authorGitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>2021-03-17 14:00:46 +0000
committerGitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>2021-03-17 14:00:46 +0000
commit3687d103906674ee28539ebf858adfd6e21e7f4c (patch)
treee3b5f7767066020ad43230d514a16b948b3de28e
parent1f91daf644a500dc47a8a103efe5c2e16617470d (diff)
parent4cc568a54bf02be71113624cd9003350f582d623 (diff)
downloadgitlab-ce-13-7-stable.tar.gz
Merge remote-tracking branch 'dev/13-7-stable' into 13-7-stable13-7-stable
-rw-r--r--CHANGELOG.md7
-rw-r--r--GITALY_SERVER_VERSION2
-rw-r--r--VERSION2
-rw-r--r--config/initializers/kramdown_patch.rb25
-rw-r--r--spec/initializers/kramdown_patch_spec.rb38
5 files changed, 72 insertions, 2 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5de844c88a6..29f238a162e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,13 @@
documentation](doc/development/changelog.md) for instructions on adding your own
entry.
+## 13.7.9 (2021-03-17)
+
+### Security (1 change)
+
+- Patch Kramdown syntax highlighter gem.
+
+
## 13.7.8 (2021-03-04)
### Security (5 changes)
diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION
index 9255caa9bd7..470e34e1d71 100644
--- a/GITALY_SERVER_VERSION
+++ b/GITALY_SERVER_VERSION
@@ -1 +1 @@
-13.7.8 \ No newline at end of file
+13.7.9 \ No newline at end of file
diff --git a/VERSION b/VERSION
index 9255caa9bd7..470e34e1d71 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-13.7.8 \ No newline at end of file
+13.7.9 \ No newline at end of file
diff --git a/config/initializers/kramdown_patch.rb b/config/initializers/kramdown_patch.rb
new file mode 100644
index 00000000000..5cb769cec24
--- /dev/null
+++ b/config/initializers/kramdown_patch.rb
@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+#
+# This pulls in https://github.com/gettalong/kramdown/pull/708 for kramdown v2.3.0.
+# Remove this file when that pull request is merged and released.
+require 'kramdown/converter'
+require 'kramdown/converter/syntax_highlighter/rouge'
+
+module Kramdown::Converter::SyntaxHighlighter
+ module Rouge
+ def self.formatter_class(opts = {})
+ case formatter = opts[:formatter]
+ when Class
+ formatter
+ when /\A[[:upper:]][[:alnum:]_]*\z/
+ ::Rouge::Formatters.const_get(formatter, false)
+ else
+ # Available in Rouge 2.0 or later
+ ::Rouge::Formatters::HTMLLegacy
+ end
+ rescue NameError
+ # Fallback to Rouge 1.x
+ ::Rouge::Formatters::HTML
+ end
+ end
+end
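Review bot: Nothing in this initializer ties the override to kramdown 2.3.0, so after a gem upgrade it would keep replacing `formatter_class` silently, including whatever upstream ships once the referenced pull request is released. The header comment only asks someone to remember to delete the file. A guard ahead of the `module` line, for example `raise 'kramdown_patch.rb: re-check this override' unless Kramdown::VERSION == '2.3.0'`, would make that upgrade fail loudly instead. Separately, the `const_get(formatter, false)` branch returns whatever constant of that name sits directly under `::Rouge::Formatters` without confirming it is a formatter. Assigning the result to `klass` and requiring `klass.is_a?(Class) && klass <= ::Rouge::Formatter` before returning it (assuming that is the base class the Rouge formatters share) would close that gap.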
diff --git a/spec/initializers/kramdown_patch_spec.rb b/spec/initializers/kramdown_patch_spec.rb
new file mode 100644
index 00000000000..49dda9252bb
--- /dev/null
+++ b/spec/initializers/kramdown_patch_spec.rb
@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'Kramdown patch for syntax highlighting formatters' do
+ subject { Kramdown::Document.new(options + "\n" + code).to_html }
+
+ let(:code) do
+ <<-RUBY
+~~~ ruby
+ def what?
+ 42
+ end
+~~~
+ RUBY
+ end
+
+ context 'with invalid formatter' do
+ let(:options) { %({::options auto_ids="false" footnote_nr="5" syntax_highlighter="rouge" syntax_highlighter_opts="{formatter: CSV, line_numbers: true\\}" /}) }
+
+ it 'falls back to standard HTML and disallows CSV' do
+ expect(CSV).not_to receive(:new)
+ expect(::Rouge::Formatters::HTML).to receive(:new).and_call_original
+
+ expect(subject).to be_present
+ end
+ end
+
+ context 'with valid formatter' do
+ let(:options) { %({::options auto_ids="false" footnote_nr="5" syntax_highlighter="rouge" syntax_highlighter_opts="{formatter: HTMLLegacy\\}" /}) }
+
+ it 'allows formatter' do
+ expect(::Rouge::Formatters::HTMLLegacy).to receive(:new).and_call_original
+
+ expect(subject).to be_present
+ end
+ end
+end
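Review bot: The 'with invalid formatter' context covers only one of the two rejection paths in the patched `formatter_class`. `CSV` matches the name pattern and is turned away by the namespace-restricted lookup, which lands in the `rescue NameError` branch and yields `::Rouge::Formatters::HTML`. A value that fails the pattern (lowercase, or containing `::`) takes the `else` branch and should yield `::Rouge::Formatters::HTMLLegacy`, and no example pins that. A third context with such a value and `expect(::Rouge::Formatters::HTMLLegacy).to receive(:new).and_call_original` would cover the pattern itself. In both existing examples `expect(subject).to be_present` only shows that some HTML came back, so asserting on the rendered code block would make them more meaningful.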