Merge branch 'fix-rdoc-xss' into 'security'

Fix XSS in rdoc and other markups See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2058

Merge branch 'fix-rdoc-xss' into 'security'
abb87f4a · Robert Speicher · Ruben Davila · 44a45369 · abb87f4a · abb87f4a
Commit abb87f4a authored Feb 09, 2017 by Robert Speicher Committed by Ruben Davila Feb 13, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 29 additions and 0 deletions

patch-rdoc-xss.yml changelogs/unreleased/patch-rdoc-xss.yml +4 -0

other_markup.rb lib/gitlab/other_markup.rb +3 -0

other_markup.rb spec/lib/gitlab/other_markup.rb +22 -0

No files found.
--- a/changelogs/unreleased/patch-rdoc-xss.yml
+++ b/changelogs/unreleased/patch-rdoc-xss.yml
+---
+title: Patch XSS vulnerability in RDOC support
+merge_request:
+author:
--- a/lib/gitlab/other_markup.rb
+++ b/lib/gitlab/other_markup.rb
@@ -17,6 +17,9 @@ module Gitlab

      html = Banzai.post_process(html, context)

+      filter = Banzai::Filter::SanitizationFilter.new(html)
+      html = filter.call.to_s
+
      html.html_safe
    end
  end

--- a/spec/lib/gitlab/other_markup.rb
+++ b/spec/lib/gitlab/other_markup.rb
+require 'spec_helper'
+
+describe Gitlab::OtherMarkup, lib: true do
+  context "XSS Checks" do
+    links = {
+      'links' => {
+        file: 'file.rdoc',
+        input: 'XSS[JaVaScriPt:alert(1)]',
+        output: '<p><a>XSS</a></p>'
+      }
+    }
+    links.each do |name, data|
+      it "does not convert dangerous #{name} into HTML" do
+        expect(render(data[:file], data[:input], context)).to eql data[:output]
+      end
+    end
+  end
+
+  def render(*args)
+    described_class.render(*args)
+  end
+end