diff options
author | Douwe Maan <douwe@gitlab.com> | 2016-11-07 19:27:35 +0300 |
---|---|---|
committer | Rémy Coutable <remy@rymai.me> | 2016-11-09 14:26:44 +0300 |
commit | a14ee68fe4815d2906ece670bcc333303fd3c816 (patch) | |
tree | bf472312b78036d29fe47476822c938d6c311173 /lib/banzai | |
parent | bf061d0aff091a73611037b811cea2d3380962f4 (diff) |
Merge branch 'markdown-xss-fix-option-2.1' into 'security'
Fix for HackerOne XSS vulnerability in markdown
This is an updated blacklist patch to fix https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2007. No text is removed. Dangerous schemes/protocols and invalid URIs are left intact but not linked.
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23153
See merge request !2015
Signed-off-by: Rémy Coutable <remy@rymai.me>
Diffstat (limited to 'lib/banzai')
-rw-r--r-- | lib/banzai/filter/autolink_filter.rb | 38 |
1 files changed, 28 insertions, 10 deletions
diff --git a/lib/banzai/filter/autolink_filter.rb b/lib/banzai/filter/autolink_filter.rb index 799b83b1069..80c844baecd 100644 --- a/lib/banzai/filter/autolink_filter.rb +++ b/lib/banzai/filter/autolink_filter.rb @@ -71,6 +71,14 @@ module Banzai @doc = parse_html(rinku) end + # Return true if any of the UNSAFE_PROTOCOLS strings are included in the URI scheme + def contains_unsafe?(scheme) + return false unless scheme + + scheme = scheme.strip.downcase + Banzai::Filter::SanitizationFilter::UNSAFE_PROTOCOLS.any? { |protocol| scheme.include?(protocol) } + end + # Autolinks any text matching LINK_PATTERN that Rinku didn't already # replace def text_parse @@ -89,17 +97,27 @@ module Banzai doc end - def autolink_filter(text) - text.gsub(LINK_PATTERN) do |match| - # Remove any trailing HTML entities and store them for appending - # outside the link element. The entity must be marked HTML safe in - # order to be output literally rather than escaped. - match.gsub!(/((?:&[\w#]+;)+)\z/, '') - dropped = ($1 || '').html_safe - - options = link_options.merge(href: match) - content_tag(:a, match, options) + dropped + def autolink_match(match) + # start by stripping out dangerous links + begin + uri = Addressable::URI.parse(match) + return match if contains_unsafe?(uri.scheme) + rescue Addressable::URI::InvalidURIError + return match end + + # Remove any trailing HTML entities and store them for appending + # outside the link element. The entity must be marked HTML safe in + # order to be output literally rather than escaped. + match.gsub!(/((?:&[\w#]+;)+)\z/, '') + dropped = ($1 || '').html_safe + + options = link_options.merge(href: match) + content_tag(:a, match, options) + dropped + end + + def autolink_filter(text) + text.gsub(LINK_PATTERN) { |match| autolink_match(match) } end def link_options |