From eb54c711a0c43f768cd46aa2cc1b00f9a9c9a078 Mon Sep 17 00:00:00 2001 From: Alejandro Rodriguez Date: Fri, 21 Oct 2016 22:35:49 +0000 Subject: Merge branch 'markdown-xss-fix-option-2' into 'security' Don't autolink unsafe protocols Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/23153 See merge request !2013 --- lib/banzai/filter/autolink_filter.rb | 13 +++++++++++++ spec/lib/banzai/filter/autolink_filter_spec.rb | 22 ++++++++++++++++++++++ 2 files changed, 35 insertions(+) diff --git a/lib/banzai/filter/autolink_filter.rb b/lib/banzai/filter/autolink_filter.rb index 799b83b1069..f076d59d259 100644 --- a/lib/banzai/filter/autolink_filter.rb +++ b/lib/banzai/filter/autolink_filter.rb @@ -71,6 +71,11 @@ module Banzai @doc = parse_html(rinku) end + # Return true if any of the UNSAFE_PROTOCOLS strings are included in the URI scheme + def contains_unsafe?(scheme) + Banzai::Filter::SanitizationFilter::UNSAFE_PROTOCOLS.any? { |protocol| scheme.include?(protocol) } + end + # Autolinks any text matching LINK_PATTERN that Rinku didn't already # replace def text_parse @@ -79,6 +84,14 @@ module Banzai next unless content.match(LINK_PATTERN) + begin + uri = Addressable::URI.parse(content) + uri.scheme = uri.scheme.strip.downcase if uri.scheme + next if contains_unsafe?(uri.scheme) + rescue Addressable::URI::InvalidURIError + next + end + html = autolink_filter(content) next if html == content diff --git a/spec/lib/banzai/filter/autolink_filter_spec.rb b/spec/lib/banzai/filter/autolink_filter_spec.rb index dca7f997570..6d3dd49e780 100644 --- a/spec/lib/banzai/filter/autolink_filter_spec.rb +++ b/spec/lib/banzai/filter/autolink_filter_spec.rb 
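Review bot: `contains_unsafe?` raises NoMethodError when `scheme` is nil, since `nil` has no `include?`, and its only caller in this commit guards the value with `if uri.scheme` on one line and then passes it through unguarded on the next. I'd normalise inside the predicate and fail closed: `scheme = scheme.to_s.strip.downcase` as the first line, then `return true if scheme.empty?` before the `any?`. The substring match also rejects any legitimate scheme that merely contains one of the unsafe names (a `mydata` scheme, assuming `data` is in UNSAFE_PROTOCOLS), so an exact `UNSAFE_PROTOCOLS.include?(scheme)` would be more precise once the caller parses a single link rather than a whole text node. The comment above the method could state the contract: `# True if scheme contains (as a substring) one of SanitizationFilter's UNSAFE_PROTOCOLS; nil or blank schemes are treated as unsafe`. The enclosing class starts and ends outside the hunk.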
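Review bot: The scheme check in this hunk parses `content`, the whole text node, rather than the link about to be created, so Addressable reports whatever precedes the node's first `:` as the scheme; a node such as `Note: javascript://alert(1)` yields scheme `Note`, passes `contains_unsafe?`, and `autolink_filter` (its body is outside the hunk) presumably still emits the href. The new spec input `See javascript://…` only passes because `contains_unsafe?` does a substring match on the parsed scheme `See javascript`. A second gap on the same lines: `uri.scheme` is guarded with `if uri.scheme` and then passed unguarded into `contains_unsafe?`, so a node where a `/`, `?` or `#` precedes the link (e.g. `see /docs or http://example.com`) would likely raise NoMethodError on nil instead of being skipped, and that error is not covered by the `rescue`. I'd vet each LINK_PATTERN match on its own and treat unparseable or scheme-less matches as unsafe, replacing the `begin`/`rescue` block as below; `text_parse` starts before this hunk and continues after it.
```ruby
          next unless content.match(LINK_PATTERN)

          # Vet each candidate link on its own. Parsing the whole text node would make
          # Addressable report whatever precedes the node's first ':' as the scheme.
          next if content.scan(LINK_PATTERN).flatten.compact.any? { |link| unsafe_link?(link) }

          html = autolink_filter(content)
          # … unchanged: next if html == content …

      # True when +link+ has no parseable scheme, cannot be parsed at all, or has a
      # scheme that SanitizationFilter treats as unsafe.
      def unsafe_link?(link)
        scheme = Addressable::URI.parse(link).scheme.to_s.strip.downcase
        scheme.empty? || contains_unsafe?(scheme)
      rescue Addressable::URI::InvalidURIError
        true
      end
```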
@@ -99,6 +99,28 @@ describe Banzai::Filter::AutolinkFilter, lib: true do expect(doc.at_css('a')['href']).to eq link end + it 'autolinks rdar' do + link = 'rdar://localhost.com/blah' + doc = filter("See #{link}") + + expect(doc.at_css('a').text).to eq link + expect(doc.at_css('a')['href']).to eq link + end + + it 'does not autolink javascript' do + link = 'javascript://alert(document.cookie);' + doc = filter("See #{link}") + + expect(doc.to_s).not_to include('href="javascript://') + end + + it 'does not autolink bad URLs' do + link = 'foo://23423:::asdf' + doc = filter("See #{link}") + + expect(doc.to_s).to eq("See #{link}") + end + it 'does not include trailing punctuation' do doc = filter("See #{link}.") expect(doc.at_css('a').text).to eq link -- cgit v1.2.3
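Review bot: The `does not autolink javascript` example asserts only `not_to include('href="javascript://')`, so a link emitted with a differently cased or padded scheme (`href="JavaScript://`) would still pass; since the filter is expected to leave the node untouched, assert the whole output the way the `bad URLs` example does: `expect(doc.to_s).to eq("See #{link}")`. The example also only covers a link that directly follows `See `, which the filter's substring check happens to catch because Addressable takes `See javascript` as the scheme; a node with a colon earlier in its text goes through a different path in the filter and deserves a regression example, as does a mixed-case scheme given the filter explicitly downcases. I'd add the two examples below after the existing one, and I would expect the first of them to fail against the filter as patched. The `describe` block starts before this hunk and continues after it.
```ruby
    it 'does not autolink javascript preceded by other text containing a colon' do
      link = 'javascript://alert(document.cookie);'
      doc = filter("Note: #{link}")

      expect(doc.to_s).to eq("Note: #{link}")
    end

    it 'does not autolink mixed-case unsafe schemes' do
      link = 'JaVaScRiPt://alert(document.cookie);'
      doc = filter("See #{link}")

      expect(doc.to_s).to eq("See #{link}")
    end
```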