Merge branch 'fix-stored-xss-in-code-blocks-10-2' into 'security-10-2'

[10.2] Fix stored XSS in code blocks See merge request gitlab/gitlabhq!2298

Merge branch 'fix-stored-xss-in-code-blocks-10-2' into 'security-10-2'
8489f5f3 · Robert Speicher · Marin Jankovski · cabed08c · 8489f5f3 · 8489f5f3
Unverified Commit 8489f5f3 authored Jan 10, 2018 by Robert Speicher Committed by Marin Jankovski Feb 01, 2018
3 changed files
--- a/changelogs/unreleased/fix-stored-xss-in-code-blocks.yml
+++ b/changelogs/unreleased/fix-stored-xss-in-code-blocks.yml
+---
+title: Fix stored XSS in code blocks that ignore highlighting
+merge_request:
+author:
+type: security
--- a/lib/banzai/filter/syntax_highlight_filter.rb
+++ b/lib/banzai/filter/syntax_highlight_filter.rb
@@ -14,23 +14,31 @@ module Banzai
      end
      def highlight_node(node)
-        language = node.attr('lang')
+        lang = node.attr('lang')
-        code = node.text
        css_classes = "code highlight"
-        lexer = lexer_for(language)
+        lexer = lexer_for(lang)
-        lang = lexer.tag
+        language = lexer.tag
+        retried = false
        begin
-          code = Rouge::Formatters::HTMLGitlab.format(lex(lexer, code), tag: lang)
+          code = Rouge::Formatters::HTMLGitlab.format(lex(lexer, node.text), tag: language)
-          css_classes << " js-syntax-highlight #{lang}"
+          css_classes << " js-syntax-highlight #{language}"
        rescue
-          lang = nil
+          # Gracefully handle syntax highlighter bugs/errors to ensure users can
-          # Gracefully handle syntax highlighter bugs/errors to ensure
+          # still access an issue/comment/etc. First, retry with the plain text
-          # users can still access an issue/comment/etc.
+          # filter. If that fails, then just skip this entirely, but that would
+          # be a pretty bad upstream bug.
+          return if retried
+          language = nil
+          lexer = Rouge::Lexers::PlainText.new
+          retried = true
+          retry
        end
-        highlighted = %(<pre class="#{css_classes}" lang="#{lang}" v-pre="true"><code>#{code}</code></pre>)
+        highlighted = %(<pre class="#{css_classes}" lang="#{language}" v-pre="true"><code>#{code}</code></pre>)
        # Extracted to a method to measure it
        replace_parent_pre_element(node, highlighted)

--- a/spec/lib/banzai/filter/syntax_highlight_filter_spec.rb
+++ b/spec/lib/banzai/filter/syntax_highlight_filter_spec.rb
@@ -3,35 +3,86 @@ require 'spec_helper'
 describe Banzai::Filter::SyntaxHighlightFilter do
  include FilterSpecHelper
+  shared_examples "XSS prevention" do |lang|
+    it "escapes HTML tags" do
+      # This is how a script tag inside a code block is presented to this filter
+      # after Markdown rendering.
+      result = filter(%{<pre lang="#{lang}"><code>&lt;script&gt;alert(1)&lt;/script&gt;</code></pre>})
+      expect(result.to_html).not_to include("<script>alert(1)</script>")
+      expect(result.to_html).to include("alert(1)")
+    end
+  end
  context "when no language is specified" do
    it "highlights as plaintext" do
      result = filter('<pre><code>def fun end</code></pre>')
      expect(result.to_html).to eq('<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">def fun end</span></code></pre>')
    end
+    include_examples "XSS prevention", ""
  end
  context "when a valid language is specified" do
    it "highlights as that language" do
      result = filter('<pre><code lang="ruby">def fun end</code></pre>')
      expect(result.to_html).to eq('<pre class="code highlight js-syntax-highlight ruby" lang="ruby" v-pre="true"><code><span id="LC1" class="line" lang="ruby"><span class="k">def</span> <span class="nf">fun</span> <span class="k">end</span></span></code></pre>')
    end
+    include_examples "XSS prevention", "ruby"
  end
  context "when an invalid language is specified" do
    it "highlights as plaintext" do
      result = filter('<pre><code lang="gnuplot">This is a test</code></pre>')
      expect(result.to_html).to eq('<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">This is a test</span></code></pre>')
    end
+    include_examples "XSS prevention", "gnuplot"
  end
-  context "when Rouge formatting fails" do
+  context "languages that should be passed through" do
+    %w(math plantuml).each do |lang|
+      context "when #{lang} is specified" do
+        it "highlights as plaintext but with the correct language attribute and class" do
+          result = filter(%{<pre><code lang="#{lang}">This is a test</code></pre>})
+          expect(result.to_html).to eq(%{<pre class="code highlight js-syntax-highlight #{lang}" lang="#{lang}" v-pre="true"><code><span id="LC1" class="line" lang="#{lang}">This is a test</span></code></pre>})
+        end
+        include_examples "XSS prevention", lang
+      end
+    end
+  end
+  context "when Rouge lexing fails" do
    before do
-      allow_any_instance_of(Rouge::Formatter).to receive(:format).and_raise(StandardError)
+      allow_any_instance_of(Rouge::Lexers::Ruby).to receive(:stream_tokens).and_raise(StandardError)
    end
    it "highlights as plaintext" do
      result = filter('<pre><code lang="ruby">This is a test</code></pre>')
-      expect(result.to_html).to eq('<pre class="code highlight" lang="" v-pre="true"><code>This is a test</code></pre>')
+      expect(result.to_html).to eq('<pre class="code highlight js-syntax-highlight " lang="" v-pre="true"><code><span id="LC1" class="line" lang="">This is a test</span></code></pre>')
+    end
+    include_examples "XSS prevention", "ruby"
+  end
+  context "when Rouge lexing fails after a retry" do
+    before do
+      allow_any_instance_of(Rouge::Lexers::PlainText).to receive(:stream_tokens).and_raise(StandardError)
+    end
+    it "does not add highlighting classes" do
+      result = filter('<pre><code>This is a test</code></pre>')
+      expect(result.to_html).to eq('<pre><code>This is a test</code></pre>')
    end
+    include_examples "XSS prevention", "ruby"
  end
 end