Merge branch 'asciidoctor-xss-patch' into 'security'

Add sanitization filter to asciidocs output to prevent XSS See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2057
2017-02-08 20:33:29 +00:00 · 2017-02-08 20:33:29 +00:00 · 33c8d413d2
parent 4ca6a719a9
commit 33c8d413d2
3 changed files with 30 additions and 0 deletions
--- a/changelogs/unreleased/asciidocs-xss-patch.yml
+++ b/changelogs/unreleased/asciidocs-xss-patch.yml
@ -0,0 +1,4 @@
+---
+title: Patch Asciidocs rendering to block XSS
+merge_request:
+author:
--- a/lib/gitlab/asciidoc.rb
+++ b/lib/gitlab/asciidoc.rb
@ -36,6 +36,9 @@ module Gitlab

      html = Banzai.post_process(html, context)

+      filter = Banzai::Filter::SanitizationFilter.new(html)
+      html = filter.call.to_s
+
      html.html_safe
    end

--- a/spec/lib/gitlab/asciidoc_spec.rb
+++ b/spec/lib/gitlab/asciidoc_spec.rb
@ -41,6 +41,29 @@ module Gitlab
          render(input, context, asciidoc_opts)
        end
      end
+      
+      context "XSS" do
+        links = {
+          'links' => {
+            input: 'link:mylink"onmouseover="alert(1)[Click Here]',
+            output: "<div>\n<p><a href=\"mylink\">Click Here</a></p>\n</div>"
+          },
+          'images' => {
+            input: 'image:https://localhost.com/image.png[Alt text" onerror="alert(7)]',
+            output: "<div>\n<p><span><img src=\"https://localhost.com/image.png\" alt=\"Alt text\"></span></p>\n</div>"
+          },
+          'pre' => {
+            input: '```mypre"><script>alert(3)</script>',
+            output: "<div>\n<div>\n<pre lang=\"mypre\">\"&gt;<code></code></pre>\n</div>\n</div>"
+          }
+        }
+
+        links.each do |name, data|
+          it "does not convert dangerous #{name} into HTML" do
+            expect(render(data[:input], context)).to eql data[:output]
+          end
+        end
+      end
    end

    def render(*args)