authorJohn Jarvis <jarv@gitlab.com>2019-03-05 10:28:59 +0000
committerJohn Jarvis <jarv@gitlab.com>2019-03-05 10:28:59 +0000
commit83cb7482560c04d14fda372fcb4f95d667cd1962 (patch)
treeec36cfddb359467a35276a99b5bc872b1fdfb7e2 /app/assets/javascripts
parent960101c20bb8ec5a2d1d3f01474676c7ea95adc7 (diff)
parenta24eabb1782785ad0bcf2460c3fff67106598b83 (diff)
Merge branch 'merge-dev-to-master' into 'master'
Merge dev.gitlab.org master into GitLab.com master Closes #2794, #2814, #2806, #2805, #2798, #2795, #2788, and #2787 See merge request gitlab-org/gitlab-ce!25746
Diffstat (limited to 'app/assets/javascripts')
-rw-r--r--app/assets/javascripts/behaviors/markdown/render_mermaid.js19
1 files changed, 19 insertions, 0 deletions
diff --git a/app/assets/javascripts/behaviors/markdown/render_mermaid.js b/app/assets/javascripts/behaviors/markdown/render_mermaid.js
index 35380ca49fb..798114b4b0b 100644
--- a/app/assets/javascripts/behaviors/markdown/render_mermaid.js
+++ b/app/assets/javascripts/behaviors/markdown/render_mermaid.js
@@ -1,4 +1,5 @@
import flash from '~/flash';
+import { sprintf, __ } from '../../locale';
// Renders diagrams and flowcharts from text using Mermaid in any element with the
// `js-render-mermaid` class.
@@ -14,6 +15,9 @@ import flash from '~/flash';
// </pre>
//
+// This is an arbitary number; Can be iterated upon when suitable.
+const MAX_CHAR_LIMIT = 5000;
+
export default function renderMermaid($els) {
if (!$els.length) return;
@@ -34,6 +38,21 @@ export default function renderMermaid($els) {
$els.each((i, el) => {
const source = el.textContent;
+ /**
+ * Restrict the rendering to a certain amount of character to
+ * prevent mermaidjs from hanging up the entire thread and
+ * causing a DoS.
+ */
+ if (source && source.length > MAX_CHAR_LIMIT) {
+ el.textContent = sprintf(
+ __(
+ 'Cannot render the image. Maximum character count (%{charLimit}) has been exceeded.',
+ ),
+ { charLimit: MAX_CHAR_LIMIT },
+ );
+ return;
+ }
+
// Remove any extra spans added by the backend syntax highlighting.
Object.assign(el, { textContent: source });
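Review bot: The new guard at `if (source && source.length > MAX_CHAR_LIMIT)` bounds a single element, so the main-thread cost it is meant to cap stays unbounded across a page — any number of `js-render-mermaid` blocks each just under 5000 characters still hand mermaid the same total work inside the same `$els.each` loop. A running total would close that gap with two lines: `let renderedChars = 0;` before the loop and `renderedChars += source.length; if (renderedChars > MAX_CHAR_LIMIT) { ... return; }` in place of the per-element comparison (or a separate total limit if per-block behaviour is wanted). Note too that `source.length` counts UTF-16 code units rather than characters, which is acceptable as a cost bound but does not match the "character count" wording of the user-facing message, and a length cap alone presumably does not prevent pathological-but-short diagrams from being slow — verify against mermaid's own limits. The comment on the new constant misspells "arbitrary", and the `$els.each` callback and `renderMermaid` body both continue outside the hunk.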