authorRobert Speicher <robert@gitlab.com>2017-02-08 20:33:29 +0000
committerRuben Davila <rdavila84@gmail.com>2017-02-13 18:11:36 -0500
commit134d66c968e8d935ad6028dd76f4bf2956c92773 (patch)
tree50037b345a0b06ed0958f2e43fa1ef02537174f4
parentebc2e5f3cc40395d234a1b76eb587e6ff86fbdf4 (diff)
Merge branch 'asciidoctor-xss-patch' into 'security'
Add sanitization filter to AsciiDoc output to prevent XSS. See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2057
-rw-r--r--changelogs/unreleased/asciidocs-xss-patch.yml4
-rw-r--r--lib/gitlab/asciidoc.rb3
-rw-r--r--spec/lib/gitlab/asciidoc_spec.rb23
3 files changed, 30 insertions, 0 deletions
diff --git a/changelogs/unreleased/asciidocs-xss-patch.yml b/changelogs/unreleased/asciidocs-xss-patch.yml
new file mode 100644
index 00000000000..f70a4b81b82
--- /dev/null
+++ b/changelogs/unreleased/asciidocs-xss-patch.yml
@@ -0,0 +1,4 @@
+---
+title: Patch Asciidocs rendering to block XSS
+merge_request:
+author:
diff --git a/lib/gitlab/asciidoc.rb b/lib/gitlab/asciidoc.rb
index 1a22ad9acf5..bac02b96697 100644
--- a/lib/gitlab/asciidoc.rb
+++ b/lib/gitlab/asciidoc.rb
@@ -32,6 +32,9 @@ module Gitlab
html = Banzai.post_process(html, context)
+ filter = Banzai::Filter::SanitizationFilter.new(html)
+ html = filter.call.to_s
+
html.html_safe
end
end
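Review bot: The new SanitizationFilter runs after `Banzai.post_process`, so whatever markup post-processing emits is passed through the same whitelist as user-controlled Asciidoctor output, and the filter is built with no context at all (`SanitizationFilter.new(html)`), so nothing distinguishes the two. If post-processing adds attributes or elements outside the default whitelist, this ordering silently strips them; if it does not, sanitizing first is still the conventional shape, since the untrusted input is cleaned before any further transformation. Consider `html = Banzai::Filter::SanitizationFilter.new(html, context).call.to_s` placed before the `post_process` call, and a one-line comment such as `# Asciidoctor output is untrusted: strip event handlers, scripts and unsafe URLs before post-processing`. Note that `filter.call` returns a Nokogiri document, so the `.to_s` re-serialization is what the later `html_safe` relies on; that is worth stating in the comment too. The enclosing method starts outside this hunk.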
diff --git a/spec/lib/gitlab/asciidoc_spec.rb b/spec/lib/gitlab/asciidoc_spec.rb
index 4aba783dc33..8f7338c3b81 100644
--- a/spec/lib/gitlab/asciidoc_spec.rb
+++ b/spec/lib/gitlab/asciidoc_spec.rb
@@ -37,6 +37,29 @@ module Gitlab
render(input, context, asciidoc_opts)
end
end
+
+ context "XSS" do
+ links = {
+ 'links' => {
+ input: 'link:mylink"onmouseover="alert(1)[Click Here]',
+ output: "<div>\n<p><a href=\"mylink\">Click Here</a></p>\n</div>"
+ },
+ 'images' => {
+ input: 'image:https://localhost.com/image.png[Alt text" onerror="alert(7)]',
+ output: "<div>\n<p><span><img src=\"https://localhost.com/image.png\" alt=\"Alt text\"></span></p>\n</div>"
+ },
+ 'pre' => {
+ input: '```mypre"><script>alert(3)</script>',
+ output: "<div>\n<div>\n<pre lang=\"mypre\">\"&gt;<code></code></pre>\n</div>\n</div>"
+ }
+ }
+
+ links.each do |name, data|
+ it "does not convert dangerous #{name} into HTML" do
+ expect(render(data[:input], context)).to eql data[:output]
+ end
+ end
+ end
end
def render(*args)
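Review bot: The three cases cover attribute injection into `<a>`, `<img>` and `<pre>` but not an unsafe URL scheme, which the sanitizer handles on a separate path from attribute stripping; a case such as `'javascript' => { input: 'link:javascript:alert(1)[x]', output: "<div>\n<p><a>x</a></p>\n</div>" }` would pin that the `href` is dropped (the exact expected markup should be confirmed against the filter's output). The hash is named `links` although it holds images and a preformatted block as well, so `xss_examples` would read better in the `each` loop. The example description "does not convert dangerous #{name} into HTML" is also slightly misleading, since the input is converted to HTML and then sanitized; `"strips injected attributes from #{name}"` states what the assertion actually checks. The enclosing describe block starts before this hunk.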