From 7e1f7a02dbe3ebb6688005a4d966670bea12beb1 Mon Sep 17 00:00:00 2001
From: Robert Speicher
Date: Thu, 9 Feb 2017 17:30:06 +0000
Subject: [PATCH] Merge branch 'fix-rdoc-xss' into 'security'

Fix XSS in rdoc and other markups

See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2058
---
 changelogs/unreleased/patch-rdoc-xss.yml |  4 ++++
 lib/gitlab/other_markup.rb               |  3 +++
 spec/lib/gitlab/other_markup.rb          | 22 ++++++++++++++++++++++
 3 files changed, 29 insertions(+)
 create mode 100644 changelogs/unreleased/patch-rdoc-xss.yml
 create mode 100644 spec/lib/gitlab/other_markup.rb

diff --git a/changelogs/unreleased/patch-rdoc-xss.yml b/changelogs/unreleased/patch-rdoc-xss.yml
new file mode 100644
index 00000000000..b428f5435e3
--- /dev/null
+++ b/changelogs/unreleased/patch-rdoc-xss.yml
@@ -0,0 +1,4 @@
+---
+title: Patch XSS vulnerability in RDOC support
+merge_request:
+author:
diff --git a/lib/gitlab/other_markup.rb b/lib/gitlab/other_markup.rb
index 4e2f8ed5587..e67acf28c94 100644
--- a/lib/gitlab/other_markup.rb
+++ b/lib/gitlab/other_markup.rb
@@ -17,6 +17,9 @@ module Gitlab
 
       html = Banzai.post_process(html, context)
 
+      filter = Banzai::Filter::SanitizationFilter.new(html)
+      html = filter.call.to_s
+
       html.html_safe
     end
   end
diff --git a/spec/lib/gitlab/other_markup.rb b/spec/lib/gitlab/other_markup.rb
new file mode 100644
index 00000000000..8f5a353b381
--- /dev/null
+++ b/spec/lib/gitlab/other_markup.rb
@@ -0,0 +1,22 @@
+require 'spec_helper'
+
+describe Gitlab::OtherMarkup, lib: true do
+  context "XSS Checks" do
+    links = {
+      'links' => {
+        file: 'file.rdoc',
+        input: 'XSS[JaVaScriPt:alert(1)]',
+        output: '
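Review bot: The sanitizer is constructed with only the rendered string, while the `context` that `Banzai.post_process` receives two lines above is not passed along; if `SanitizationFilter` consults the render context for its whitelist, as the post-process call evidently does, `Banzai::Filter::SanitizationFilter.new(html, context)` keeps the two consistent. Running a sanitizer after post-processing and immediately before `html_safe` is unusual enough to deserve a why-comment, e.g. `# The markup libraries behind OtherMarkup (RDoc among them) don't restrict URL schemes, so sanitize their output before marking it html_safe.` The enclosing render method begins outside the hunk, so it cannot be seen here whether any earlier sanitization step is being duplicated or intentionally replaced.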

XSS

' + } + } + links.each do |name, data| + it "does not convert dangerous #{name} into HTML" do + expect(render(data[:file], data[:input], context)).to eql data[:output] + end + end + end + + def render(*args) + described_class.render(*args) + end +end