Verify Kroki diagram type

Merge branch 'security-kroki-stored-xss-15-9' into '15-9-stable-ee'

See merge request gitlab-org/security/gitlab!3056

Changelog: security

lib/banzai/filter/kroki_filter.rb

@@ -9,6 +9,8 @@ module Filter
     # HTML that replaces all diagrams supported by Kroki with the corresponding img tags.
     # If the source content is large then the hidden attribute is added to the img tag.
     class KrokiFilter < HTML::Pipeline::Filter
+      include ActionView::Helpers::TagHelper
+
       MAX_CHARACTER_LIMIT = 2000
 
       def call
@@ -27,9 +29,11 @@ def call
         diagram_format = "svg"
         doc.xpath(xpath).each do |node|
           diagram_type = node.parent['lang'] || node['lang']
+          next unless diagram_selectors.include?(diagram_type)
+
           diagram_src = node.content
           image_src = create_image_src(diagram_type, diagram_format, diagram_src)
-          img_tag = Nokogiri::HTML::DocumentFragment.parse(%(<img src="#{image_src}" />))
+          img_tag = Nokogiri::HTML::DocumentFragment.parse(content_tag(:img, nil, src: image_src))
           img_tag = img_tag.children.first
 
           next if img_tag.nil?

spec/lib/banzai/filter/kroki_filter_spec.rb

@@ -54,4 +54,11 @@
 
     expect(doc.to_s).to start_with '<img src="http://localhost:8000/nomnoml/svg/eNqLDsgsSixJrUmtTHXOL80rsVLwzCupKUrMTNHQtC7IzMlJTE_V0KyJyVNQiE5KTSxKidXVjS5ILCrKL4lFFrSyi07LL81RyM0vLckAysRGjxo8avCowaMGjxo8avCowaMGU8lgAE7mIdc=" hidden="" class="js-render-kroki" data-diagram="nomnoml" data-diagram-src="data:text/plain;base64,W1BpcmF0ZXxleWVDb3VudDog'
   end
+
+  it 'verifies diagram type to avoid possible XSS' do
+    stub_application_setting(kroki_enabled: true, kroki_url: "http://localhost:8000")
+    doc = filter(%(<a><pre lang='f/" onerror=alert(1) onload=alert(1) '><code lang="wavedrom">xss</code></pre></a>))
+
+    expect(doc.to_s).to eq %(<a><pre lang='f/" onerror=alert(1) onload=alert(1) '><code lang="wavedrom">xss</code></pre></a>)
+  end
 end