Fix DOS when rendering issue/MR comments

2019-06-11 22:14:40 -06:00 · 2019-06-11 22:14:40 -06:00 · ef5fdd3f3c
parent 20bdbc3d0c
commit ef5fdd3f3c
3 changed files with 11 additions and 1 deletions
--- a/changelogs/unreleased/security-DOS_issue_comments_banzai.yml
+++ b/changelogs/unreleased/security-DOS_issue_comments_banzai.yml
@ -0,0 +1,5 @@
+---
+title: Fix Denial of Service for comments when rendering issues/MR comments
+merge_request:
+author:
+type: security
--- a/lib/banzai/filter/relative_link_filter.rb
+++ b/lib/banzai/filter/relative_link_filter.rb
@ -100,7 +100,7 @@ module Banzai
      end

      def relative_file_path(uri)
-        path = Addressable::URI.unescape(uri.path)
+        path = Addressable::URI.unescape(uri.path).delete("\0")
        request_path = Addressable::URI.unescape(context[:requested_path])
        nested_path = build_relative_path(path, request_path)
        file_exists?(nested_path) ? nested_path : path
--- a/spec/lib/banzai/filter/relative_link_filter_spec.rb
+++ b/spec/lib/banzai/filter/relative_link_filter_spec.rb
@ -83,6 +83,11 @@ describe Banzai::Filter::RelativeLinkFilter do
    expect { filter(act) }.not_to raise_error
  end

+  it 'does not explode with an escaped null byte' do
+    act = link("/%00")
+    expect { filter(act) }.not_to raise_error
+  end
+
  it 'does not raise an exception with a space in the path' do
    act = link("/uploads/d18213acd3732630991986120e167e3d/Landscape_8.jpg  \nBut here's some more unexpected text :smile:)")
    expect { filter(act) }.not_to raise_error