author | Robert Speicher <rspeicher@gmail.com> | 2021-01-20 13:34:23 -0600 |
---|---|---|
committer | Robert Speicher <rspeicher@gmail.com> | 2021-01-20 13:34:23 -0600 |
commit | 6438df3a1e0fb944485cebf07976160184697d72 (patch) | |
tree | 00b09bfd170e77ae9391b1a2f5a93ef6839f2597 /lib/banzai | |
parent | 42bcd54d971da7ef2854b896a7b34f4ef8601067 (diff) | |
Add latest changes from gitlab-org/gitlab@13-8-stable-ee (v13.8.0-rc42)
Diffstat (limited to 'lib/banzai')
-rw-r--r-- | lib/banzai/filter/ascii_doc_sanitization_filter.rb | 38 | ||||
-rw-r--r-- | lib/banzai/filter/asset_proxy_filter.rb | 10 | ||||
-rw-r--r-- | lib/banzai/filter/base_sanitization_filter.rb | 34 | ||||
-rw-r--r-- | lib/banzai/filter/broadcast_message_sanitization_filter.rb | 10 | ||||
-rw-r--r-- | lib/banzai/filter/sanitization_filter.rb | 22 | ||||
-rw-r--r-- | lib/banzai/filter/truncate_source_filter.rb | 13 | ||||
-rw-r--r-- | lib/banzai/pipeline/description_pipeline.rb | 4 | ||||
-rw-r--r-- | lib/banzai/pipeline/pre_process_pipeline.rb | 1 |
8 files changed, 73 insertions, 59 deletions
diff --git a/lib/banzai/filter/ascii_doc_sanitization_filter.rb b/lib/banzai/filter/ascii_doc_sanitization_filter.rb
index 11762c3bfb4..67f5baf4635 100644
--- a/lib/banzai/filter/ascii_doc_sanitization_filter.rb
+++ b/lib/banzai/filter/ascii_doc_sanitization_filter.rb
@@ -27,7 +27,7 @@ module Banzai
       TABLE_GRID_CLASSES = %w(grid-all grid-rows grid-cols grid-none).freeze
       TABLE_STRIPES_CLASSES = %w(stripes-all stripes-odd stripes-even stripes-hover stripes-none).freeze
 
-      ELEMENT_CLASSES_WHITELIST = {
+      ELEMENT_CLASSES_ALLOWLIST = {
         span: %w(big small underline overline line-through).freeze,
         div: ALIGNMENT_BUILTINS_CLASSES + ['admonitionblock'].freeze,
         td: ['icon'].freeze,
@@ -38,35 +38,35 @@ module Banzai
         table: TABLE_FRAME_CLASSES + TABLE_GRID_CLASSES + TABLE_STRIPES_CLASSES
       }.freeze
 
-      def customize_whitelist(whitelist)
+      def customize_allowlist(allowlist)
         # Allow marks
-        whitelist[:elements].push('mark')
+        allowlist[:elements].push('mark')
 
         # Allow any classes in `span`, `i`, `div`, `td`, `ul`, `ol` and `a` elements
         # but then remove any unknown classes
-        whitelist[:attributes]['span'] = %w(class)
-        whitelist[:attributes]['div'].push('class')
-        whitelist[:attributes]['td'] = %w(class)
-        whitelist[:attributes]['i'] = %w(class)
-        whitelist[:attributes]['ul'] = %w(class)
-        whitelist[:attributes]['ol'] = %w(class)
-        whitelist[:attributes]['a'].push('class')
-        whitelist[:attributes]['table'] = %w(class)
-        whitelist[:transformers].push(self.class.remove_element_classes)
+        allowlist[:attributes]['span'] = %w(class)
+        allowlist[:attributes]['div'].push('class')
+        allowlist[:attributes]['td'] = %w(class)
+        allowlist[:attributes]['i'] = %w(class)
+        allowlist[:attributes]['ul'] = %w(class)
+        allowlist[:attributes]['ol'] = %w(class)
+        allowlist[:attributes]['a'].push('class')
+        allowlist[:attributes]['table'] = %w(class)
+        allowlist[:transformers].push(self.class.remove_element_classes)
 
         # Allow `id` in anchor and footnote elements
-        whitelist[:attributes]['a'].push('id')
-        whitelist[:attributes]['div'].push('id')
+        allowlist[:attributes]['a'].push('id')
+        allowlist[:attributes]['div'].push('id')
 
         # Allow `id` in heading elements for section anchors
         SECTION_HEADINGS.each do |header|
-          whitelist[:attributes][header] = %w(id)
+          allowlist[:attributes][header] = %w(id)
         end
 
         # Remove ids that are not explicitly allowed
-        whitelist[:transformers].push(self.class.remove_disallowed_ids)
+        allowlist[:transformers].push(self.class.remove_disallowed_ids)
 
-        whitelist
+        allowlist
       end
 
       class << self
@@ -91,11 +91,11 @@ module Banzai
           lambda do |env|
             node = env[:node]
 
-            return unless (classes_whitelist = ELEMENT_CLASSES_WHITELIST[node.name.to_sym])
+            return unless (classes_allowlist = ELEMENT_CLASSES_ALLOWLIST[node.name.to_sym])
             return unless node.has_attribute?('class')
 
             classes = node['class'].strip.split(' ')
-            allowed_classes = (classes & classes_whitelist)
+            allowed_classes = (classes & classes_allowlist)
             if allowed_classes.empty?
               node.remove_attribute('class')
             else
diff --git a/lib/banzai/filter/asset_proxy_filter.rb b/lib/banzai/filter/asset_proxy_filter.rb
index 8acd3917d81..55dc426edaf 100644
--- a/lib/banzai/filter/asset_proxy_filter.rb
+++ b/lib/banzai/filter/asset_proxy_filter.rb
@@ -15,7 +15,7 @@ module Banzai
         needs(:asset_proxy, :asset_proxy_secret_key) if asset_proxy_enabled?
       end
 
-      def asset_host_whitelisted?(host)
+      def asset_host_allowed?(host)
         context[:asset_proxy_domain_regexp] ? context[:asset_proxy_domain_regexp].match?(host) : false
       end
 
@@ -44,21 +44,21 @@ module Banzai
           Gitlab.config.asset_proxy['enabled'] = application_settings.asset_proxy_enabled
           Gitlab.config.asset_proxy['url'] = application_settings.asset_proxy_url
           Gitlab.config.asset_proxy['secret_key'] = application_settings.asset_proxy_secret_key
-          Gitlab.config.asset_proxy['whitelist'] = determine_whitelist(application_settings)
-          Gitlab.config.asset_proxy['domain_regexp'] = compile_whitelist(Gitlab.config.asset_proxy.whitelist)
+          Gitlab.config.asset_proxy['allowlist'] = determine_allowlist(application_settings)
+          Gitlab.config.asset_proxy['domain_regexp'] = compile_allowlist(Gitlab.config.asset_proxy.allowlist)
         else
           Gitlab.config.asset_proxy['enabled'] = ::ApplicationSetting.defaults[:asset_proxy_enabled]
         end
       end
 
-      def self.compile_whitelist(domain_list)
+      def self.compile_allowlist(domain_list)
         return if domain_list.empty?
 
         escaped = domain_list.map { |domain| Regexp.escape(domain).gsub('\*', '.*?') }
         Regexp.new("^(#{escaped.join('|')})$", Regexp::IGNORECASE)
       end
 
-      def self.determine_whitelist(application_settings)
+      def self.determine_allowlist(application_settings)
         application_settings.asset_proxy_whitelist.presence || [Gitlab.config.gitlab.host]
       end
     end
diff --git a/lib/banzai/filter/base_sanitization_filter.rb b/lib/banzai/filter/base_sanitization_filter.rb
index 4f9e8cffd11..c63453f94ca 100644
--- a/lib/banzai/filter/base_sanitization_filter.rb
+++ b/lib/banzai/filter/base_sanitization_filter.rb
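Review bot: `compile_allowlist` still anchors the compiled domain pattern with `^`/`$`, which in Ruby match at line boundaries rather than string boundaries, so a host value containing a newline could satisfy the pattern on one line and carry arbitrary content on the next; since this regexp is what `asset_host_allowed?` uses to decide whether an image host bypasses the asset proxy, anchor it with `\A`/`\z` instead: `Regexp.new("\\A(#{escaped.join('|')})\\z", Regexp::IGNORECASE)`. Whether a newline can actually reach that check depends on how the caller derives `host`, which is outside this hunk, so treat this as defence in depth rather than a confirmed bypass. `determine_allowlist` still reads the `asset_proxy_whitelist` application setting, presumably because the persisted setting name was not renamed; a one-line comment such as `# Setting name is unchanged for compatibility with stored application settings` would stop the next reader from "fixing" it. The method containing the first `Gitlab.config.asset_proxy[...]` assignments starts outside the hunk.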
@@ -16,42 +16,42 @@ module Banzai
 
       UNSAFE_PROTOCOLS = %w(data javascript vbscript).freeze
 
-      def whitelist
-        strong_memoize(:whitelist) do
-          whitelist = super.deep_dup
+      def allowlist
+        strong_memoize(:allowlist) do
+          allowlist = super.deep_dup
 
           # Allow span elements
-          whitelist[:elements].push('span')
+          allowlist[:elements].push('span')
 
           # Allow data-math-style attribute in order to support LaTeX formatting
-          whitelist[:attributes]['code'] = %w(data-math-style)
-          whitelist[:attributes]['pre'] = %w(data-math-style data-mermaid-style data-kroki-style)
+          allowlist[:attributes]['code'] = %w(data-math-style)
+          allowlist[:attributes]['pre'] = %w(data-math-style data-mermaid-style data-kroki-style)
 
           # Allow html5 details/summary elements
-          whitelist[:elements].push('details')
-          whitelist[:elements].push('summary')
+          allowlist[:elements].push('details')
+          allowlist[:elements].push('summary')
 
           # Allow abbr elements with title attribute
-          whitelist[:elements].push('abbr')
-          whitelist[:attributes]['abbr'] = %w(title)
+          allowlist[:elements].push('abbr')
+          allowlist[:attributes]['abbr'] = %w(title)
 
           # Disallow `name` attribute globally, allow on `a`
-          whitelist[:attributes][:all].delete('name')
-          whitelist[:attributes]['a'].push('name')
+          allowlist[:attributes][:all].delete('name')
+          allowlist[:attributes]['a'].push('name')
 
           # Allow any protocol in `a` elements
           # and then remove links with unsafe protocols
-          whitelist[:protocols].delete('a')
-          whitelist[:transformers].push(self.class.method(:remove_unsafe_links))
+          allowlist[:protocols].delete('a')
+          allowlist[:transformers].push(self.class.method(:remove_unsafe_links))
 
           # Remove `rel` attribute from `a` elements
-          whitelist[:transformers].push(self.class.remove_rel)
+          allowlist[:transformers].push(self.class.remove_rel)
 
-          customize_whitelist(whitelist)
+          customize_allowlist(allowlist)
         end
       end
 
-      def customize_whitelist(whitelist)
+      def customize_allowlist(allowlist)
         raise NotImplementedError
       end
 
diff --git a/lib/banzai/filter/broadcast_message_sanitization_filter.rb b/lib/banzai/filter/broadcast_message_sanitization_filter.rb
index 042293170c8..183908d02a9 100644
--- a/lib/banzai/filter/broadcast_message_sanitization_filter.rb
+++ b/lib/banzai/filter/broadcast_message_sanitization_filter.rb
@@ -6,14 +6,14 @@ module Banzai
     #
     # Extends Banzai::Filter::BaseSanitizationFilter with specific rules.
     class BroadcastMessageSanitizationFilter < Banzai::Filter::BaseSanitizationFilter
-      def customize_whitelist(whitelist)
-        whitelist[:elements].push('br')
+      def customize_allowlist(allowlist)
+        allowlist[:elements].push('br')
 
-        whitelist[:attributes]['a'].push('class', 'style')
+        allowlist[:attributes]['a'].push('class', 'style')
 
-        whitelist[:css] = { properties: %w(color border background padding margin text-decoration) }
+        allowlist[:css] = { properties: %w(color border background padding margin text-decoration) }
 
-        whitelist
+        allowlist
       end
     end
   end
diff --git a/lib/banzai/filter/sanitization_filter.rb b/lib/banzai/filter/sanitization_filter.rb
index f57e57890f8..f6314040f28 100644
--- a/lib/banzai/filter/sanitization_filter.rb
+++ b/lib/banzai/filter/sanitization_filter.rb
@@ -9,26 +9,26 @@ module Banzai
       # Styles used by Markdown for table alignment
       TABLE_ALIGNMENT_PATTERN = /text-align: (?<alignment>center|left|right)/.freeze
 
-      def customize_whitelist(whitelist)
-        # Allow table alignment; we whitelist specific text-align values in a
+      def customize_allowlist(allowlist)
+        # Allow table alignment; we allow specific text-align values in a
         # transformer below
-        whitelist[:attributes]['th'] = %w(style)
-        whitelist[:attributes]['td'] = %w(style)
-        whitelist[:css] = { properties: ['text-align'] }
+        allowlist[:attributes]['th'] = %w(style)
+        allowlist[:attributes]['td'] = %w(style)
+        allowlist[:css] = { properties: ['text-align'] }
 
         # Allow the 'data-sourcepos' from CommonMark on all elements
-        whitelist[:attributes][:all].push('data-sourcepos')
+        allowlist[:attributes][:all].push('data-sourcepos')
 
         # Remove any `style` properties not required for table alignment
-        whitelist[:transformers].push(self.class.remove_unsafe_table_style)
+        allowlist[:transformers].push(self.class.remove_unsafe_table_style)
 
         # Allow `id` in a and li elements for footnotes
         # and remove any `id` properties not matching for footnotes
-        whitelist[:attributes]['a'].push('id')
-        whitelist[:attributes]['li'] = %w(id)
-        whitelist[:transformers].push(self.class.remove_non_footnote_ids)
+        allowlist[:attributes]['a'].push('id')
+        allowlist[:attributes]['li'] = %w(id)
+        allowlist[:transformers].push(self.class.remove_non_footnote_ids)
 
-        whitelist
+        allowlist
       end
 
       class << self
diff --git a/lib/banzai/filter/truncate_source_filter.rb b/lib/banzai/filter/truncate_source_filter.rb
new file mode 100644
index 00000000000..c903b83d868
--- /dev/null
+++ b/lib/banzai/filter/truncate_source_filter.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Banzai
+  module Filter
+    class TruncateSourceFilter < HTML::Pipeline::TextFilter
+      def call
+        return text unless context.key?(:limit)
+
+        text.truncate_bytes(context[:limit])
+      end
+    end
+  end
+end
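Review bot: `TruncateSourceFilter#call` guards only on the presence of the `:limit` key, so a context carrying `limit: nil` or a non-integer reaches `truncate_bytes` and raises instead of passing the text through untouched; check the value rather than the key: `limit = context[:limit]` / `return text unless limit.is_a?(Integer) && limit.positive?` / `text.truncate_bytes(limit)`. Presumably `truncate_bytes` here is ActiveSupport's `String#truncate_bytes`, which appends an `…` omission and raises `ArgumentError` when the limit is smaller than that omission's byte size — confirm, and either clamp small limits or document the minimum. The new class also has no header comment stating what the limit means; I would add `# Cuts the source text down to at most context[:limit] bytes so that oversized input is bounded before later filters run (no-op when no limit is given).` above the class, hedging the "before later filters" part if the pipeline ordering is not guaranteed.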
diff --git a/lib/banzai/pipeline/description_pipeline.rb b/lib/banzai/pipeline/description_pipeline.rb
index d5ff9b025cc..8f8ce1cbd41 100644
--- a/lib/banzai/pipeline/description_pipeline.rb
+++ b/lib/banzai/pipeline/description_pipeline.rb
@@ -3,14 +3,14 @@
 module Banzai
   module Pipeline
     class DescriptionPipeline < FullPipeline
-      WHITELIST = Banzai::Filter::SanitizationFilter::LIMITED.deep_dup.merge(
+      ALLOWLIST = Banzai::Filter::SanitizationFilter::LIMITED.deep_dup.merge(
         elements: Banzai::Filter::SanitizationFilter::LIMITED[:elements] - %w(pre code img ol ul li)
       )
 
       def self.transform_context(context)
         super(context).merge(
           # SanitizationFilter
-          whitelist: WHITELIST
+          allowlist: ALLOWLIST
         )
       end
     end
diff --git a/lib/banzai/pipeline/pre_process_pipeline.rb b/lib/banzai/pipeline/pre_process_pipeline.rb
index 1f7cb437fcd..eb6f35b0e2a 100644
--- a/lib/banzai/pipeline/pre_process_pipeline.rb
+++ b/lib/banzai/pipeline/pre_process_pipeline.rb
@@ -6,6 +6,7 @@ module Banzai
       def self.filters
         FilterArray[
           Filter::NormalizeSourceFilter,
+          Filter::TruncateSourceFilter,
           Filter::FrontMatterFilter,
           Filter::BlockquoteFenceFilter,
         ]
|
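Review bot: The sanitizer context key changes from `whitelist:` to `allowlist:` in `transform_context`, but nothing in this commit's visible hunks reads that key — `BaseSanitizationFilter#allowlist` takes its starting set from `super`, i.e. the html-pipeline gem. If the installed gem version still looks up `context[:whitelist]`, the restricted `LIMITED` set minus `pre code img ol ul li` is silently ignored and descriptions fall back to the gem's default allowlist, which is the kind of regression a rename does not surface unless a test asserts the stripped elements. Confirm that the gem's `SanitizationFilter#allowlist` reads `context[:allowlist]` for the version pinned in the Gemfile.lock, or add a spec that renders `<img src="x">` through `DescriptionPipeline` and expects the tag to be removed.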