diff options
author | Robert Speicher <robert@gitlab.com> | 2017-02-13 22:42:46 +0000 |
---|---|---|
committer | Ruben Davila <rdavila84@gmail.com> | 2017-02-13 18:11:52 -0500 |
commit | dd9ca1f2de84363a9c797a6b0cdab499c8d04912 (patch) | |
tree | 6778e20c7bf4fc1212368cf7d0e4423b00278799 | |
parent | a89ed2c095b93fa3ad9486d00d2e612ee3147422 (diff) | |
download | gitlab-ce-dd9ca1f2de84363a9c797a6b0cdab499c8d04912.tar.gz |
Merge branch 'svg-xss-fix' into 'security'
Fix for XSS vulnerability in SVG attachments
See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2059
-rw-r--r-- | app/uploaders/file_uploader.rb | 2 | ||||
-rw-r--r-- | app/uploaders/uploader_helper.rb | 7 | ||||
-rw-r--r-- | changelogs/unreleased/fix-xss-svg.yml | 4 | ||||
-rw-r--r-- | spec/controllers/uploads_controller_spec.rb | 22 | ||||
-rw-r--r-- | spec/factories/notes.rb | 6 |
5 files changed, 39 insertions, 2 deletions
diff --git a/app/uploaders/file_uploader.rb b/app/uploaders/file_uploader.rb index 3ac6030c21c..407606ae408 100644 --- a/app/uploaders/file_uploader.rb +++ b/app/uploaders/file_uploader.rb @@ -36,7 +36,7 @@ class FileUploader < CarrierWave::Uploader::Base escaped_filename = filename.gsub("]", "\\]") markdown = "[#{escaped_filename}](#{self.secure_url})" - markdown.prepend("!") if image_or_video? + markdown.prepend("!") if image_or_video? || dangerous? { alt: filename, diff --git a/app/uploaders/uploader_helper.rb b/app/uploaders/uploader_helper.rb index b10ad71d052..35fd1ed23f8 100644 --- a/app/uploaders/uploader_helper.rb +++ b/app/uploaders/uploader_helper.rb @@ -7,6 +7,9 @@ module UploaderHelper # on IE >= 9. # http://archive.sublimevideo.info/20150912/docs.sublimevideo.net/troubleshooting.html VIDEO_EXT = %w[mp4 m4v mov webm ogv] + # These extension types can contain dangerous code and should only be embedded inline with + # proper filtering. They should always be tagged as "Content-Disposition: attachment", not "inline". + DANGEROUS_EXT = %w[svg] def image? extension_match?(IMAGE_EXT) @@ -20,6 +23,10 @@ module UploaderHelper image? || video? end + def dangerous? + extension_match?(DANGEROUS_EXT) + end + def extension_match?(extensions) return false unless file diff --git a/changelogs/unreleased/fix-xss-svg.yml b/changelogs/unreleased/fix-xss-svg.yml new file mode 100644 index 00000000000..dbb956c3910 --- /dev/null +++ b/changelogs/unreleased/fix-xss-svg.yml @@ -0,0 +1,4 @@ +--- +title: Fix XSS vulnerability in SVG attachments +merge_request: +author: diff --git a/spec/controllers/uploads_controller_spec.rb b/spec/controllers/uploads_controller_spec.rb index 69124ab06bf..8ea9c71e4af 100644 --- a/spec/controllers/uploads_controller_spec.rb +++ b/spec/controllers/uploads_controller_spec.rb @@ -4,6 +4,28 @@ describe UploadsController do let!(:user) { create(:user, avatar: fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "image/png")) } describe "GET show" do + context 'Content-Disposition security measures' do + let(:project) { create(:empty_project, :public) } + + context 'for PNG files' do + it 'returns Content-Disposition: inline' do + note = create(:note, :with_attachment, project: project) + get :show, model: 'note', mounted_as: 'attachment', id: note.id, filename: 'image.png' + + expect(response['Content-Disposition']).to start_with('inline;') + end + end + + context 'for SVG files' do + it 'returns Content-Disposition: attachment' do + note = create(:note, :with_svg_attachment, project: project) + get :show, model: 'note', mounted_as: 'attachment', id: note.id, filename: 'image.svg' + + expect(response['Content-Disposition']).to start_with('attachment;') + end + end + end + context "when viewing a user avatar" do context "when signed in" do before do diff --git a/spec/factories/notes.rb b/spec/factories/notes.rb index a10ba629760..b60b9f605c2 100644 --- a/spec/factories/notes.rb +++ b/spec/factories/notes.rb @@ -83,7 +83,11 @@ FactoryGirl.define do end trait :with_attachment do - attachment { fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "`/png") } + attachment { fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "image/png") } + end + + trait :with_svg_attachment do + attachment { fixture_file_upload(Rails.root + "spec/fixtures/unsanitized.svg", "image/svg+xml") } end end end |