diff options
author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-24 14:41:42 +0000 |
---|---|---|
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-24 14:41:42 +0000 |
commit | 6a5ff493faf5070153625c4b18c423cbe5b390e4 (patch) | |
tree | e6fef0b77227b845ee31aab2dff4b747862aa9f0 | |
parent | cb3e3835e12e4f4432b87f329d91e4eb04313545 (diff) | |
parent | 2dfa614c83ce1a4bfb818d1f040924b4d6e7e0c6 (diff) | |
download | gitlab-ce-6a5ff493faf5070153625c4b18c423cbe5b390e4.tar.gz |
Merge branch 'security-stored-xss-via-katex' into 'master'
[master] Resolve "[Security] Stored XSS via KaTeX"
Closes #2760
See merge request gitlab/gitlabhq!2718
-rw-r--r-- | changelogs/unreleased/security-stored-xss-via-katex.yml | 5 | ||||
-rw-r--r-- | spec/features/markdown/math_spec.rb | 18 |
2 files changed, 22 insertions, 1 deletions
diff --git a/changelogs/unreleased/security-stored-xss-via-katex.yml b/changelogs/unreleased/security-stored-xss-via-katex.yml new file mode 100644 index 00000000000..a71ae1123f2 --- /dev/null +++ b/changelogs/unreleased/security-stored-xss-via-katex.yml @@ -0,0 +1,5 @@ +--- +title: Fixed XSS content in KaTex links +merge_request: +author: +type: security diff --git a/spec/features/markdown/math_spec.rb b/spec/features/markdown/math_spec.rb index 678ce80b382..53abb5e3722 100644 --- a/spec/features/markdown/math_spec.rb +++ b/spec/features/markdown/math_spec.rb @@ -1,6 +1,8 @@ require 'spec_helper' describe 'Math rendering', :js do + let!(:project) { create(:project, :public) } + it 'renders inline and display math correctly' do description = <<~MATH This math is inline $`a^2+b^2=c^2`$. @@ -11,7 +13,6 @@ describe 'Math rendering', :js do ``` MATH - project = create(:project, :public) issue = create(:issue, project: project, description: description) visit project_issue_path(project, issue) @@ -19,4 +20,19 @@ describe 'Math rendering', :js do expect(page).to have_selector('.katex .mord.mathdefault', text: 'b') expect(page).to have_selector('.katex-display .mord.mathdefault', text: 'b') end + + it 'only renders non XSS links' do + description = <<~MATH + This link is valid $`\\href{javascript:alert('xss');}{xss}`$. + + This link is valid $`\\href{https://gitlab.com}{Gitlab}`$. + MATH + + issue = create(:issue, project: project, description: description) + + visit project_issue_path(project, issue) + + expect(page).to have_selector('.katex-error', text: "\href{javascript:alert('xss');}{xss}") + expect(page).to have_selector('.katex-html a', text: 'Gitlab') + end end |