Merge branch 'asciidoctor-xss-patch' into 'security'
Add sanitization filter to AsciiDoc output to prevent XSS. See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2057
This commit is contained in:
parent
4ca6a719a9
commit
33c8d413d2
@ -0,0 +1,4 @@
---
title: Patch Asciidocs rendering to block XSS
merge_request:
author:
@ -36,6 +36,9 @@ module Gitlab
html = Banzai.post_process(html, context)
html = Banzai.post_process(html, context)
filter = Banzai::Filter::SanitizationFilter.new(html)
html = filter.call.to_s
html.html_safe
html.html_safe
end
end
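Review bot: The new sanitization pass on the `filter = Banzai::Filter::SanitizationFilter.new(html)` line carries no comment saying why Asciidoctor output needs it after `Banzai.post_process`, and the filter is built without a context, so it applies the filter's default whitelist. A why-comment above that line would help the next maintainer, for example `# Asciidoctor does not escape attribute values (see the link/image cases in the spec), so strip everything outside the Banzai whitelist before marking the string html_safe.` Because the filter runs on the post-processed HTML, whatever the post-processing filters emit is also subject to that whitelist; whether sanitizing the raw Asciidoctor output before `Banzai.post_process` would be the safer order is worth confirming against what post_process actually produces. The enclosing method begins outside the hunk.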
@ -41,6 +41,29 @@ module Gitlab
render(input, context, asciidoc_opts)
render(input, context, asciidoc_opts)
end
end
end
end
context "XSS" do
links = {
'links' => {
input: 'link:mylink"onmouseover="alert(1)[Click Here]',
output: "<div>\n<p><a href=\"mylink\">Click Here</a></p>\n</div>"
},
'images' => {
input: 'image:https://localhost.com/image.png[Alt text" onerror="alert(7)]',
output: "<div>\n<p><span><img src=\"https://localhost.com/image.png\" alt=\"Alt text\"></span></p>\n</div>"
},
'pre' => {
input: '```mypre"><script>alert(3)</script>',
output: "<div>\n<div>\n<pre lang=\"mypre\">\"><code></code></pre>\n</div>\n</div>"
}
}
links.each do |name, data|
it "does not convert dangerous #{name} into HTML" do
expect(render(data[:input], context)).to eql data[:output]
end
end
end
end
end
def render(*args)
def render(*args)
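Review bot: The hash on the `links = {` line holds link, image and pre payloads, so the name under-describes it and reads oddly at `links.each do |name, data|`; rename to `payloads = {` and `payloads.each do |name, data|`. The 'pre' expectation also pins the exact post-sanitization markup, including the preserved `lang` attribute value, so it will need updating whenever the whitelist or Asciidoctor's block rendering changes; an additional assertion such as `expect(render(data[:input], context)).not_to include('alert(')` would state the security property independently of the exact markup. The enclosing describe block begins outside the hunk.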