diff options
author | Robert Speicher <robert@gitlab.com> | 2017-02-09 17:30:06 +0000 |
---|---|---|
committer | Ruben Davila <rdavila84@gmail.com> | 2017-02-13 17:15:57 -0500 |
commit | abb87f4ad5adc97c736296e4d0c1508e5481897c (patch) | |
tree | 44c58ec01b2d5f037f797ecbf33762f7e2c92357 | |
parent | 44a45369588102adcf1b11651d03cdf04085458a (diff) | |
download | gitlab-ce-abb87f4ad5adc97c736296e4d0c1508e5481897c.tar.gz |
Merge branch 'fix-rdoc-xss' into 'security'
Fix XSS in rdoc and other markups
See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2058
-rw-r--r-- | changelogs/unreleased/patch-rdoc-xss.yml | 4 | ||||
-rw-r--r-- | lib/gitlab/other_markup.rb | 3 | ||||
-rw-r--r-- | spec/lib/gitlab/other_markup.rb | 22 |
3 files changed, 29 insertions, 0 deletions
diff --git a/changelogs/unreleased/patch-rdoc-xss.yml b/changelogs/unreleased/patch-rdoc-xss.yml new file mode 100644 index 00000000000..b428f5435e3 --- /dev/null +++ b/changelogs/unreleased/patch-rdoc-xss.yml @@ -0,0 +1,4 @@ +--- +title: Patch XSS vulnerability in RDOC support +merge_request: +author: diff --git a/lib/gitlab/other_markup.rb b/lib/gitlab/other_markup.rb index 4e2f8ed5587..e67acf28c94 100644 --- a/lib/gitlab/other_markup.rb +++ b/lib/gitlab/other_markup.rb @@ -17,6 +17,9 @@ module Gitlab html = Banzai.post_process(html, context) + filter = Banzai::Filter::SanitizationFilter.new(html) + html = filter.call.to_s + html.html_safe end end diff --git a/spec/lib/gitlab/other_markup.rb b/spec/lib/gitlab/other_markup.rb new file mode 100644 index 00000000000..8f5a353b381 --- /dev/null +++ b/spec/lib/gitlab/other_markup.rb @@ -0,0 +1,22 @@ +require 'spec_helper' + +describe Gitlab::OtherMarkup, lib: true do + context "XSS Checks" do + links = { + 'links' => { + file: 'file.rdoc', + input: 'XSS[JaVaScriPt:alert(1)]', + output: '<p><a>XSS</a></p>' + } + } + links.each do |name, data| + it "does not convert dangerous #{name} into HTML" do + expect(render(data[:file], data[:input], context)).to eql data[:output] + end + end + end + + def render(*args) + described_class.render(*args) + end +end |