diff options
| -rw-r--r-- | changelogs/unreleased/patch-rdoc-xss.yml | 4 | ||||
| -rw-r--r-- | lib/gitlab/other_markup.rb | 3 | ||||
| -rw-r--r-- | spec/lib/gitlab/other_markup.rb | 22 |
3 files changed, 29 insertions, 0 deletions
diff --git a/changelogs/unreleased/patch-rdoc-xss.yml b/changelogs/unreleased/patch-rdoc-xss.yml new file mode 100644 index 00000000000..b428f5435e3 --- /dev/null +++ b/changelogs/unreleased/patch-rdoc-xss.yml @@ -0,0 +1,4 @@ +--- +title: Patch XSS vulnerability in RDOC support +merge_request: +author: diff --git a/lib/gitlab/other_markup.rb b/lib/gitlab/other_markup.rb index 4e2f8ed5587..e67acf28c94 100644 --- a/lib/gitlab/other_markup.rb +++ b/lib/gitlab/other_markup.rb @@ -17,6 +17,9 @@ module Gitlab html = Banzai.post_process(html, context) + filter = Banzai::Filter::SanitizationFilter.new(html) + html = filter.call.to_s + html.html_safe end end diff --git a/spec/lib/gitlab/other_markup.rb b/spec/lib/gitlab/other_markup.rb new file mode 100644 index 00000000000..8f5a353b381 --- /dev/null +++ b/spec/lib/gitlab/other_markup.rb @@ -0,0 +1,22 @@ +require 'spec_helper' + +describe Gitlab::OtherMarkup, lib: true do + context "XSS Checks" do + links = { + 'links' => { + file: 'file.rdoc', + input: 'XSS[JaVaScriPt:alert(1)]', + output: '<p><a>XSS</a></p>' + } + } + links.each do |name, data| + it "does not convert dangerous #{name} into HTML" do + expect(render(data[:file], data[:input], context)).to eql data[:output] + end + end + end + + def render(*args) + described_class.render(*args) + end +end |