diff options
author | Douwe Maan <douwe@gitlab.com> | 2016-02-29 13:22:38 +0000 |
---|---|---|
committer | Douwe Maan <douwe@gitlab.com> | 2016-02-29 13:22:38 +0000 |
commit | cd391b66e9d480c3143b63d32f893c6a1015f04e (patch) | |
tree | 8916890c65f15a7899b0abae5f50923fc568e934 | |
parent | 2ea8f71bb42e63caf58ab285d0c4e483c2c4de19 (diff) | |
parent | 989946f33717685065812d72e9ed4490fe969104 (diff) | |
download | gitlab-ce-cd391b66e9d480c3143b63d32f893c6a1015f04e.tar.gz |
Merge branch 'rs-data-links' into 'master'
Sanitize `data` and `vbscript` links
Closes #13625
Closes https://dev.gitlab.org/gitlab/gitlabhq/issues/2660
See merge request !2905
-rw-r--r-- | lib/banzai/filter/sanitization_filter.rb | 10 | ||||
-rw-r--r-- | spec/lib/banzai/filter/sanitization_filter_spec.rb | 16 |
2 files changed, 21 insertions, 5 deletions
diff --git a/lib/banzai/filter/sanitization_filter.rb b/lib/banzai/filter/sanitization_filter.rb index 04ddfe53ed6..abd79b329ae 100644 --- a/lib/banzai/filter/sanitization_filter.rb +++ b/lib/banzai/filter/sanitization_filter.rb @@ -7,6 +7,8 @@ module Banzai # # Extends HTML::Pipeline::SanitizationFilter with a custom whitelist. class SanitizationFilter < HTML::Pipeline::SanitizationFilter + UNSAFE_PROTOCOLS = %w(javascript :javascript data vbscript).freeze + def whitelist whitelist = super @@ -43,8 +45,8 @@ module Banzai # Allow any protocol in `a` elements... whitelist[:protocols].delete('a') - # ...but then remove links with the `javascript` protocol - whitelist[:transformers].push(remove_javascript_links) + # ...but then remove links with unsafe protocols + whitelist[:transformers].push(remove_unsafe_links) # Remove `rel` attribute from `a` elements whitelist[:transformers].push(remove_rel) @@ -55,14 +57,14 @@ module Banzai whitelist end - def remove_javascript_links + def remove_unsafe_links lambda do |env| node = env[:node] return unless node.name == 'a' return unless node.has_attribute?('href') - if node['href'].start_with?('javascript', ':javascript') + if node['href'].start_with?(*UNSAFE_PROTOCOLS) node.remove_attribute('href') end end diff --git a/spec/lib/banzai/filter/sanitization_filter_spec.rb b/spec/lib/banzai/filter/sanitization_filter_spec.rb index e14a6dbf922..4a7b00c7660 100644 --- a/spec/lib/banzai/filter/sanitization_filter_spec.rb +++ b/spec/lib/banzai/filter/sanitization_filter_spec.rb @@ -156,13 +156,27 @@ describe Banzai::Filter::SanitizationFilter, lib: true do } protocols.each do |name, data| - it "handles #{name}" do + it "disallows #{name}" do doc = filter(data[:input]) expect(doc.to_html).to eq data[:output] end end + it 'disallows data links' do + input = '<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">XSS</a>' + output = filter(input) + + expect(output.to_html).to eq '<a>XSS</a>' + end + + it 'disallows vbscript links' do + input = '<a href="vbscript:alert(document.domain)">XSS</a>' + output = filter(input) + + expect(output.to_html).to eq '<a>XSS</a>' + end + it 'allows non-standard anchor schemes' do exp = %q{<a href="irc://irc.freenode.net/git">IRC</a>} act = filter(exp) |