customize_allowlist(allowlist)
raise NotImplementedError
end
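Review bot: The renamed `allowlist` override only takes effect if the parent filter's `call` path now reads `allowlist` and `super` resolves to an `allowlist` method on `HTML::Pipeline::SanitizationFilter`; whether the html-pipeline version pinned in this repository provides that cannot be seen from this hunk. If the gem still consults `whitelist`, the customisations here (`remove_unsafe_links`, the `rel` stripping, the global `name` removal) are silently skipped and the gem's default rules apply instead. A spec that runs a `BaseSanitizationFilter` subclass over an anchor using one of the `UNSAFE_PROTOCOLS` and asserts the link is removed would pin this behaviour; the enclosing class continues outside the hunk.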
diff --git a/lib/banzai/filter/broadcast_message_sanitization_filter.rb b/lib/banzai/filter/broadcast_message_sanitization_filter.rb
index 042293170c8..183908d02a9 100644
--- a/lib/banzai/filter/broadcast_message_sanitization_filter.rb
+++ b/lib/banzai/filter/broadcast_message_sanitization_filter.rb
@@ -6,14 +6,14 @@ module Banzai
#
# Extends Banzai::Filter::BaseSanitizationFilter with specific rules.
class BroadcastMessageSanitizationFilter < Banzai::Filter::BaseSanitizationFilter
- def customize_whitelist(whitelist)
- whitelist[:elements].push('br')
+ def customize_allowlist(allowlist)
+ allowlist[:elements].push('br')
- whitelist[:attributes]['a'].push('class', 'style')
+ allowlist[:attributes]['a'].push('class', 'style')
- whitelist[:css] = { properties: %w(color border background padding margin text-decoration) }
+ allowlist[:css] = { properties: %w(color border background padding margin text-decoration) }
- whitelist
+ allowlist
end
end
end
diff --git a/lib/banzai/filter/sanitization_filter.rb b/lib/banzai/filter/sanitization_filter.rb
index f57e57890f8..f6314040f28 100644
--- a/lib/banzai/filter/sanitization_filter.rb
+++ b/lib/banzai/filter/sanitization_filter.rb
@@ -9,26 +9,26 @@ module Banzai
# Styles used by Markdown for table alignment
TABLE_ALIGNMENT_PATTERN = /text-align: (?<alignment>center|left|right)/.freeze
- def customize_whitelist(whitelist)
- # Allow table alignment; we whitelist specific text-align values in a
+ def customize_allowlist(allowlist)
+ # Allow table alignment; we allow specific text-align values in a
# transformer below
- whitelist[:attributes]['th'] = %w(style)
- whitelist[:attributes]['td'] = %w(style)
- whitelist[:css] = { properties: ['text-align'] }
+ allowlist[:attributes]['th'] = %w(style)
+ allowlist[:attributes]['td'] = %w(style)
+ allowlist[:css] = { properties: ['text-align'] }
# Allow the 'data-sourcepos' from CommonMark on all elements
- whitelist[:attributes][:all].push('data-sourcepos')
+ allowlist[:attributes][:all].push('data-sourcepos')
# Remove any `style` properties not required for table alignment
- whitelist[:transformers].push(self.class.remove_unsafe_table_style)
+ allowlist[:transformers].push(self.class.remove_unsafe_table_style)
# Allow `id` in a and li elements for footnotes
# and remove any `id` properties not matching for footnotes
- whitelist[:attributes]['a'].push('id')
- whitelist[:attributes]['li'] = %w(id)
- whitelist[:transformers].push(self.class.remove_non_footnote_ids)
+ allowlist[:attributes]['a'].push('id')
+ allowlist[:attributes]['li'] = %w(id)
+ allowlist[:transformers].push(self.class.remove_non_footnote_ids)
- whitelist
+ allowlist
end
class << self
diff --git a/lib/banzai/filter/truncate_source_filter.rb b/lib/banzai/filter/truncate_source_filter.rb
new file mode 100644
index 00000000000..c903b83d868
--- /dev/null
+++ b/lib/banzai/filter/truncate_source_filter.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Banzai
+ module Filter
+ class TruncateSourceFilter < HTML::Pipeline::TextFilter
+ def call
+ return text unless context.key?(:limit)
+
+ text.truncate_bytes(context[:limit])
+ end
+ end
+ end
+end
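Review bot: `TruncateSourceFilter` has no class comment, unlike the neighbouring filters; a header such as `# Truncates the pipeline's source text to context[:limit] bytes; returns the text unchanged when no limit is set.` would state the contract. The `context.key?(:limit)` guard lets a key that is present with a `nil` value through to `truncate_bytes(nil)`, which would raise; `return text unless context[:limit]` covers both cases. `truncate_bytes` appears to be ActiveSupport's `String#truncate_bytes`, which avoids splitting multibyte characters — worth stating in the comment, since byte-level truncation of Markdown source otherwise reads as an encoding risk.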