Merge branch 'security-xss-in-markdown-following-unrecognized-html-element' into 'master'

[master] XSS in markdown following unrecognized HTML element Closes #2732 See merge request gitlab/gitlabhq!2599
2018-11-28 19:02:01 +00:00 · 2018-11-28 19:02:01 +00:00 · b5b475c273
commit b5b475c273
parent c4bb0a116e
5 changed files with 25 additions and 2 deletions
--- a/app/models/concerns/cache_markdown_field.rb
+++ b/app/models/concerns/cache_markdown_field.rb
@ -15,7 +15,7 @@ module CacheMarkdownField
  # Increment this number every time the renderer changes its output
  CACHE_REDCARPET_VERSION         = 3
  CACHE_COMMONMARK_VERSION_START  = 10
-  CACHE_COMMONMARK_VERSION        = 11
+  CACHE_COMMONMARK_VERSION        = 12

  # changes to these attributes cause the cache to be invalidates
  INVALIDATED_BY = %w[author project].freeze
--- a/changelogs/unreleased/security-xss-in-markdown-following-unrecognized-html-element.yml
+++ b/changelogs/unreleased/security-xss-in-markdown-following-unrecognized-html-element.yml
@ -0,0 +1,5 @@
+---
+title: Fix possible XSS attack in Markdown urls with spaces
+merge_request: 2599
+author:
+type: security
--- a/lib/banzai/filter/spaced_link_filter.rb
+++ b/lib/banzai/filter/spaced_link_filter.rb
@ -17,6 +17,9 @@ module Banzai
    # This is a small extension to the CommonMark spec.  If they start allowing
    # spaces in urls, we could then remove this filter.
    #
+    # Note: Filter::SanitizationFilter should always be run sometime after this filter
+    # to prevent XSS attacks
+    #
    class SpacedLinkFilter < HTML::Pipeline::Filter
      include ActionView::Helpers::TagHelper

--- a/lib/banzai/pipeline/gfm_pipeline.rb
+++ b/lib/banzai/pipeline/gfm_pipeline.rb
@ -12,13 +12,16 @@ module Banzai
      def self.filters
        @filters ||= FilterArray[
          Filter::PlantumlFilter,
+
+          # Must always be before the SanitizationFilter to prevent XSS attacks
+          Filter::SpacedLinkFilter,
+
          Filter::SanitizationFilter,
          Filter::SyntaxHighlightFilter,

          Filter::MathFilter,
          Filter::ColorFilter,
          Filter::MermaidFilter,
-          Filter::SpacedLinkFilter,
          Filter::VideoLinkFilter,
          Filter::ImageLazyLoadFilter,
          Filter::ImageLinkFilter,
--- a/spec/lib/banzai/pipeline/gfm_pipeline_spec.rb
+++ b/spec/lib/banzai/pipeline/gfm_pipeline_spec.rb
@ -104,5 +104,17 @@ describe Banzai::Pipeline::GfmPipeline do

      expect(output).to include("src=\"test%20image.png\"")
    end
+
+    it 'sanitizes the fixed link' do
+      markdown_xss = "[xss](javascript: alert%28document.domain%29)"
+      output = described_class.to_html(markdown_xss, project: project)
+
+      expect(output).not_to include("javascript")
+
+      markdown_xss = "<invalidtag>\n[xss](javascript:alert%28document.domain%29)"
+      output = described_class.to_html(markdown_xss, project: project)
+
+      expect(output).not_to include("javascript")
+    end
  end
 end