kotovalexarian-likes-gitlab/gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity

Fix the leak mentioned in 504a3b5 by another way

Browse source 
The previous fix introduced another leak; as it made
Banzai::Filter::SanitizationFiler#customized? always return false, so we
were always appending two elements to
HTML::Pipeline::SanitizationFilter::WHITELIST[:elements]. This growth in
the elements array would slow the sanitization process over time.
This commit is contained in:
Ahmad Sherif 2016-09-21 15:55:04 +02:00
parent 0fe33f925a
commit ca823abacd
2 changed files with 32 additions and 29 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
CHANGELOG
View file

@ -4,6 +4,7 @@ v 8.13.0 (unreleased)
- Speed-up group milestones show page - Speed-up group milestones show page
v 8.12.1 (unreleased) v 8.12.1 (unreleased)
- Fix a memory leak in HTML::Pipeline::SanitizationFilter::WHITELIST
v 8.12.0 v 8.12.0
- Update the rouge gem to 2.0.6, which adds highlighting support for JSX, Prometheus, and others. !6251 - Update the rouge gem to 2.0.6, which adds highlighting support for JSX, Prometheus, and others. !6251

60
lib/banzai/filter/sanitization_filter.rb
View file

@ -43,55 +43,57 @@ module Banzai
whitelist[:protocols].delete('a') whitelist[:protocols].delete('a')
# ...but then remove links with unsafe protocols # ...but then remove links with unsafe protocols
whitelist[:transformers].push(remove_unsafe_links) whitelist[:transformers].push(self.class.remove_unsafe_links)
# Remove `rel` attribute from `a` elements # Remove `rel` attribute from `a` elements
whitelist[:transformers].push(remove_rel) whitelist[:transformers].push(self.class.remove_rel)
# Remove `class` attribute from non-highlight spans # Remove `class` attribute from non-highlight spans
whitelist[:transformers].push(clean_spans) whitelist[:transformers].push(self.class.clean_spans)
whitelist whitelist
end end
def remove_unsafe_links class << self
lambda do |env| def remove_unsafe_links
node = env[:node] lambda do |env|
node = env[:node]
return unless node.name == 'a' return unless node.name == 'a'
return unless node.has_attribute?('href') return unless node.has_attribute?('href')
begin begin
uri = Addressable::URI.parse(node['href']) uri = Addressable::URI.parse(node['href'])
uri.scheme = uri.scheme.strip.downcase if uri.scheme uri.scheme = uri.scheme.strip.downcase if uri.scheme
node.remove_attribute('href') if UNSAFE_PROTOCOLS.include?(uri.scheme) node.remove_attribute('href') if UNSAFE_PROTOCOLS.include?(uri.scheme)
rescue Addressable::URI::InvalidURIError rescue Addressable::URI::InvalidURIError
node.remove_attribute('href') node.remove_attribute('href')
end
end end
end end
end
def remove_rel def remove_rel
lambda do |env| lambda do |env|
if env[:node_name] == 'a' if env[:node_name] == 'a'
env[:node].remove_attribute('rel') env[:node].remove_attribute('rel')
end
end end
end end
end
def clean_spans def clean_spans
lambda do |env| lambda do |env|
node = env[:node] node = env[:node]
return unless node.name == 'span' return unless node.name == 'span'
return unless node.has_attribute?('class') return unless node.has_attribute?('class')
unless has_ancestor?(node, 'pre') unless node.ancestors.any? { |n| n.name.casecmp('pre').zero? }
node.remove_attribute('class') node.remove_attribute('class')
end
{ node_whitelist: [node] }
end end
{ node_whitelist: [node] }
end end
end end
end end