authorGitLab Bot <gitlab-bot@gitlab.com>2022-03-31 03:00:32 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2022-03-31 03:00:32 +0300
commit1153e17b2d34c50834251038269ac11f18219bdf (patch)
tree20b80086422da0d03cb3a1af0300858570c35e7e /lib
parentd111c2d301f43d0b6de98f47da39d2b107ce17a1 (diff)
Add latest changes from gitlab-org/security/gitlab@14-9-stable-ee
Diffstat (limited to 'lib')
-rw-r--r--lib/banzai/filter/kroki_filter.rb11
-rw-r--r--lib/banzai/reference_redactor.rb7
-rw-r--r--lib/gitlab/error_tracking.rb3
-rw-r--r--lib/gitlab/error_tracking/processor/concerns/processes_exceptions.rb40
-rw-r--r--lib/gitlab/error_tracking/processor/grpc_error_processor.rb30
-rw-r--r--lib/gitlab/error_tracking/processor/sanitize_error_message_processor.rb27
-rw-r--r--lib/gitlab/exception_log_formatter.rb6
-rw-r--r--lib/gitlab/sanitizers/exception_message.rb19
8 files changed, 108 insertions, 35 deletions
diff --git a/lib/banzai/filter/kroki_filter.rb b/lib/banzai/filter/kroki_filter.rb
index 3803302c324..9aa2afce5a8 100644
--- a/lib/banzai/filter/kroki_filter.rb
+++ b/lib/banzai/filter/kroki_filter.rb
@@ -6,8 +6,10 @@ require "asciidoctor/extensions/asciidoctor_kroki/extension"
module Banzai
module Filter
# HTML that replaces all diagrams supported by Kroki with the corresponding img tags.
- #
+ # If the source content is large then the hidden attribute is added to the img tag.
class KrokiFilter < HTML::Pipeline::Filter
+ MAX_CHARACTER_LIMIT = 2000
+
def call
return doc unless settings.kroki_enabled
@@ -21,7 +23,12 @@ module Banzai
diagram_format = "svg"
doc.xpath(xpath).each do |node|
diagram_type = node.parent['lang']
- img_tag = Nokogiri::HTML::DocumentFragment.parse(%(<img src="#{create_image_src(diagram_type, diagram_format, node.content)}"/>))
+ diagram_src = node.content
+ image_src = create_image_src(diagram_type, diagram_format, diagram_src)
+ lazy_load = diagram_src.length > MAX_CHARACTER_LIMIT
+ other_attrs = lazy_load ? "hidden" : ""
+
+ img_tag = Nokogiri::HTML::DocumentFragment.parse(%(<img class="js-render-kroki" src="#{image_src}" #{other_attrs} />))
node.parent.replace(img_tag)
end
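Review bot: `MAX_CHARACTER_LIMIT = 2000` is introduced without a comment, and nothing in the hunk says why a source longer than that is emitted with the `hidden` attribute or who is expected to reveal it; the `js-render-kroki` class suggests a frontend hook, but that is an inference. A one-line comment above the constant would make the intent durable: `# Diagram sources longer than this are emitted hidden so the (presumably large) image is not rendered eagerly; the js-render-kroki hook is expected to reveal it.` The class-level comment could name the constant explicitly as well. `call` continues outside the hunk.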
diff --git a/lib/banzai/reference_redactor.rb b/lib/banzai/reference_redactor.rb
index 81e4fd45966..c19f992078a 100644
--- a/lib/banzai/reference_redactor.rb
+++ b/lib/banzai/reference_redactor.rb
@@ -65,16 +65,15 @@ module Banzai
#
def redacted_node_content(node)
original_content = node.attr('data-original')
- link_reference = node.attr('data-link-reference')
+ original_content = CGI.escape_html(original_content) if original_content
# Build the raw <a> tag just with a link as href and content if
# it's originally a link pattern. We shouldn't return a plain text href.
original_link =
- if link_reference == 'true'
+ if node.attr('data-link-reference') == 'true'
href = node.attr('href')
- content = original_content
- %(<a href="#{href}">#{content}</a>)
+ %(<a href="#{href}">#{original_content}</a>)
end
# The reference should be replaced by the original link's content,
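Review bot: The new `CGI.escape_html` call covers `original_content`, but `href = node.attr('href')` is still interpolated raw into the attribute value on the next lines, and `Nokogiri` returns attribute values already decoded, so a `"` or `&` in it would be re-serialised unescaped. For consistency with the fix, escape it the same way: `%(<a href="#{CGI.escape_html(href)}">#{original_content}</a>)`. Whether an untrusted value can reach `href` here depends on the upstream filters, which are not visible in this hunk; `redacted_node_content` continues outside it.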
diff --git a/lib/gitlab/error_tracking.rb b/lib/gitlab/error_tracking.rb
index 259b430a73c..d71f9b5e7cf 100644
--- a/lib/gitlab/error_tracking.rb
+++ b/lib/gitlab/error_tracking.rb
@@ -19,7 +19,8 @@ module Gitlab
PROCESSORS = [
::Gitlab::ErrorTracking::Processor::SidekiqProcessor,
::Gitlab::ErrorTracking::Processor::GrpcErrorProcessor,
- ::Gitlab::ErrorTracking::Processor::ContextPayloadProcessor
+ ::Gitlab::ErrorTracking::Processor::ContextPayloadProcessor,
+ ::Gitlab::ErrorTracking::Processor::SanitizeErrorMessageProcessor
].freeze
class << self
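Review bot: `SanitizeErrorMessageProcessor` is appended last in `PROCESSORS`, so every earlier processor sees the unsanitised message; in particular `GrpcErrorProcessor` (see the grpc_error_processor.rb hunks in this diff) copies `message` into the event fingerprint before the sanitiser runs. If the masking is meant to cover everything the event carries, the new processor probably belongs ahead of the others, or a comment on the list should record why last is intended, e.g. `# SanitizeErrorMessageProcessor must run after processors that rewrite exception values`.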
diff --git a/lib/gitlab/error_tracking/processor/concerns/processes_exceptions.rb b/lib/gitlab/error_tracking/processor/concerns/processes_exceptions.rb
new file mode 100644
index 00000000000..4b6c69a8b33
--- /dev/null
+++ b/lib/gitlab/error_tracking/processor/concerns/processes_exceptions.rb
@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module Gitlab
+ module ErrorTracking
+ module Processor
+ module Concerns
+ module ProcessesExceptions
+ private
+
+ def extract_exceptions_from(event)
+ exceptions = if event.is_a?(Raven::Event)
+ event.instance_variable_get(:@interfaces)[:exception]&.values
+ else
+ event&.exception&.instance_variable_get(:@values)
+ end
+
+ Array.wrap(exceptions)
+ end
+
+ def set_exception_message(exception, message)
+ if exception.respond_to?(:value=)
+ exception.value = message
+ else
+ exception.instance_variable_set(:@value, message)
+ end
+ end
+
+ def valid_exception?(exception)
+ case exception
+ when Raven::SingleExceptionInterface, Sentry::SingleExceptionInterface
+ exception&.value.present?
+ else
+ false
+ end
+ end
+ end
+ end
+ end
+ end
+end
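Review bot: The new `ProcessesExceptions` module has no header comment, and `extract_exceptions_from` reaches into Raven/Sentry internals with `instance_variable_get` without saying why; the "Better in new version" remark in the grpc processor hunk is the only hint. Suggested header: `# Helpers shared by error-tracking processors. Exception lists are read via instance_variable_get because the installed Raven/Sentry clients do not expose them; presumably replaceable by event.exception.values after a client upgrade.` Minor style point in `valid_exception?`: the `when` clause already excludes `nil`, so `exception&.value.present?` can be `exception.value.present?`.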
diff --git a/lib/gitlab/error_tracking/processor/grpc_error_processor.rb b/lib/gitlab/error_tracking/processor/grpc_error_processor.rb
index 045a18f4110..ab0df39e512 100644
--- a/lib/gitlab/error_tracking/processor/grpc_error_processor.rb
+++ b/lib/gitlab/error_tracking/processor/grpc_error_processor.rb
@@ -4,6 +4,8 @@ module Gitlab
module ErrorTracking
module Processor
module GrpcErrorProcessor
+ extend Gitlab::ErrorTracking::Processor::Concerns::ProcessesExceptions
+
DEBUG_ERROR_STRING_REGEX = RE2('(.*) debug_error_string:(.*)')
class << self
@@ -19,9 +21,6 @@ module Gitlab
def process_first_exception_value(event)
# Better in new version, will be event.exception.values
exceptions = extract_exceptions_from(event)
-
- return unless exceptions.is_a?(Array)
-
exception = exceptions.first
return unless valid_exception?(exception)
@@ -39,11 +38,7 @@ module Gitlab
exceptions.each do |exception|
next unless valid_exception?(exception)
- if exception.respond_to?(:value=)
- exception.value = message
- else
- exception.instance_variable_set(:@value, message)
- end
+ set_exception_message(exception, message)
end
end
@@ -59,16 +54,6 @@ module Gitlab
fingerprint[1] = message if message
end
- private
-
- def extract_exceptions_from(event)
- if event.is_a?(Raven::Event)
- event.instance_variable_get(:@interfaces)[:exception]&.values
- else
- event.exception&.instance_variable_get(:@values)
- end
- end
-
def custom_grpc_fingerprint?(fingerprint)
fingerprint.is_a?(Array) && fingerprint.length == 2 && fingerprint[0].start_with?('GRPC::')
end
@@ -82,15 +67,6 @@ module Gitlab
[match[1], match[2]]
end
-
- def valid_exception?(exception)
- case exception
- when Raven::SingleExceptionInterface, Sentry::SingleExceptionInterface
- exception&.value
- else
- false
- end
- end
end
end
end
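Review bot: Moving `valid_exception?` into the concern also changes its semantics: the removed version accepted any truthy `value`, while the shared one requires `value.present?`, so an interface whose value is an empty string is now skipped in both `process_first_exception_value` and the message-rewriting loop. That looks intentional but is not mentioned in the commit; a short comment at the `extend` line, e.g. `# valid_exception? now rejects blank values, not just nil`, would stop it being read as a pure refactor. `process_first_exception_value` and the loop's enclosing method both continue outside their hunks.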
diff --git a/lib/gitlab/error_tracking/processor/sanitize_error_message_processor.rb b/lib/gitlab/error_tracking/processor/sanitize_error_message_processor.rb
new file mode 100644
index 00000000000..1d6547256c7
--- /dev/null
+++ b/lib/gitlab/error_tracking/processor/sanitize_error_message_processor.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Gitlab
+ module ErrorTracking
+ module Processor
+ module SanitizeErrorMessageProcessor
+ extend Gitlab::ErrorTracking::Processor::Concerns::ProcessesExceptions
+
+ class << self
+ def call(event)
+ exceptions = extract_exceptions_from(event)
+
+ exceptions.each do |exception|
+ next unless valid_exception?(exception)
+
+ message = Gitlab::Sanitizers::ExceptionMessage.clean(exception.type, exception.value)
+
+ set_exception_message(exception, message)
+ end
+
+ event
+ end
+ end
+ end
+ end
+ end
+end
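Review bot: `SanitizeErrorMessageProcessor.call` mutates the exception interfaces in place and returns the event, but nothing documents that contract or which messages it masks; the reader has to follow `Gitlab::Sanitizers::ExceptionMessage`. Suggested comment above `call`: `# Masks the message of the exception classes listed in Gitlab::Sanitizers::ExceptionMessage::EXCEPTION_NAMES; mutates the event's exception interfaces in place and returns the event.` Note also that `exception.type` may be `nil` for an interface built without a type; `clean` tolerates that only because `nil.in?(...)` is false, which is worth stating in the comment.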
diff --git a/lib/gitlab/exception_log_formatter.rb b/lib/gitlab/exception_log_formatter.rb
index 315574fed31..ce802b562f0 100644
--- a/lib/gitlab/exception_log_formatter.rb
+++ b/lib/gitlab/exception_log_formatter.rb
@@ -10,7 +10,7 @@ module Gitlab
# Use periods to flatten the fields.
payload.merge!(
'exception.class' => exception.class.name,
- 'exception.message' => exception.message
+ 'exception.message' => sanitize_message(exception)
)
if exception.backtrace
@@ -38,6 +38,10 @@ module Gitlab
rescue PgQuery::ParseError
sql
end
+
+ def sanitize_message(exception)
+ Gitlab::Sanitizers::ExceptionMessage.clean(exception.class.name, exception.message)
+ end
end
end
end
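Review bot: The new `sanitize_message` helper carries no comment explaining which exceptions it affects, and whether it is placed under an existing `private` marker is not visible in the hunk. A one-liner above it would suffice: `# Masks the message of URI parse errors (see Gitlab::Sanitizers::ExceptionMessage), since they presumably echo the offending input.` If the method is meant to be private, confirm the `private` keyword precedes it in the part of the module outside this hunk.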
diff --git a/lib/gitlab/sanitizers/exception_message.rb b/lib/gitlab/sanitizers/exception_message.rb
new file mode 100644
index 00000000000..11c91093d88
--- /dev/null
+++ b/lib/gitlab/sanitizers/exception_message.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Gitlab
+ module Sanitizers
+ module ExceptionMessage
+ FILTERED_STRING = '[FILTERED]'
+ EXCEPTION_NAMES = %w(URI::InvalidURIError Addressable::URI::InvalidURIError).freeze
+ MESSAGE_REGEX = %r{(\A[^:]+:\s).*\Z}.freeze
+
+ class << self
+ def clean(exception_name, message)
+ return message unless exception_name.in?(EXCEPTION_NAMES)
+
+ message.sub(MESSAGE_REGEX, '\1' + FILTERED_STRING)
+ end
+ end
+ end
+ end
+end
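Review bot: `clean` silently returns the message unchanged when `MESSAGE_REGEX` does not match, and two common cases fail to match: a message containing a newline (`.` does not cross lines and `\Z` needs end of string) and a message with no `: ` prefix, so exactly the input the filter exists to hide would pass through unmasked. Failing closed is safer: `MESSAGE_REGEX = %r{(\A[^:\n]+:\s).*\z}m.freeze` and `MESSAGE_REGEX.match?(message) ? message.sub(MESSAGE_REGEX, '\1' + FILTERED_STRING) : FILTERED_STRING`. The constants also lack a comment stating that these exception classes echo the parsed input in their message, which is the reason they are listed.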