Merge branch 'rs-pick-security' into 'master'

Pick 10.4.3 fixes into master See merge request gitlab-org/gitlab-ce!17040
author: Stan Hu <stanhu@gmail.com> 2018-02-09 23:42:02 +0300
committer: Ian Baum <ibaum@gitlab.com> 2018-02-10 00:51:51 +0300
commit: 328eb762a9eb82ae59d8e63657af21256e126419 (patch)
tree: f2e5bc0a93d9f2cb4852dae6e2cc97e7993f6f9d /lib
parent: ef2698915bfac9048343bb78290269c70e7d84dd (diff)
3 files changed, 24 insertions, 14 deletions
diff --git a/lib/api/todos.rb b/lib/api/todos.rb
index ffccfebe752..c6dbcf84e3a 100644
--- a/lib/api/todos.rb
+++ b/lib/api/todos.rb
@@ -60,7 +60,7 @@ module API
       end
       post ':id/mark_as_done' do
         TodoService.new.mark_todos_as_done_by_ids(params[:id], current_user)
-        todo = Todo.find(params[:id])
+        todo = current_user.todos.find(params[:id])
 
         present todo, with: Entities::Todo, current_user: current_user
       end
diff --git a/lib/api/v3/todos.rb b/lib/api/v3/todos.rb
index 2f2cf259987..3e2c61f6dbd 100644
--- a/lib/api/v3/todos.rb
+++ b/lib/api/v3/todos.rb
@@ -12,7 +12,7 @@ module API
         end
         delete ':id' do
           TodoService.new.mark_todos_as_done_by_ids(params[:id], current_user)
-          todo = Todo.find(params[:id])
+          todo = current_user.todos.find(params[:id])
 
           present todo, with: ::API::Entities::Todo, current_user: current_user
         end
diff --git a/lib/banzai/filter/syntax_highlight_filter.rb b/lib/banzai/filter/syntax_highlight_filter.rb
index a79a0154846..0ac7e231b5b 100644
--- a/lib/banzai/filter/syntax_highlight_filter.rb
+++ b/lib/banzai/filter/syntax_highlight_filter.rb
@@ -14,23 +14,33 @@ module Banzai
       end
 
       def highlight_node(node)
-        code = node.text
         css_classes = 'code highlight js-syntax-highlight'
-        language = node.attr('lang')
+        lang = node.attr('lang')
+        retried = false
 
-        if use_rouge?(language)
-          lexer = lexer_for(language)
+        if use_rouge?(lang)
+          lexer = lexer_for(lang)
           language = lexer.tag
+        else
+          lexer = Rouge::Lexers::PlainText.new
+          language = lang
+        end
+
+        begin
+          code = Rouge::Formatters::HTMLGitlab.format(lex(lexer, node.text), tag: language)
+          css_classes << " #{language}" if language
+        rescue
+          # Gracefully handle syntax highlighter bugs/errors to ensure users can
+          # still access an issue/comment/etc. First, retry with the plain text
+          # filter. If that fails, then just skip this entirely, but that would
+          # be a pretty bad upstream bug.
+          return if retried
 
-          begin
-            code = Rouge::Formatters::HTMLGitlab.format(lex(lexer, code), tag: language)
-            css_classes << " #{language}"
-          rescue
-            # Gracefully handle syntax highlighter bugs/errors to ensure
-            # users can still access an issue/comment/etc.
+          language = nil
+          lexer = Rouge::Lexers::PlainText.new
+          retried = true
 
-            language = nil
-          end
+          retry
         end
 
         highlighted = %(<pre class="#{css_classes}" lang="#{language}" v-pre="true"><code>#{code}</code></pre>)
author	Stan Hu <stanhu@gmail.com>	2018-02-09 23:42:02 +0300
committer	Ian Baum <ibaum@gitlab.com>	2018-02-10 00:51:51 +0300
commit	328eb762a9eb82ae59d8e63657af21256e126419 (patch)
tree	f2e5bc0a93d9f2cb4852dae6e2cc97e7993f6f9d /lib
parent	ef2698915bfac9048343bb78290269c70e7d84dd (diff)