diff options
author | Douwe Maan <douwe@gitlab.com> | 2017-09-27 12:18:32 +0300 |
---|---|---|
committer | Stan Hu <stanhu@gmail.com> | 2017-10-16 07:51:44 +0300 |
commit | 59948731d65fbb9cac116d6a3d57207a2bb81794 (patch) | |
tree | 33400eaac81421f2ed14867a31a7ae6f2ca313d6 /lib | |
parent | e4884d9d2b4bd540e60d32a012a90ff6c21ba17c (diff) |
Merge branch 'rs-sanitize-unicode-in-protocol' into 'security-10-0'
[10.0] Prevent a persistent XSS in user-provided markup
See merge request gitlab/gitlabhq!2199
Diffstat (limited to 'lib')
-rw-r--r-- | lib/banzai/filter/sanitization_filter.rb | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/lib/banzai/filter/sanitization_filter.rb b/lib/banzai/filter/sanitization_filter.rb index d8c8deea628..6786b9d07b6 100644 --- a/lib/banzai/filter/sanitization_filter.rb +++ b/lib/banzai/filter/sanitization_filter.rb @@ -75,9 +75,19 @@ module Banzai begin node['href'] = node['href'].strip uri = Addressable::URI.parse(node['href']) - uri.scheme = uri.scheme.downcase if uri.scheme - node.remove_attribute('href') if UNSAFE_PROTOCOLS.include?(uri.scheme) + return unless uri.scheme + + # Remove all invalid scheme characters before checking against the + # list of unsafe protocols. + # + # See https://tools.ietf.org/html/rfc3986#section-3.1 + scheme = uri.scheme + .strip + .downcase + .gsub(/[^A-Za-z0-9\+\.\-]+/, '') + + node.remove_attribute('href') if UNSAFE_PROTOCOLS.include?(scheme) rescue Addressable::URI::InvalidURIError node.remove_attribute('href') end |