diff options
author | Mayra Cabrera <mcabrera@gitlab.com> | 2018-06-19 22:57:28 +0000 |
---|---|---|
committer | Mayra Cabrera <mcabrera@gitlab.com> | 2018-06-20 15:46:20 -0500 |
commit | 4c835a43a32589bc29b30b28f6455bc43f605981 (patch) | |
tree | 22805ac2ec080cb35dee1a34af0a7f4ee7d57e2d | |
parent | d6912920549887d6dc62a44ed55812915dcf8c37 (diff) | |
download | gitlab-ce-4c835a43a32589bc29b30b28f6455bc43f605981.tar.gz |
Merge branch 'security-fj-bumping-sanitize-gem-10-8' into 'security-10-8'
[10.8] Update sanitize gem to 4.6.5 to fix HTML injection vulnerability
See merge request gitlab/gitlabhq!2403
-rw-r--r-- | Gemfile | 2 | ||||
-rw-r--r-- | Gemfile.lock | 12 | ||||
-rw-r--r-- | changelogs/unreleased/security-fj-bumping-sanitize-gem.yml | 5 | ||||
-rw-r--r-- | lib/banzai/filter/sanitization_filter.rb | 3 | ||||
-rw-r--r-- | spec/lib/banzai/filter/sanitization_filter_spec.rb | 12 |
5 files changed, 27 insertions, 7 deletions
@@ -222,7 +222,7 @@ gem 'kubeclient', '~> 3.0' gem 'd3_rails', '~> 3.5.0' # Sanitize user input -gem 'sanitize', '~> 2.0' +gem 'sanitize', '~> 4.6.5' gem 'babosa', '~> 1.0.2' # Sanitizes SVG input diff --git a/Gemfile.lock b/Gemfile.lock index ffcf3db13c9..16233e9e512 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -304,13 +304,13 @@ GEM flowdock (~> 0.7) gitlab-grit (>= 2.4.1) multi_json - gitlab-gollum-lib (4.2.7.2) + gitlab-gollum-lib (4.2.7.5) gemojione (~> 3.2) github-markup (~> 1.6) gollum-grit_adapter (~> 1.0) nokogiri (>= 1.6.1, < 2.0) rouge (~> 3.1) - sanitize (~> 2.1) + sanitize (~> 4.6.4) stringex (~> 2.6) gitlab-gollum-rugged_adapter (0.4.4) mime-types (>= 1.15) @@ -519,6 +519,8 @@ GEM netrc (0.11.0) nokogiri (1.8.2) mini_portile2 (~> 2.3.0) + nokogumbo (1.5.0) + nokogiri numerizer (0.1.1) oauth (0.5.4) oauth2 (1.4.0) @@ -813,8 +815,10 @@ GEM et-orbi (~> 1.0) rugged (0.27.1) safe_yaml (1.0.4) - sanitize (2.1.0) + sanitize (4.6.5) + crass (~> 1.0.2) nokogiri (>= 1.4.4) + nokogumbo (~> 1.4) sass (3.5.5) sass-listen (~> 4.0.0) sass-listen (4.0.0) @@ -1171,7 +1175,7 @@ DEPENDENCIES ruby_parser (~> 3.8) rufus-scheduler (~> 3.4) rugged (~> 0.27) - sanitize (~> 2.0) + sanitize (~> 4.6.5) sass-rails (~> 5.0.6) scss_lint (~> 0.56.0) seed-fu (~> 2.3.7) diff --git a/changelogs/unreleased/security-fj-bumping-sanitize-gem.yml b/changelogs/unreleased/security-fj-bumping-sanitize-gem.yml new file mode 100644 index 00000000000..bec1033425d --- /dev/null +++ b/changelogs/unreleased/security-fj-bumping-sanitize-gem.yml @@ -0,0 +1,5 @@ +--- +title: Update sanitize gem to 4.6.5 to fix HTML injection vulnerability +merge_request: +author: +type: security diff --git a/lib/banzai/filter/sanitization_filter.rb b/lib/banzai/filter/sanitization_filter.rb index 6786b9d07b6..afc2ca4e362 100644 --- a/lib/banzai/filter/sanitization_filter.rb +++ b/lib/banzai/filter/sanitization_filter.rb @@ -25,10 +25,11 @@ module Banzai # Only push these customizations once return if customized?(whitelist[:transformers]) - # Allow table alignment; we whitelist specific style properties in a + # Allow table alignment; we whitelist specific text-align values in a # transformer below whitelist[:attributes]['th'] = %w(style) whitelist[:attributes]['td'] = %w(style) + whitelist[:css] = { properties: ['text-align'] } # Allow span elements whitelist[:elements].push('span') diff --git a/spec/lib/banzai/filter/sanitization_filter_spec.rb b/spec/lib/banzai/filter/sanitization_filter_spec.rb index 17a620ef603..d930c608b18 100644 --- a/spec/lib/banzai/filter/sanitization_filter_spec.rb +++ b/spec/lib/banzai/filter/sanitization_filter_spec.rb @@ -93,6 +93,16 @@ describe Banzai::Filter::SanitizationFilter do expect(doc.at_css('td')['style']).to eq 'text-align: center' end + it 'disallows `text-align` property in `style` attribute on other elements' do + html = <<~HTML + <div style="text-align: center">Text</div> + HTML + + doc = filter(html) + + expect(doc.at_css('div')['style']).to be_nil + end + it 'allows `span` elements' do exp = act = %q{<span>Hello</span>} expect(filter(act).to_html).to eq exp @@ -224,7 +234,7 @@ describe Banzai::Filter::SanitizationFilter do 'protocol-based JS injection: spaces and entities' => { input: '<a href="  javascript:alert(\'XSS\');">foo</a>', - output: '<a href="">foo</a>' + output: '<a href>foo</a>' }, 'protocol whitespace' => { |