author: Kerri Miller <kerrizor@kerrizor.com> 2019-05-20 13:24:22 -0700
committer: Kerri Miller <kerrizor@kerrizor.com> 2019-05-24 12:33:24 -0700
commit: a76fdcb7a30c6244ffb11a2e672e16d1e5b413b2 (patch)
tree: 2df0435eaf290a601f8eb91346a4bed2d1153893 /lib/banzai
parent: a600c0a78d7f9660d8f37f0f6fc98b61bdc275fb (diff)
download: gitlab-ce-a76fdcb7a30c6244ffb11a2e672e16d1e5b413b2.tar.gz
Reject slug+uri concat if slug is deemed unsafe
First reported: https://gitlab.com/gitlab-org/gitlab-ce/issues/60143

When the page slug is "javascript:" and we attempt to link to a relative path (using `.` or `..`) the code will concatenate the slug and the uri. This MR adds a guard to that concat step that will return `nil` if the incoming slug matches against any of the "unsafe" slug regexes; currently this is only for the slug "javascript:" but can be extended if needed.

Manually tested against a non-exhaustive list from OWASP of common javascript XSS exploits that have to do with mangling the "javascript:" method, and all are caught by this change or by existing code that ingests the user-specified slug.
Diffstat (limited to 'lib/banzai')
-rw-r--r-- lib/banzai/filter/wiki_link_filter/rewriter.rb | 8
1 files changed, 8 insertions, 0 deletions
diff --git a/lib/banzai/filter/wiki_link_filter/rewriter.rb b/lib/banzai/filter/wiki_link_filter/rewriter.rb
index f4cc8beeb52..77b5053f38c 100644
--- a/lib/banzai/filter/wiki_link_filter/rewriter.rb
+++ b/lib/banzai/filter/wiki_link_filter/rewriter.rb
@@ -4,6 +4,8 @@ module Banzai
module Filter
class WikiLinkFilter < HTML::Pipeline::Filter
class Rewriter
+ UNSAFE_SLUG_REGEXES = [/\Ajavascript:/i].freeze
+
def initialize(link_string, wiki:, slug:)
@uri = Addressable::URI.parse(link_string)
@wiki_base_path = wiki && wiki.wiki_base_path
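Review bot: UNSAFE_SLUG_REGEXES carries no comment saying what it guards against or why a single `\A`-anchored pattern is sufficient; the commit message states that mangled variants of the scheme are caught by the existing slug-ingestion code, so that dependency should be recorded here, e.g. `# Slugs that must never be joined with a relative link; see issue 60143.` Without it, a later change to slug ingestion could silently weaken this guard.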
@@ -35,6 +37,8 @@ module Banzai
# Of the form `./link`, `../link`, or similar
def apply_hierarchical_link_rules!
+ return if slug_considered_unsafe?
+
@uri = Addressable::URI.join(@slug, @uri) if @uri.to_s[0] == '.'
end
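Review bot: the early `return if slug_considered_unsafe?` leaves `@uri` as the unmodified relative path (`./link`) rather than clearing it, so the link falls through to whatever the caller does with a still-relative URI; that matches the commit message's "return nil", but the hunk does not document the intended rendered output. Add a comment above the guard stating that an unsafe slug is deliberately never joined, and a spec asserting the resulting href for a `javascript:` slug combined with a `./link` target.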
@@ -54,6 +58,10 @@ module Banzai
def repository_upload?
@uri.relative? && @uri.path.starts_with?(Wikis::CreateAttachmentService::ATTACHMENT_PATH)
end
+
+ def slug_considered_unsafe?
+ UNSAFE_SLUG_REGEXES.any? { |r| r.match?(@slug) }
+ end
end
end
end
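Review bot: `slug_considered_unsafe?` is added after `repository_upload?`, but the hunk does not show whether this region sits below a `private` keyword; if it does not, the predicate becomes part of Rewriter's public interface and should be moved under `private`. No nil guard is needed for `@slug`, since `Regexp#match?` returns false for a nil argument.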