summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRobert Speicher <robert@gitlab.com>2017-02-08 20:33:29 +0000
committerRuben Davila <rdavila84@gmail.com>2017-02-13 17:15:31 -0500
commit44a45369588102adcf1b11651d03cdf04085458a (patch)
tree2641230426d3d35a572af769dbe10083b3313dd8
parentba92981ff8faa36a2aa2a09adbc656c169a61620 (diff)
downloadgitlab-ce-44a45369588102adcf1b11651d03cdf04085458a.tar.gz
Merge branch 'asciidoctor-xss-patch' into 'security'
Add sanitization filter to asciidocs output to prevent XSS See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2057
Diffstat
-rw-r--r--changelogs/unreleased/asciidocs-xss-patch.yml4
-rw-r--r--lib/gitlab/asciidoc.rb3
-rw-r--r--spec/lib/gitlab/asciidoc_spec.rb23
3 files changed, 30 insertions, 0 deletions
diff --git a/changelogs/unreleased/asciidocs-xss-patch.yml b/changelogs/unreleased/asciidocs-xss-patch.yml
new file mode 100644
index 00000000000..f70a4b81b82
--- /dev/null
+++ b/changelogs/unreleased/asciidocs-xss-patch.yml
@@ -0,0 +1,4 @@
+---
+title: Patch Asciidocs rendering to block XSS
+merge_request:
+author:
diff --git a/lib/gitlab/asciidoc.rb b/lib/gitlab/asciidoc.rb
index 0618107e2c3..d575367d81a 100644
--- a/lib/gitlab/asciidoc.rb
+++ b/lib/gitlab/asciidoc.rb
@@ -36,6 +36,9 @@ module Gitlab
html = Banzai.post_process(html, context)
+ filter = Banzai::Filter::SanitizationFilter.new(html)
+ html = filter.call.to_s
+
html.html_safe
end
diff --git a/spec/lib/gitlab/asciidoc_spec.rb b/spec/lib/gitlab/asciidoc_spec.rb
index ba199917f5c..bca57105d1d 100644
--- a/spec/lib/gitlab/asciidoc_spec.rb
+++ b/spec/lib/gitlab/asciidoc_spec.rb
@@ -41,6 +41,29 @@ module Gitlab
render(input, context, asciidoc_opts)
end
end
+
+ context "XSS" do
+ links = {
+ 'links' => {
+ input: 'link:mylink"onmouseover="alert(1)[Click Here]',
+ output: "<div>\n<p><a href=\"mylink\">Click Here</a></p>\n</div>"
+ },
+ 'images' => {
+ input: 'image:https://localhost.com/image.png[Alt text" onerror="alert(7)]',
+ output: "<div>\n<p><span><img src=\"https://localhost.com/image.png\" alt=\"Alt text\"></span></p>\n</div>"
+ },
+ 'pre' => {
+ input: '```mypre"><script>alert(3)</script>',
+ output: "<div>\n<div>\n<pre lang=\"mypre\">\"&gt;<code></code></pre>\n</div>\n</div>"
+ }
+ }
+
+ links.each do |name, data|
+ it "does not convert dangerous #{name} into HTML" do
+ expect(render(data[:input], context)).to eql data[:output]
+ end
+ end
+ end
end
def render(*args)
View Lorry Controller Status