diff options
author | Robert Speicher <rspeicher@gmail.com> | 2017-08-09 18:52:37 -0400 |
---|---|---|
committer | Robert Speicher <rspeicher@gmail.com> | 2017-08-23 15:58:15 -0400 |
commit | f33b4dd45bfcf93b74862cb405531a88f2578709 (patch) | |
tree | 5549d61472dc7137955098e2994a26af7730cae1 | |
parent | d751acd77c87690de369174623d3686bc806d44d (diff) | |
download | gitlab-ce-f33b4dd45bfcf93b74862cb405531a88f2578709.tar.gz |
Disallow the `name` attribute on all user-provided markup
A malicious user was able to do something like
<img src="" name="getElementById">
to override the `document.getElementById` method, which would result in
JavaScript errors being thrown.
See https://gitlab.com/gitlab-org/gitlab-ce/issues/36104
-rw-r--r-- | app/views/projects/blob/viewers/_route_map.html.haml | 2 | ||||
-rw-r--r-- | app/views/projects/blob/viewers/_route_map_loading.html.haml | 2 | ||||
-rw-r--r-- | changelogs/unreleased/rs-issue-36104.yml | 4 | ||||
-rw-r--r-- | doc/ci/environments.md | 3 | ||||
-rw-r--r-- | doc/install/database_mysql.md | 3 | ||||
-rw-r--r-- | lib/banzai/filter/sanitization_filter.rb | 3 | ||||
-rw-r--r-- | spec/features/copy_as_gfm_spec.rb | 2 | ||||
-rw-r--r-- | spec/lib/banzai/filter/sanitization_filter_spec.rb | 12 |
8 files changed, 23 insertions, 8 deletions
diff --git a/app/views/projects/blob/viewers/_route_map.html.haml b/app/views/projects/blob/viewers/_route_map.html.haml index d0fcd55f6c1..6d6bd79bc3c 100644 --- a/app/views/projects/blob/viewers/_route_map.html.haml +++ b/app/views/projects/blob/viewers/_route_map.html.haml @@ -6,4 +6,4 @@ This Route Map is invalid: = viewer.validation_message -= link_to 'Learn more', help_page_path('ci/environments', anchor: 'route-map') += link_to 'Learn more', help_page_path('ci/environments', anchor: 'go-directly-from-source-files-to-public-pages-on-the-environment') diff --git a/app/views/projects/blob/viewers/_route_map_loading.html.haml b/app/views/projects/blob/viewers/_route_map_loading.html.haml index 2318cf82f58..a5f73fb0197 100644 --- a/app/views/projects/blob/viewers/_route_map_loading.html.haml +++ b/app/views/projects/blob/viewers/_route_map_loading.html.haml @@ -1,4 +1,4 @@ = icon('spinner spin fw') Validating Route Map… -= link_to 'Learn more', help_page_path('ci/environments', anchor: 'route-map') += link_to 'Learn more', help_page_path('ci/environments', anchor: 'go-directly-from-source-files-to-public-pages-on-the-environment') diff --git a/changelogs/unreleased/rs-issue-36104.yml b/changelogs/unreleased/rs-issue-36104.yml new file mode 100644 index 00000000000..b050cd83175 --- /dev/null +++ b/changelogs/unreleased/rs-issue-36104.yml @@ -0,0 +1,4 @@ +--- +title: Disallow the `name` attribute on all user-provided markup +merge_request: +author: diff --git a/doc/ci/environments.md b/doc/ci/environments.md index 3393030210e..95198b310f5 100644 --- a/doc/ci/environments.md +++ b/doc/ci/environments.md @@ -448,8 +448,7 @@ and/or `production`) you can see this information in the merge request itself. ![Environment URLs in merge request](img/environments_link_url_mr.png) -### <a name="route-map"></a>Go directly from source files to public pages on the environment - +### Go directly from source files to public pages on the environment > Introduced in GitLab 8.17. diff --git a/doc/install/database_mysql.md b/doc/install/database_mysql.md index bc75dc1447e..5c128f54a76 100644 --- a/doc/install/database_mysql.md +++ b/doc/install/database_mysql.md @@ -75,7 +75,7 @@ log_bin_trust_function_creators=1 ### MySQL utf8mb4 support -After installation or upgrade, remember to [convert any new tables](#convert) to `utf8mb4`/`utf8mb4_general_ci`. +After installation or upgrade, remember to [convert any new tables](#tables-and-data-conversion-to-utf8mb4) to `utf8mb4`/`utf8mb4_general_ci`. --- @@ -230,7 +230,6 @@ We need to check, enable and probably convert your existing GitLab DB tables to > Now, ensure that [innodb_file_format](https://dev.mysql.com/doc/refman/5.6/en/tablespace-enabling.html) and [innodb_large_prefix](http://dev.mysql.com/doc/refman/5.7/en/innodb-parameters.html#sysvar_innodb_large_prefix) are **persisted** in your `my.cnf` file. #### Tables and data conversion to utf8mb4 -<a name="convert"></a> Now that you have a persistent MySQL setup, you can safely upgrade tables after setup or upgrade time: diff --git a/lib/banzai/filter/sanitization_filter.rb b/lib/banzai/filter/sanitization_filter.rb index 2d6e8ffc90f..bda98092389 100644 --- a/lib/banzai/filter/sanitization_filter.rb +++ b/lib/banzai/filter/sanitization_filter.rb @@ -43,6 +43,9 @@ module Banzai whitelist[:elements].push('abbr') whitelist[:attributes]['abbr'] = %w(title) + # Disallow `name` attribute globally + whitelist[:attributes][:all].delete('name') + # Allow any protocol in `a` elements... whitelist[:protocols].delete('a') diff --git a/spec/features/copy_as_gfm_spec.rb b/spec/features/copy_as_gfm_spec.rb index 740f60c05cc..f260f7435ac 100644 --- a/spec/features/copy_as_gfm_spec.rb +++ b/spec/features/copy_as_gfm_spec.rb @@ -288,8 +288,6 @@ describe 'Copy as GFM', feature: true, js: true do 'SanitizationFilter', <<-GFM.strip_heredoc - <a name="named-anchor"></a> - <sub>sub</sub> <dl> diff --git a/spec/lib/banzai/filter/sanitization_filter_spec.rb b/spec/lib/banzai/filter/sanitization_filter_spec.rb index fb7862f49a2..d9ed49137df 100644 --- a/spec/lib/banzai/filter/sanitization_filter_spec.rb +++ b/spec/lib/banzai/filter/sanitization_filter_spec.rb @@ -87,6 +87,18 @@ describe Banzai::Filter::SanitizationFilter, lib: true do expect(filter(act).to_html).to eq exp end + it 'disallows the `name` attribute globally' do + html = <<~HTML + <img name="getElementById" src=""> + <span name="foo" class="bar">Hi</span> + HTML + + doc = filter(html) + + expect(doc.at_css('img')).not_to have_attribute('name') + expect(doc.at_css('span')).not_to have_attribute('name') + end + it 'allows `summary` elements' do exp = act = '<summary>summary line</summary>' expect(filter(act).to_html).to eq exp |