Merge branch 'master' of dev.gitlab.org:gitlab/gitlabhq

author: Robert Speicher <rspeicher@gmail.com> 2019-06-03 10:04:57 -0700
committer: Robert Speicher <rspeicher@gmail.com> 2019-06-03 10:04:57 -0700
commit: a2c767b9f8e22398daa19e62597f2663aadf457d (patch)
tree: d390cf8db76cfd2f069b8957a255a064b99590ec /lib
parent: 96ff9c6bd82a6eb60b9f2d1c20fca0105ed4160d (diff)
parent: 5906fb2e45f352b8fc02f0e98a6148d0c0b2db59 (diff)
download: gitlab-ce-a2c767b9f8e22398daa19e62597f2663aadf457d.tar.gz
2 files changed, 14 insertions, 1 deletions
diff --git a/lib/banzai/filter/wiki_link_filter/rewriter.rb b/lib/banzai/filter/wiki_link_filter/rewriter.rb
index f4cc8beeb52..77b5053f38c 100644
--- a/lib/banzai/filter/wiki_link_filter/rewriter.rb
+++ b/lib/banzai/filter/wiki_link_filter/rewriter.rb
@@ -4,6 +4,8 @@ module Banzai
   module Filter
     class WikiLinkFilter < HTML::Pipeline::Filter
       class Rewriter
+        UNSAFE_SLUG_REGEXES = [/\Ajavascript:/i].freeze
+
         def initialize(link_string, wiki:, slug:)
           @uri = Addressable::URI.parse(link_string)
           @wiki_base_path = wiki && wiki.wiki_base_path
@@ -35,6 +37,8 @@ module Banzai
 
         # Of the form `./link`, `../link`, or similar
         def apply_hierarchical_link_rules!
+          return if slug_considered_unsafe?
+
           @uri = Addressable::URI.join(@slug, @uri) if @uri.to_s[0] == '.'
         end
 
@@ -54,6 +58,10 @@ module Banzai
         def repository_upload?
           @uri.relative? && @uri.path.starts_with?(Wikis::CreateAttachmentService::ATTACHMENT_PATH)
         end
+
+        def slug_considered_unsafe?
+          UNSAFE_SLUG_REGEXES.any? { |r| r.match?(@slug) }
+        end
       end
     end
   end
diff --git a/lib/gitlab/import_export/attribute_cleaner.rb b/lib/gitlab/import_export/attribute_cleaner.rb
index 93b37b7bc5f..c28a1674018 100644
--- a/lib/gitlab/import_export/attribute_cleaner.rb
+++ b/lib/gitlab/import_export/attribute_cleaner.rb
@@ -4,6 +4,7 @@ module Gitlab
   module ImportExport
     class AttributeCleaner
       ALLOWED_REFERENCES = RelationFactory::PROJECT_REFERENCES + RelationFactory::USER_REFERENCES + ['group_id']
+      PROHIBITED_REFERENCES = Regexp.union(/\Acached_markdown_version\Z/, /_id\Z/, /_html\Z/).freeze
 
       def self.clean(*args)
         new(*args).clean
@@ -24,7 +25,11 @@ module Gitlab
       private
 
       def prohibited_key?(key)
-        key.end_with?('_id') && !ALLOWED_REFERENCES.include?(key)
+        key =~ PROHIBITED_REFERENCES && !permitted_key?(key)
+      end
+
+      def permitted_key?(key)
+        ALLOWED_REFERENCES.include?(key)
       end
 
       def excluded_key?(key)
author	Robert Speicher <rspeicher@gmail.com>	2019-06-03 10:04:57 -0700
committer	Robert Speicher <rspeicher@gmail.com>	2019-06-03 10:04:57 -0700
commit	a2c767b9f8e22398daa19e62597f2663aadf457d (patch)
tree	d390cf8db76cfd2f069b8957a255a064b99590ec /lib
parent	96ff9c6bd82a6eb60b9f2d1c20fca0105ed4160d (diff)
parent	5906fb2e45f352b8fc02f0e98a6148d0c0b2db59 (diff)
download	gitlab-ce-a2c767b9f8e22398daa19e62597f2663aadf457d.tar.gz