Commit c76ccc6b authored by Brett Walker's avatar Brett Walker Committed by GitLab Release Tools Bot

Verify Kroki diagram type

Merge branch 'security-kroki-stored-xss-15-9' into '15-9-stable-ee'

See merge request gitlab-org/security/gitlab!3056

Changelog: security
parent c868e3d4
......@@ -9,6 +9,8 @@ module Filter
# HTML that replaces all diagrams supported by Kroki with the corresponding img tags.
# If the source content is large then the hidden attribute is added to the img tag.
class KrokiFilter < HTML::Pipeline::Filter
include ActionView::Helpers::TagHelper
MAX_CHARACTER_LIMIT = 2000
def call
......@@ -27,9 +29,11 @@ def call
diagram_format = "svg"
doc.xpath(xpath).each do |node|
diagram_type = node.parent['lang'] || node['lang']
next unless diagram_selectors.include?(diagram_type)
diagram_src = node.content
image_src = create_image_src(diagram_type, diagram_format, diagram_src)
img_tag = Nokogiri::HTML::DocumentFragment.parse(%(<img src="#{image_src}" />))
img_tag = Nokogiri::HTML::DocumentFragment.parse(content_tag(:img, nil, src: image_src))
img_tag = img_tag.children.first
next if img_tag.nil?
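Review bot: The allow-list check at `next unless diagram_selectors.include?(diagram_type)` is only as strict as `diagram_selectors`, which is built above this hunk and not visible here; if it is the joined CSS selector string that `xpath` is derived from, `include?` is a substring test, so an outer `pre lang` such as `pre`, `code` or `lang=` would pass and be interpolated into the Kroki URL path by `create_image_src`. Prefer an exact membership test against the array of enabled formats the selectors are generated from, e.g. keep that array in a local before it is joined and write `next unless enabled_formats.include?(diagram_type)` — hedged, since the definition is outside the hunk. The switch to `content_tag(:img, nil, src: image_src)` does close the attribute-breakout path on its own, so the remaining concern is path injection into `image_src` rather than HTML injection. The `next unless` line also deserves a comment explaining why the value is re-validated, e.g. `# the XPath may have matched on the child code[lang], but node.parent['lang'] wins the || below, so the value used for the URL is not necessarily the one the selector matched`; `call` continues outside the hunk.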
......@@ -54,4 +54,11 @@
expect(doc.to_s).to start_with '<img src="http://localhost:8000/nomnoml/svg/eNqLDsgsSixJrUmtTHXOL80rsVLwzCupKUrMTNHQtC7IzMlJTE_V0KyJyVNQiE5KTSxKidXVjS5ILCrKL4lFFrSyi07LL81RyM0vLckAysRGjxo8avCowaMGjxo8avCowaMGU8lgAE7mIdc=" hidden="" class="js-render-kroki" data-diagram="nomnoml" data-diagram-src="data:text/plain;base64,W1BpcmF0ZXxleWVDb3VudDog'
end
it 'verifies diagram type to avoid possible XSS' do
stub_application_setting(kroki_enabled: true, kroki_url: "http://localhost:8000")
doc = filter(%(<a><pre lang='f/" onerror=alert(1) onload=alert(1) '><code lang="wavedrom">xss</code></pre></a>))
expect(doc.to_s).to eq %(<a><pre lang='f/" onerror=alert(1) onload=alert(1) '><code lang="wavedrom">xss</code></pre></a>)
end
end
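Review bot: The new example only uses a `lang` value that shares no text with any diagram type or selector, so it would not catch an allow-list check that accepts partial or substring matches. Add a second case where the outer `pre lang` is a plausible fragment, e.g. `filter(%(<pre lang="pre"><code lang="wavedrom">xss</code></pre>))` and `filter(%(<pre lang="nomnom"><code lang="wavedrom">xss</code></pre>))`, asserting as here that the document is returned unchanged. Asserting `expect(doc.to_s).not_to include('<img')` alongside the full-document `eq` would also make the intent of the example clearer if the serialization ever changes.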