Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
李少辉-开发者
gitlab-foss
提交
603fa7c1
G
gitlab-foss
项目概览
李少辉-开发者
/
gitlab-foss
通知
15
Star
0
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
G
gitlab-foss
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
体验新版 GitCode,发现更多精彩内容 >>
提交
603fa7c1
编写于
1月 31, 2018
作者:
D
Douwe Maan
提交者:
Robert Speicher
2月 09, 2018
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
Merge branch 'fix-mermaid-xss' into 'security-10-4'
[10.4] Fix stored XSS in code blocks
上级
5e9e5692
变更
9
隐藏空白更改
内联
并排
Showing
9 changed file
with
130 addition
and
15 deletion
+130
-15
app/assets/javascripts/render_mermaid.js
app/assets/javascripts/render_mermaid.js
+3
-0
changelogs/unreleased/fix-stored-xss-in-code-blocks.yml
changelogs/unreleased/fix-stored-xss-in-code-blocks.yml
+5
-0
lib/banzai/filter/syntax_highlight_filter.rb
lib/banzai/filter/syntax_highlight_filter.rb
+22
-12
spec/features/markdown/copy_as_gfm_spec.rb
spec/features/markdown/copy_as_gfm_spec.rb
+0
-0
spec/features/markdown/gitlab_flavored_markdown_spec.rb
spec/features/markdown/gitlab_flavored_markdown_spec.rb
+0
-0
spec/features/markdown/markdown_spec.rb
spec/features/markdown/markdown_spec.rb
+0
-0
spec/features/markdown/math_spec.rb
spec/features/markdown/math_spec.rb
+22
-0
spec/features/markdown/mermaid_spec.rb
spec/features/markdown/mermaid_spec.rb
+24
-0
spec/lib/banzai/filter/syntax_highlight_filter_spec.rb
spec/lib/banzai/filter/syntax_highlight_filter_spec.rb
+54
-3
未找到文件。
app/assets/javascripts/render_mermaid.js
浏览文件 @
603fa7c1
...
...
@@ -30,6 +30,9 @@ export default function renderMermaid($els) {
$els
.
each
((
i
,
el
)
=>
{
const
source
=
el
.
textContent
;
// Remove any extra spans added by the backend syntax highlighting.
Object
.
assign
(
el
,
{
textContent
:
source
});
mermaid
.
init
(
undefined
,
el
,
(
id
)
=>
{
const
svg
=
document
.
getElementById
(
id
);
...
...
changelogs/unreleased/fix-stored-xss-in-code-blocks.yml
0 → 100644
浏览文件 @
603fa7c1
---
title
:
Fix stored XSS in code blocks that ignore highlighting
merge_request
:
author
:
type
:
security
lib/banzai/filter/syntax_highlight_filter.rb
浏览文件 @
603fa7c1
...
...
@@ -14,23 +14,33 @@ module Banzai
end
def
highlight_node
(
node
)
code
=
node
.
text
css_classes
=
'code highlight js-syntax-highlight'
language
=
node
.
attr
(
'lang'
)
lang
=
node
.
attr
(
'lang'
)
retried
=
false
if
use_rouge?
(
lang
uage
)
lexer
=
lexer_for
(
lang
uage
)
if
use_rouge?
(
lang
)
lexer
=
lexer_for
(
lang
)
language
=
lexer
.
tag
else
lexer
=
Rouge
::
Lexers
::
PlainText
.
new
language
=
lang
end
begin
code
=
Rouge
::
Formatters
::
HTMLGitlab
.
format
(
lex
(
lexer
,
node
.
text
),
tag:
language
)
css_classes
<<
"
#{
language
}
"
if
language
rescue
# Gracefully handle syntax highlighter bugs/errors to ensure users can
# still access an issue/comment/etc. First, retry with the plain text
# filter. If that fails, then just skip this entirely, but that would
# be a pretty bad upstream bug.
return
if
retried
begin
code
=
Rouge
::
Formatters
::
HTMLGitlab
.
format
(
lex
(
lexer
,
code
),
tag:
language
)
css_classes
<<
"
#{
language
}
"
rescue
# Gracefully handle syntax highlighter bugs/errors to ensure
# users can still access an issue/comment/etc.
language
=
nil
lexer
=
Rouge
::
Lexers
::
PlainText
.
new
retried
=
true
language
=
nil
end
retry
end
highlighted
=
%(<pre class="#{css_classes}" lang="#{language}" v-pre="true"><code>#{code}</code></pre>)
...
...
spec/features/copy_as_gfm_spec.rb
→
spec/features/
markdown/
copy_as_gfm_spec.rb
浏览文件 @
603fa7c1
文件已移动
spec/features/gitlab_flavored_markdown_spec.rb
→
spec/features/
markdown/
gitlab_flavored_markdown_spec.rb
浏览文件 @
603fa7c1
文件已移动
spec/features/markdown_spec.rb
→
spec/features/markdown
/markdown
_spec.rb
浏览文件 @
603fa7c1
文件已移动
spec/features/markdown/math_spec.rb
0 → 100644
浏览文件 @
603fa7c1
require
'spec_helper'
describe
'Math rendering'
,
:js
do
it
'renders inline and display math correctly'
do
description
=
<<~
MATH
This math is inline $`a^2+b^2=c^2`$.
This is on a separate line
```math
a^2+b^2=c^2
```
MATH
project
=
create
(
:project
,
:public
)
issue
=
create
(
:issue
,
project:
project
,
description:
description
)
visit
project_issue_path
(
project
,
issue
)
expect
(
page
).
to
have_selector
(
'.katex .mord.mathit'
,
text:
'b'
)
expect
(
page
).
to
have_selector
(
'.katex-display .mord.mathit'
,
text:
'b'
)
end
end
spec/features/markdown/mermaid_spec.rb
0 → 100644
浏览文件 @
603fa7c1
require
'spec_helper'
describe
'Mermaid rendering'
,
:js
do
it
'renders Mermaid diagrams correctly'
do
description
=
<<~
MERMAID
```mermaid
graph TD;
A-->B;
A-->C;
B-->D;
C-->D;
```
MERMAID
project
=
create
(
:project
,
:public
)
issue
=
create
(
:issue
,
project:
project
,
description:
description
)
visit
project_issue_path
(
project
,
issue
)
%w[A B C D]
.
each
do
|
label
|
expect
(
page
).
to
have_selector
(
'svg foreignObject'
,
text:
label
)
end
end
end
spec/lib/banzai/filter/syntax_highlight_filter_spec.rb
浏览文件 @
603fa7c1
...
...
@@ -3,35 +3,86 @@ require 'spec_helper'
describe
Banzai
::
Filter
::
SyntaxHighlightFilter
do
include
FilterSpecHelper
shared_examples
"XSS prevention"
do
|
lang
|
it
"escapes HTML tags"
do
# This is how a script tag inside a code block is presented to this filter
# after Markdown rendering.
result
=
filter
(
%{<pre lang="#{lang}"><code><script>alert(1)</script></code></pre>}
)
expect
(
result
.
to_html
).
not_to
include
(
"<script>alert(1)</script>"
)
expect
(
result
.
to_html
).
to
include
(
"alert(1)"
)
end
end
context
"when no language is specified"
do
it
"highlights as plaintext"
do
result
=
filter
(
'<pre><code>def fun end</code></pre>'
)
expect
(
result
.
to_html
).
to
eq
(
'<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">def fun end</span></code></pre>'
)
end
include_examples
"XSS prevention"
,
""
end
context
"when a valid language is specified"
do
it
"highlights as that language"
do
result
=
filter
(
'<pre><code lang="ruby">def fun end</code></pre>'
)
expect
(
result
.
to_html
).
to
eq
(
'<pre class="code highlight js-syntax-highlight ruby" lang="ruby" v-pre="true"><code><span id="LC1" class="line" lang="ruby"><span class="k">def</span> <span class="nf">fun</span> <span class="k">end</span></span></code></pre>'
)
end
include_examples
"XSS prevention"
,
"ruby"
end
context
"when an invalid language is specified"
do
it
"highlights as plaintext"
do
result
=
filter
(
'<pre><code lang="gnuplot">This is a test</code></pre>'
)
expect
(
result
.
to_html
).
to
eq
(
'<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">This is a test</span></code></pre>'
)
end
include_examples
"XSS prevention"
,
"gnuplot"
end
context
"when Rouge formatting fails"
do
context
"languages that should be passed through"
do
%w(math mermaid plantuml)
.
each
do
|
lang
|
context
"when
#{
lang
}
is specified"
do
it
"highlights as plaintext but with the correct language attribute and class"
do
result
=
filter
(
%{<pre><code lang="#{lang}">This is a test</code></pre>}
)
expect
(
result
.
to_html
).
to
eq
(
%{<pre class="code highlight js-syntax-highlight #{lang}" lang="#{lang}" v-pre="true"><code><span id="LC1" class="line" lang="#{lang}">This is a test</span></code></pre>}
)
end
include_examples
"XSS prevention"
,
lang
end
end
end
context
"when Rouge lexing fails"
do
before
do
allow_any_instance_of
(
Rouge
::
Formatter
).
to
receive
(
:format
).
and_raise
(
StandardError
)
allow_any_instance_of
(
Rouge
::
Lexers
::
Ruby
).
to
receive
(
:stream_tokens
).
and_raise
(
StandardError
)
end
it
"highlights as plaintext"
do
result
=
filter
(
'<pre><code lang="ruby">This is a test</code></pre>'
)
expect
(
result
.
to_html
).
to
eq
(
'<pre class="code highlight js-syntax-highlight" lang="" v-pre="true"><code>This is a test</code></pre>'
)
expect
(
result
.
to_html
).
to
eq
(
'<pre class="code highlight js-syntax-highlight" lang="" v-pre="true"><code><span id="LC1" class="line" lang="">This is a test</span></code></pre>'
)
end
include_examples
"XSS prevention"
,
"ruby"
end
context
"when Rouge lexing fails after a retry"
do
before
do
allow_any_instance_of
(
Rouge
::
Lexers
::
PlainText
).
to
receive
(
:stream_tokens
).
and_raise
(
StandardError
)
end
it
"does not add highlighting classes"
do
result
=
filter
(
'<pre><code>This is a test</code></pre>'
)
expect
(
result
.
to_html
).
to
eq
(
'<pre><code>This is a test</code></pre>'
)
end
include_examples
"XSS prevention"
,
"ruby"
end
end
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录